
ESXi AD Integration: Something to watch out for

  • July 30, 2024
  • 13 comments
  • 452 views

dips
  • On the path to Greatness

Hey Folks, 

An interesting configuration issue that recently popped up affecting:

  • VMware vSphere ESXi 7.0
  • VMware vSphere ESXi 8.0

If you have an AD Group called “ESX Admins” in your AD Environment, it is automatically given the VM Admin role when ESXi is joined to the AD domain. 

To mitigate:

  • Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd from true to false
  • Config.HostAgent.plugins.vimsvc.authValidateInterval from 1440 to 90
  • Config.HostAgent.plugins.hostsvc.esxAdminsGroup from "ESX Admins" to "" 

Resource: https://knowledge.broadcom.com/external/article/369707/

Be safe out there!

13 comments

coolsport00
  • Veeam Legend
  • July 30, 2024

Yeah... Saw that yesterday. Thanks for sharing this Dipen.

Out of all my years of using vSphere, I never understood having the Hosts bound to AD 🤷🏼‍♂️


dips
  • Author
  • On the path to Greatness
  • July 30, 2024

Same, never saw the need for it, especially when they were managed by vCenter.

Mitigations are easy to apply anyway without downtime which is one saving grace I suppose.


Chris.Childerhose

Our VMware team patched this yesterday and never saw it like I usually do before them. 😂


dips
  • Author
  • On the path to Greatness
  • July 30, 2024

They beat you to it @Chris.Childerhose ;) 


Chris.Childerhose

> They beat you to it @Chris.Childerhose ;)

Yes they did.  😜


Hey, thanks for the headsup! I just double-checked and our ESX hosts are not connected to AD. So I’m not affected, right? Our vCenter is connected to AD, but this is specifically only for the ESX hosts, correct?

Thank you!


dips
  • Author
  • On the path to Greatness
  • July 30, 2024

> Hey, thanks for the headsup! I just double-checked and our ESX hosts are not connected to AD. So I’m not affected, right? Our vCenter is connected to AD, but this is specifically only for the ESX hosts, correct?
>
> Thank you!

Yes, that is correct. However, it is worth applying the mitigations if you are on any version prior to ESXi 8.0 U3.


> Hey, thanks for the headsup! I just double-checked and our ESX hosts are not connected to AD. So I’m not affected, right? Our vCenter is connected to AD, but this is specifically only for the ESX hosts, correct?
>
> Thank you!
>
> Yes, that is correct. However, it is worth applying the mitigations if you are on any version prior to ESXi 8.0 U3.

Yeah, actually you’re absolutely right. I just applied the fix to all our ESX hosts. Thanks and have a nice day everybody!


dips
  • Author
  • On the path to Greatness
  • July 30, 2024

> Hey, thanks for the headsup! I just double-checked and our ESX hosts are not connected to AD. So I’m not affected, right? Our vCenter is connected to AD, but this is specifically only for the ESX hosts, correct?
>
> Thank you!
>
> Yes, that is correct. However, it is worth applying the mitigations if you are on any version prior to ESXi 8.0 U3.
>
> Yeah, actually you’re absolutely right. I just applied the fix to all our ESX hosts. Thanks and have a nice day everybody!

Welcome, glad we could help :) and welcome to the Community Forums!


Dynamic
  • Veeam Vanguard
  • July 30, 2024

Thanks for this information @dips. We also would never join an ESXi to the AD. But this behaviour is difficult to understand; how could such a thing be intentional? I am also sending your post to my colleagues so they are aware of it.


dips
  • Author
  • On the path to Greatness
  • July 31, 2024

> Thanks for this information @dips. We also would never join an ESXi to the AD. But this behaviour is difficult to understand; how could such a thing be intentional? I am also sending your post to my colleagues so they are aware of it.

Welcome, glad it was of help.

I have been thinking about why an ESXi host would end up in AD, and I think it may be at smaller places where they run just one host or prefer to log in to the host via AD authentication. Just a thought.


DavideAbrigo
  • Experienced User
  • July 31, 2024

Quick PowerCLI to change the settings on all hosts in a cluster:

Get-Cluster 'ClusterName' | Get-VMHost | Get-AdvancedSetting -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd' | Set-AdvancedSetting -Value 'false' -Confirm:$false
Get-Cluster 'ClusterName' | Get-VMHost | Get-AdvancedSetting -Name 'Config.HostAgent.plugins.vimsvc.authValidateInterval' | Set-AdvancedSetting -Value 90 -Confirm:$false
Get-Cluster 'ClusterName' | Get-VMHost | Get-AdvancedSetting -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup' | Set-AdvancedSetting -Value "" -Confirm:$false

 

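Building on the mitigation list in the original post and the PowerCLI one-liners above, here is an added audit script (example code, not from the thread or from Broadcom) that reports which hosts still carry the default values for the three settings before anything is changed, and can apply the recommended values with a dry run first. It assumes an existing PowerCLI session (Connect-VIServer) with rights to read and set host advanced settings; the setting names and target values come from the thread, while the function name, the "compliant" rules (for example treating any interval of 90 minutes or less as acceptable) and the output shape are this example's own assumptions.

```powershell
# Added example, not code from the thread. Audits ESXi hosts for the three
# advanced settings the original post lists and reports any host that still
# carries the defaults; -Remediate applies the recommended values.
# Assumes an existing PowerCLI session (Connect-VIServer). Setting names are
# from the thread; the compliance rules are this example's interpretation.

$script:EsxAdminsMitigation = @(
    @{ Name    = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'
       Desired = 'false'
       Test    = { param($v) "$v" -eq 'false' } },
    @{ Name    = 'Config.HostAgent.plugins.vimsvc.authValidateInterval'
       Desired = 90
       Test    = { param($v) [int]$v -le 90 } },   # assumption: 90 or shorter satisfies the intent
    @{ Name    = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
       Desired = ''
       Test    = { param($v) [string]::IsNullOrEmpty("$v") } }
)

function Test-EsxAdminsMitigation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Hosts to audit; defaults to every host in the connected vCenter
        [Parameter(ValueFromPipeline = $true)]
        [object[]]$VMHost = (Get-VMHost),
        # Apply the recommended value wherever a host is non-compliant
        [switch]$Remediate
    )
    process {
        foreach ($h in $VMHost) {
            # Record whether the host is domain-joined at all: unjoined hosts are
            # not exposed, but the thread still recommends applying the settings.
            $authInfo = Get-VMHostAuthentication -VMHost $h -ErrorAction SilentlyContinue

            foreach ($rule in $script:EsxAdminsMitigation) {
                $setting = Get-AdvancedSetting -Entity $h -Name $rule.Name
                $ok = & $rule.Test $setting.Value

                # Only touch hosts that drift, and honour -WhatIf / -Confirm
                if (-not $ok -and $Remediate -and
                    $PSCmdlet.ShouldProcess("$($h.Name): $($rule.Name)", "Set to '$($rule.Desired)'")) {
                    $setting = Set-AdvancedSetting -AdvancedSetting $setting -Value $rule.Desired -Confirm:$false
                    $ok = & $rule.Test $setting.Value   # re-check after the write
                }

                [pscustomobject]@{
                    VMHost    = $h.Name
                    Domain    = $authInfo.Domain
                    Setting   = $rule.Name
                    Current   = $setting.Value
                    Desired   = $rule.Desired
                    Compliant = $ok
                }
            }
        }
    }
}

# Usage: report drift for one cluster, then do a dry run before remediating.
# Get-Cluster 'ClusterName' | Get-VMHost | Test-EsxAdminsMitigation |
#     Where-Object { -not $_.Compliant } | Format-Table -AutoSize
# Get-Cluster 'ClusterName' | Get-VMHost | Test-EsxAdminsMitigation -Remediate -WhatIf
```

Running the audit without -Remediate first gives you an inventory of which hosts are domain-joined and still exposed, which is the useful record to keep alongside the change; the -WhatIf pass then shows exactly which settings would be written before anything is modified.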

Chris.Childerhose

> Quick PowerCLI to change the settings on all hosts in a cluster:
>
> Get-Cluster 'ClusterName' | Get-VMHost | Get-AdvancedSetting -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd' | Set-AdvancedSetting -Value 'false' -Confirm:$false
> Get-Cluster 'ClusterName' | Get-VMHost | Get-AdvancedSetting -Name 'Config.HostAgent.plugins.vimsvc.authValidateInterval' | Set-AdvancedSetting -Value 90 -Confirm:$false
> Get-Cluster 'ClusterName' | Get-VMHost | Get-AdvancedSetting -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup' | Set-AdvancedSetting -Value "" -Confirm:$false


Thanks for sharing that one.  Love using PowerShell for automating things.  😎