A question that comes up on VMware’s forums occasionally is about the ESXi root account and the possibility of deleting the account. The account should not be deleted, but it is possible to remove the account from the Administrator role that it is granted at the host level. That prevents the root account from being used to make a connection with the vSphere client or other vSphere API methods. With the administrator role revoked, the root account can still login at the DCUI.
If the Administrator role is removed from the root account, this prevents virtual machines from starting that have been configured to start with automatically in Configuration > Virtual Machine Startup/Shutdown. To enable automatic start, create a new role with the following two permissions:
Host > Configuration > Virtual machine autostart configuration
Virtual Machine > Interaction > Power On
The root account should be assigned this new role at the host level.
When I was trying to determine the required permissions for this, I started with a role that just had the Power On permission. I used vim-cmd in Tech Support Mode to test the role as shown in the following output. With just the Power On permission the command failed with the error shown.
~ # vim-cmd hostsvc/autostartmanager/autostart
(vim.fault.NoPermission) {
dynamicType = ,
faultCause = (vmodl.MethodFault) null,
object = 'vim.host.AutoStartManager:ha-autostart-mgr',
privilegeId = "Host.Config.AutoStart",
msg = "Permission to perform this operation was denied.",
}
~ # Host.Config.AutoStart
To determine which permission corresponded with the privilegeId of Host.Config.AutoStart I ran the following PowerCLI cmd-let on the Administrator role (which I assume is granted all privileges on a stand alone host. The output of that command is shown below.
Get-VIPrivilege -Role “Admin”
| Description | Id |
| The only privilege held by sessions which have not logged in | System.Anonymous |
| Visibility without read access to an entity. This is assigned implicitly by the system, if read privileges are assigned at lower levels in the inventory | System.View |
| Grants read access to an entity | System.Read |
| Add, remove, and rename custom attribute definitions | Global.ManageCustomFields |
| Set the value of a custom attribute on an object | Global.SetCustomField |
| Log a user-defined event on an object | Global.LogEvent |
| Cancel a running task | Global.CancelTask |
| Manage licenses | Global.Licenses |
| Export diagnostic data | Global.Diagnostics |
| Edit global settings | Global.Settings |
| Act as the vCenter Server | Global.VCServer |
| Discover and convert physical host to virtual machine | Global.CapacityPlanning |
| Schedule an external script action | Global.ScriptAction |
| Add or remove endpoints to or from the proxy | Global.Proxy |
| Operations are disabled in vCenter | Global.DisableMethods |
| Operations are enabled in vCenter | Global.EnableMethods |
| Access the directory service | Global.ServiceManagers |
| Access the health of vCenter group | Global.Health |
| Add or remove system tag | Global.SystemTag |
| Add or remove global tag | Global.GlobalTag |
| Create folder | Folder.Create |
| Delete folder | Folder.Delete |
| Rename folder | Folder.Rename |
| Move folder | Folder.Move |
| Create a datacenter | Datacenter.Create |
| Remove a datacenter | Datacenter.Delete |
| Rename a datacenter | Datacenter.Rename |
| Move a datacenter | Datacenter.Move |
| Configure IP pool on a datacenter | Datacenter.IpPoolConfig |
| Rename a datastore | Datastore.Rename |
| Move a datastore | Datastore.Move |
| Remove a datastore from the datacenter | Datastore.Delete |
| Browse a datastore | Datastore.Browse |
| Remove a file from a datastore | Datastore.DeleteFile |
| Perform low level file operations on a datastore | Datastore.FileManagement |
| Allocate space on a datastore | Datastore.AllocateSpace |
| Configure a datastore | Datastore.Config |
| Update virtual machine files on a datastore | Datastore.UpdateVirtualMachineFiles |
| Move a network | Network.Move |
| Remove a network | Network.Delete |
| Configure a network | Network.Config |
| Assign network to virtual machine, host service console, VMkernel virtual NIC or physical NIC | Network.Assign |
| Create a vNetwork Distributed Switch | DVSwitch.Create |
| Change the configuration of a vNetwork Distributed Switch | DVSwitch.Modify |
| Change the host member of a vNetwork Distributed Switch | DVSwitch.HostOp |
| Change the policy of a vNetwork Distributed Switch | DVSwitch.PolicyOp |
| Change the configuration of a port in a vNetwork Distributed Switch | DVSwitch.PortConfig |
| Change the setting of a port in a vNetwork Distributed Switch | DVSwitch.PortSetting |
| Delete a vNetwork Distributed Switch | DVSwitch.Delete |
| Move a vNetwork Distributed Switch into another folder | DVSwitch.Move |
| Change the VSPAN configuration of a vNetwork Distributed Switch | DVSwitch.Vspan |
| Add or update network I/O control resource pools | DVSwitch.ResourceManagement |
| Create a dvPort group | DVPortgroup.Create |
| Modify the configuration of a dvPort group | DVPortgroup.Modify |
| Set the policy of a dvPort group | DVPortgroup.PolicyOp |
| Set the scope of a dvPort group | DVPortgroup.ScopeOp |
| Delete a dvPort group | DVPortgroup.Delete |
| Add a standalone host | Host.Inventory.AddStandaloneHost |
| Create a cluster along with its initial specification | Host.Inventory.CreateCluster |
| Add a host to a cluster | Host.Inventory.AddHostToCluster |
| Remove a host | Host.Inventory.RemoveHostFromCluster |
| Move a cluster or standalone host | Host.Inventory.MoveCluster |
| Rename cluster | Host.Inventory.RenameCluster |
| Remove a cluster or standalone host | Host.Inventory.DeleteCluster |
| Modify a cluster’s specification | Host.Inventory.EditCluster |
| Move a host between clusters | Host.Inventory.MoveHost |
| Configure authentication stores | Host.Config.AuthenticationStore |
| Remote file management and CIM read/write access | Host.Config.SystemManagement |
| Connect or disconnect a host | Host.Config.Connection |
| Enable and disable maintenance mode | Host.Config.Maintenance |
| Virtual machine autostart configuration | Host.Config.AutoStart |
| Enable/disable hyperthreading | Host.Config.HyperThreading |
| Storage, host datastore, and diagnostic partition configuration | Host.Config.Storage |
| Configure internet services and firewall | Host.Config.NetService |
| Service console memory reservation | Host.Config.Memory |
| Network configuration | Host.Config.Network |
| Modify advanced settings for the host | Host.Config.AdvancedConfig |
| Modify system resource settings | Host.Config.Resources |
| Modify SNMP settings | Host.Config.Snmp |
| Change date and time settings for the host | Host.Config.DateTime |
| Change PciPassthru settings for the host | Host.Config.PciPassthru |
| Change host settings | Host.Config.Settings |
| Query host patches | Host.Config.Patch |
| Firmware system operations | Host.Config.Firmware |
| Power system operations | Host.Config.Power |
| Bring the host under vCenter management | Host.Local.InstallAgent |
| User account management | Host.Local.ManageUserGroups |
| Create a virtual machine without registering it | Host.Local.CreateVM |
| Reconfigure a virtual machine | Host.Local.ReconfigVM |
| Delete an unregistered virtual machine | Host.Local.DeleteVM |
| Establish a remote connection to a CIM interface | Host.Cim.CimInteraction |
| Create a new virtual machine or template | VirtualMachine.Inventory.Create |
| Create a virtual machine based on an existing virtual machine or template | VirtualMachine.Inventory.CreateFromExisting |
| Add an existing virtual machine to the inventory | VirtualMachine.Inventory.Register |
| Remove a virtual machine | VirtualMachine.Inventory.Delete |
| Unregister a virtual machine | VirtualMachine.Inventory.Unregister |
| Move a virtual machine | VirtualMachine.Inventory.Move |
| Power On or resume a virtual machine | VirtualMachine.Interact.PowerOn |
| Power Off a virtual machine | VirtualMachine.Interact.PowerOff |
| Suspend a virtual machine | VirtualMachine.Interact.Suspend |
| Reset (power cycle) a virtual machine | VirtualMachine.Interact.Reset |
| Answer a virtual machine run-time question | VirtualMachine.Interact.AnswerQuestion |
| Interact with the virtual machine console | VirtualMachine.Interact.ConsoleInteract |
| Connect/disconnect media and network devices | VirtualMachine.Interact.DeviceConnection |
| Configure a different media for virtual CD-ROMs | VirtualMachine.Interact.SetCDMedia |
| Configure a different media for virtual floppies | VirtualMachine.Interact.SetFloppyMedia |
| Install VMware Tools (or mount/unmount the tools installer image) | VirtualMachine.Interact.ToolsInstall |
| Acquire a ticket to connect to a virtual machine guest control service remotely | VirtualMachine.Interact.GuestControl |
| Defragment all disks on the virtual machine | VirtualMachine.Interact.DefragmentAllDisks |
| Turn On Fault Tolerance for this virtual machine | VirtualMachine.Interact.CreateSecondary |
| Turn Off Fault Tolerance for this virtual machine | VirtualMachine.Interact.TurnOffFaultTolerance |
| Make the Secondary VM the Primary VM | VirtualMachine.Interact.MakePrimary |
| Terminate the Secondary VM | VirtualMachine.Interact.TerminateFaultTolerantVM |
| Disable the Secondary VM | VirtualMachine.Interact.DisableSecondary |
| Enable the Secondary VM | VirtualMachine.Interact.EnableSecondary |
| Record session on a virtual machine | VirtualMachine.Interact.Record |
| Replay session on a virtual machine | VirtualMachine.Interact.Replay |
| Backup operations on a virtual machine | VirtualMachine.Interact.Backup |
| Create a screenshot | VirtualMachine.Interact.CreateScreenshot |
| Rename a virtual machine | VirtualMachine.Config.Rename |
| Browse for and attach an existing virtual disk | VirtualMachine.Config.AddExistingDisk |
| Create and attach a new virtual disk | VirtualMachine.Config.AddNewDisk |
| Detach and optionally remove a virtual disk | VirtualMachine.Config.RemoveDisk |
| Virtual machine raw device configuration | VirtualMachine.Config.RawDevice |
| Add, remove or edit a virtual USB device backed by a host USB device | VirtualMachine.Config.HostUSBDevice |
| Change the number of virtual CPUs | VirtualMachine.Config.CPUCount |
| Set the amount of virtual machine memory | VirtualMachine.Config.Memory |
| Add or remove virtual devices | VirtualMachine.Config.AddRemoveDevice |
| Modify virtual device settings | VirtualMachine.Config.EditDevice |
| Change virtual machine settings | VirtualMachine.Config.Settings |
| Change virtual machine resource allocations | VirtualMachine.Config.Resource |
| Upgrade virtual hardware | VirtualMachine.Config.UpgradeVirtualHardware |
| Reset guest information variables | VirtualMachine.Config.ResetGuestInfo |
| Make advanced configuration changes | VirtualMachine.Config.AdvancedConfig |
| Lease disks for disk manager | VirtualMachine.Config.DiskLease |
| Set the placement policy for a single virtual machine’s swapfile | VirtualMachine.Config.SwapPlacement |
| Extend virtual disk | VirtualMachine.Config.DiskExtend |
| Enable or disable change tracking for the virtual machine’s disks | VirtualMachine.Config.ChangeTracking |
| Unlock an encrypted virtual machine | VirtualMachine.Config.Unlock |
| Query unowned files | VirtualMachine.Config.QueryUnownedFiles |
| Reload Virtual Machine from new configuration path | VirtualMachine.Config.ReloadFromPath |
| Check if a virtual machine is compatible for Fault Tolerance | VirtualMachine.Config.QueryFTCompatibility |
| Create a snapshot | VirtualMachine.State.CreateSnapshot |
| Make a snapshot current | VirtualMachine.State.RevertToSnapshot |
| Remove a snapshot | VirtualMachine.State.RemoveSnapshot |
| Rename a snapshot | VirtualMachine.State.RenameSnapshot |
| Customize a virtual machine’s guest operating system | VirtualMachine.Provisioning.Customize |
| Clone a virtual machine | VirtualMachine.Provisioning.Clone |
| Promote a virtual machine’s disks | VirtualMachine.Provisioning.PromoteDisks |
| Create a template from a virtual machine | VirtualMachine.Provisioning.CreateTemplateFromVM |
| Deploy a virtual machine from a template | VirtualMachine.Provisioning.DeployTemplate |
| Clone a template | VirtualMachine.Provisioning.CloneTemplate |
| Mark a virtual machine as a template | VirtualMachine.Provisioning.MarkAsTemplate |
| Mark a template as a virtual machine | VirtualMachine.Provisioning.MarkAsVM |
| Read customization specifications | VirtualMachine.Provisioning.ReadCustSpecs |
| Create, edit or delete customization specifications | VirtualMachine.Provisioning.ModifyCustSpecs |
| Allow random access to disk files through a separate NFC connection | VirtualMachine.Provisioning.DiskRandomAccess |
| Allow read-only random access to disk files through a separate NFC connection | VirtualMachine.Provisioning.DiskRandomRead |
| Allow download of virtual machines (used by provisioning operations) | VirtualMachine.Provisioning.GetVmFiles |
| Allow upload of virtual machine (used by provisioning operations) | VirtualMachine.Provisioning.PutVmFiles |
| Query virtual rights management policy | VRMPolicy.Query |
| Update virtual rights management policy | VRMPolicy.Update |
| Assign a virtual machine to a resource pool | Resource.AssignVMToPool |
| Assign a vApp to a resource pool | Resource.AssignVAppToPool |
| Apply a DRS vMotion recommendation | Resource.ApplyRecommendation |
| Create a resource pool | Resource.CreatePool |
| Rename a resource pool | Resource.RenamePool |
| Modify a resource pool | Resource.EditPool |
| Move a resource pool | Resource.MovePool |
| Remove a resource pool | Resource.DeletePool |
| Migrate a powered on virtual machine | Resource.HotMigrate |
| Relocate a powered off virtual machine | Resource.ColdMigrate |
| Query vMotion compatibility of a set of hosts | Resource.QueryVMotion |
| Create an alarm | Alarm.Create |
| Remove an alarm | Alarm.Delete |
| Modify an alarm | Alarm.Edit |
| Acknowledge an alarm | Alarm.Acknowledge |
| Set status for an alarm | Alarm.SetStatus |
| Disable actions for an alarm | Alarm.DisableActions |
| Create a task | Task.Create |
| Update a task | Task.Update |
| Create a scheduled task | ScheduledTask.Create |
| Remove a scheduled task | ScheduledTask.Delete |
| Run a scheduled task immediately | ScheduledTask.Run |
| Edit a scheduled task | ScheduledTask.Edit |
| Monitor who is logged in and stop sessions | Sessions.TerminateSession |
| Verify session validity | Sessions.ValidateSession |
| Modify the message (seen by all users when logging in) | Sessions.GlobalMessage |
| Impersonate users | Sessions.ImpersonateUser |
| Modify historical intervals | Performance.ModifyIntervals |
| Modify a role’s name or privileges | Authorization.ModifyRoles |
| Reassign the permissions of one role to another | Authorization.ReassignRolePermissions |
| Modify a permission’s role or propagation | Authorization.ModifyPermissions |
| Register extensions | Extension.Register |
| Update extensions | Extension.Update |
| Unregister extensions | Extension.Unregister |
| Edit vApp resource configuration | VApp.ResourceConfig |
| Edit vApp instance configuration, such as policies and property values | VApp.InstanceConfig |
| Edit vApp application configuration, such as product info | VApp.ApplicationConfig |
| Export vApp | VApp.Export |
| Import vApp | VApp.Import |
| View the OVF environment for a virtual machine | VApp.ExtractOvfEnvironment |
| Add a virtual machine to the vApp | VApp.AssignVM |
| Assign resource pool to vApp | VApp.AssignResourcePool |
| Assign a vApp to another vApp | VApp.AssignVApp |
| Clone a vApp | VApp.Clone |
| Create a new vApp | VApp.Create |
| Delete a vApp | VApp.Delete |
| Unregister a vApp | VApp.Unregister |
| Move a vApp | VApp.Move |
| Power On a vApp | VApp.PowerOn |
| Power Off a vApp | VApp.PowerOff |
| Suspend a vApp | VApp.Suspend |
| Rename a vApp | VApp.Rename |
| Create a host profile | Profile.Create |
| Delete a host profile | Profile.Delete |
| Edit a host profile | Profile.Edit |
| View a host profile | Profile.View |
| Clear host profile related information | Profile.Clear |
| Export a host profile | Profile.Export |