Create a local user/assign permissions on an ESXi host



There are a number of ways to create users and groups on an ESXi host. The most familiar way is to use the vSphere Client. This how-to shows the necessary steps using the vSphere Client as well as the CLI/vMA and PowerCLI. In the vSphere Client, connect directly to a host, rather than to vCenter, then browse to the Local Users and Groups tab:


To create a new user, right-click anywhere in this screen, then click Add. You will see the following screen:


You can enter a login name and a password and select whether shell access is required. UID and username are optional – these will be generated if you choose not to specify anything. You can also select the group membership. By default, the new user will be added to the Users group if no other group is selected.

You can also create groups in the same way, after switching to the groups view:


Note: Groups have been deprecated from ESXi 5.1 onwards.

Creating ESXi Users with the CLI or vMA

You can also create new users and groups on an ESXi host using the CLI or the vMA (vSphere Management Assistant). For example, from the vMA, you can run the following command to create a new user:

vi-admin@vma:~[esxi1.vmlab.loc]> vicfg-user -e user -o add -l testuser

Enter password for the user:
Enter password for the user again:
Created user testuser successfully.

We can verify it has been created by running the following, to list the users on the host:

vi-admin@vma:~[esxi1.vmlab.loc]> vicfg-user -e user  -o list

USERS
-----------------
Principal -: testuser
Full Name -: ESXi User
UID -: 1003
Shell Access -:1

There are a number of other options you can use with vicfg-user, including removing users, creating and removing groups, and adding users to groups. You can also reset users' passwords and associate users with roles. For example, to assign the new ‘testuser’ the admin role, you can run:

vi-admin@vma:~[esxi1.vmlab.loc]> vicfg-user -e user -o modify -l testuser -r admin
Updated user testuser successfully.
Assigned the role admin

All available options can be viewed by running:

vicfg-user --help

Creating Users and Groups using PowerCLI

You can also use PowerCLI to create users and groups using the New-VMHostAccount cmdlet. The following is pseudo-code to show how each command is used with its switches; values in angle brackets are placeholders to replace with your own:

Connect-VIServer -Protocol https -Server <esxi_host> -User root -Password "your_password"

New-VMHostAccount -Id <user_name> -Password "your_new_password" -Description <description>
New-VIRole -Name <role_name> -Privilege "eg: Settings"
New-VIPermission -Entity <entity> -Principal <user_name> -Role "<role_name>" -Propagate:$true

The following is a working example:

PowerCLI C:\> New-VMHostAccount -Id TestUser2 -Password Pa55w0rd -Description "Test User"

Roles and Permissions

Once you have created your local accounts, by whichever method you choose, you will need to associate each account with a role in order for it to be able to perform tasks on the host. This is done through the Roles pane in the vSphere Client (though, as shown earlier, you can also use the CLI):


As shown above, there are three built-in roles: No Access, Read-Only and Administrator. These roles can be cloned and modified, or new ones can be created, to allow for more granular control:


Once you have created your users and roles, you can then use them to assign permissions to objects on the host:

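The create-user, create-role and assign-permission steps above can be run as one PowerCLI script. This is an added example, not code from the original how-to: it prompts for passwords instead of placing them on the command line, and it grants a narrow custom role rather than Administrator. The account name, role name and choice of privileges are assumptions.

```powershell
# Added example. Account name, role name and privilege selection are hypothetical.
$EsxiHost = 'esxi1.vmlab.loc'     # lab host name from the vMA prompt earlier on this page
$NewUser  = 'vmoperator'          # hypothetical local account
$RoleName = 'VMPowerOperator'     # hypothetical custom role

# Prompt for both passwords so neither ends up in the script or the console history.
$rootCred = Get-Credential -UserName 'root' -Message "root password for $EsxiHost"
$userCred = Get-Credential -UserName $NewUser -Message 'Password for the new local account'

Connect-VIServer -Protocol https -Server $EsxiHost -Credential $rootCred | Out-Null
try {
    # 1. Local account. -GrantShellAccess is left off, so no shell access is requested.
    New-VMHostAccount -Id $NewUser -Description 'VM power operator' `
        -Password ($userCred.GetNetworkCredential().Password) | Out-Null

    # 2. Custom role: the System.* privileges held by the built-in Read-Only role,
    #    plus power on/off for virtual machines and nothing else.
    $privileges = Get-VIPrivilege -Id @(
        'System.Anonymous', 'System.View', 'System.Read',
        'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff'
    )
    $role = New-VIRole -Name $RoleName -Privilege $privileges

    # 3. Permission on the host object, propagated to its child objects.
    #    Assumption: a direct host connection returns exactly one VMHost.
    New-VIPermission -Entity (Get-VMHost) -Principal $NewUser -Role $role `
        -Propagate:$true | Out-Null

    # 4. Review what was created: the account, its permission and the role's privileges.
    Get-VMHostAccount -Id $NewUser | Format-List
    Get-VIPermission -Principal $NewUser | Format-Table Entity, Principal, Role, Propagate
    (Get-VIRole -Name $RoleName).PrivilegeList
}
finally {
    # Always drop the root session, even if one of the steps failed.
    Disconnect-VIServer -Server $EsxiHost -Confirm:$false
}
```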