VxRail: Best Practices for VxRail Account and Passwords

Summary: The rules for accounts and passwords implemented by VxRail are explained in this article. Recommendations for VxRail account naming including vCenter ESXi host, VxRail Manager, and Platform Services Controller (PSC) root accounts, general suggestions for accounts password best practices for use in Dell VxRail. ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

Accounts used during initial deployment:

 
CAUTION: Create a maximum of one account per cluster for the VMware vCenter Server management account. Do not use shared accounts.
 
  1. vCenter administrator account
This is the administrator account for the vCenter (VC) server. It has full authorization to all vCenter operations. For an internal VC, the account name should be administrator@vsphere.local. For external VC, the customer should provide the account name with the same permission as administrator@vsphere.local.
  1. Management account
This is the management account that VxRail Manager uses. It is created on the PSC and each ESXi host with the localos domain. In the PSC, it will get the VMware HCIA Management permission after initial deployment. In each ESXi host, it will be assigned with the administrator permission after initial deployment. The customer selects the management account username during initial deployment. For external VC, the customer creates this account without any permission or any group that is assigned to it.
  1. vCenter and PSC root account
This is the existing Linux system root account in vCenter and PSC. It is used for script execution and file uploading on the virtual machine (VM) in some workflows such as initial configuration, node addition, and so forth.
  1. ESXi host root account:
This is the existing ESXi system root account for each host. It is used for script execution and file uploading on the host in some workflows such as initial configuration, node addition, and so on.

Account naming restrictions

  1. vCenter administrator account
    • For internal VC, it is fixed to administrator@vsphere.local, no other restrictions.
    • For external VC, the customer provides it. There is no restriction from the VxRail Manger point of view.
  1. Management account
    • For internal VC, the customer chooses it at initial deployment. The account name must comply with restrictions by PSC and ESXi hosts.
    • For external VC, the customer provides it. The account name must comply with restrictions by PSC and ESXi hosts.
    • PSC restrictions:
      • For the localos domain: Match the regular expression
        • [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]?, up to 32 characters.
      • For a customer-specified domain: Follow the restrictions in the specific domain.
  • ESXi restrictions: Match the regular expression
    • [A-Za-z_][A-Za-z0-9_-]*[A-Za-z0-9_$-]?, up to 16 characters.
  1. vCenter and PSC root account
Fixed Linux system root account in vCenter and PSC, no other restrictions
  1. ESXi system root account
Fixed ESXi system root account in each ESXi host, no other restrictions

Password restrictions

General suggestions for all the accounts: Avoid using special characters in a password, such as / ? ; , . | \ ' " & $ = ` < #  ! -

  1. vCenter administrator password:
The password entered for the administrator account is applied on the vCenter administrator account, vCenter, and PSC root account. The password must comply with password restrictions by vCenter and VM system policy. It is used to deploy the VM from VxRail Manager and comply with the code restrictions by VxRail Manager.
  • vCenter software restriction: VC password policyThis hyperlink is taking you to a website outside of Dell Technologies.
  • VM system policy: See Linux default password restriction
  1. Management password
    • For internal VC, the customer chooses the management account at initial deployment. The account name must comply with restrictions by PSC and ESXi hosts.
    • For external VC, the customer provides the account. The password should comply with restrictions on the PSC and ESXi host.
    • PSC VM system policy: See Linux default password restriction
    • ESXi restriction: ESXi password policyThis hyperlink is taking you to a website outside of Dell Technologies., blank space not allowed
    • From release 4.0.0 to 4.0.200, the Secure Remote Services admin password is aligned with the management password. The password must comply with Secure Remote Services admin password rules as well. Reference article VxRail: Fail to update management account password when Secure Remote Services is enabled.
  2. vCenter and PSC root account
Same password as vCenter administrator account, see the section above.
  1. ESXi host root account 
ESXi password policyThis hyperlink is taking you to a website outside of Dell Technologies., blank spaces are not allowed.

iDRAC:  

For iDRAC9, the iDRAC secure password is available on the back of the system information tag (Service Tag) under iDRAC Default Password. See article What is the default username and password for Integrated Dell Remote Access Controller (iDRAC) for more information.

Some simple passwords may no longer work. For instance, in the screenshot below, the reason the default password of "calvin" is no longer accepted, is because of a password security setting for the iDRAC. See article Dell Technologies VxRail: iDRAC settings that cannot be changed for more information.

For Example: At the moment, you cannot set the iDRAC password to the old "calvin" default. This is prevented since the iDRAC password Policy Setting is *not* set to "0 - No Protection":  iDRAC > iDRAC Settings > Users > Global User Settings > Password Settings > Policy Settings > Minimum Score = "0 - No Protection"

Changing iDRAC policy settings may cause upgrade failures.

Changing iDRAC policy settings may cause upgrade failures

Insufficient privilege level

Additional Information

The passwords for the vCenter administrator account and the vCenter and PSC root account should be aligned all the time. Password inconsistency leads to node replacement and single node addition procedure failures.
 

Affected Products

VxRail
Article Properties
Article Number: 000158231
Article Type: How To
Last Modified: 25 Nov 2025
Version:  26
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.