VMware Cloud Community
PlatformTeam
Contributor

Where to find Advanced Settings documentation

Hi,

I haven't been able to find documentation for the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup,
which I believe is the underlying cause for a problem I have entering lockdown mode.

The host is joined to an AD domain, the setting is configured with the AD group for ESX admins, and the lockdown mode
Exception Users has only a limited number of local user accounts. When I try to enable lockdown mode I get a
general error. I went through the host log files and found the following error, where <domain>\<user> is a member
of the AD group named in esxAdminsGroup but not an Exception Users member.

<datetime> error hostd[<pid>] … user=vpxuser:<domain>\<user> Enable lockdown mode failed: N3VimFault12UserNotFoundExceptionE(Fault cause vim.fault.UserNotFound)

This KB article states the following about adding admins to Exception Users, so it would seem unlikely, even
contradictory, to look to esxAdminsGroup to see that they are also Exception Users.

https://kb.vmware.com/s/article/1008077

  • Accounts in the Exception User list for lockdown mode who have administrative privileges on the host. The Exception Users list is meant for service accounts that perform very specific tasks. Adding ESXi administrators to this list defeats the purpose of lockdown mode.

That is my reason for wanting to find the "proper" documentation for this setting.

Thanks,
Darren

0 Kudos
3 Replies
scott28tt
VMware Employee

Thread reported so moderators know it should be moved to the area for vSphere.

-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee, I contribute to VMware Communities voluntarily (i.e. not in any official capacity).
VMware Training & Certification blog
0 Kudos
depping
Leadership

Contact Support. Many advanced settings are not documented as they are not supposed to be fiddled with in the first place 🙂

0 Kudos
PlatformTeam
Contributor

I asked for documentation on the advanced setting of interest and was sent instructions for changing advanced settings.

Configuring advanced options for ESXi/ESX (1038578) (vmware.com)

It appears that the "...esxAdminGroup" setting may not only identify who the ESX Admins are but also be consulted when activating lockdown mode. If this is true then that would contradict other advice about the "Exception Users" list.

https://kb.vmware.com/s/article/1008077

  1. Accounts in the Exception User list for lockdown mode who have administrative privileges on the host. The Exception Users list is meant for service accounts that perform very specific tasks. Adding ESXi administrators to this list defeats the purpose of lockdown mode.

It seems that I may not get an answer and will have to figure out my lockdown mode issue on my own through trial and error.

0 Kudos