Using the ESX Admins AD group on ESXi: domain membership and user authentication

Article ID: 316499

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

This article describes how an ESXi host uses the ESX Admins AD group, and describes alternative ways of granting AD users and groups access to ESXi hosts.

Symptoms:
  • After successfully joining an ESXi host to an Active Directory (AD) domain, this message is logged repeatedly in the /var/log/messages or /var/log/syslog.log file on the ESXi host:

    nssquery: Group lookup failed for 'AD Domain Name\ESX Admins'
  • In the /var/log/hostd.log file, you see an error similar to:

    [25CC6B90 warning 'UserDirectory'] Group lookup failed for 'AD_Domain_Name\ESX Admins'
  • No group named ESX Admins exists in the AD domain.
  • If a group named ESX Admins does exist in the AD domain, joining an ESXi host to the domain automatically grants that group (shown on the host as AD Domain Name\esx admins) the Administrator role.
  • Removing the Administrator role from the group initially succeeds, but restarting the ESXi host grants the Administrator role to the group again.
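
As an added example (not part of this article or of any VMware tooling), the following POSIX shell script extracts the group names from the two log messages above, so you can confirm which AD group a host is actually trying to resolve and how many times the lookup has failed. When run without arguments it uses constructed sample lines in the formats shown above, with CORP as a placeholder domain and vSphere-Host-Admins as a hypothetical custom group name; on a host, point it at the real log files.

```shell
#!/bin/sh
# Added example, not from the KB article: report which AD group(s) an ESXi
# host failed to resolve, using the "Group lookup failed" messages from
# /var/log/syslog.log (nssquery) and /var/log/hostd.log (UserDirectory).
#
#   sh esx_admins_lookups.sh /var/log/syslog.log /var/log/hostd.log
#
# With no arguments it runs on the constructed sample lines below.
LC_ALL=C
export LC_ALL

# Print each distinct 'DOMAIN\Group' that failed lookup, one per line.
# Both message formats quote the name the same way, so one expression
# serves both files; a missing closing quote (truncated line) is tolerated.
failed_group_lookups() {
    cat "$@" \
        | grep "Group lookup failed for '" \
        | sed -n "s/.*Group lookup failed for '\([^']*\)'\{0,1\}.*/\1/p" \
        | sed 's/[[:space:]]*$//' \
        | sort -u
    return 0
}

# Number of failed-lookup messages across the given files.
count_failed_lookups() {
    cat "$@" | grep -c "Group lookup failed for '"
    return 0
}

# 0 if any failed lookup was for the default group "ESX Admins" in any
# domain (AD group names are not case-sensitive), 1 otherwise.
queries_default_esx_admins() {
    failed_group_lookups "$@" | grep -qi '\\ESX Admins$'
}

# Constructed sample logs (placeholder domain CORP, hypothetical custom
# group vSphere-Host-Admins); prints the directory they were written to.
# The third syslog line deliberately lacks the closing quote, as in the
# truncated message some hosts log.
make_sample_logs() {
    sdir=$(mktemp -d)
    cat >"$sdir/syslog.log" <<'EOF'
2024-01-15T10:02:11Z nssquery: Group lookup failed for 'CORP\ESX Admins'
2024-01-15T10:02:11Z nssquery: Group lookup failed for 'CORP\vSphere-Host-Admins'
2024-01-15T10:02:41Z nssquery: Group lookup failed for 'CORP\ESX Admins
2024-01-15T10:03:00Z nssquery: (constructed) unrelated entry
EOF
    cat >"$sdir/hostd.log" <<'EOF'
2024-01-15T10:02:12.512Z [25CC6B90 warning 'UserDirectory'] Group lookup failed for 'CORP\ESX Admins'
2024-01-15T10:02:12.600Z [25CC6B90 info 'UserDirectory'] (constructed) unrelated entry
EOF
    printf '%s\n' "$sdir"
}

if [ "$#" -eq 0 ]; then
    dir=$(make_sample_logs)
    set -- "$dir/syslog.log" "$dir/hostd.log"
fi
echo "Failed AD group lookups: $(count_failed_lookups "$@") messages"
failed_group_lookups "$@"
if queries_default_esx_admins "$@"; then
    echo "This host is still looking up the default 'ESX Admins' group."
fi
```

A host that reports a group other than ESX Admins is one whose esxAdminsGroup setting was changed to a name that does not exist in AD; a host that reports ESX Admins is still on the default and will grant that group the Administrator role as soon as someone creates it.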


Environment

VMware ESXi 6.0.x
VMware ESXi 6.5.x
VMware vSphere ESXi 7.0.x

Cause

The host looks up a group named ESX Admins in the domain by default. If the AD group that you use as Administrator for the ESXi hosts is not named ESX Admins, and no group named ESX Admins exists in AD, the lookup fails and this message appears.

Resolution

By default, an ESXi host joined to an AD domain queries the domain for a group named ESX Admins. The group name can be changed with the Config.HostAgent.plugins.hostsvc.esxAdminsGroup advanced setting (see Workaround), but the lookup is performed on every domain-joined host. If the group exists in AD, it is granted the Administrator role on the host automatically, and every user account in that group receives full administrative privileges on the host, including the ability to log in to the host through SSH. Note that membership of that AD group, not anything configured on the host, decides who administers the host: anyone who can create the group or add members to it in AD can administer every host that uses the default name.

If this behavior is desirable, create the ESX Admins group in the AD domain and populate it with the user accounts or groups that should have administrative access to the hosts. Additional AD user accounts and groups can also be granted appropriate roles on the hosts.

If granting the Administrator role to the members of the ESX Admins group is not desirable, use one of these options:
  • Remove the ESX Admins group from AD, or do not create it, and grant other AD accounts/groups the appropriate roles. The log messages in /var/log/messages or /var/log/syslog.log continue on every host, and the hosts keep looking for the group: if anyone with rights to create groups in AD creates an ESX Admins group later, the hosts grant it the Administrator role automatically.
     
  • Change the role assigned to the ESX Admins group from Administrator to No Access, and grant other AD accounts/groups the appropriate roles. Members of the ESX Admins group then cannot access the ESXi host at all, so make sure that any user who needs access (administrative or otherwise) to the host is removed from the ESX Admins group.
     
  • Leave the Administrator role assigned to the ESX Admins group, but keep the group empty (no user accounts or nested groups), and grant other AD accounts/groups the appropriate roles. This requires the least administrative effort, but you must ensure that nobody adds accounts or groups to ESX Admins later: every account added in AD becomes an ESXi administrator without any change on the host.


Workaround:
Change the esxAdminsGroup setting from its default, ESX Admins, to the name of the AD group that holds your ESXi administrators; the hosts then look up and grant the Administrator role to that group instead:
  1. Navigate to the ESXi host in the vSphere Client (HTML5).
  2. Click the Configure tab, then under System click Advanced System Settings.
  3. Filter the list for Config.HostAgent.plugins.hostsvc.esxAdminsGroup and click Edit.
  4. Set Config.HostAgent.plugins.hostsvc.esxAdminsGroup to the name of the Administrator group that you want to use in Active Directory. The setting takes effect within a minute, and no reboot is required.
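
The same change from the ESXi shell with esxcli, as an added example that is not part of this article: the script reads the current value of Config.HostAgent.plugins.hostsvc.esxAdminsGroup (its esxcli path is /Config/HostAgent/plugins/hostsvc/esxAdminsGroup), warns if the host still uses the default name, and sets a new name if one is passed on the command line. The esxcli listing embedded for off-host runs is a constructed sample of the command's key/value output, and vSphere-Host-Admins is a placeholder group name. The commented esxAdminsGroupAutoAdd line refers to a separate advanced setting that this article does not describe; treat its availability on your build as an assumption to verify.

```shell
#!/bin/sh
# Added example, not from the KB article: check, and optionally change, the
# AD group that hostd grants the Administrator role to, from the ESXi shell.
#
#   sh esx_admins_setting.sh                       # report the current value
#   sh esx_admins_setting.sh "vSphere-Host-Admins" # set a new group name
#
# Off-host (no esxcli) the check runs on a constructed sample of the esxcli
# listing so the parsing can be exercised anywhere.
LC_ALL=C
export LC_ALL

# esxcli path of the Config.HostAgent.plugins.hostsvc.esxAdminsGroup setting
SETTING=/Config/HostAgent/plugins/hostsvc/esxAdminsGroup
DEFAULT_GROUP="ESX Admins"

# Constructed sample of "esxcli system settings advanced list -o $SETTING"
# output for a host that still has the default group name.
sample_setting_listing() {
    cat <<'EOF'
   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroup
   Type: string
   Int Value: 0
   Default Int Value: 0
   Min Value: 0
   Max Value: 0
   String Value: ESX Admins
   Default String Value: ESX Admins
   Description: (constructed sample)
EOF
}

# Extract the configured group name ("String Value") from a listing on stdin.
# "Default String Value" does not match because of the ^ anchor.
current_group_from_listing() {
    sed -n 's/^[[:space:]]*String Value:[[:space:]]*//p' | head -n 1
    return 0
}

# 0 if $1 is the default group name (AD names are case-insensitive), else 1.
is_default_group() {
    g=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    d=$(printf '%s' "$DEFAULT_GROUP" | tr '[:upper:]' '[:lower:]')
    [ "$g" = "$d" ]
}

have_esxcli() {
    command -v esxcli >/dev/null 2>&1
}

if have_esxcli; then
    listing=$(esxcli system settings advanced list -o "$SETTING")
else
    echo "esxcli not found; checking the constructed sample listing" >&2
    listing=$(sample_setting_listing)
fi
current=$(printf '%s\n' "$listing" | current_group_from_listing)
echo "esxAdminsGroup is currently '$current'"
if is_default_group "$current"; then
    echo "WARNING: default name in use; any AD group called '$DEFAULT_GROUP' receives Administrator on this host."
fi

if [ -n "$1" ] && have_esxcli; then
    # Point the host at your real administrators group; takes effect within
    # a minute, no reboot needed.
    esxcli system settings advanced set -o "$SETTING" -s "$1"
    # Assumption, not covered by this article: the companion setting below
    # stops hostd from granting the role automatically at all. Verify that it
    # exists on your build before relying on it.
    # esxcli system settings advanced set -o /Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd -i 0
    echo "esxAdminsGroup is now '$(esxcli system settings advanced list -o "$SETTING" | current_group_from_listing)'"
fi
```

Run the report form across every host before and after the change; a host that still prints the default name is one that any AD group called ESX Admins can take over.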


Additional Information

For more information, see the vSphere Datacenter Administration Guide. Related article for older releases: Using the ESX Admins AD group with ESX/ESXi 4.1 and ESXi 5.0 domain membership and user authentication.

Impact/Risks:
The repeated log messages have no functional impact on ESXi operations. The security impact of the default behavior is the one described under Resolution: every AD account that is a member of the ESX Admins group (or of the group named in esxAdminsGroup) has full administrative access to every domain-joined host, so control over that group's membership in AD must be treated as equivalent to administrative access to the hosts.