ESXi failed to enable lockdown mode as the legacy admin permission associated with a removed account

Article ID: 414195

Products

VMware vSphere ESXi 8.0
VMware vSphere ESXi

Issue/Introduction

ESXi failed to enable lockdown mode as the legacy admin permission associated with a removed account.

The following error message is reported in the ESXi Host Client:

"Failed to enter lock down mode: The requested change cannot be completed because it could leave the system without full administrative privileges for a user or group."

Environment

VMware vSphere 7.x

VMware vSphere 8.x

Cause

When lockdown mode is enabled, ESXi attempts to remove the Admin permission from every user that is not on the exception user list.

In some abnormal situations an account has been removed while the record of its Admin permission is still present. When this happens, enabling lockdown mode fails with the error above.

For example, the account "groupadmin" no longer exists, but an Admin permission is still assigned to it:

# esxcli system permission list
Principal   Is Group  Role   Role Description
----------  --------  -----  ----------------
dcui           false  Admin  Full access rights
groupadmin     false  Admin  Full access rights
root           false  Admin  Full access rights
vpxuser        false  Admin  Full access rights

# esxcli system account list
User ID  Description
-------  -----------
root     Administrator
dcui     DCUI User
vpxuser  VMware Workstation administration account

Resolution

The issue can be fixed with the following steps.

1. Re-add the legacy account "groupadmin" in the ESXi Host Client.

2. Remove the permission for the account "groupadmin":

# esxcli system permission unset -i groupadmin
# esxcli system permission list
Principal  Is Group  Role   Role Description
---------  --------  -----  ----------------
dcui          false  Admin  Full access rights
root          false  Admin  Full access rights
vpxuser       false  Admin  Full access rights

# esxcli system account list
User ID     Description
----------  -----------
root        Administrator
dcui        DCUI User
vpxuser     VMware Workstation administration account
groupadmin  ESXi User

3. Remove the account "groupadmin":

# esxcli system account remove -i groupadmin

4. Attempt to enable lockdown mode for this host in the vSphere Client or the Host Client.
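
The following shell script is an added example, not part of this KB article, that automates the check behind the cause and resolution above: it compares the principals in "esxcli system permission list" against the users in "esxcli system account list" and reports any user permission whose account no longer exists, then prints the KB's recovery sequence for each one. The two embedded outputs are constructed copies of the listings shown above so the script runs offline; on a real host, pass the live esxcli output instead. The "esxcli system account add" command and its placeholder password are assumptions, since the article re-adds the account through the Host Client.

```shell
#!/bin/sh
# Added example (not from the KB): find permission entries whose principal is no
# longer a local account, which is the condition that makes entering lockdown mode fail.
# On a real host, feed live output:
#   find_orphaned_permissions "$(esxcli system permission list)" "$(esxcli system account list)"
# The two samples below are constructed to mirror the KB's output so the script runs offline.

SAMPLE_PERMISSIONS='Principal   Is Group  Role   Role Description
----------  --------  -----  ----------------
dcui           false  Admin  Full access rights
groupadmin     false  Admin  Full access rights
root           false  Admin  Full access rights
vpxuser        false  Admin  Full access rights'

SAMPLE_ACCOUNTS='User ID  Description
-------  -----------
root     Administrator
dcui     DCUI User
vpxuser  VMware Workstation administration account'

# Arguments: $1 = "esxcli system permission list" output, $2 = "esxcli system account list" output.
# Prints one principal per line for every user permission entry (Is Group == false)
# that has no matching local account. Group principals are skipped because they are
# not local accounts and never appear in the account list.
find_orphaned_permissions() {
    perms=$1
    accounts=$2
    # First column of every account row, skipping the header and the ---- separator line.
    known=$(printf '%s\n' "$accounts" | awk 'NR > 2 { printf "%s ", $1 }')
    printf '%s\n' "$perms" | awk -v known="$known" '
        BEGIN { n = split(known, k); for (i = 1; i <= n; i++) have[k[i]] = 1 }
        NR > 2 && $2 == "false" && !($1 in have) { print $1 }'
}

# Prints the KB's recovery sequence for one orphaned principal: re-create the account,
# unset its permission, then remove the account again. The "account add" command and
# its <temporary-password> placeholder are assumptions; the KB re-adds the account in
# the Host Client instead.
remediation_steps() {
    principal=$1
    printf 'esxcli system account add -i %s -p <temporary-password> -c <temporary-password>\n' "$principal"
    printf 'esxcli system permission unset -i %s\n' "$principal"
    printf 'esxcli system account remove -i %s\n' "$principal"
}

# Stand-alone run: report the orphaned principals found in the sample data.
for p in $(find_orphaned_permissions "$SAMPLE_PERMISSIONS" "$SAMPLE_ACCOUNTS"); do
    echo "orphaned Admin permission: $p"
    remediation_steps "$p"
done
```

Run on the sample data the script reports "groupadmin" as the only orphaned principal; once its permission row is gone (the state shown after step 2), it reports nothing, which is the state in which enabling lockdown mode succeeds.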

Additional Information

If the issue cannot be fixed with this procedure, see KB 381978:

Unable to enable lockdown mode in ESXi
https://knowledge.broadcom.com/external/article/381978/