ESXi hosts can be joined to Active Directory, or more precisely, can use Active Directory for authenticating users, which allows for assigning permissions to domain users at host level. The advantage of this is that you can manage user accounts using Active Directory for authentication, authorization, and compliance, which is significantly easier and more secure than trying to manage local accounts.

VMware recommends taking advantage of this functionality by employing the use of a tenant administrative or federated domain as a security repository for permitting easy authentication and authorization with unique administrative credentials.

Using the pre-created Active Directory group “ESXi Admins” provides root access to authorized administrators as well as a way to audit direct access to the ESXi hosts.

For more information, refer to the VMware vSphere Security document at http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-security-guide.pdf.