
Use of virtual accounts for services on a Windows vCenter Server 6.0 (2124709)


Purpose

Starting from vCenter Server 6.0 for Windows, virtual accounts replace the Local Service Account used in vCenter Server 5.x to run the vCenter Server services. This article contains information on the impact it will have on your environment.

Resolution

Virtual accounts in vSphere 6.0 for Windows increase the security of vCenter Server by preventing privilege escalation within the host operating system if a single service is compromised. Because each service is placed into its own silo using a virtual account, a user who gains access to a single virtual account is limited to the functionality of that account and to that single service. This ensures that the vSphere 6.0 environment runs with a minimum set of privileges that depends on the specific service.

The following virtual accounts are now used as the service accounts to run their respective services.

Service                              Service Account
VMware Component Manager             NT SERVICE\VMwareComponentManager
VMware Content Library Service       NT SERVICE\vdcs
VMware ESX Agent Manager             NT SERVICE\EsxAgentManager
VMware Message Bus Config Service    NT SERVICE\mbcs
VMware Performance Charts            NT SERVICE\vmware-perfcharts
VMware Postgres                      NT SERVICE\vPostgres
VMware vAPI Endpoint                 NT SERVICE\vapiEndpoint
VMware vCenter workflow manager      NT SERVICE\vmware-vpx-workflow
VMware vService Manager              NT SERVICE\VServiceManager
VMware vSphere Auto Deploy Waiter    NT SERVICE\vmware-autodeploy-waiter
VMware vSphere Web Client            NT SERVICE\vspherewebclientsvc

Notes:
  • Future releases of vSphere use unique virtual accounts for all services. However, vSphere 6.0 is limited to the preceding list.
  • Do not change these accounts after they are established.

Additional Information

For more information about Virtual Accounts, see these Microsoft TechNet articles:

When attempting to install or upgrade your vCenter Server 6.0, you may receive the error:

The user group "NT SERVICE\ALL SERVICES" does not have the "Log on as a service" user right. This precludes the ability to use the virtual accounts feature in Windows permit greater security through increased isolation of services. We recommend that you add this group back to the list of services that have this right. If this right is not added then any installed services that would normally use a virtual account will instead use "Local Service" account.

This occurs because the NT SERVICE\All Services group on the local machine does not have the Log on as a service right, which is a requirement. For more information, see the vSphere Install and Upgrade guide.

To resolve this issue, see the Microsoft TechNet article Add a Log on as a service right to an account.
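The following script is an added example, not VMware or Microsoft code. It compares each service's logon account with the table above and checks whether NT SERVICE\ALL SERVICES holds the Log on as a service right. It assumes an elevated PowerShell 3.0 or later prompt, that each virtual account is named after its service's short name, and that S-1-5-80-0 is the SID of NT SERVICE\ALL SERVICES.

```powershell
# Added example (not VMware code). Run from an elevated PowerShell 3.0+ prompt.
# Expected accounts are copied from the table in this article.
$expected = @(
    'NT SERVICE\VMwareComponentManager', 'NT SERVICE\vdcs',
    'NT SERVICE\EsxAgentManager', 'NT SERVICE\mbcs',
    'NT SERVICE\vmware-perfcharts', 'NT SERVICE\vPostgres',
    'NT SERVICE\vapiEndpoint', 'NT SERVICE\vmware-vpx-workflow',
    'NT SERVICE\VServiceManager', 'NT SERVICE\vmware-autodeploy-waiter',
    'NT SERVICE\vspherewebclientsvc'
)

# Assumption: a virtual account is named NT SERVICE\<service short name>,
# so the service to query is the part after the backslash.
$report = foreach ($account in $expected) {
    $name = $account.Split('\')[1]
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    [pscustomobject]@{
        Service  = $name
        Expected = $account
        Actual   = if ($svc) { $svc.StartName } else { '<not installed>' }
        Match    = [bool]($svc -and ($svc.StartName -eq $account))
    }
}
$report | Format-Table -AutoSize

# Export the local user-rights assignments and read who holds
# "Log on as a service" (SeServiceLogonRight).
$cfg = Join-Path $env:TEMP 'vc-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' |
        Select-Object -First 1
$holders = @()
if ($line) {
    $holders = ($line.Line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Assumption: S-1-5-80-0 is the well-known SID of NT SERVICE\ALL SERVICES;
# secedit writes SIDs with a leading asterisk.
$hasRight = ($holders -contains '*S-1-5-80-0') -or
            ($holders -contains 'NT SERVICE\ALL SERVICES')
if ($hasRight) {
    'OK: NT SERVICE\ALL SERVICES holds "Log on as a service".'
} else {
    'MISSING: NT SERVICE\ALL SERVICES lacks "Log on as a service".'
}
```

A row with Match set to False and a Local Service account in the Actual column corresponds to the fallback described in the installer message above.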

Note: The preceding links were correct as of October 27, 2015. If you find that a link is broken, provide feedback and a VMware employee will update the link.
