We need to make sure that root is not used for vCenter 6.0 login. Is there any way to disable it or prevent users who know the root password from using it (instead of their domain account)?
In vCenter, the root user by default has no permissions to vCenter the application. It obviously does to the OS/appliance but not to log in to the web client. There's nothing more you need to do if you're OK with that arrangement.
We had a user make changes to a VM using root to log in to vCenter. That's what needs to be prevented if possible.
Then someone has explicitly enabled root to have vCenter permissions. You can check in the SSO configuration under the localos domain. If that's enabled with users configured for it, disable it.
It has nothing to do with SSO configuration.
Someone has modified the "permissions" (check the tab when at the upper vCenter level) and manually added the user "root" from the identity source "localOS" and given it Administrative rights. But as already said, and this is true, it's not a default.
Normally a vCenter uses 3 identity resources:
- vsphere.local
- localOS
- your_windowsAD
The first 2 are defaults but IIRC only the administrator@vsphere.local is the one and only "user" which is added. Yeah there are some other system accounts added as well.
So you have to remove the account from the permission or lower the level to "readonly".
Regards
Joerg
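The permission check described in the last reply, as an added example that is not part of the original thread: a VMware PowerCLI audit that lists every inventory permission granted to an account named root and dry-runs its removal. The server name is a placeholder, and matching on the account name after the domain separator is an assumption about how the localOS principal is displayed in your environment.

```powershell
# Added example (not from the thread): find vCenter permissions held by "root".
# Assumes VMware PowerCLI is installed and you log in with an SSO administrator.
$server = 'vcenter.example.local'   # placeholder, replace with your vCenter
Connect-VIServer -Server $server -Credential (Get-Credential) | Out-Null

try {
    # Get-VIPermission returns every permission on every inventory object.
    # Principals are shown as DOMAIN\name; compare only the account name part
    # so the match does not depend on how the localOS domain is labelled.
    $rootPerms = @(Get-VIPermission | Where-Object {
        -not $_.IsGroup -and ($_.Principal -split '\\')[-1] -eq 'root'
    })

    if ($rootPerms.Count -eq 0) {
        Write-Output 'No inventory permissions are assigned to root.'
    }
    else {
        # Show where root was added, with which role, and whether it propagates.
        $rootPerms |
            Select-Object Principal, Role, Propagate,
                @{ Name = 'Entity'; Expression = { $_.Entity.Name } } |
            Format-Table -AutoSize

        # Dry run: -WhatIf only reports what would be removed.
        # Drop -WhatIf once the list above has been reviewed.
        $rootPerms | Remove-VIPermission -WhatIf
    }
}
finally {
    Disconnect-VIServer -Server $server -Confirm:$false
}
```

Get-VIPermission covers permissions set on inventory objects only; global permissions are managed separately in the Web Client and should be checked there as well.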