VMware Cloud Community
Inmedius
Contributor

Security Hardening on ESXi, not esx?

First of all, is this the right place? I found a bunch of KB articles on security hardening (password policies, account lockout policies) but they all point to ESX. We have ESXi 4.1 / 5 and it seems this command "esxcfg-auth" does not exist in ESXi. So my questions are:

1) How can I enforce a password maximum age (force a change after xxx days)?

2) Would editing /etc/pam.d/system-auth set the complexity correctly?

Thanks!

Troy_Clavell
Immortal

Hello and Welcome to the Forums!

Your thread has been moved from the VMware Knowledge Base Community to the Security and Compliance Community.

Inmedius
Contributor

Thanks! Didn't see that forum.

MaxBeard
Contributor

Hello Inmedius,

I'm not sure about your first question, but the answer to the second can be found here: ESX and ESXi 4.x and 5.x password requirements and restrictions

Keep in mind that there is a problem with editing the /etc/pam.d/system-auth file in ESXi 4.1u1. Check this comment for details.

Note: I think you know, but just in case: the VMware vSphere 4.1 Security Hardening Guide doesn't contain any requirements for password age in ESXi. It describes requirements only for the ESX console.

Maxim Shulga
Texiwill
Leadership

Hello,

ESXi 4.1 and 5.0 do have increased capabilities within the management appliance for security controls, and if those controls exist, as they do in this case, they should be enforced. In this case you would need to edit the system-auth file directly, then on ESXi 4.1 copy that file back over from somewhere on reboot. You can use an Alert in vCenter to run a script that performs the vifs vCLI command to copy files over to ESXi on boot. A bit clunky, but it will work. Even so, perhaps the control should be implemented some other way.

Yet if the security control disappears during a reboot, the security control should still be enforced. However, more to the point, the only time you should be logging into the ESXi console is a break glass event such as a catastrophic failure, and as such you will most likely use the root user. That is not a user you want to chage upon. However, you do want to change its password periodically and the password vaulting tools that are out there from Reflex Systems and HyTrust will manage this for you.

If it were me, I would not add any users to ESXi directly, thereby reducing the problem to just the maintenance of the root user. Then apply the same control you are trying to do by using a password vaulting system that will automatically update/modify the password.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
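As an added example, not part of this thread or of VMware's tooling: ESXi 4.x/5.x enforce complexity through the pam_passwdqc line in /etc/pam.d/system-auth (the file both replies above refer to), so a small audit of a copied-out system-auth shows whether the edit still holds after a reboot. The sample file contents, the policy thresholds and the function names are constructed for this example; the script only reads a copy of the file and never changes the host.

```python
"""Audit the pam_passwdqc complexity line of an ESXi /etc/pam.d/system-auth (added example).
Assumption: ESXi 4.x/5.x enforce complexity via pam_passwdqc, whose min=N0,N1,N2,N3,N4 gives
the minimum length for 1-class, 2-class, passphrase, 3-class and 4-class passwords
("disabled" rejects that kind). This audits a copy of the file and never modifies the host."""
# Constructed sample modelled on an ESXi 5.x default line (not captured from a real host).
SAMPLE_DEFAULT = """\
#%PAM-1.0
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,7,7
password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512
"""
# The same file after raising the minimum lengths (also constructed).
SAMPLE_HARDENED = SAMPLE_DEFAULT.replace("min=disabled,disabled,disabled,7,7",
                                         "min=disabled,disabled,disabled,8,8")
# Example policy (an assumption, not a VMware requirement): no 1-class, 2-class or passphrase
# passwords, at least 8 characters with 3 or 4 classes, at most 3 retries.
POLICY = {"min": ("disabled", "disabled", "disabled", 8, 8), "max_retry": 3}
LABELS = ("1-class", "2-class", "passphrase", "3-class", "4-class")

def parse_passwdqc(system_auth):
    """Return {'retry': int, 'min': tuple} from the pam_passwdqc password line, else None."""
    for line in system_auth.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "password" and fields[2].endswith("pam_passwdqc.so"):
            opts = dict(f.split("=", 1) for f in fields[3:] if "=" in f)
            raw = opts.get("min", "disabled,24,11,8,7")  # pam_passwdqc's documented default
            mins = tuple(v if v == "disabled" else int(v) for v in raw.split(","))
            return {"retry": int(opts.get("retry", "3")), "min": mins}
    return None

def check_policy(system_auth, policy=POLICY):
    """Return a list of findings; an empty list means the file meets the policy."""
    cfg = parse_passwdqc(system_auth)
    if cfg is None:
        return ["no pam_passwdqc password line: complexity is not enforced"]
    findings = []
    if cfg["retry"] > policy["max_retry"]:
        findings.append(f"retry={cfg['retry']} exceeds {policy['max_retry']}")
    if len(cfg["min"]) != 5:
        return findings + ["min= must list exactly five values N0,N1,N2,N3,N4"]
    for label, actual, wanted in zip(LABELS, cfg["min"], policy["min"]):
        if wanted == "disabled" and actual != "disabled":
            findings.append(f"{label} passwords must be disabled, found min length {actual}")
        # "disabled" where a length is required is stricter than the policy, so no finding
        elif wanted != "disabled" and actual != "disabled" and actual < wanted:
            findings.append(f"{label} minimum length {actual} is below {wanted}")
    return findings

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, check_policy(text) or "compliant")
```

Running it against a file fetched from the host after a reboot tells you whether the edit survived, which is the check the vifs copy-back approach above needs.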