sheenlim2017
Contributor

Unable to Add Exception users in Lockdown Mode

Hello Vmware Community,

I hope you all are having a wonderful day.

I am having issues with adding an Exception User in Lockdown Mode. I am running ESXi 6.7 and enabled Lockdown Mode - Strict. Then I want an AD user to be excluded from the lockdown. This AD user is a limited user.

I know my connection to the AD is functional because when I create a test account in the OU that vCenter is looking at, I can see the test accounts I added. However, when I add a user in Exception Users in Lockdown Mode I get this error message.

Screenshot_2018-11-19_09-01-06.png

This seems to be happening to any user as well including local users.

Screenshot_2018-11-19_09-02-56.png

Any ideas?

8 Replies
MikeStoica
Expert

Use your lymdynasty\user without .com in your domain name.

sheenlim2017
Contributor

Tried this, didn't work.

sk84
Expert

Exception users for lockdown mode must exist on the ESXi host and not at vCenter level. Or, if you are using AD integration for your ESXi hosts, these users must have privileges on the hosts.

See: Specify Lockdown Mode Exception Users

---
Regards, Sebastian
VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist
Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
sheenlim2017
Contributor

So I tried what you said:

1. I created role named "Lockout Exception Users" with Host Permission.

Screenshot from 2018-11-26 10-29-36.png

2. Then, I defined the domain user, limdynasty\noc with the permission lockout exception users on the ESXi host.

Screenshot from 2018-11-26 10-48-16.png

3. When adding the noc user to the exception users, it still failed, saying the account does not exist.

Screenshot from 2018-11-26 10-49-43.png

NOTE: I tried creating a local noc account on the ESXi host, added the lockdown exception user from the ESXi host and enabled strict lockdown from the vCenter Server; however, this ended up with no users being able to log in.

sk84
Expert

The permissions must be defined locally on the ESXi host and not through the vCenter. So you have to log on to the ESXi host with the host client and select "Action" on the top of the Welcome Screen (Default Host View) and choose "Permissions". There you can assign an ESXi privilege role to a specific ESXi user.

For this reason, the vCenter AD permissions do not work either, because you are working locally on the ESXi host and not through the vSphere client.

Maybe this information will also help you to understand why no one can log in anymore:

Lockdown Mode Behavior

---
Regards, Sebastian
VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist
Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
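The host-local permission check and exception-list update that sk84 describes, written out as an added PowerCLI example (not code from the thread or from VMware). It assumes an existing Connect-VIServer session to vCenter; the host name is a placeholder and the principal is the domain user from the thread.

```powershell
# Added example, not from the thread. Assumes PowerCLI is installed and a
# Connect-VIServer session to vCenter already exists.
$hostName  = 'esxi01.example.lab'   # placeholder host name
$principal = 'limdynasty\noc'       # domain user from the thread

$vmhost = Get-VMHost -Name $hostName
# HostAccessManager is the host-level object behind "Permissions" and
# "Lockdown Mode" in the host client; vCenter only proxies calls to it.
$ham = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager

# 1. The user must have a permission defined ON THE HOST. A vCenter-level
#    permission does not count, which is why "account does not exist" appears.
$hostAcl = $ham.RetrieveHostAccessControlEntries()
$entry   = $hostAcl | Where-Object { $_.Principal -ieq $principal }
if (-not $entry) {
    # Grant a host-local role. ChangeAccessMode only supports the built-in
    # modes (accessAdmin, accessReadOnly, accessNoAccess); a custom role like
    # the thread's "Lockout Exception Users" must be assigned through the
    # host client or the host's AuthorizationManager instead.
    $ham.ChangeAccessMode($principal, $false, [VMware.Vim.HostAccessMode]::accessReadOnly)
}

# 2. Merge into the existing exception list so other service accounts
#    (backup agents etc.) are not dropped; UpdateLockdownExceptions replaces
#    the whole list rather than appending to it.
$current = @($ham.QueryLockdownExceptions())
if ($current -notcontains $principal) {
    $ham.UpdateLockdownExceptions([string[]]($current + $principal))
}

# 3. Verify before raising lockdown to strict: a strict host with an empty
#    exception list means nobody can log in, as the original poster found.
$after = @($ham.QueryLockdownExceptions())
Write-Host ("Lockdown mode:   {0}" -f $ham.LockdownMode)
Write-Host ("Exception users: {0}" -f ($after -join ', '))
if ($after.Count -eq 0) {
    Write-Warning 'No exception users defined on this host; do not enable strict lockdown yet.'
}
```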
darrenkm
Contributor

Anyone have an update on this? I added a new group from AD (not ESX Admins) to the local admin of the host and I cannot add the exception group.

Manage -> System -> Advanced settings -> Config.HostAgent.plugins.hostsvc.esxAdminsGroup ->new AD group

Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd -> True

Config.HostAgent.plugins.hostsvc.esxAdminsGroupUpdateInterval ->1 Minutes

Note that I am trying to add the AD group not the user...

darrenkm1
Contributor

Added the user only to the lockdown mode. Don't forget to add permissions to the host as well or you will not be able to log in.

NathanosBlightc
Commander

As VMware says, "The exception users do not lose their permissions when the host enters the Lockdown Mode." They are used for agent servicing or service account definitions to perform operations like backup jobs. They can be local host users or AD users that are defined locally for the host. So the important point here is that you cannot add them to the exception users through the vCenter Server; it must be done through the ESXi host's own management tools. Also remember they have only their associated privileges, so no higher permissions are available to a user in a lockdown mode situation!

Please mark my comment as the Correct Answer if this solution resolved your problem