VMware Cloud Community
vtyurin
Contributor
Contributor
‎02-17-2019 10:29 PM

Disable administrator@vsphere.local. Is it permit operation?

Hello! Our security team want to disable bultin user "administrator@vsphere.local". Is that operation safe to disable the account?

I can't find any link on docs.vmware.com for approve our security team do not disable administrator@vsphere.local

WBR, Valery

0 Kudos
2 Replies
ThompsG
Virtuoso
Virtuoso
‎02-18-2019 12:53 AM

Hi there,

Just like in AD, you can disable the Administrator account. This is permissible however please make sure you have another account that has been elevated to the SSO Administrators group before you do.

In regards to being safe. Again as long as you have elevated people to the vCenter SSO administrators group then it is safe. If the account is required then you can enable it again HOWEVER if you don't have anybody else that is a part of the SSO administrators group then...

Not something I'd like to contemplate at this point. With AD there is a way to enable this account but does require logging in the a "local administrator" and then scheduling a task. Not sure if there is a similar way to gain access to SSO so be warned.

Kind regards.

0 Kudos
ThompsG
Virtuoso
Virtuoso
‎02-18-2019 12:56 AM

Oh and to be clear - I'm not advocating that you do disable the account. I would probably rather have the security boffins set a massively long password that they maintain (or people they trust) on this account and audit its use. Day to day admins should be using their own named accounts.

Kind regards.

0 Kudos