There are a number of ways to create users and groups on an ESXi host. The most familiar way is to use the vSphere client. You do this by connecting the client directly to a host, rather than to vCenter, then browsing to the Local Users and Groups tab:
To create a new user you can right-click anywhere in this screen, then click ‘Add’. You will see the following screen:
You can enter a login name and a password and select whether shell access is required. UID and username are optional – these will be generated if you choose not to specify anything. You can also select the group membership. By default the new user will be added to the Users group, if no other group is selected.
You can also create groups in the same way, after switching to the groups view:
Note: Groups have been deprecated in ESXi 5.1 onwards.
Creating ESXi Users with the CLI or vMA
You can also create/add new users and groups on an ESXi host using the CLI or vMA. For example, from the vMA, you can run the following command to create a new user.
vi-admin@vma:~[esxi1.vmlab.loc]> vicfg-user -e user -o add -l testuser
Enter password for the user:
Enter password for the user again:
Created user testuser successfully.
We can verify it has been created by running the following, to list the users on the host:
vi-admin@vma:~[esxi1.vmlab.loc]> vicfg-user -e user -o list
USERS
-----------------
Principal -: testuser
Full Name -: ESXi User
UID -: 1003
Shell Access -:1
There are a number of other options you can use with vicfg-user, including removing users, creating and removing groups, and adding users to groups. You can also reset users' passwords and associate users with roles. For example, to assign the new ‘testuser’ the admin role, you can run:
vi-admin@vma:~[esxi1.vmlab.loc]> vicfg-user -e user -o modify -l testuser -r admin
Updated user testuser successfully.
Assigned the role admin
All available options can be viewed by running:
vicfg-user --help
Creating Users and Groups using PowerCLI
You can also use PowerCLI to create users and groups using the New-VMHostAccount cmdlet:
PowerCLI C:\> New-VMHostAccount -Id TestUser2 -Password Pa55w0rd -Description "Test User"

Name            Domain          Description
----            ------          -----------
TestUser2                       Test User
Roles and Permissions
Once you have created your local accounts, by whichever method you choose, you will need to associate each account with a role in order for it to be able to perform tasks on the host. This is done through the Roles pane in the vSphere client (though, as shown earlier, you can also use the CLI):
As shown above, there are three built-in roles: No Access, Read-Only and Administrator. These roles can be cloned and modified, or new ones can be created, to allow for more granular control:
Once you have created your users and roles, you can then use them to assign permissions to objects on the host:
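The same create-user, create-role, assign-permission workflow in PowerCLI, as an added example that is not part of the original post: it prompts for the password instead of passing it in clear text on the command line as in the New-VMHostAccount call above, and grants a narrow custom role rather than admin. The account name TestUser3, the role name, the two privilege IDs and the choice of the host object as the permission target are assumptions made for illustration.

```powershell
# Added example. Account, role name and privilege IDs are illustrative assumptions.
$esxHost  = 'esxi1.vmlab.loc'        # host used elsewhere on this page
$roleName = 'VM-Power-Operator'      # hypothetical custom role name
$privIds  = 'VirtualMachine.Interact.PowerOn',
            'VirtualMachine.Interact.PowerOff'

# Connect directly to the host; Get-Credential keeps the password out of
# the command line, shell history and PowerShell transcripts.
Connect-VIServer -Server $esxHost -Credential (Get-Credential -Message 'ESXi admin login') | Out-Null

try {
    # Prompt for the new local account's password.
    $newAcct = Get-Credential -UserName 'TestUser3' -Message 'Password for the new local account'

    # Create the account only if it does not already exist.
    if (-not (Get-VMHostAccount -Id $newAcct.UserName -ErrorAction SilentlyContinue)) {
        New-VMHostAccount -Id $newAcct.UserName `
            -Password $newAcct.GetNetworkCredential().Password `
            -Description 'VM power operator' | Out-Null
    }

    # Build a least-privilege role instead of reusing the built-in admin role.
    $role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
    if (-not $role) {
        $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $privIds)
    }

    # Bind user and role to the host object; -Propagate pushes it to child objects.
    New-VIPermission -Entity (Get-VMHost) -Principal $newAcct.UserName `
        -Role $role -Propagate:$true | Out-Null

    # Review the result: which principal holds which role on which entity.
    Get-VIPermission -Principal $newAcct.UserName |
        Select-Object Entity, Principal, Role, Propagate
}
finally {
    Disconnect-VIServer -Server $esxHost -Confirm:$false
}
```

Running Get-VIPermission without -Principal lists every assignment on the host, which is a quick way to audit for accounts that still hold the admin role.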