Hello Vmware Community,
I hope you all are having a wonderful day.
I am having issues with adding an Exception User in Lockdown Mode. I am running ESXi 6.7 and enabled Lockdown Mode - Strict. Then I want an AD user to be excluded from the lockdown. This AD user is a limited user.
I know my connection to the AD is functional because when I create a test account in the OU that vCenter is looking at, I can see the test accounts I added. However, when I add a user under Exception Users in Lockdown Mode, I get this error message.
This seems to be happening with any user as well, including local users.
Exception users for lockdown mode must exist on the ESXi host and not at vCenter level. Or, if you are using AD integration for your ESXi hosts, these users must have privileges on the hosts.
So I tried what you said,
1. I created role named "Lockout Exception Users" with Host Permission.
2. Then I defined the domain user limdynasty\noc with the "Lockout Exception Users" permission on the ESXi host.
3. When adding the noc user to the exception users, it still failed, saying the account does not exist.
NOTE: I tried creating a local noc account on the ESXi host, added it as a lockdown exception user from the ESXi host and enabled strict lockdown from vCenter Server; however, this ended up with no users being able to log in.
The permissions must be defined locally on the ESXi host and not through the vCenter. So you have to log on to the ESXi host with the host client and select "Action" on the top of the Welcome Screen (Default Host View) and choose "Permissions". There you can assign an ESXi privilege role to a specific ESXi user.
For this reason, the vCenter AD permissions do not work either, because you are working locally on the ESXi host and not through the vSphere client.
Maybe this information will also help you to understand why no one can log in anymore:
Anyone have an update on this? I added a new AD group (not ESX Admins) as local admin on the host, and I cannot add the exception group.
Manage -> System -> Advanced settings -> Config.HostAgent.plugins.hostsvc.esxAdminsGroup ->new AD group
Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd -> True
Config.HostAgent.plugins.hostsvc.esxAdminsGroupUpdateInterval ->1 Minutes
Note that I am trying to add the AD group not the user...
As VMware says, "The exception users do not lose their permissions when the host enters the Lockdown Mode." They are used for agent servicing or service account definitions to perform operations like backup jobs. They can be local host users or AD users that are defined locally on the host. So the important point here is that you cannot add them as exception users through vCenter Server; this must be done through the ESXi host's own management tools. Also remember that they keep only their associated privileges, so no higher permissions are available to the user in a lockdown mode situation!
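For anyone who wants to do what the thread ends up recommending from PowerCLI instead of the Host Client, here is an added example (it is not from any post above and not VMware documentation). It connects straight to the ESXi host, not to vCenter, gives the AD account a local permission on the host, and only then puts it on the lockdown exception list, which is the order the replies above describe. The host name esxi01.limdynasty.local is an assumption; limdynasty\noc is the account named in the thread. It uses the vSphere API HostAccessManager methods (ChangeAccessMode, QueryLockdownExceptions, UpdateLockdownExceptions, RetrieveHostAccessControlEntries, ChangeLockdownMode), which exist on ESXi 6.0 and later.

```powershell
# Added example, not code from the thread. Assumes VMware PowerCLI is installed,
# the host is already joined to AD, and you can log in to it as root.
param(
    [string]$HostName  = 'esxi01.limdynasty.local',  # assumed host name
    [string]$Principal = 'limdynasty\noc'             # AD account from the thread
)

# 1. Connect to the ESXi host directly. Exception users and the permission
#    that backs them live in the host's own authorization store, so doing
#    this against vCenter is exactly what fails with "account does not exist".
$srv = Connect-VIServer -Server $HostName -Credential (Get-Credential -Message "root on $HostName")

$vmhost = Get-VMHost -Server $srv -Name $HostName
$ham    = Get-View -Server $srv -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager

# 2. Grant the account a permission defined locally on the host.
#    accessAdmin = built-in Administrator role; use accessReadOnly if the
#    service account only needs to read. $false = principal is a user, not a group.
$ham.ChangeAccessMode($Principal, $false, 'accessAdmin')

# 3. Add the account to the lockdown exception list. UpdateLockdownExceptions
#    replaces the whole list, so merge with whatever is already there instead
#    of wiping other service accounts.
$current = @($ham.QueryLockdownExceptions())
if ($current -notcontains $Principal) {
    $ham.UpdateLockdownExceptions(@($current + $Principal))
}

# 4. Verify BEFORE enabling lockdown. The account must appear in both the
#    host's access control entries and the exception list, otherwise you end
#    up locked out like the NOTE above describes.
$entry      = $ham.RetrieveHostAccessControlEntries() | Where-Object { $_.Principal -eq $Principal }
$exceptions = @($ham.QueryLockdownExceptions())
[pscustomobject]@{
    Host        = $HostName
    Principal   = $Principal
    AccessMode  = $entry.AccessMode
    IsException = ($exceptions -contains $Principal)
}

# 5. Only once step 4 looks right, switch to strict lockdown. This part can
#    also be done from vCenter; steps 2 and 3 cannot.
# $ham.ChangeLockdownMode('lockdownStrict')

Disconnect-VIServer -Server $srv -Confirm:$false
```

Two things worth checking if step 3 still complains that the account does not exist: run the script while the host is not yet in strict lockdown (otherwise root over the network is refused too), and make sure the principal in step 2 is spelled exactly as the host resolves it, since the exception list is matched against the host's local permissions and not against vCenter's AD permissions.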