jmsloane
Contributor
Contributor

Attempt # 3, Config.HostAgent.plugins.hostsvc.esxAdminsGroup resets to ESXadmins, how to stop?

It is great getting 75 people to view the thread but no one is offering any advice, surely this is not just a one time thing.

We are trying to configure our host profile to remove the esxadmin from config.hostagent.plugins.hostsvc.esxadminsgroup. We can do it to each host using a script command to change the group to something other than the ESXadmins but how can I do that using a host profile? If we have to reboot anything it defaults back to esxadmins, we need this to stop. I know a script changing it back or setting it after the reboot is an option but we need it to NOT be reset. Any thoughts?

Tags (1)
0 Kudos
5 Replies
daphnissov
Immortal
Immortal

This setting is only applicable if both of these two things are true in your environment:

  1. Your ESXi hosts are joined to Active Directory
  2. You have a preexisting AD group called ESXAdmins with membership

Are both of those things true for you?

0 Kudos
jmsloane
Contributor
Contributor

Daph,

We do not have them connected to AD, I realise that it shouldnt be a big deal but we have a stig requirement that wants it set t o something else. We have changed the names but it will still the group will come back on a reboot.

0 Kudos
daphnissov
Immortal
Immortal

If they aren't connected to AD then the STIG requirement is nullified as it has absolutely no effect. It doesn't become auditable until those conditions are true.

https://www.stigviewer.com/stig/vmware_vsphere_esxi_6.0/2016-06-07/finding/V-63247

0 Kudos
jmsloane
Contributor
Contributor

I found that too, however i am just worried that since it still technically shows ESXadmins, during an inspection we may be dinged. I am just looking for the setting to change in the host profile without going to each and every host.

0 Kudos
daphnissov
Immortal
Immortal

You shouldn't get dinged on that because part of that same report is basically isAdJoined and if it's false then that invalidates other advanced settings. Also, this is one of those advanced settings that isn't exposed by host profiles. Not all are, this is one. Again, it's not at all relevant if you're not joined.

0 Kudos