NOTE: "ESX Admins" group name is configurable. "ESX Admins" will be used as the example group name in this KB.
For more information see KB:
Using the ESX Admins AD group on ESXi: domain membership and user authentication
After adding an ESXi host to Active Directory and configuring the "ESX Admins" group in AD, any user that is a member of the "ESX Admins" group should automatically be given the VIM Admin role on the ESXi host; however, AD user login attempts to the Host UI or over SSH fail.
* ESXi host has been added to Active Directory
* ESX Admins group has been created in Active Directory
* Running "esxcli system permission list" does not show the "ESX Admins" group:
esxcli system permission list
Principal       Is Group  Role   Role Description
--------------  --------  -----  ------------------
cloudadmin      false     Admin  Full access rights
dcui            false     Admin  Full access rights
root            false     Admin  Full access rights
vpxuser         false     Admin  Full access rights
NOTE: If the ESX Admins group was added successfully then this would be the output:
Principal       Is Group  Role   Role Description
--------------  --------  -----  ------------------
DC\esx^admins   true      Admin  Full access rights
cloudadmin      false     Admin  Full access rights
dcui            false     Admin  Full access rights
root            false     Admin  Full access rights
vpxuser         false     Admin  Full access rights
ESXi 8.0
Possible causes:
1. The Active Directory group "ESX Admins" will be granted VIM Admin role only if it exists at the time when the ESXi joins the domain. If the AD group is created later (after the ESXi host is joined to the domain) then it won't be given VIM Admin role.
2. The ESXi advanced setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" is set to "false".
IMPORTANT NOTE: For ESXi 8.0 Update 3 onwards the ESXi advanced setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" is set to "false" by default. This was changed due to security concerns. On versions of ESXi prior to Update 3 it is set to "true" by default. It is important to note that changing this to "false" does not remove any permissions already granted to the "ESX Admins" group.
Therefore it is possible to have an ESXi host that was patched from a version prior to Update 3 that has "ESX Admins" group logins working while "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" is currently set to "false" after patching to U3. The same applies if this setting was manually set to "false".
To remove the permissions for an AD group or to disable AD logins see KB:
Secure Default Settings for ESXi Active Directory integration
Resolution:
1. The Active Directory group "ESX Admins" will be granted the VIM Admin role only if it exists at the time when the ESXi host joins the domain. If the AD group is created later (after the ESXi host is joined to the domain) then it won't be given the VIM Admin role.
- To resolve this, the ESXi host will need to be removed from and re-added to Active Directory.
NOTE: Make sure the correct group is configured in AD and on the ESXi advanced setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroup", see KB:
Using the ESX Admins AD group on ESXi: domain membership and user authentication
To remove the host from AD:
To re-add the host back to AD:
NOTE: The same AD operations can be done via the host client:
Verify that the "ESX Admins" group permissions propagated to the ESXi host with the "esxcli system permission list" command (see the issue/introduction section of this KB). If the "ESX Admins" group permissions have not propagated, then move on to the next section.
2. The ESXi advanced setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" is set to "false".
- To resolve this, the "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" setting will need to be set to "true".
NOTE: It may be necessary to remove and re-add the ESXi host to Active Directory.
Verify that the "ESX Admins" group permissions propagated to the ESXi host with the "esxcli system permission list" command (see the issue/introduction section of this KB).
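The two checks this KB walks through (is the group principal present in the permission list, and what is esxAdminsGroupAutoAdd set to) can be scripted in the ESXi shell; the following is an added example, not code from the KB. The esxcli outputs are constructed from the tables above; the field layout of "esxcli system settings advanced list -o /Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd" is assumed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify the ESX Admins login problem into the KB's two causes
# by parsing the two esxcli outputs. Outputs below are constructed; on a host,
# replace them with "$(esxcli system permission list)" and the advanced-setting listing.

# Constructed: permission list when the group permission is present (KB "successful" case)
PERM_PRESENT='Principal       Is Group  Role   Role Description
--------------  --------  -----  ------------------
DC\esx^admins   true      Admin  Full access rights
cloudadmin      false     Admin  Full access rights'

# Constructed: permission list when the group permission never propagated (KB "issue" case)
PERM_MISSING='Principal       Is Group  Role   Role Description
--------------  --------  -----  ------------------
cloudadmin      false     Admin  Full access rights
root            false     Admin  Full access rights'

# Constructed (assumed field layout): advanced-setting listing with AutoAdd disabled
AUTOADD_OFF='   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd
   Type: string
   String Value: false
   Default String Value: false'

# Succeeds when a group principal matching $1 has a permission entry in $2.
# ESXi lists the principal as DOMAIN\esx^admins (space -> "^", lower-case),
# so both sides are normalised before comparing.
group_has_permission() {
  want=$(printf '%s' "$1" | tr ' A-Z' '^a-z')
  printf '%s\n' "$2" | awk -v g="$want" '
    NR > 2 && $2 == "true" {
      p = tolower($1); sub(/^.*\\/, "", p)   # drop the DOMAIN\ prefix
      if (p == g) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Prints the "String Value" field of an advanced-setting listing ("true"/"false").
setting_value() {
  printf '%s\n' "$1" | awk -F': *' '$1 ~ /^ *String Value$/ { print $2 }'
}

# Exit status: 0 = permission present; 1 = missing while AutoAdd is "true"
# (cause 1: rejoin the domain); 2 = missing while AutoAdd is "false" (cause 2).
diagnose() {
  group_has_permission "$1" "$2" && return 0
  [ "$(setting_value "$3")" = "true" ] && return 1
  return 2
}
diagnose "ESX Admins" "$PERM_MISSING" "$AUTOADD_OFF"; echo "diagnose status: $?"
```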