As an administrator managing a vSphere environment, the last thing that you would want to do is share the root password. Remember, a forgotten root password cannot be recovered/reset and will require a reinstallation of ESXi.

Joining an ESXi host to an Active Directory domain will allows users from a particular domain user group to log in to the ESXi host without needing to know the root password. This not only eliminates the need to periodically change the root password, but also enables better auditing.

Here is what you will need before you join the ESXi host to the domain and configure access to it:

• The name of the domain
• The username and password of a domain user that has permissions to join the machine to the domain
• The name of the domain user group that selected users will be a part of

The following procedure will guide you through the steps that are required to join the ESXi host to the domain and allow a domain user group access to it:

1. Connect to the vCenter Server's HTML 5 interface, that is, https://FQDN of vCenter/ui.
2. Select the ESXi host from the Inventory and navigate to Configure | System | Authentication Services. From here, click on Join Domain.
3. On the Join Domain screen, specify a domain name and domain credentials and click OK:

4. You should see a Join Windows Domain task complete successfully message in the Recent Tasks pane.

Now that the host is joined to the domain, we can configure it to allow access for a domain user group.

5. With the host selected, navigate to Configure | System | Advanced System Settings and click Edit.
6. On the Edit Advanced System Settings screen, type esxadmin into the search box to filter the settings.
7. Click on the Value field corresponding to the Config.HostAgent.plugins.hostsvc.esxAdminsGroup setting and enter the name of the domain user group:

You should now be able to log in as a domain user to the console (direct/SSH) and DCUI using the following formats:

• user@domain: For example, abhilashgb@vdescribed
• domain\user: For example, vdescribed\abhilashgb

Once the ESXi host has been joined to the Active Directory domain, a domain user group can be allowed to log in to the ESXi host. This access is enabled by specifying the name of the user group using the advanced system setting, that is, Config.HostAgent.plugins.hostsvc.esxAdminsGroup.

By default, this user group is granted administrator privileges. This behavior can, however, be changed by using the advanced system setting, that is, Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd.