Several ESXi advanced settings ship with default values that are not secure. In particular, the AD group "ESX Admins" is automatically given the VIM Admin role when an ESXi host is joined to an Active Directory domain.
[root@esxifqdn:~] esxcli system permission list
Principal              Is Group  Role   Role Description
---------------------  --------  -----  ----------------
yourdomain\esx^admins  true      Admin  Full access rights
cloudadmin             false     Admin  Full access rights
dcui                   false     Admin  Full access rights
root                   false     Admin  Full access rights
vpxuser                false     Admin  Full access rights
This article relates to all versions prior to ESXi 8.0 U3.
This issue is fixed in ESXi 8.0 U3.
To work around the issue, change the following ESXi advanced options:
Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd: from true to false
Config.HostAgent.plugins.vimsvc.authValidateInterval: from 1440 to 90
Config.HostAgent.plugins.hostsvc.esxAdminsGroup: from "ESX Admins" to ""
If the ESXi host was already joined to Active Directory before the workaround was applied, remove the Admin permission for the AD group ("ESX Admins" by default) if it exists. This can be done through the Host Client UI or with the following esxcli command:
esxcli system permission unset -i 'yourdomain\esx^admins' --group
The above step should be done after the workaround is applied.
All currently assigned VIM permissions can be validated through the Host Client UI or the below esxcli command:
esxcli system permission list
Note: The ESX Admins group will be added to the host with Admin privileges once the host is added to Active Directory. It is recommended to change these settings before joining the domain. These settings take effect within a minute. A reboot is not required.
6/28/2024 - Added Config.HostAgent.plugins.hostsvc.esxAdminsGroup and note.
8/12/2024 - Added steps required for ESXi hosts already joined to the AD domain.