Deleting a Local User or Group
Perform the following steps to delete a local user or group from a specific ESXi host using the
vSphere Client:
1. After you've connected to the desired ESXi host using the vSphere Client, select the ESXi
host from the inventory and click the Local Users & Groups tab.
2. To delete a user, click the Users button. To delete a group, click the Groups button.
3. Right-click the user or group you want to remove, and select Remove from the context
menu. When prompted for confirmation, select Yes.
Perform these steps to delete a local user or group using the vCLI:
1. Log into the vMA via SSH using PuTTY.exe (Windows) or a terminal window (Mac OS X
or Linux).
2. Use the following command to remove a user:
vicfg-user --server esxi-03.lab.local --username root --entity user --operation delete --login UserName
To remove a group, change the --entity and --login parameters:
vicfg-user --server esxi-03.lab.local --username root --entity group --operation delete --group GroupName
Note that you cannot delete a group from the CLI without first removing all of its members.
This limitation does not apply when deleting a group from the vSphere Client.
To VC or Not to VC
The best way to administer your vSphere environment is to connect the vSphere Web Client to
a vCenter Server instance. Although you can connect the legacy vSphere Client to an ESXi host
directly, you lose a great deal of functionality. If you didn't purchase vCenter Server, you may have
no other choice than to connect to the ESXi hosts. In such instances, you'd have to create user
accounts locally on the ESXi hosts for VM administration as outlined in this section.
Now that you have an idea of the specific steps used to manage users and groups locally on
each ESXi host, what are the security challenges involved in doing so? And how can those
security challenges be addressed? Here are just a couple of examples:
You must manually manage users and groups separately on each and every ESXi host. If
you forget to delete a user account for a departing employee on a specific ESXi host, you've
just created a potential security problem.
There is no way to centrally enforce password policies. Although you can set password
policies on each ESXi host, you have to do this separately on every ESXi host in your
environment. If you ever need to change the password policy, you must do so on each ESXi host
individually.
You can address both of these particular security challenges by leveraging functionality
provided by VMware with ESXi to integrate authentication into Active Directory, as you'll see in the
next section.