
A question that comes up on VMware's forums occasionally is about the ESXi root account and whether it can be deleted. The account should not be deleted, but it is possible to remove the account from the Administrator role that it is granted at the host level. That prevents the root account from being used to make a connection with the vSphere client or other vSphere API methods. With the Administrator role revoked, the root account can still log in at the DCUI.

If the Administrator role is removed from the root account, this prevents virtual machines from starting that have been configured to start automatically in Configuration > Virtual Machine Startup/Shutdown. To enable automatic start, create a new role with the following two permissions:

Host > Configuration > Virtual machine autostart configuration
Virtual Machine > Interaction > Power On

The root account should be assigned this new role at the host level.

When I was trying to determine the required permissions for this, I started with a role that just had the Power On permission. I used vim-cmd in Tech Support Mode to test the role as shown in the following output. With just the Power On permission the command failed with the error shown.

~ # vim-cmd hostsvc/autostartmanager/autostart
(vim.fault.NoPermission) {
dynamicType = <unset>,
faultCause = (vmodl.MethodFault) null,
object = 'vim.host.AutoStartManager:ha-autostart-mgr',
privilegeId = "Host.Config.AutoStart",
msg = "Permission to perform this operation was denied.",
}
~ # Host.Config.AutoStart

To determine which permission corresponded with the privilegeId of Host.Config.AutoStart, I ran the following PowerCLI cmdlet on the Administrator role (which I assume is granted all privileges on a stand-alone host). The output of that command is shown below.

Get-VIPrivilege -Role "Admin"
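The following PowerCLI script is an added example, not code from the original post. It ties the two steps above together: it resolves the two privilege ids (the Host.Config.AutoStart id reported by the vim.fault.NoPermission error and VirtualMachine.Interact.PowerOn) against the Admin role's privilege list, creates the new role, and grants it to root at the host level. The host name, role name and the idempotency check are assumptions for illustration. Run it while root still holds the Administrator role, so that the new permission is in place before the Administrator role is removed.

```powershell
# Added example (not from the original post). Assumes PowerCLI is loaded and that
# you are connecting directly to a stand-alone ESXi host with an account that can
# still manage roles and permissions (for example root before its Admin role is removed).
$HostName = 'esxi-host.example.local'   # placeholder host name
$RoleName = 'VM Autostart'              # assumed name for the new role

# Connect to the host (prompts for credentials).
Connect-VIServer -Server $HostName | Out-Null

# The two privileges the post identifies. Host.Config.AutoStart is the privilegeId
# from the vim.fault.NoPermission error shown above.
$PrivilegeIds = @('Host.Config.AutoStart', 'VirtualMachine.Interact.PowerOn')

# Resolve the ids against the Admin role so a mistyped id fails here,
# rather than surfacing later as a VM that does not start at boot.
$AdminRole  = Get-VIRole -Name 'Admin'
$Privileges = @(Get-VIPrivilege -Role $AdminRole | Where-Object { $PrivilegeIds -contains $_.Id })
if ($Privileges.Count -ne $PrivilegeIds.Count) {
    throw "Could not resolve all of '$($PrivilegeIds -join ', ')' on $HostName"
}

# Create the role, reusing it if it already exists (assumed idempotency check).
$Role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $Role) {
    $Role = New-VIRole -Name $RoleName -Privilege $Privileges
}

# Grant root the role at the host level. Propagation lets the Power On
# privilege apply to the VMs below the host, which is where autostart acts.
$HostEntity = Get-VMHost -Name $HostName
New-VIPermission -Entity $HostEntity -Principal 'root' -Role $Role -Propagate:$true | Out-Null

# Verify: root's permissions on the host, and the privileges the new role carries.
Get-VIPermission -Entity $HostEntity -Principal 'root' | Format-Table Principal, Role, Propagate
Get-VIPrivilege -Role $Role | Format-Table Id, Description

Disconnect-VIServer -Server $HostName -Confirm:$false
```

The final two commands are the check worth keeping: the permission listing should show root holding the new role on the host, and the privilege listing should show exactly the two ids. Re-running the vim-cmd hostsvc/autostartmanager/autostart test from Tech Support Mode as root after the Administrator role is removed confirms the role is sufficient.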

Description Id
The only privilege held by sessions which have not logged in System.Anonymous
Visibility without read access to an entity. This is assigned implicitly by the system, if read privileges are assigned at lower levels in the inventory System.View
Grants read access to an entity System.Read
Add, remove, and rename custom attribute definitions Global.ManageCustomFields
Set the value of a custom attribute on an object Global.SetCustomField
Log a user-defined event on an object Global.LogEvent
Cancel a running task Global.CancelTask
Manage licenses Global.Licenses
Export diagnostic data Global.Diagnostics
Edit global settings Global.Settings
Act as the vCenter Server Global.VCServer
Discover and convert physical host to virtual machine Global.CapacityPlanning
Schedule an external script action Global.ScriptAction
Add or remove endpoints to or from the proxy Global.Proxy
Operations are disabled in vCenter Global.DisableMethods
Operations are enabled in vCenter Global.EnableMethods
Access the directory service Global.ServiceManagers
Access the health of vCenter group Global.Health
Add or remove system tag Global.SystemTag
Add or remove global tag Global.GlobalTag
Create folder Folder.Create
Delete folder Folder.Delete
Rename folder Folder.Rename
Move folder Folder.Move
Create a datacenter Datacenter.Create
Remove a datacenter Datacenter.Delete
Rename a datacenter Datacenter.Rename
Move a datacenter Datacenter.Move
Configure IP pool on a datacenter Datacenter.IpPoolConfig
Rename a datastore Datastore.Rename
Move a datastore Datastore.Move
Remove a datastore from the datacenter Datastore.Delete
Browse a datastore Datastore.Browse
Remove a file from a datastore Datastore.DeleteFile
Perform low level file operations on a datastore Datastore.FileManagement
Allocate space on a datastore Datastore.AllocateSpace
Configure a datastore Datastore.Config
Update virtual machine files on a datastore Datastore.UpdateVirtualMachineFiles
Move a network Network.Move
Remove a network Network.Delete
Configure a network Network.Config
Assign network to virtual machine, host service console, VMkernel virtual NIC or physical NIC Network.Assign
Create a vNetwork Distributed Switch DVSwitch.Create
Change the configuration of a vNetwork Distributed Switch DVSwitch.Modify
Change the host member of a vNetwork Distributed Switch DVSwitch.HostOp
Change the policy of a vNetwork Distributed Switch DVSwitch.PolicyOp
Change the configuration of a port in a vNetwork Distributed Switch DVSwitch.PortConfig
Change the setting of a port in a vNetwork Distributed Switch DVSwitch.PortSetting
Delete a vNetwork Distributed Switch DVSwitch.Delete
Move a vNetwork Distributed Switch into another folder DVSwitch.Move
Change the VSPAN configuration of a vNetwork Distributed Switch DVSwitch.Vspan
Add or update network I/O control resource pools DVSwitch.ResourceManagement
Create a dvPort group DVPortgroup.Create
Modify the configuration of a dvPort group DVPortgroup.Modify
Set the policy of a dvPort group DVPortgroup.PolicyOp
Set the scope of a dvPort group DVPortgroup.ScopeOp
Delete a dvPort group DVPortgroup.Delete
Add a standalone host Host.Inventory.AddStandaloneHost
Create a cluster along with its initial specification Host.Inventory.CreateCluster
Add a host to a cluster Host.Inventory.AddHostToCluster
Remove a host Host.Inventory.RemoveHostFromCluster
Move a cluster or standalone host Host.Inventory.MoveCluster
Rename cluster Host.Inventory.RenameCluster
Remove a cluster or standalone host Host.Inventory.DeleteCluster
Modify a cluster's specification Host.Inventory.EditCluster
Move a host between clusters Host.Inventory.MoveHost
Configure authentication stores Host.Config.AuthenticationStore
Remote file management and CIM read/write access Host.Config.SystemManagement
Connect or disconnect a host Host.Config.Connection
Enable and disable maintenance mode Host.Config.Maintenance
Virtual machine autostart configuration Host.Config.AutoStart
Enable/disable hyperthreading Host.Config.HyperThreading
Storage, host datastore, and diagnostic partition configuration Host.Config.Storage
Configure internet services and firewall Host.Config.NetService
Service console memory reservation Host.Config.Memory
Network configuration Host.Config.Network
Modify advanced settings for the host Host.Config.AdvancedConfig
Modify system resource settings Host.Config.Resources
Modify SNMP settings Host.Config.Snmp
Change date and time settings for the host Host.Config.DateTime
Change PciPassthru settings for the host Host.Config.PciPassthru
Change host settings Host.Config.Settings
Query host patches Host.Config.Patch
Firmware system operations Host.Config.Firmware
Power system operations Host.Config.Power
Bring the host under vCenter management Host.Local.InstallAgent
User account management Host.Local.ManageUserGroups
Create a virtual machine without registering it Host.Local.CreateVM
Reconfigure a virtual machine Host.Local.ReconfigVM
Delete an unregistered virtual machine Host.Local.DeleteVM
Establish a remote connection to a CIM interface Host.Cim.CimInteraction
Create a new virtual machine or template VirtualMachine.Inventory.Create
Create a virtual machine based on an existing virtual machine or template VirtualMachine.Inventory.CreateFromExisting
Add an existing virtual machine to the inventory VirtualMachine.Inventory.Register
Remove a virtual machine VirtualMachine.Inventory.Delete
Unregister a virtual machine VirtualMachine.Inventory.Unregister
Move a virtual machine VirtualMachine.Inventory.Move
Power On or resume a virtual machine VirtualMachine.Interact.PowerOn
Power Off a virtual machine VirtualMachine.Interact.PowerOff
Suspend a virtual machine VirtualMachine.Interact.Suspend
Reset (power cycle) a virtual machine VirtualMachine.Interact.Reset
Answer a virtual machine run-time question VirtualMachine.Interact.AnswerQuestion
Interact with the virtual machine console VirtualMachine.Interact.ConsoleInteract
Connect/disconnect media and network devices VirtualMachine.Interact.DeviceConnection
Configure a different media for virtual CD-ROMs VirtualMachine.Interact.SetCDMedia
Configure a different media for virtual floppies VirtualMachine.Interact.SetFloppyMedia
Install VMware Tools (or mount/unmount the tools installer image) VirtualMachine.Interact.ToolsInstall
Acquire a ticket to connect to a virtual machine guest control service remotely VirtualMachine.Interact.GuestControl
Defragment all disks on the virtual machine VirtualMachine.Interact.DefragmentAllDisks
Turn On Fault Tolerance for this virtual machine VirtualMachine.Interact.CreateSecondary
Turn Off Fault Tolerance for this virtual machine VirtualMachine.Interact.TurnOffFaultTolerance
Make the Secondary VM the Primary VM VirtualMachine.Interact.MakePrimary
Terminate the Secondary VM VirtualMachine.Interact.TerminateFaultTolerantVM
Disable the Secondary VM VirtualMachine.Interact.DisableSecondary
Enable the Secondary VM VirtualMachine.Interact.EnableSecondary
Record session on a virtual machine VirtualMachine.Interact.Record
Replay session on a virtual machine VirtualMachine.Interact.Replay
Backup operations on a virtual machine VirtualMachine.Interact.Backup
Create a screenshot VirtualMachine.Interact.CreateScreenshot
Rename a virtual machine VirtualMachine.Config.Rename
Browse for and attach an existing virtual disk VirtualMachine.Config.AddExistingDisk
Create and attach a new virtual disk VirtualMachine.Config.AddNewDisk
Detach and optionally remove a virtual disk VirtualMachine.Config.RemoveDisk
Virtual machine raw device configuration VirtualMachine.Config.RawDevice
Add, remove or edit a virtual USB device backed by a host USB device VirtualMachine.Config.HostUSBDevice
Change the number of virtual CPUs VirtualMachine.Config.CPUCount
Set the amount of virtual machine memory VirtualMachine.Config.Memory
Add or remove virtual devices VirtualMachine.Config.AddRemoveDevice
Modify virtual device settings VirtualMachine.Config.EditDevice
Change virtual machine settings VirtualMachine.Config.Settings
Change virtual machine resource allocations VirtualMachine.Config.Resource
Upgrade virtual hardware VirtualMachine.Config.UpgradeVirtualHardware
Reset guest information variables VirtualMachine.Config.ResetGuestInfo
Make advanced configuration changes VirtualMachine.Config.AdvancedConfig
Lease disks for disk manager VirtualMachine.Config.DiskLease
Set the placement policy for a single virtual machine's swapfile VirtualMachine.Config.SwapPlacement
Extend virtual disk VirtualMachine.Config.DiskExtend
Enable or disable change tracking for the virtual machine's disks VirtualMachine.Config.ChangeTracking
Unlock an encrypted virtual machine VirtualMachine.Config.Unlock
Query unowned files VirtualMachine.Config.QueryUnownedFiles
Reload Virtual Machine from new configuration path VirtualMachine.Config.ReloadFromPath
Check if a virtual machine is compatible for Fault Tolerance VirtualMachine.Config.QueryFTCompatibility
Create a snapshot VirtualMachine.State.CreateSnapshot
Make a snapshot current VirtualMachine.State.RevertToSnapshot
Remove a snapshot VirtualMachine.State.RemoveSnapshot
Rename a snapshot VirtualMachine.State.RenameSnapshot
Customize a virtual machine's guest operating system VirtualMachine.Provisioning.Customize
Clone a virtual machine VirtualMachine.Provisioning.Clone
Promote a virtual machine's disks VirtualMachine.Provisioning.PromoteDisks
Create a template from a virtual machine VirtualMachine.Provisioning.CreateTemplateFromVM
Deploy a virtual machine from a template VirtualMachine.Provisioning.DeployTemplate
Clone a template VirtualMachine.Provisioning.CloneTemplate
Mark a virtual machine as a template VirtualMachine.Provisioning.MarkAsTemplate
Mark a template as a virtual machine VirtualMachine.Provisioning.MarkAsVM
Read customization specifications VirtualMachine.Provisioning.ReadCustSpecs
Create, edit or delete customization specifications VirtualMachine.Provisioning.ModifyCustSpecs
Allow random access to disk files through a separate NFC connection VirtualMachine.Provisioning.DiskRandomAccess
Allow read-only random access to disk files through a separate NFC connection VirtualMachine.Provisioning.DiskRandomRead
Allow download of virtual machines (used by provisioning operations) VirtualMachine.Provisioning.GetVmFiles
Allow upload of virtual machine (used by provisioning operations) VirtualMachine.Provisioning.PutVmFiles
Query virtual rights management policy VRMPolicy.Query
Update virtual rights management policy VRMPolicy.Update
Assign a virtual machine to a resource pool Resource.AssignVMToPool
Assign a vApp to a resource pool Resource.AssignVAppToPool
Apply a DRS vMotion recommendation Resource.ApplyRecommendation
Create a resource pool Resource.CreatePool
Rename a resource pool Resource.RenamePool
Modify a resource pool Resource.EditPool
Move a resource pool Resource.MovePool
Remove a resource pool Resource.DeletePool
Migrate a powered on virtual machine Resource.HotMigrate
Relocate a powered off virtual machine Resource.ColdMigrate
Query vMotion compatibility of a set of hosts Resource.QueryVMotion
Create an alarm Alarm.Create
Remove an alarm Alarm.Delete
Modify an alarm Alarm.Edit
Acknowledge an alarm Alarm.Acknowledge
Set status for an alarm Alarm.SetStatus
Disable actions for an alarm Alarm.DisableActions
Create a task Task.Create
Update a task Task.Update
Create a scheduled task ScheduledTask.Create
Remove a scheduled task ScheduledTask.Delete
Run a scheduled task immediately ScheduledTask.Run
Edit a scheduled task ScheduledTask.Edit
Monitor who is logged in and stop sessions Sessions.TerminateSession
Verify session validity Sessions.ValidateSession
Modify the message (seen by all users when logging in) Sessions.GlobalMessage
Impersonate users Sessions.ImpersonateUser
Modify historical intervals Performance.ModifyIntervals
Modify a role's name or privileges Authorization.ModifyRoles
Reassign the permissions of one role to another Authorization.ReassignRolePermissions
Modify a permission's role or propagation Authorization.ModifyPermissions
Register extensions Extension.Register
Update extensions Extension.Update
Unregister extensions Extension.Unregister
Edit vApp resource configuration VApp.ResourceConfig
Edit vApp instance configuration, such as policies and property values VApp.InstanceConfig
Edit vApp application configuration, such as product info VApp.ApplicationConfig
Export vApp VApp.Export
Import vApp VApp.Import
View the OVF environment for a virtual machine VApp.ExtractOvfEnvironment
Add a virtual machine to the vApp VApp.AssignVM
Assign resource pool to vApp VApp.AssignResourcePool
Assign a vApp to another vApp VApp.AssignVApp
Clone a vApp VApp.Clone
Create a new vApp VApp.Create
Delete a vApp VApp.Delete
Unregister a vApp VApp.Unregister
Move a vApp VApp.Move
Power On a vApp VApp.PowerOn
Power Off a vApp VApp.PowerOff
Suspend a vApp VApp.Suspend
Rename a vApp VApp.Rename
Create a host profile Profile.Create
Delete a host profile Profile.Delete
Edit a host profile Profile.Edit
View a host profile Profile.View
Clear host profile related information Profile.Clear
Export a host profile Profile.Export


Copyright © 2011 - Dave Mishchenko