Cannot login to ESXi hosts with AD users after adding hosts to Active Directory and configuring ESX Admins group


Article ID: 390063


Updated On: 03-06-2025

Products

VMware vSphere ESX 8.x

Issue/Introduction

NOTE: The "ESX Admins" group name is configurable; "ESX Admins" is used as the example group name in this KB.

For more information see KB:

Using the ESX Admins AD group on ESXi: domain membership and user authentication

After adding an ESXi host to Active Directory and configuring the "ESX Admins" group in AD, any user that is a member of the "ESX Admins" group should automatically be given the VIM Admin role on the ESXi host; however, attempted AD user logins to the Host UI or over SSH fail.


* ESXi host has been added to Active Directory

* ESX Admins group has been created in Active Directory

* Running "esxcli system permission list" does not show the "ESX Admins" group:

esxcli system permission list

Principal   Is Group  Role   Role Description
----------  --------  -----  ----------------
cloudadmin  false     Admin  Full access rights
dcui        false     Admin  Full access rights
root        false     Admin  Full access rights
vpxuser     false     Admin  Full access rights

NOTE: If the ESX Admins group had been added successfully, the output would be:

Principal      Is Group  Role   Role Description
-------------  --------  -----  ----------------
DC\esx^admins  true      Admin  Full access rights
cloudadmin     false     Admin  Full access rights
dcui           false     Admin  Full access rights
root           false     Admin  Full access rights
vpxuser        false     Admin  Full access rights

Environment

ESXi 8.0

Cause

Possible causes:

1. The Active Directory group "ESX Admins" is granted the VIM Admin role only if it exists at the time the ESXi host joins the domain. If the AD group is created later (after the ESXi host has joined the domain), it will not be given the VIM Admin role.

2. The ESXi advanced setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" is set to "false".


Resolution

IMPORTANT NOTE: From ESXi 8.0 Update 3 onwards, the ESXi advanced setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" is set to "false" by default. This was changed for security reasons. On versions of ESXi prior to Update 3 it is set to "true" by default. Note that changing this setting to "false" does not remove any permissions already granted to the "ESX Admins" group.

Therefore it is possible to have an ESXi host that was patched from a version prior to Update 3 on which "ESX Admins" group logins still work, even though "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" is set to "false" after patching to U3. The same applies if this setting was manually set to "false".

To remove the permissions for an AD group or to disable AD logins see KB:
Secure Default Settings for ESXi Active Directory integration




1. The Active Directory group "ESX Admins" is granted the VIM Admin role only if it exists at the time the ESXi host joins the domain. If the AD group is created later (after the ESXi host has joined the domain), it will not be given the VIM Admin role.

   - To resolve this, the ESXi host needs to be removed from Active Directory and re-added.


NOTE: Make sure the correct group is configured in AD and in the ESXi advanced setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"; see KB:

Using the ESX Admins AD group on ESXi: domain membership and user authentication
 
   To remove the host from AD:

  1. From the vCenter Server vSphere Client, select the host that will be removed from Active Directory.
  2. Click the Configure tab.
  3. Click Authentication Services.
  4. Click the three dots "..." link at the top right of the pane and select "Leave Domain".




   To re-add the host to AD:

  1. Confirm the ESXi host is synchronizing time with the Active Directory Domain controller. For more information, see Synchronizing ESXi/ESX time with a Microsoft Domain Controller.
  2. From the vCenter Server vSphere Client, select the host that will be added to Active Directory.
  3. Click the Configure tab.
  4. Click Authentication Services.
  5. Click the Join Domain... link at the top right pane.
  6. In the Join Domain dialog, enter a domain. Use the form example.com or example.com/OU1/OU2.
  7. Enter the username (in user@example.com format) and password of a directory service user account that has permission to join the host to the domain and click OK.
  8. Click OK.





   NOTE: The same AD operations can be performed from the ESXi Host Client.

Verify that the "ESX Admins" group permissions have propagated to the ESXi host with the "esxcli system permission list" command (see the Issue/Introduction section of this KB). If the "ESX Admins" group permissions have not propagated, move on to the next section.




2. The ESXi advanced setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" is set to "false".

   - To resolve this, the "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" setting needs to be set to "true".

  1. From the vCenter Server vSphere Client, select the ESXi host.
  2. Click the Configure tab.
  3. Click on Advanced System Settings.
  4. Click Edit and filter the "Key" column for "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd".
  5. If this is set to "false", set it to "true". If it does not exist, create it.



NOTE: It may be necessary to remove the ESXi host from Active Directory and re-add it.

Verify that the "ESX Admins" group permissions have propagated to the ESXi host with the "esxcli system permission list" command (see the Issue/Introduction section of this KB).
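As an added example that is not part of this KB, the following shell check parses "esxcli system permission list" output for the configured group (covering the verification step above) and, on a live host, reads the two advanced settings named in this KB. The esxcli option paths under /Config/HostAgent/plugins/hostsvc/ and the lowercase "esx^admins" principal form are assumptions drawn from the KB's own output; the sample tables are constructed.

```shell
# Added example (not from the KB): parse "esxcli system permission list"
# output to tell whether the configured ESX Admins group was granted a role.
# Sample outputs are constructed after the KB's tables so this runs offline.
# Map the Config.HostAgent.plugins.hostsvc.esxAdminsGroup value to the
# principal form in the list (lowercase, space as '^'), an assumption drawn
# from the KB's "DC\esx^admins" row.
group_principal() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr ' ' '^'
}

# Read permission-list output on stdin; succeed only if a row with
# "Is Group" == true has a principal (domain prefix stripped) matching $1.
group_has_permission() {
    want=$(group_principal "$1")
    awk -v want="$want" '
        NR > 2 && $2 == "true" {
            p = tolower($1); sub(/.*\\/, "", p)   # drop DOMAIN\ prefix
            if (p == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}
SAMPLE_MISSING='Principal   Is Group  Role   Role Description
----------  --------  -----  ----------------
cloudadmin  false     Admin  Full access rights
root        false     Admin  Full access rights'
SAMPLE_PRESENT='Principal      Is Group  Role   Role Description
-------------  --------  -----  ----------------
DC\esx^admins  true      Admin  Full access rights
cloudadmin     false     Admin  Full access rights
root           false     Admin  Full access rights'
for s in "$SAMPLE_MISSING" "$SAMPLE_PRESENT"; do
    if printf '%s\n' "$s" | group_has_permission "ESX Admins"; then
        echo "sample: ESX Admins has a role"
    else
        echo "sample: ESX Admins NOT granted (see KB causes 1 and 2)"
    fi
done

# On a real host only: read the configured group name, show the AutoAdd
# setting, and test the live list. Assumes the esxcli option paths mirror
# the vSphere Client keys named in the KB.
if command -v esxcli >/dev/null 2>&1; then
    base=/Config/HostAgent/plugins/hostsvc
    grp=$(esxcli system settings advanced list -o "$base/esxAdminsGroup" |
          awk -F': ' '/^ *String Value:/ {print $2}')
    esxcli system settings advanced list -o "$base/esxAdminsGroupAutoAdd"
    esxcli system permission list | group_has_permission "$grp" &&
        echo "host: $grp has a role" || echo "host: $grp NOT granted"
fi
```

Run it on the host over SSH after the remove/re-add or AutoAdd change; a "NOT granted" result means the group still needs cause 1 or cause 2 above addressed.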

Additional Information