VMware Cloud Community
jaelae
Enthusiast

Creating Read Only users for multiple ESXi hosts

I am currently using vCenter 6.0 Update 3 with 6.0 U3 nodes. I have Windows AD Auth on my vCenter and have the ESXi hosts all domain joined with an AD ESXi admin group defined in Config.HostAgent.

This works great for my admin access for myself and other users on my team. However, I am trying to figure out the easiest way to create RO users for monitoring tools to log on and monitor the environment without having to use the root account. I can create individual local users on each host, but that seems to be a lengthy process with a lot of hosts. Can you also define a RO user on the ESXi hosts that is an AD user, or is that not possible?

6 Replies
sandu
Enthusiast

If you have a vCenter, why do you want to create users on each ESXi host and manage them individually? The simplest method would be to create a vCenter user, assign the required permission, and give access to whoever is responsible for monitoring or any other task.

If, for some reason, you have to do this on a per-ESXi basis, you can use a host profile to add a read-only (or any other) permission for a domain account and apply it to all the hosts.

Hope it helps

Thank you,

Sandeep

0 Kudos
jleydonphreesia
Contributor

Sandeep,

For this we need to be able to authenticate directly to the ESXi host. There are events not being monitored from a vCenter level. The more in-depth data seems to only be available if we access the hosts directly. Therefore we need accounts that can sign into the host itself. On a host profile I can grant domain account access, meaning granting permission to access a host, but this does not allow me to sign into the host via the ESXi host API.

As an example in my situation, I am using LogicMonitor with the ESXi root account to pull events from the hosts to give me more accurate health information, including memory alerts and other host-specific issues.

0 Kudos
sandu
Enthusiast

Using a host profile, you can assign a permission to a domain user, which will allow him to log in locally to ESXi.

Please have a look at this VMware documentation: Configure Security Host Profile

Hope it helps!

Thank you,

Sandeep
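
Added example, not part of any post in this thread and not VMware's own code: a PowerCLI loop that assigns the built-in ReadOnly role to one AD account directly on each host, the same per-host permission discussed above, and reports rather than changes any other role the account already holds. The host names and the `EXAMPLE\svc-monitor` account are constructed placeholders, and the hosts are assumed to be domain joined as in the original question.

```powershell
# Added example, not from the thread. Requires the VMware PowerCLI module.
# Host names and the AD account below are constructed placeholders.
$esxiHosts = 'esx01.example.local', 'esx02.example.local'
$principal = 'EXAMPLE\svc-monitor'   # AD account the monitoring tool logs in with
$adminCred = Get-Credential -Message 'ESXi administrator credential'

$report = foreach ($name in $esxiHosts) {
    $conn = $null
    try {
        # Connect to the host itself: host-level permissions are separate from vCenter's.
        $conn = Connect-VIServer -Server $name -Credential $adminCred -ErrorAction Stop
        $root = Get-Folder -NoRecursion -Server $conn   # root of the host inventory

        # Look for any permission this account already holds on the root folder.
        $existing = @(Get-VIPermission -Entity $root -Server $conn |
            Where-Object { $_.Principal -eq $principal })

        if ($existing.Count -eq 0) {
            $role = Get-VIRole -Name 'ReadOnly' -Server $conn   # built-in read-only role
            New-VIPermission -Entity $root -Principal $principal -Role $role `
                -Propagate $true -Server $conn -ErrorAction Stop | Out-Null
            $status = 'ReadOnly granted'
        }
        elseif (@($existing | Where-Object { $_.Role -ne 'ReadOnly' }).Count -eq 0) {
            $status = 'Already ReadOnly'
        }
        else {
            # Do not overwrite silently: a monitoring account with more than
            # read-only access should be reviewed by an administrator.
            $status = 'REVIEW: holds role(s) ' + (($existing.Role | Sort-Object -Unique) -join ', ')
        }
    }
    catch {
        $status = 'FAILED: ' + $_.Exception.Message
    }
    finally {
        if ($conn) { Disconnect-VIServer -Server $conn -Confirm:$false }
    }
    [pscustomobject]@{ Host = $name; Principal = $principal; Status = $status }
}

$report | Format-Table -AutoSize
```

Any host that reports `REVIEW` or `FAILED` is left unchanged, so the table doubles as an audit of where the monitoring account has more than read-only access.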

jleydonphreesia
Contributor

Thanks a lot Sandeep. This would resolve the issue if I modify my existing host profiles with it. I will review this and see if it is worth implementing versus using local accounts.

0 Kudos
daphnissov
Immortal

For this we need to be able to authenticate directly to the ESXi host. There are events not being monitored from a vCenter level. The more in-depth data seems to only be available if we access the hosts directly.

I'm curious, to what data are you referring here? What are you trying to gather by connecting directly to ESXi that you cannot get through vCenter?

0 Kudos
IARG
Contributor

I know this is an old thread; however, this is helpful for us because our single vCenter server is located remotely to some hosts.

For example: you have datastore monitoring on your vCenter server. It's retrieving datastore information from a remote host. If a WAN link were to drop between your vCenter server and the remote ESXi host, then you can no longer retrieve datastore statuses. I have monitoring configured on local and remote monitoring probes; I want my datastore checks to be performed on my remote probes, which communicate directly with the hosts and not through the vCenter server.

Hopefully that makes sense.

0 Kudos