How to modify the default expiry time for the vpxuser account
search cancel

How to modify the default expiry time for the vpxuser account

book

Article ID: 320773

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

This article provides steps to modify the password of the vpxuser account.

 

Environment

  • VMware vCenter Server 8.0.x
  • VMware vCenter Server 7.0.x
  • VMware vCenter Server 6.x

Resolution

The vCenter Server creates a vpxuser account on each ESX/ESXi host that it manages.  The password for each of these vpxuser account is auto-generated when the ESXi host is added to the vCenter inventory, and by default is updated automatically every 30 days.

To modify the default password settings:

  1. Open the vSphere Client for your vCenter Server and login with a account that has administration permissions for the vCenter
  2. Select the vCenter object in the inventory, then go to Configure > Settings > Advanced Settings
  3. Click on [EDIT SETTINGS] in the upper right-hand corner
  4. Scroll down to the parameter VirtualCenter.VimPasswordExpirationInDays and change the value from the default.
  5. Restart the vCenter Server service to apply the change for the vpxuser accounts on the connected ESXi hosts by running the following command in an SSH session on the VCSA:
    # service-control --restart vpxd

Notes:

  • For security reasons, VMware does not recommend increasing the value.
  • When the password is automatically changed, you will find the following entry in /var/log/hostd.log
    Password was changed for account vpxuser on host

 

 

 

Additional Information

For more information, see:

 

Impact/Risks:

  • When modifying the vpxuser password expiry time you may also need to take consideration of the Security.PasswordMaxDays setting for users on the ESXi host side Advanced Settings if it has also been changed (default 99999 days). For more information see Configure the Passwords and Account Lockout Policy in the VMware Host Client section in the vSphere Single Host Management - VMware host Client Guide
  • If the VirtualCenter.VimPasswordExpirationInDays occurs while the ESXi host is in maintenance mode then vpxd will delay the password renewal until within 24 hours after it has exited maintenance mode. If the Security.PasswordMaxDays has also been modified and the vpxuser password expires while the ESXi host is in maintenance mode then the ESXi host would need to be disconnected and reconnected to vCenter Server and the root password re-entered.
  • The Security.PasswordMaxDays should always be a greater value than the VirtualCenter.VimPasswordExpirationInDays to ensure the password can be changed by vpxd before it expires on the ESXi host. vCenter Server is not aware of changes to the Security.PasswordMaxDays on the ESXi host