How to prevent forced lockout when the root account is still active

Article ID: 339893

Products

VMware vCenter Server

Issue/Introduction

This article provides steps to prevent a forced lockout of the root account while it is still active by modifying the /etc/cron.daily/pass-expiration script. The steps apply if the root account is still accessible through the vCenter Server Appliance console or through the secure shell (SSH).


Environment

VMware vCenter Server Appliance 5.5.x

Resolution

If the root account is still accessible through the vCenter Server Appliance console or through the secure shell (SSH), you can prevent this issue from occurring by modifying the /etc/cron.daily/pass-expiration script.

To prevent the forced lockout when the root account is still active:

  1. Log in to the vCenter Server Appliance as the root user.
  2. Take a backup copy of /etc/cron.daily/pass-expiration.
  3. Open the /etc/cron.daily/pass-expiration script using a text editor.
  4. Locate and delete these commands:

    # disable the password if it's time and not already done.
    # don't rely on the pam account facility. prepend an x in the shadow file.
    if [ $TODAY -ge $DEADLINE ] && ! grep -q 'root:x' $SHADOW; then
        sed -e 's/^root:\(.*\)/root:x\1/' $SHADOW -i
    fi

  5. Insert these entries to replace the forced lockout with a forced password change:

    # force a password change for root if we've reached the password expiration date.
    # pam.unix2 doesn't do this the way we would like, so we do this instead.
    if [ $TODAY -ge $DEADLINE ]; then
        chage -d 0 root
    fi

  6. Save and close the file.
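
To confirm which behavior a copy of the script will produce and what state root's shadow entry is in, the following added example classifies both; it is not VMware code, the function names are hypothetical, and the sample data is constructed. It also flags a `chage` line whose option dash was pasted as an en dash, which `chage` does not read as the `-d` option.

```shell
#!/bin/sh
# Added example, not VMware code. Function names are hypothetical; file paths
# are arguments so the checks can run against copies of the real files.

# Classify a pass-expiration script by which stanza it contains.
audit_pass_expiration() {
    if grep -Fq "sed -e 's/^root:" "$1"; then
        echo lockout          # original stanza: prepends x in the shadow file
    elif grep -Fq 'chage –d 0 root' "$1"; then
        echo bad-dash         # en dash pasted instead of "-": chage will fail
    elif grep -Eq '^[[:space:]]*chage -d 0 root' "$1"; then
        echo force-change     # replacement stanza from step 5
    else
        echo unknown
    fi
}

# Classify root's entry in a shadow-format file.
audit_root_shadow() {
    awk -F: '$1 == "root" {
        if (substr($2, 1, 1) == "x") s = "locked"        # hash prefixed with x
        else if ($3 == "0")          s = "must-change"   # set by chage -d 0
        else                         s = "active"
    } END { print (s == "" ? "no-root-entry" : s) }' "$1"
}

# Constructed sample inputs (not taken from a real appliance).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'if [ $TODAY -ge $DEADLINE ]; then' \
        '    chage -d 0 root' 'fi' > "$d/script"
    printf '%s\n' 'root:x$6$salt$hash:16000:0:90:7:::' > "$d/shadow"
    echo "script: $(audit_pass_expiration "$d/script")"
    echo "shadow: $(audit_root_shadow "$d/shadow")"
    rm -rf "$d"
}
demo
```

The script check matches text only, so a stanza that has been commented out rather than deleted is still reported as `lockout`.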

Note: By default, the password expiration on the local root account in vCenter Server Appliance is set to 90 days after the password is changed. This typically occurs at first boot. If the password is not changed on installation, there is a 90-day period before expiration.




Additional Information

How to prevent forced lockout when the root account is still active