Using the ESX Admins AD group with ESX/ESXi 4.1 and ESXi 5.x/6.x domain membership and user authentication (1025569)

Symptoms

  • After successfully joining an ESX/ESXi 4.1 host to an Active Directory (AD) domain, you see this log spew in the /var/log/messages file on the ESX/ESXi host:

    nssquery: Group lookup failed for 'AD Domain Name\ESX Admins '

  • In ESXi 5.0, you see this log spew in the /var/log/syslog.log file.
  • In the /var/log/hostd.log file of the ESXi 5.x/6.x host, you see an error similar to:

    [25CC6B90 warning 'UserDirectory'] Group lookup failed for 'AD_Domain_Name\ESX Admins'

  • The ESX Admins group does not exist in the AD domain.
  • If the ESX Admins group exists in the AD domain, joining an ESX/ESXi 4.1 or ESXi 5.x/6.x host to the Active Directory domain grants that group (shown on the host as AD Domain Name\esx^admins) the Administrator role.
  • Removing the Administrator role from the group is initially successful, but restarting the ESX/ESXi host grants the Administrator role to the group again.

Purpose

This article provides information on using the ESX Admins AD group and describes alternate methods of granting AD users/groups access to the ESX/ESXi hosts.

Resolution

By default, an ESX/ESXi 4.1 or ESXi 5.x/6.x host joined to an AD domain queries the domain for the ESX Admins group, and this behavior is not configurable. If the group exists in AD, it is granted the Administrator role on the host; any user accounts in that group get full administrative privileges on the host and can log in to the host through SSH.

If this behavior is desirable, create the ESX Admins group in the AD domain and populate it with the user accounts or groups that should have administrative access to the hosts. Additional AD user accounts and groups can also be granted appropriate access to the hosts.

If it is not desirable to grant the Administrator role to user accounts or groups in the ESX Admins group, try one of these options.
  • Remove or do not create an ESX Admins group in AD. Grant other AD accounts/groups appropriate roles. However, you continue to see the log spew in the /var/log/messages or /var/log/syslog.log file on the ESX/ESXi hosts.

  • Change the role assigned to the ESX Admins group from Administrator to No Access. Grant other AD accounts/groups the appropriate roles. In this case, any user accounts in the ESX Admins group are unable to access the ESX/ESXi host. Also, ensure that any users that need access (administrative or otherwise) to the host are removed from the ESX Admins group.

  • Assign the Administrator role to the ESX Admins group, but ensure that there are no user accounts or groups in this group. Grant other AD accounts/groups the appropriate roles. This requires the least administrative effort, but you must ensure that user accounts or groups are not added to the ESX Admins group later.
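Whichever option is chosen, the two facts worth auditing regularly are whether the ESX Admins group exists and has members in AD, and which role that principal currently holds on each domain-joined host (the grant is re-applied on reboot, so a one-time removal is not a durable control). The following PowerCLI script is an added example, not VMware's code; it assumes VMware PowerCLI and the ActiveDirectory RSAT module are installed, and that $HostCred can log in directly to each ESXi host, since the ESX Admins permission lives in the host's local authorization store and does not appear among vCenter permissions.

```powershell
<#
 Added audit script (not VMware's code). Assumes VMware PowerCLI and the
 ActiveDirectory RSAT module are installed, and that $HostCred can log in
 directly to each ESXi host. $EsxiHosts values are placeholders.
#>
param(
    [Parameter(Mandatory)] [string[]]     $EsxiHosts,   # e.g. 'esx01.corp.example'
    [Parameter(Mandatory)] [pscredential] $HostCred
)
Import-Module VMware.VimAutomation.Core
Import-Module ActiveDirectory

# 1. Group existence and effective (nested) membership in AD. If the group
#    exists, every effective member is administrator on each joined host.
$members = @()
$group = Get-ADGroup -Filter "SamAccountName -eq 'ESX Admins'" -ErrorAction SilentlyContinue
if ($group) {
    $members = @(Get-ADGroupMember -Identity $group -Recursive)
    Write-Host "ESX Admins exists in AD; effective members: $($members.Count)"
    $members | ForEach-Object { Write-Host "  $($_.objectClass) $($_.SamAccountName)" }
} else {
    Write-Host "ESX Admins does not exist in AD; joined hosts will log 'Group lookup failed'"
}

# 2. Role the group currently holds on each host (read from the host itself).
$report = foreach ($h in $EsxiHosts) {
    $conn = Connect-VIServer -Server $h -Credential $HostCred -ErrorAction Stop
    try {
        $auth = Get-VMHostAuthentication -VMHost (Get-VMHost -Server $conn)
        # The host displays the principal as DOMAIN\esx^admins (space shown as ^).
        $perm = Get-VIPermission -Server $conn |
            Where-Object { $_.Principal -match '(?i)esx[\^ ]admins$' }
        $role = if ($perm) { @($perm.Role) -join ',' } else { '(none)' }
        [pscustomobject]@{
            Host   = $h
            Domain = $auth.Domain
            Role   = $role
            # Flag only the risky combination: populated in AD AND Administrator on host.
            Flag   = [bool]($group -and $members.Count -gt 0 -and $role -match '^Admin')
        }
    } finally {
        Disconnect-VIServer -Server $conn -Confirm:$false
    }
}
$report | Format-Table -AutoSize
```

A row with Flag set to True means the "empty group" or "No Access" option above is no longer in effect on that host and should be re-applied.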

Additional Information

For more information, see the vSphere Datacenter Administration Guide.

Update History

10/03/2012 - Added additional symptom for ESXi 5.0.
