Thursday, October 20, 2011

Managing Users with vicfg-user

A user is an individual authorized to log in to an ESX/ESXi or vCenter Server system.
vSphere does not explicitly restrict users with the same authentication credentials from accessing and taking action within the vSphere environment simultaneously.
You manage users defined on the vCenter Server system and users defined on individual hosts separately.
- Manage ESX/ESXi defined users with the vSphere Client, the vSphere Web Services SDK, or vicfg-user.
- Manage vCenter Server users with the vSphere Client or the vSphere Web Services SDK.
Even if the user lists of a host and a vCenter Server system appear to have common users (for instance, a user called devuser), these users are separate users with the same name. The attributes of devuser in vCenter Server, including permissions, passwords, and so forth, are separate from the attributes of devuser on the ESX/ESXi host. If you log in to vCenter Server as devuser, you might have permission to view and delete files from a datastore. If you log in to an ESX/ESXi host as devuser, you might not have these permissions.
Users authorized to work directly on an ESX/ESXi host are added to the internal user list when ESX/ESXi is installed or can be added by a system administrator after installation. You can use vicfg-user to add users, remove users, change passwords, set group membership, and configure permissions.

CAUTION See the Authentication and User Management chapter of the ESX Configuration Guide or ESXi Configuration Guide for information about root users before you make any changes to the default users. Mistakes regarding root users can have serious access consequences.

Each ESX/ESXi host has a number of default users:
- The root user has full administrative privileges. Administrators use this login and its associated password to log in to a host through the vSphere Client. Root users can control all aspects of the host that they are logged on to: they can manipulate permissions, create groups and users (on ESX/ESXi hosts only), work with events, and so on.
- The vpxuser user is a vCenter Server entity with root rights on the ESX/ESXi host, allowing it to manage activities for that host. The system creates vpxuser when an ESX/ESXi host is attached to vCenter Server. vpxuser is not present on the ESX/ESXi host unless the host is being managed through vCenter Server.
- Other users might be defined by the system, depending on the networking setup and other factors.

The following example scenario illustrates some of the tasks that you can perform.

1 List the existing users.
vicfg-user <conn_options> -e user -o list
The list displays all users that are predefined by the system and all users that were added later.
C:\>vicfg-user.pl --server esx1 --username root -e user -o list
Enter password:
USERS
-----------------
Principal -: root
Full Name -: root
UID -: 0
Shell Access -:1

-----------------
Principal -: bin
Full Name -: bin
UID -: 1
Shell Access -:0

-----------------
Principal -: daemon
Full Name -: daemon
UID -: 2
Shell Access -:0

-----------------
Principal -: adm
Full Name -: adm
UID -: 3
Shell Access -:0

-----------------
Principal -: lp
Full Name -: lp
UID -: 4
Shell Access -:0

-----------------
Principal -: sync
Full Name -: sync
UID -: 5
Shell Access -:1

-----------------
Principal -: shutdown
Full Name -: shutdown
UID -: 6
Shell Access -:1

-----------------
Principal -: halt
Full Name -: halt
UID -: 7
Shell Access -:1

-----------------
Principal -: mail
Full Name -: mail
UID -: 8
Shell Access -:0

-----------------
Principal -: news
Full Name -: news
UID -: 9
Shell Access -:1

-----------------
Principal -: uucp
Full Name -: uucp
UID -: 10
Shell Access -:0

-----------------
Principal -: operator
Full Name -: operator
UID -: 11
Shell Access -:0

-----------------
Principal -: gopher
Full Name -: gopher
UID -: 13
Shell Access -:0

-----------------
Principal -: ftp
Full Name -: FTP User
UID -: 14
Shell Access -:0

-----------------
Principal -: nobody
Full Name -: Nobody
UID -: 99
Shell Access -:0

-----------------
Principal -: nscd
Full Name -: NSCD Daemon
UID -: 28
Shell Access -:0

-----------------
Principal -: vcsa
Full Name -: virtual console memory owner
UID -: 69
Shell Access -:0

-----------------
Principal -: pcap
Full Name -:
UID -: 77
Shell Access -:0

-----------------
Principal -: ntp
Full Name -:
UID -: 38
Shell Access -:0

-----------------
Principal -: rpc
Full Name -: Portmapper RPC user
UID -: 32
Shell Access -:0

-----------------
Principal -: rpcuser
Full Name -: RPC Service User
UID -: 29
Shell Access -:0

-----------------
Principal -: nfsnobody
Full Name -: Anonymous NFS User
UID -: -2
Shell Access -:0

-----------------
Principal -: sshd
Full Name -: Privilege-separated SSH
UID -: 74
Shell Access -:0

-----------------
Principal -: vimuser
Full Name -: vimuser
UID -: 12
Shell Access -:0

-----------------
Principal -: vpxuser
Full Name -: VMware VirtualCenter administration account
UID -: 500
Shell Access -:0

-----------------

C:\>vicfg-user.pl --server esx2 --username root -e user -o list
Enter password:
USERS
-----------------
Principal -: root
Full Name -: Administrator
UID -: 0
Shell Access -:1

-----------------
Principal -: nobody
Full Name -: Nobody
UID -: 99
Shell Access -:0

-----------------
Principal -: nfsnobody
Full Name -: Anonymous NFS User
UID -: 65534
Shell Access -:0

-----------------
Principal -: dcui
Full Name -: DCUI User
UID -: 100
Shell Access -:0

-----------------
Principal -: daemon
Full Name -: daemon
UID -: 2
Shell Access -:0

-----------------
Principal -: vimuser
Full Name -: vimuser
UID -: 12
Shell Access -:0

-----------------
Principal -: vpxuser
Full Name -: VMware VirtualCenter administration account
UID -: 500
Shell Access -:0

-----------------

2 Add a new user, specifying a login ID and password.
vicfg-user <conn_options> -e user -o add -l user27 -p 27_password
The command creates the user. By default, the command autogenerates a UID for the user and does not give shell access.

C:\>vicfg-user.pl --server esx1 --username root -e user -o add -l user27 -p 27_password
Enter password:
Created user user27 successfully.

C:\>vicfg-user.pl --server esx2 --username root -e user -o add -l user27 -p 27_password
Enter password:
Created user user27 successfully.

3 List the users again to verify that the new user was added and a UID was generated.
vicfg-user <conn_options> -e user -o list
USERS
-------------------
Principal -: root
Full Name -: root
UID -: 0
Shell Access -> 1
-------------------
...
--------------------
Principal -: user27
Full Name -:
UID -: 501
Shell Access -> 0

C:\>vicfg-user.pl --server esx1 --username root -e user -o list
Enter password:
USERS
-----------------
Principal -: root
Full Name -: root
UID -: 0
Shell Access -:1

-----------------
.
.
.
-----------------
Principal -: user27
Full Name -:
UID -: 501
Shell Access -:0

-----------------

C:\>vicfg-user.pl --server esx2 --username root -e user -o list
Enter password:
USERS
-----------------
Principal -: root
Full Name -: Administrator
UID -: 0
Shell Access -:1

-----------------
.
.
.
-----------------
Principal -: user27
Full Name -: Linux User,,,
UID -: 501
Shell Access -:0

-----------------


4 Modify the password for user user27.
vicfg-user <conn_options> -e user -o modify -l user27 -p 27_password2
The system might return "Updated user user27 successfully."

C:\>vicfg-user.pl --server esx1 --username root -e user -o modify -l user27 -p 27_password2
Enter password:
Updated user user27 successfully.

C:\>vicfg-user.pl --server esx2 --username root -e user -o modify -l user27 -p 27_password2
Enter password:
Updated user user27 successfully.

5 Assign read-only privileges to the user (which currently has no access).
vicfg-user <conn_options> -e user -o modify -l user27 --role read-only
Updated user user27 successfully.
Assigned the role read-only

The system prompts whether you want to change the password, which might be advisable if the user does not currently have a password. Answer y or n. The system then updates the user.


C:\>vicfg-user.pl --server esx1 --username root -e user -o modify -l user27 --role read-only
Enter password:
Updated user user27 successfully.
Assigned the role read-only

C:\>vicfg-user.pl --server esx2 --username root -e user -o modify -l user27 --role read-only
Enter password:
Updated user user27 successfully.
Assigned the role read-only

6 List the existing groups.
vicfg-user <conn_options> -e group -o list
The system prints an extensive list of all groups and the users in each group.

C:\>vicfg-user.pl --server esx1 --username root -e group -o list
Enter password:

Group Information:
Principal -: root
Full Name -:
GID       -: 0

Users in group root:
Principal -: root
Full Name -: root


------------------

Group Information:
Principal -: bin
Full Name -:
GID       -: 1

Users in group bin:
Principal -: root
Full Name -: root

Principal -: bin
Full Name -: bin

Principal -: daemon
Full Name -: daemon


------------------

Group Information:
Principal -: daemon
Full Name -:
GID       -: 2

Users in group daemon:
Principal -: root
Full Name -: root

Principal -: bin
Full Name -: bin

Principal -: daemon
Full Name -: daemon


------------------

Group Information:
Principal -: sys
Full Name -:
GID       -: 3

Users in group sys:
Principal -: root
Full Name -: root

Principal -: bin
Full Name -: bin

Principal -: adm
Full Name -: adm


------------------

Group Information:
Principal -: adm
Full Name -:
GID       -: 4

Users in group adm:
Principal -: root
Full Name -: root

Principal -: daemon
Full Name -: daemon

Principal -: adm
Full Name -: adm


------------------

Group Information:
Principal -: tty
Full Name -:
GID       -: 5

------------------

Group Information:
Principal -: disk
Full Name -:
GID       -: 6

Users in group disk:
Principal -: root
Full Name -: root


------------------

Group Information:
Principal -: lp
Full Name -:
GID       -: 7

Users in group lp:
Principal -: daemon
Full Name -: daemon

Principal -: lp
Full Name -: lp


------------------

Group Information:
Principal -: mem
Full Name -:
GID       -: 8

------------------

Group Information:
Principal -: kmem
Full Name -:
GID       -: 9

------------------

Group Information:
Principal -: wheel
Full Name -:
GID       -: 10

Users in group wheel:
Principal -: root
Full Name -: root


------------------

Group Information:
Principal -: mail
Full Name -:
GID       -: 12

Users in group mail:
Principal -: mail
Full Name -: mail


------------------

Group Information:
Principal -: news
Full Name -:
GID       -: 13

Users in group news:
Principal -: news
Full Name -: news


------------------

Group Information:
Principal -: uucp
Full Name -:
GID       -: 14

Users in group uucp:
Principal -: uucp
Full Name -: uucp


------------------

Group Information:
Principal -: man
Full Name -:
GID       -: 15

------------------

Group Information:
Principal -: gopher
Full Name -:
GID       -: 30

------------------

Group Information:
Principal -: dip
Full Name -:
GID       -: 40

------------------

Group Information:
Principal -: ftp
Full Name -:
GID       -: 50

------------------

Group Information:
Principal -: lock
Full Name -:
GID       -: 54

------------------

Group Information:
Principal -: nobody
Full Name -:
GID       -: 99

------------------

Group Information:
Principal -: users
Full Name -:
GID       -: 100

Users in group users:
Principal -: vpxuser
Full Name -: VMware VirtualCenter administration account

Principal -: user27
Full Name -:


------------------

Group Information:
Principal -: nscd
Full Name -:
GID       -: 28

------------------

Group Information:
Principal -: floppy
Full Name -:
GID       -: 19

------------------

Group Information:
Principal -: vcsa
Full Name -:
GID       -: 69

------------------

Group Information:
Principal -: pcap
Full Name -:
GID       -: 77

------------------

Group Information:
Principal -: ntp
Full Name -:
GID       -: 38

------------------

Group Information:
Principal -: utmp
Full Name -:
GID       -: 22

------------------

Group Information:
Principal -: rpc
Full Name -:
GID       -: 32

------------------

Group Information:
Principal -: rpcuser
Full Name -:
GID       -: 29

------------------

Group Information:
Principal -: nfsnobody
Full Name -:
GID       -: -2

------------------

Group Information:
Principal -: sshd
Full Name -:
GID       -: 74

------------------

Group Information:
Principal -: vimuser
Full Name -:
GID       -: 20

------------------

C:\>

C:\>vicfg-user.pl --server esx2 --username root -e group -o list
Enter password:

Group Information:
Principal -: root
Full Name -:
GID       -: 0

Users in group root:
Principal -: root
Full Name -: Administrator


------------------

Group Information:
Principal -: tty
Full Name -:
GID       -: 5

------------------

Group Information:
Principal -: nobody
Full Name -:
GID       -: 99

------------------

Group Information:
Principal -: nfsnobody
Full Name -:
GID       -: 65534

------------------

Group Information:
Principal -: users
Full Name -:
GID       -: 100

Users in group users:
Principal -: vpxuser
Full Name -: VMware VirtualCenter administration account

Principal -: user27
Full Name -: Linux User,,,


------------------

Group Information:
Principal -: vimuser
Full Name -:
GID       -: 20

------------------

Group Information:
Principal -: daemon
Full Name -:
GID       -: 2

------------------

C:\>

7 Create a group.
vicfg-user <conn_options> -e group -o add -d test

C:\>vicfg-user.pl --server esx1 --username root -e group -o add -d test
Enter password:
Created group test successfully.

C:\>vicfg-user.pl --server esx2 --username root -e group -o add -d test
Enter password:
Created group test successfully.

The system adds the group and assigns a group ID. When you now list all groups, the new group is included.
----------
Group Information:
Principal -: test
Full Name -:
GID -: 500
----------


C:\>vicfg-user.pl --server esx1 --username root -e group -o list
Enter password:
.
.
.
------------------

Group Information:
Principal -: test
Full Name -:
GID       -: 500

------------------

C:\>vicfg-user.pl --server esx2 --username root -e group -o list
Enter password:
.
.
.
------------------

Group Information:
Principal -: test
Full Name -:
GID       -: 500

------------------



8 Add user user27 to the new group.
vicfg-user <conn_options> -e user -o modify -l user27 -g test

C:\>vicfg-user.pl --server esx1 --username root -e user -o modify -l user27 -g test
Enter password:
Updated user user27 successfully.
Assigned to the group test

C:\>vicfg-user.pl --server esx2 --username root -e user -o modify -l user27 -g test
Enter password:
Updated user user27 successfully.
Assigned to the group test

The system assigns the user to the group test. When you now list all groups, the new group and the assigned user are included.
----------
Group Information:
Principal -: test
Full Name -:
GID -: 500
Users in group test:
Principal -: user27
Full Name -:
----------

C:\>vicfg-user.pl --server esx1 --username root -e group -o list
Enter password:
.
.
.
------------------

Group Information:
Principal -: test
Full Name -:
GID       -: 500

Users in group test:
Principal -: user27
Full Name -:


------------------

C:\>vicfg-user.pl --server esx2 --username root -e group -o list
Enter password:
.
.
.
------------------

Group Information:
Principal -: test
Full Name -:
GID       -: 500

Users in group test:
Principal -: user27
Full Name -: Linux User,,,


------------------

9 Remove the user with login ID user27.
vicfg-user <conn_options> -e user -o delete -l user27
The system removes the user and prints a message.
Removed the user user27 successfully.

C:\>vicfg-user.pl --server esx1 --username root -e user -o delete -l user27
Enter password:
Removed the user user27 successfully.

C:\>vicfg-user.pl --server esx2 --username root -e user -o delete -l user27
Enter password:
Removed the user user27 successfully.
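After steps 1 through 5 the only way to confirm what changed on a host is to read the `-e user -o list` output by eye, and with two hosts (esx1 and esx2 above) it is easy to miss a stray UID 0 account, a user that gained shell access, or an account present on one host but not the other. The following Python script is an added example, not code from vCLI or from this page: it parses the "Principal -: / Full Name -: / UID -: / Shell Access -:N" records that vicfg-user prints (accepting both the `-:` and `->` spellings seen in the listings above) and answers those three questions. The two listings embedded in it are constructed, abbreviated samples in the tool's format; in practice you would paste in the captured output of `vicfg-user.pl --server <host> -e user -o list`.

```python
"""Parse `vicfg-user -e user -o list` output and audit it.

Added example; not part of vCLI or the page. The listings below are
constructed samples in the page's format, not captured output.
"""
import re
from typing import Dict, List, Tuple

# Accepts "Principal -: root", "UID -: 0", "Shell Access -:1" and the
# "Shell Access -> 1" spelling that the page's third listing uses.
FIELD_RE = re.compile(r"^\s*(Principal|Full Name|UID|Shell Access)\s*-[:>]\s*(.*?)\s*$")
SEP_RE = re.compile(r"^-{3,}\s*$")

# Constructed, abbreviated listing in the style of the page's esx1 output.
ESX1_USERS = """USERS
-----------------
Principal -: root
Full Name -: root
UID -: 0
Shell Access -:1

-----------------
Principal -: sync
Full Name -: sync
UID -: 5
Shell Access -:1

-----------------
Principal -: user27
Full Name -:
UID -: 501
Shell Access -:0

-----------------
"""

# Constructed listing for a second host (esx2 style). The last record has no
# trailing separator, which the parser must still flush.
ESX2_USERS = """USERS
-------------------
Principal -: root
Full Name -: Administrator
UID -: 0
Shell Access -> 1
-------------------
Principal -: dcui
Full Name -: DCUI User
UID -: 100
Shell Access -> 0
-------------------
Principal -: user27
Full Name -: Linux User,,,
UID -: 501
Shell Access -> 0
"""

User = Dict[str, object]


def parse_users(listing: str) -> Dict[str, User]:
    """Map principal -> {"uid": int, "shell": bool, "full_name": str}."""
    users: Dict[str, User] = {}
    fields: Dict[str, str] = {}

    def flush() -> None:
        # One record is complete when a dashed separator (or end of input) is hit.
        if "Principal" in fields:
            users[fields["Principal"]] = {
                "uid": int(fields.get("UID", "0")),
                "shell": fields.get("Shell Access", "0") == "1",
                "full_name": fields.get("Full Name", ""),
            }
        fields.clear()

    for line in listing.splitlines():
        if SEP_RE.match(line):
            flush()
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    flush()  # a final record that is not followed by a separator
    return users


def shell_access_accounts(users: Dict[str, User]) -> List[str]:
    """Principals that can log in to a shell: the set to review after any change."""
    return sorted(p for p, u in users.items() if u["shell"])


def uid_zero_accounts(users: Dict[str, User]) -> List[str]:
    """Every UID 0 principal; anything besides root here deserves an explanation."""
    return sorted(p for p, u in users.items() if u["uid"] == 0)


def user_drift(a: Dict[str, User], b: Dict[str, User]) -> Tuple[List[str], List[str]]:
    """Principals only on the first host and only on the second. Host accounts are
    local, so the same name on two hosts is two separate users (see above)."""
    return sorted(set(a) - set(b)), sorted(set(b) - set(a))


if __name__ == "__main__":
    esx1, esx2 = parse_users(ESX1_USERS), parse_users(ESX2_USERS)
    print("shell access on esx1:", shell_access_accounts(esx1))
    print("UID 0 on esx2:", uid_zero_accounts(esx2))
    print("only on esx1 / only on esx2:", user_drift(esx1, esx2))
```

Note that on classic ESX the default listing legitimately shows sync, shutdown and halt with shell access (their login shells are the corresponding system commands), so the point of `shell_access_accounts` is to compare against the host's known baseline rather than to treat every entry as a finding.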

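Steps 6 through 8 rely on the `-e group -o list` output to confirm that the new group exists and that user27 landed in it, and the same listing is where you would check that nobody unexpected is a member of root or wheel. This Python script is an added example, not code from vCLI or from this page: it parses the "Group Information:" records, including the optional "Users in group X:" member block, and reports privileged-group membership and the groups a given principal belongs to. The embedded listing is a constructed, abbreviated sample in the tool's format (it deliberately includes a group with no member block, tty, which the parser must handle); the choice of root and wheel as the privileged groups is this example's assumption.

```python
"""Parse `vicfg-user -e group -o list` output and audit group membership.

Added example; not part of vCLI or the page. The listing below is a
constructed sample in the page's format, not captured output.
"""
import re
from typing import Dict, List

FIELD_RE = re.compile(r"^\s*(Principal|Full Name|GID)\s*-[:>]\s*(.*?)\s*$")
SEP_RE = re.compile(r"^-{3,}\s*$")

# Constructed, abbreviated listing: a group with members (root), one with no
# member block (tty), the users group, and the test group created in step 7.
GROUP_LISTING = """
Group Information:
Principal -: root
Full Name -:
GID       -: 0

Users in group root:
Principal -: root
Full Name -: root

------------------

Group Information:
Principal -: tty
Full Name -:
GID       -: 5

------------------

Group Information:
Principal -: users
Full Name -:
GID       -: 100

Users in group users:
Principal -: vpxuser
Full Name -: VMware VirtualCenter administration account

Principal -: user27
Full Name -:

------------------

Group Information:
Principal -: test
Full Name -:
GID       -: 500

Users in group test:
Principal -: user27
Full Name -:

------------------
"""

Group = Dict[str, object]


def parse_groups(listing: str) -> Dict[str, Group]:
    """Map group name -> {"gid": int, "members": [principal, ...]}."""
    groups: Dict[str, Group] = {}
    name = None          # group whose record is currently being read
    in_members = False   # True while inside a "Users in group X:" block
    for line in listing.splitlines():
        if line.startswith("Group Information:") or SEP_RE.match(line):
            name, in_members = None, False
            continue
        if line.startswith("Users in group"):
            in_members = True
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if in_members:
            # Member records repeat Principal/Full Name; only the principal matters.
            if key == "Principal" and name is not None:
                groups[name]["members"].append(value)
        elif key == "Principal":
            name = value
            groups[name] = {"gid": -1, "members": []}
        elif key == "GID" and name is not None:
            groups[name]["gid"] = int(value)
    return groups


# Assumption of this example: these are the groups whose membership to review first.
PRIVILEGED_GROUPS = ("root", "wheel")


def privileged_members(groups: Dict[str, Group]) -> Dict[str, List[str]]:
    """Members of each privileged group that appears in the listing."""
    return {g: list(groups[g]["members"]) for g in PRIVILEGED_GROUPS if g in groups}


def groups_of(groups: Dict[str, Group], principal: str) -> List[str]:
    """Every group a principal belongs to, e.g. to confirm step 8 took effect."""
    return sorted(g for g, info in groups.items() if principal in info["members"])


if __name__ == "__main__":
    groups = parse_groups(GROUP_LISTING)
    print("privileged group members:", privileged_members(groups))
    print("user27 is in:", groups_of(groups, "user27"))
```

Running `groups_of` before and after step 8 gives a mechanical check that the modify command added exactly the intended membership and nothing else, and `privileged_members` is the line to compare against a known baseline on every host.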
2 comments:

Unknown said...

What might happen if I'm getting a "Host Account Manager not found" error message when trying to list users or groups?

Hatfira said...

I had that very thing happen to me, which is what led me to this page. Since I figured it out, I'm hoping it will help you (or someone in your boat.) What was the cause for this was that I had the server name incorrect. To be more specific, I had a DNS error that did not allow the server name to resolve correctly. I ended up using the IP address of the ESX server and was able to (in my case) remove the vpxuser as needed.

Hope it helps!