10.3 Local Account Management
Occasionally, advanced configuration and troubleshooting of an ESXi host might still require local privileged access through the classic C# client, or console access through the DCUI or SSH. Although access is better managed through Active Directory integration, local host user accounts are often still required, if for no other reason than to serve as “in case of emergency” accounts.
Previous releases of vSphere required you to create local accounts on each host corresponding to business and security requirements. In vSphere 6.0, however, you can manage local accounts on the hypervisor using new ESXCLI commands, which makes it possible to script and inject such configuration during deployment. The new ESXCLI commands allow you to add, list, remove, and modify accounts across all hosts in a cluster from the vCenter Server, whereas previously the account and permission management functionality for ESXi hosts was available only with direct host connections. Setting, removing, and listing local permissions on ESXi servers can also be centrally managed.
However, although this simplified administration of local host accounts strengthens the security of the vSphere platform, the number of local user accounts created on the hypervisors must be limited to those that are absolutely essential.
In addition, in previous versions of ESXi, local host account password complexity changes had to be made manually by editing the /etc/pam.d/passwd file on each ESXi host. In vSphere 6.0, this has been moved to an entry in the host's “Advanced System Settings,” enabling centrally managed changes for all hosts in a cluster.
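One way to hold hosts to that limit is to compare each host's account list with an approved baseline. The script below is an added example, not VMware's code: the approved list, the `breakglass` account name and the sample output are constructed, and it assumes `esxcli system account list` prints a header row, a dashed rule and then one account per row with the user ID first.

```shell
#!/bin/sh
# Added example: audit ESXi local accounts against an approved baseline.
# Assumption: `esxcli system account list` prints a header row, a dashed
# rule, then one account per row with the user ID in the first column.

# Hypothetical baseline; "breakglass" is an assumed emergency account name.
APPROVED="root dcui vpxuser breakglass"

# Constructed sample output, not captured from a real host.
sample_account_list() {
cat <<'EOF'
User ID     Description
----------  -------------------------------------------
root        Administrator
dcui        DCUI User
vpxuser     VMware VirtualCenter administration account
breakglass  Emergency access
jsmith      Temporary troubleshooting
svc_backup  Backup agent
EOF
}

# Read account-list output on stdin; print user IDs that are not approved.
unexpected_accounts() {
    awk -v approved="$APPROVED" '
        BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR <= 2 || NF == 0 { next }    # skip header, rule and blank lines
        !($1 in ok) { print $1 }
    '
}

# Read the same output; print approved accounts absent from the host,
# for example an emergency account that was never provisioned.
missing_accounts() {
    awk -v approved="$APPROVED" '
        BEGIN { n = split(approved, a, " ") }
        NR > 2 && NF > 0 { seen[$1] = 1 }
        END { for (i = 1; i <= n; i++) if (!(a[i] in seen)) print a[i] }
    '
}

# On a host, pipe the live command instead of the sample:
#   esxcli system account list | unexpected_accounts
extra=$(sample_account_list | unexpected_accounts)
[ -z "$extra" ] || printf 'unapproved local account: %s\n' $extra
```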