My company has just turned over two vSphere 5.0 environments to operations. Despite the fact that we responsibly support 3 other ESX environments with Administrator rights, Tech Planning rolled lockdown mode into the design requirements, so we have no ability to access the CLI from the DCUI console nor ssh. The roles we have been placed in will not allow us to disable lockdown mode in an emergency, and we do not have the priviliges to start sshd or esxcli either way. On top of that, we cannot even access the DCUI at all because OSE refused to add the hosts to AD. The punchline is that the environments have been dumped on us to fully "own," with no escalation path leading to the gatekeepers who retain sole Datacenter ROOT Admin rights. Claims have been made that everything we would ever need to do can be done from within vCenter. Oh, and they also stood up a vMA server that is completely useless with every host in perpetual lockdown mode. I suppose they can use PowerCLI to disable lockdown across the environment at their leisure, but I seriously doubt that will even come up as they have added zero hosts to vMA, and have wiped their hands clean with the turnover.
My management is prepared to fight, and I would really appreciate some every day scenarios that make this situation both asinine and a liability. I am trying to avoid any split hairs over obscure circumstances. Here are my first thoughts.
1.) We cannot kill a hung World PID for the vCSA guest if it crashes badly and cannot be administered from the client to host. We would have to migrate VMs and reboot the host.
2.) We cannot restart the management agents from the DCUI to troubleshoot host connectivity issues. A dirty shutdown from the blade console of the host would be required.
3.) We cannot troubleshoot zombie VMs that show as running but are really not.
4.) We cannot perform various troubleshooting tasks in scenarios that would require at least temporary esxcli access (This is what I really need help with. I can't live without the CLI!)
I know there have to be one hundred reasons why this is a bad idea. A great deal of what I use the CLI for is to quickly format or parse data from files or esxcli built-ins with for loops, etc, but I know that is not going to help my cause. 
thanks!