By default, an ESXi host joined to an AD domain queries the domain for the ESX Admins group, and this behavior is not configurable. If the group exists in AD, it is granted the Administrator role on the host, and any user accounts in that group receive full administrative privileges on the host and can log in to the host through SSH.
If this behavior is desirable, create the ESX Admins group in the AD domain and populate it with the user accounts or groups that should have administrative access to the hosts. Additional AD user accounts and groups can also be granted appropriate access to the hosts.
If granting the Administrator role to the user accounts or groups in the ESX Admins group is not desirable, use one of the following options:
- Remove the ESX Admins group from AD, or do not create it. Grant other AD accounts/groups the appropriate roles. Because the host still queries the domain for the group, you continue to see the log spew in the /var/log/messages or /var/log/syslog.log file on the ESXi hosts.
- Change the role assigned to the ESX Admins group from Administrator to No Access. Grant other AD accounts/groups the appropriate roles. In this case, any user accounts in the ESX Admins group cannot access the ESXi host, so ensure that any users who need access (administrative or otherwise) to the host are removed from the ESX Admins group.
- Assign the Administrator role to the ESX Admins group, but ensure there are no user accounts or groups in this group. Grant other AD accounts/groups the appropriate roles. This requires the least administrative effort, but you must ensure that user accounts or groups are not added to the ESX Admins group later.
Workaround:
Change the default esxAdminsGroup value from ESX Admins to the AD domain group that contains the host administrators:
- Navigate to the ESXi host in the vCenter vSphere Client (HTML5)
- Click the Configuration tab and click Advanced Settings
- Navigate to Config > HostAgent
- Change the Config.HostAgent.plugins.hostsvc.esxAdminsGroup setting to match the Administrator group that you want to use in Active Directory. The setting takes effect within a minute, and no reboot is required.
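The same change can be audited and applied across all hosts in a vCenter from PowerCLI. The script below is an added example, not part of this article and not VMware's own code: it reports, per host, the AD domain membership, the current esxAdminsGroup value and the roles that group actually holds on the host (which covers the three options above), optionally lists the members of the group in AD so the "keep the group empty" option can be verified, and only changes the setting when run with -Remediate. It assumes the VMware.PowerCLI module is installed, that Connect-VIServer has already been run, and that the group name in $DesiredGroup is a placeholder to be replaced with your own; the AD membership check additionally assumes the RSAT ActiveDirectory module on a domain-joined workstation.

```powershell
<#
Added example (not part of the KB article): audit, and optionally change, the
Config.HostAgent.plugins.hostsvc.esxAdminsGroup setting on every ESXi host
managed by a vCenter, using VMware PowerCLI.

Assumptions (not from the article):
  - VMware.PowerCLI is installed and Connect-VIServer has already been run.
  - $DesiredGroup is a placeholder; replace it with your own AD group name.
  - The optional AD membership check needs the RSAT ActiveDirectory module.
#>
param(
    [string]$DesiredGroup = 'ESXi-Host-Admins',   # placeholder AD group (sAMAccountName)
    [switch]$Remediate                             # without this switch the script only reports
)

$SettingName = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'

function Get-EsxAdminsGroupReport {
    # One row per host: domain membership, the configured admin group, and the
    # roles actually granted to that group on the host.
    param([Parameter(Mandatory)]$Hosts)
    foreach ($h in $Hosts) {
        $auth    = Get-VMHostAuthentication -VMHost $h
        $setting = Get-AdvancedSetting -Entity $h -Name $SettingName
        $group   = [string]$setting.Value
        # AD principals appear as DOMAIN\group in host permissions.
        $perms = Get-VIPermission -Entity $h |
                 Where-Object { $_.Principal -like "*\$group" }
        [pscustomobject]@{
            Host           = $h.Name
            Domain         = $auth.Domain
            Membership     = $auth.DomainMembershipStatus
            EsxAdminsGroup = $group
            MatchesDesired = ($group -eq $DesiredGroup)
            RolesForGroup  = (($perms | ForEach-Object { $_.Role }) -join ',')
        }
    }
}

function Set-EsxAdminsGroup {
    # Equivalent of the vSphere Client steps in the article; takes effect
    # within a minute and needs no reboot.
    param([Parameter(Mandatory)]$Hosts, [Parameter(Mandatory)][string]$Group)
    foreach ($h in $Hosts) {
        Get-AdvancedSetting -Entity $h -Name $SettingName |
            Set-AdvancedSetting -Value $Group -Confirm:$false | Out-Null
    }
}

function Get-AdGroupMemberSummary {
    # The "Administrator role but empty group" option depends on the group
    # staying empty; this lists any members (recursively) so that can be checked.
    param([Parameter(Mandatory)][string]$Group)
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        return 'ActiveDirectory module not available; membership not checked'
    }
    $adGroup = Get-ADGroup -Filter "sAMAccountName -eq '$Group'" -ErrorAction SilentlyContinue
    if (-not $adGroup) { return "group '$Group' does not exist in AD" }
    $members = Get-ADGroupMember -Identity $adGroup -Recursive
    if (-not $members) { return "group '$Group' exists and is empty" }
    return ($members | ForEach-Object { $_.SamAccountName }) -join ','
}

$hosts  = Get-VMHost | Where-Object { $_.ConnectionState -eq 'Connected' }
$report = Get-EsxAdminsGroupReport -Hosts $hosts
$report | Format-Table -AutoSize

# Flag hosts where the default group name still carries the Administrator role
# (the role's internal name in vSphere is "Admin").
$report | Where-Object { $_.EsxAdminsGroup -eq 'ESX Admins' -and $_.RolesForGroup -match 'Admin' } |
    ForEach-Object { Write-Warning "$($_.Host): 'ESX Admins' still holds role(s) $($_.RolesForGroup)" }

Write-Host ('Members of "ESX Admins" in AD: ' + (Get-AdGroupMemberSummary -Group 'ESX Admins'))

if ($Remediate) {
    $targets = $report | Where-Object { -not $_.MatchesDesired } |
               ForEach-Object { Get-VMHost -Name $_.Host }
    if ($targets) { Set-EsxAdminsGroup -Hosts $targets -Group $DesiredGroup }
}
```

Run it once without -Remediate to see which hosts still point at ESX Admins and what that group can do on each host; the warning line is the condition worth feeding into a scheduled check, since the host re-reads the group name rather than the group's membership, and re-adding an account to the group later silently restores administrative access.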