Managing ESXi Local User Accounts from vCenter Server Using PowerCLI


There was once a time early in my career when I would SSH to each VMware ESXi host and manually update the root account’s password. As time went by and the environment I was responsible for grew larger, so did the workload for resetting root account passwords regularly. Eventually, I researched and learned that these VMware ESXi local user accounts could be modified using VMware PowerCLI, and password updates became a much easier task. Recently, during a conversation with a fellow vSphere administrator, I learned that they had no idea that modifying VMware ESXi local accounts via VMware vCenter Server was possible. So, as a result, I decided to write this walkthrough.

Getting Started

The quickest and easiest method for managing VMware ESXi local user accounts is via VMware PowerCLI. VMware PowerCLI exposes the esxcli commands, so any esxcli command that you could run locally on the VMware ESXi host’s CLI can also be run remotely. The first step when using VMware PowerCLI is to connect to your VMware vCenter Server using the Connect-VIServer command, such as the following:

Connect-VIServer {vCenter Server FQDN}

Next, provide a username and password for the connection. Ensure that you are connecting with a user account that has Administrator privileges to the VMware vCenter Server instance, as this is required to modify the VMware ESXi local user accounts. Now that we have a VMware PowerCLI connection to our VMware vCenter Server instance, we need to create an esxcli instance for our target VMware ESXi host. Execute the following command to generate an instance of esxcli for our target host:

$esxcli = Get-EsxCli -VMHost "{ESXi Host as Listed in vCenter Server}" -V2

List All Local User Accounts

Now that we have an instance of the esxcli command object available to us, we use the following command to list the local user accounts on the VMware ESXi host:

$esxcli.system.account.list.Invoke()

The command should return an output similar to the following that lists all local accounts on the VMware ESXi host:

Screenshot showing the output of the $esxcli.system.account.list.Invoke() PowerCLI command
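
The listing above can also serve as a quick audit. The following is an added example, not code from the original post: it runs the same list command on every host and reports accounts that differ from an expected baseline. It assumes an existing Connect-VIServer session, that the account name is exposed as a UserID property on each returned object, and a constructed baseline list.

```powershell
# Added example: compare each host's local accounts with an expected baseline.
# Assumes an existing Connect-VIServer session. The baseline below is a
# constructed sample; replace it with the accounts your hosts should have.
$expected = @('root', 'dcui', 'vpxuser')

$report = foreach ($vmHost in Get-VMHost | Sort-Object Name) {
    # Skip hosts that vCenter Server cannot currently reach.
    if ("$($vmHost.ConnectionState)" -notin 'Connected', 'Maintenance') { continue }

    $esxcli = Get-EsxCli -VMHost $vmHost -V2
    # Assumption: the account name column is exposed as the UserID property.
    $found = @($esxcli.system.account.list.Invoke() | ForEach-Object { $_.UserID })

    # Accounts present on the host but not in the baseline.
    foreach ($name in $found | Where-Object { $_ -notin $expected }) {
        [pscustomobject]@{ Host = $vmHost.Name; Account = $name; Finding = 'Unexpected account' }
    }
    # Baseline accounts that the host does not have.
    foreach ($name in $expected | Where-Object { $_ -notin $found }) {
        [pscustomobject]@{ Host = $vmHost.Name; Account = $name; Finding = 'Expected account missing' }
    }
}

if ($report) { $report | Format-Table -AutoSize }
else { 'All reachable hosts match the baseline.' }
```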

Creating a New Local User Account

Creating a new ESXi local user account using VMware PowerCLI requires creating a hash table containing the arguments necessary for the esxcli.system.account.add command, providing values for the arguments, and then invoking the VMware PowerCLI command to create the account. To get started, issue the following command to create a new variable containing the hash table of esxcli.system.account.add command arguments:

$esxcliArgs = $esxcli.system.account.add.CreateArgs()

If we now execute $esxcliArgs, we are presented with the contents of the hash table as shown below:

Screenshot showing the output of the newly generated esxcli.system.account.add.CreateArgs PowerCLI hash table

As you can see, the arguments include the following:

  • id – Required field, which is the username for the user account
  • shellAccess – Optional field that indicates whether or not the account should have shell access on the host. This field is only applicable for VMware ESXi 8.0 or greater.
  • password – Optional field that specifies the password for the user account.
  • passwordconfirmation – Optional field to confirm the password for the user account.
  • description – Optional field to provide a description for the new user account.

For this example, I create a new user account with the id of myUser, a description of My New User Account, shellAccess set to false, and a password of VMware1234!. This is accomplished by setting the properties on the $esxcliArgs variable that was just created and issuing the esxcli.system.account.add.invoke command as follows:

$esxcliArgs.id = "myUser"
$esxcliArgs.description = "My New User Account"
$esxcliArgs.shellaccess = $false
$esxcliArgs.password = "VMware1234!"
$esxcliArgs.passwordconfirmation = "VMware1234!"
$esxcliArgs = $esxcli.system.account.add.Invoke($esxcliArgs)

If the command is successful, no output will be returned. To verify that the user account was created, we can issue the esxcli.system.account.list command again to list all user accounts. You should see an output similar to the following:

Screenshot showing the esxcli commands to create a new user account and list all user accounts to verify success

As you can see, our new user account is the last user account on the list.

Updating a Local User Account

Updating a VMware ESXi local user account via VMware PowerCLI is similar to creating a new account. Instead of using the esxcli.system.account.add, we use the esxcli.system.account.set command. The arguments provided to the command are identical to those used by the esxcli.system.account.add command. We begin again by creating a new hash table containing our command arguments. Execute the following command to generate the hash table:

$esxcliArgs = $esxcli.system.account.set.CreateArgs()

Next, we set the properties that we wish to update. In this example, we will provide a new password value of VMware1! for the user account created earlier:

$esxcliArgs.id = "myUser"
$esxcliArgs.password = "VMware1!"
$esxcliArgs.passwordconfirmation = "VMware1!"

We then update the account using the esxcli.system.account.set.invoke command:

$esxcli.system.account.set.Invoke($esxcliArgs)

If the command is successful, we will receive a response of true, as shown in the following screenshot:

Screenshot showing the esxcli commands to update a user account
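
The update steps above, extended to every host managed by the vCenter Server, as an added example that is not code from the original post. It assumes an existing Connect-VIServer session and uses root as an illustrative target account; the new password is prompted for rather than written into the script, so it does not end up in a saved file or in command history.

```powershell
# Added example: set the same new password for one local account on all hosts.
# Assumes an existing Connect-VIServer session; 'root' is an illustrative target.
$accountId = 'root'

# Prompt twice so the password is never stored in the script itself.
$new     = Read-Host -Prompt "New password for $accountId" -AsSecureString
$confirm = Read-Host -Prompt 'Confirm new password' -AsSecureString
$plain        = [System.Net.NetworkCredential]::new('', $new).Password
$plainConfirm = [System.Net.NetworkCredential]::new('', $confirm).Password
if ($plain -cne $plainConfirm) { throw 'Passwords do not match; nothing was changed.' }

$results = foreach ($vmHost in Get-VMHost | Sort-Object Name) {
    $status = 'Skipped'
    $detail = "Host state: $($vmHost.ConnectionState)"
    if ("$($vmHost.ConnectionState)" -in 'Connected', 'Maintenance') {
        try {
            $esxcli = Get-EsxCli -VMHost $vmHost -V2 -ErrorAction Stop
            $esxcliArgs = $esxcli.system.account.set.CreateArgs()
            $esxcliArgs.id = $accountId
            $esxcliArgs.password = $plain
            $esxcliArgs.passwordconfirmation = $plainConfirm
            $ok = $esxcli.system.account.set.Invoke($esxcliArgs)
            # The set command reports true on success, as described above.
            $status = if ("$ok" -eq 'true') { 'Updated' } else { 'Failed' }
            $detail = ''
        } catch {
            # One failing host is recorded and does not stop the rotation.
            $status = 'Failed'
            $detail = $_.Exception.Message
        } finally {
            $esxcliArgs = $null   # do not leave the password in the session
        }
    }
    [pscustomobject]@{ Host = $vmHost.Name; Status = $status; Detail = $detail }
}

$plain = $plainConfirm = $null
$results | Format-Table -AutoSize
```

Hosts reported as Skipped or Failed still have the old password and need a follow-up run.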

Deleting a Local User Account

Now that we have covered how to list all local user accounts, create a new local user account, and update an existing one, it’s time to finish up by deleting the local user account. This is accomplished by using the esxcli.system.account.remove command. Again, we will create a hash table for our esxcli command, set the values, then invoke the command. In this case, the only argument is the id of the user account.

$esxcliArgs = $esxcli.system.account.remove.CreateArgs()
$esxcliArgs.id = "myUser"
$esxcli.system.account.remove.Invoke($esxcliArgs)

If the command executes successfully, you will receive a response of true, as shown below:

Screenshot showing the esxcli commands to delete a user account

Conclusion

This blog post provides a walkthrough of only one method for managing VMware ESXi local user accounts from VMware vCenter Server. There are many ways to update these user accounts. The code examples above can easily be extended and wrapped in additional loop structures to update multiple accounts on multiple hosts. In the blog post, Managing ESXi Local User Accounts from Aria Automation Orchestrator, I walk through the code necessary for managing these accounts using VMware Aria Automation Orchestrator.
