Identifying the User or Process that Modified ESXi Lockdown Mode



Article ID: 434674


Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

Lockdown Mode on an ESXi host has been changed (typically found disabled) with no documented change to account for it. Administrators need to identify the specific user, service account, or automated process that initiated the change to prevent recurrence.

Environment

VMware vSphere ESXi 7.x, 8.x

Cause

Lockdown Mode can be modified through multiple interfaces, including:

  1. vSphere Client: A user with administrative privileges manually changing the setting via the vCenter UI.
  2. Direct Console User Interface (DCUI): A user with local access to the host console.
  3. PowerCLI / API: Automated scripts or third-party management tools that connect through the vSphere API (e.g., backup agents, security scanners, or privileged-access and identity managers such as CyberArk).
  4. Host Profiles: Compliance checks or host profile remediations that may not align with the desired manual state.

Resolution

To identify the source of the change, administrators should perform an audit of both vCenter Server events and ESXi host-level logs.

1. Audit vCenter Server Events

The vCenter Server maintains a task and event history that tracks configuration changes.

  1. Log in to the vSphere Client.
  2. Select the affected ESXi host in the inventory.
  3. Navigate to the Monitor tab and select Tasks and Events > Events.
  4. In the search/filter box, type "Lockdown Mode".
  5. Locate the event where the status changed to "Disabled".
  6. Review the User column to identify the account responsible. Compare the event time with the Tasks view for the same host, which shows the task name and the client session that created it.

2. Review ESXi Host Logs (hostd)

If the change was made directly on the host or the vCenter events are unavailable, review the hostd logs.

  1. Enable SSH on the ESXi host and log in.
  2. Run the following command to find entries related to Lockdown Mode changes: grep -i "LockdownMode" /var/run/log/hostd.log
     The match is case-insensitive, so it also catches the HostAccessManager.ChangeLockdownMode method that vSphere 6.0 and later clients use. Rotated copies of the log (hostd.0.gz, hostd.1.gz, and so on in the same directory) need zcat or gunzip before grep, and if the host forwards syslog, the same lines can be searched on the remote syslog server.
  3. Look for method names such as EnterLockdownMode, ExitLockdownMode, or ChangeLockdownMode. The log entry will typically include a session ID or opID that can be traced back to a specific user session or service: search the log for the same opID and user name to find the related lines, including the session login event, which records the user agent of the connecting client (vSphere Client, PowerCLI, or a third-party SDK tool).
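The correlation described in steps 2 and 3, as an added example that is not part of the original article: a POSIX sh script (the ESXi busybox shell has grep, sed and awk) that lists every Lockdown Mode change in a hostd.log file together with its opID and user, then prints all lines that share the opID and pulls the client name from the login event when one is present. The log excerpt it runs on is constructed for this example; the "[Originator@6876 sub=... opID=... user=...]" prefix follows hostd's layout, but the host name, users, IDs and timestamps are invented. Point the functions at /var/run/log/hostd.log on a real host.

```shell
#!/bin/sh
# Added example (not from the KB article): trace Lockdown Mode changes in
# hostd.log back to the opID, user and client that made them.
# The sample log below is CONSTRUCTED; names, IDs and times are invented.
SAMPLE_LOG="${TMPDIR:-/tmp}/hostd-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
2024-03-04T09:12:01.101Z info hostd[2099001] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=7f1c2a33 user=vpxuser:VSPHERE.LOCAL\svc-backup] Event 1188 : User VSPHERE.LOCAL\svc-backup@10.0.0.25 logged in as pyvmomi
2024-03-04T09:12:01.220Z info hostd[2099001] [Originator@6876 sub=Vimsvc.TaskManager opID=7f1c2a33 user=vpxuser:VSPHERE.LOCAL\svc-backup] Task Created : haTask-ha-host-vim.host.HostAccessManager.changeLockdownMode-1188
2024-03-04T09:12:01.300Z info hostd[2099001] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=7f1c2a33 user=vpxuser:VSPHERE.LOCAL\svc-backup] Event 1189 : Lockdown mode has been disabled on host esx01.lab.local.
2024-03-04T09:30:44.010Z info hostd[2099002] [Originator@6876 sub=Vimsvc.TaskManager opID=a0b1c2d3 user=root] Task Created : haTask-ha-host-vim.host.HostAccessManager.changeLockdownMode-1201
2024-03-04T09:30:44.100Z info hostd[2099002] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=a0b1c2d3 user=root] Event 1202 : Lockdown mode has been enabled on host esx01.lab.local.
EOF

# Print one "opID user" line per Lockdown Mode change, in log order.
# Matches the event text ("Lockdown mode has been ...") and the API method
# names (EnterLockdownMode, ExitLockdownMode, changeLockdownMode), then
# keeps the first occurrence of each opID/user pair.
lockdown_change_users() {
    grep -i -e 'lockdownmode' -e 'lockdown mode' "$1" \
    | sed -n 's/.*opID=\([^] ]*\).*user=\([^] ]*\).*/\1 \2/p' \
    | awk '!seen[$0]++'
}

# Print every line that carries the given opID, i.e. the whole operation
# as hostd saw it (task creation, events, and any login in the same scope).
trace_opid() {
    grep -F "opID=$2" "$1"
}

# Extract the client user agent from a "logged in as <client>" event that
# shares the opID. Prints nothing when no login line is in this file, which
# happens for local sessions or when the login was logged before rotation.
client_for_opid() {
    trace_opid "$1" "$2" | sed -n 's/.*logged in as \(.*\)$/\1/p' | head -n 1
}

# Walk each change and show who made it and with what.
lockdown_change_users "$SAMPLE_LOG" | while read -r opid user; do
    client=$(client_for_opid "$SAMPLE_LOG" "$opid")
    [ -n "$client" ] || client='not in this file (check hostd.*.gz, auth.log, vCenter events)'
    echo "== opID $opid  user: $user  client: $client"
    trace_opid "$SAMPLE_LOG" "$opid"
done
```

On the constructed sample, the first change resolves to the service account VSPHERE.LOCAL\svc-backup connecting with a pyvmomi-based client, which is the kind of finding that points at a backup or automation tool; the second change has user root and no login event in the file, so the script says where to look next rather than guessing.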

3. Investigate Automated Scripts and Third-Party Tools

If the auditing reveals a service account or unexpected login:

  • Check for PowerCLI or SDK scripts that call the ExitLockdownMode() method on the host object (or HostAccessManager.ChangeLockdownMode), and for scheduled jobs or management products that do so on the host's behalf.
  • Consider using the Exception Users list to allow necessary service accounts to function without disabling Lockdown Mode globally. Exception users keep their permissions while Lockdown Mode is enabled, so the automation no longer has a reason to disable it.

Additional Information