If your ESXi host is managed by a vCenter Server, it is recommended to perform management tasks through the vSphere Web Client as preferred way.
However, as an another best practice for standalone ESXi host, we can create at least one user account on ESXi host and assign it full administrative privileges on the host.
We can use this account instead of the root account. However, do not remove the root account.
ESXi predefined users:
Following users are predefined on standalone ESXi host.
- Root
- VPXUser
- vCenter Server uses vpxuser account when managing activities for the ESXi host.
- vCenter Server has Administrator privileges on the host that it manages through this account.
- The vCenter Server administrator can perform most of the same tasks on the host as the root user and also schedule tasks, work with templates, and so forth.
- However, the vCenter Server administrator cannot directly create, delete, or edit local users and groups for hosts.
- DCUI
- The dcui user runs on hosts and acts with Administrator rights.
- This user’s primary purpose is to configure hosts for lockdown mode from the Direct Console User Interface (DCUI).
- This user acts as an agent for the direct console and cannot be modified or used by interactive users.
ESXi predefined Roles:
Following roles are predefined on ESXi host for permission management:
- Read Only
- Administrator
- No Access
You can manage local users and groups and add local custom roles to an ESXi host using an old vSphere Client connected directly to the ESXi host.
Starting with vSphere 6.0, you can use ESXCLI account management commands for managing ESXi local user accounts.
You can use ESXCLI permission management commands for modifying permissions on both Active Directory accounts (users and groups) and on ESXi local accounts (users only).
Check my other article on how to add local user account on ESXi host using command line at below link.How to add local account in esxi shell