PowerFlex: ESXi Security Hardening Settings for ESXi Active Directory integration

Summary: The AD group "ESX Admins" is automatically given the VIM Admin role when an ESXi host is joined to an Active Directory domain. Note: Several ESXi advanced settings have default values that are not secure by default. ...

This article is not tied to a specific product. This article does not cover all existing product versions.

Instructions

This article applies to all ESXi versions prior to ESXi 8.0 U3.

Several ESXi advanced settings have default values that are not secure by default.

The AD group "ESX Admins" is automatically given the VIM Admin role when an ESXi host is joined to an Active Directory domain.

Check whether the group currently holds a permission with esxcli system permission list; on an affected host the output lists the group (esxcli shows the space in "ESX Admins" as ^):

[root@esxifqdn:~] esxcli system permission list
Principal              Is Group  Role   Role Description
---------------------  --------  -----  ----------------
yourdomain\esx^admins  true      Admin  Full access rights
cloudadmin             false     Admin  Full access rights
dcui                   false     Admin  Full access rights
root                   false     Admin  Full access rights
vpxuser                false     Admin  Full access rights


This issue is fixed in ESXi 8.0 U3.

To work around the issue, change the following ESXi advanced options (the validation interval is in minutes):

Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd from true to false
Config.HostAgent.plugins.vimsvc.authValidateInterval from 1440 to 90
Config.HostAgent.plugins.hostsvc.esxAdminsGroup from "ESX Admins" to "" (empty string)

If the ESXi host was already joined to Active Directory before the workaround was applied, remove the Admin permission for the AD group ("ESX Admins" by default) if it still exists. This can be done through the Host Client UI or with the following esxcli command (the space in the group name is written as ^):

esxcli system permission unset -i 'yourdomain\esx^admins' --group

Remove the permission only after the advanced options above have been changed; while esxAdminsGroupAutoAdd is still true, the group can be added back automatically.

All currently assigned VIM permissions can be validated through the Host Client UI or with the following esxcli command:

esxcli system permission list


With the default settings, the ESX Admins group is added to the host with Admin privileges as soon as the host is joined to Active Directory, so change these settings before joining the domain wherever possible. The settings take effect within a minute; a reboot is not required.
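The following script ties the steps above together for the ESXi shell: it parses esxcli system permission list output to find an AD group holding the Admin role, applies the three advanced-option changes first, and only then unsets the group's permission. It is an added example for this article, not Dell or Broadcom tooling. It assumes busybox sh as found on ESXi, that esxcli accepts -i 0/1 for boolean advanced options and -s "" to clear a string option (confirm with esxcli system settings advanced list -o <option> on your build), and it defaults to DRY_RUN=1, which prints the commands instead of executing them. The permission-list output embedded in the script is a constructed sample so the parsing can be exercised off-host.

```shell
#!/bin/sh
# Added example, not part of the Dell KB or any Broadcom tooling.
# Audits an ESXi host for an AD group holding the Admin role, then emits
# (or, with DRY_RUN=0, executes) the workaround from the article in the
# required order: change the advanced options first, unset the group last.
# Assumptions: esxcli accepts -i 0/1 for boolean advanced options and -s ""
# to clear a string option; confirm with `esxcli system settings advanced
# list -o <option>` on your build before running with DRY_RUN=0.

DRY_RUN="${DRY_RUN:-1}"

AUTOADD_OPT=/Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd
INTERVAL_OPT=/Config/HostAgent/plugins/vimsvc/authValidateInterval
GROUP_OPT=/Config/HostAgent/plugins/hostsvc/esxAdminsGroup

# Constructed sample of `esxcli system permission list` output (not taken
# from a real host), so the parsing below can run without an ESXi shell.
SAMPLE_PERMISSIONS='Principal              Is Group  Role   Role Description
---------------------  --------  -----  ----------------
yourdomain\esx^admins  true      Admin  Full access rights
cloudadmin             false     Admin  Full access rights
dcui                   false     Admin  Full access rights
root                   false     Admin  Full access rights
vpxuser                false     Admin  Full access rights'

# Run a command, or just print it when DRY_RUN is not 0.
# printf rather than echo: principals contain backslashes.
run() {
    if [ "$DRY_RUN" = "0" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Principals of every *group* (column 2 == true) holding the Admin role.
# Reads `esxcli system permission list` output on stdin; the header and
# separator rows never have "true" in column 2, so they fall out.
admin_groups() {
    awk '$2 == "true" && $3 == "Admin" { print $1 }'
}

# Exit 0 and print the principal if the default "ESX Admins" group holds
# Admin. esxcli prints the space in the group name as ^, so the principal
# ends in esx^admins (case-insensitive, any domain prefix).
esx_admins_present() {
    admin_groups | awk '
        { p = tolower($1) }
        substr(p, length(p) - 9) == "esx^admins" { print $1; found = 1 }
        END { exit !found }'
}

# Step 1 of the workaround: the three advanced-option changes.
harden_settings() {
    run esxcli system settings advanced set -o "$AUTOADD_OPT" -i 0     # true -> false
    run esxcli system settings advanced set -o "$INTERVAL_OPT" -i 90   # 1440 -> 90 minutes
    run esxcli system settings advanced set -o "$GROUP_OPT" -s ""      # "ESX Admins" -> ""
}

# Step 2: drop the group's Admin permission if the host was already joined.
remove_group_permission() {
    run esxcli system permission unset -i "$1" --group
}

# Show the three options afterwards so the result can be confirmed.
show_settings() {
    for opt in "$AUTOADD_OPT" "$INTERVAL_OPT" "$GROUP_OPT"; do
        run esxcli system settings advanced list -o "$opt"
    done
}

# Stand-alone demo against the constructed sample. On a real host replace
# the printf with: esxcli system permission list | esx_admins_present
if group="$(printf '%s\n' "$SAMPLE_PERMISSIONS" | esx_admins_present)"; then
    printf 'Admin-role AD group present: %s\n' "$group"
    harden_settings
    remove_group_permission "$group"
    show_settings
fi
```

On a host, run it once with the default DRY_RUN=1 to review the exact esxcli commands, then with DRY_RUN=0. Because the article's order matters (settings first, permission removal second), the script never offers the unset step on its own.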

See the following Broadcom KB.
Secure Default Settings for ESXi Active Directory integration (External Link)

 

Affected Products

PowerFlex rack, PowerFlex Appliance, PowerFlex rack RCM Software
Article Properties
Article Number: 000250853
Article Type: How To
Last Modified: 03 Jan 2026
Version: 3