VMware Cloud Community
jmsloane
Contributor

Attempt # 3, Config.HostAgent.plugins.hostsvc.esxAdminsGroup resets to ESXadmins, how to stop?

It is great getting 75 people to view the thread, but no one is offering any advice; surely this is not just a one-time thing.

We are trying to configure our host profile to remove the esxadmin from config.hostagent.plugins.hostsvc.esxadminsgroup. We can do it to each host using a script command to change the group to something other than the ESXadmins, but how can I do that using a host profile? If we have to reboot anything, it defaults back to esxadmins; we need this to stop. I know a script changing it back or setting it after the reboot is an option, but we need it to NOT be reset. Any thoughts?

0 Kudos
5 Replies
daphnissov
Immortal

This setting is only applicable if both of these two things are true in your environment:

  1. Your ESXi hosts are joined to Active Directory
  2. You have a preexisting AD group called ESXAdmins with membership

Are both of those things true for you?

0 Kudos
jmsloane
Contributor

Daph,

We do not have them connected to AD. I realise that it shouldn't be a big deal, but we have a STIG requirement that wants it set to something else. We have changed the names, but the group will still come back on a reboot.

0 Kudos
daphnissov
Immortal

If they aren't connected to AD then the STIG requirement is nullified as it has absolutely no effect. It doesn't become auditable until those conditions are true.

https://www.stigviewer.com/stig/vmware_vsphere_esxi_6.0/2016-06-07/finding/V-63247

0 Kudos
jmsloane
Contributor

I found that too; however, I am just worried that since it still technically shows ESXadmins, during an inspection we may be dinged. I am just looking for the setting to change in the host profile without going to each and every host.

0 Kudos
daphnissov
Immortal

You shouldn't get dinged on that because part of that same report is basically isAdJoined and if it's false then that invalidates other advanced settings. Also, this is one of those advanced settings that isn't exposed by host profiles. Not all are, this is one. Again, it's not at all relevant if you're not joined.

0 Kudos
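
The applicability logic described in the replies above (the setting only matters when the host is AD-joined), as an added audit example that is not part of the thread or any poster's code. It assumes VMware PowerCLI with an existing `Connect-VIServer` session; the function name `Get-EsxAdminsGroupStatus` and the status labels are hypothetical, chosen for this illustration.

```powershell
# Added example, not from the thread. Read-only: it reports, it changes nothing.
# Assumes PowerCLI is loaded and Connect-VIServer has already been run.
$settingName = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'

# Hypothetical helper: classify one host from its setting value and AD domain.
function Get-EsxAdminsGroupStatus {
    param(
        [string]$GroupValue,   # current value of the advanced setting
        [string]$Domain        # AD domain the host is joined to, empty if none
    )
    $isAdJoined = -not [string]::IsNullOrWhiteSpace($Domain)
    # Ignore spaces and case so "ESX Admins", "ESXAdmins" and "esxadmins" all match.
    $isDefault = (($GroupValue -replace '\s', '') -ieq 'ESXAdmins')

    # Per the replies above: with no AD join the setting has no effect.
    if (-not $isAdJoined) { return 'NotApplicable (host not AD-joined)' }
    if ($isDefault)       { return 'Open (AD-joined, default group name)' }
    return 'NotAFinding (AD-joined, custom group name)'
}

# One row per host: evidence of both the AD-join state and the setting value.
$report = foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    $auth    = Get-VMHostAuthentication -VMHost $vmhost
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $settingName
    [pscustomobject]@{
        Host           = $vmhost.Name
        Domain         = $auth.Domain
        EsxAdminsGroup = $setting.Value
        Status         = Get-EsxAdminsGroupStatus -GroupValue $setting.Value -Domain $auth.Domain
    }
}

$report | Format-Table -AutoSize
```

Piping `$report` to `Export-Csv` instead gives a per-host record showing the AD-join state next to the setting value for an inspection.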