VMWare vSphere: Managing Password Expiration Settings

From time to time within the vSphere Client interface I come throughout the notification: Your password will expire in xx days. I made a decision to learn to handle password insurance policies in VMWare vSphere, methods to change the time when a password expiry notification seems for native and area vSphere customers and set the password settings for some customers to by no means expire. Here is what I’ve discovered.

Password & Lockout Policy on VMWare Single Sign On (SSO)

In my case, I made a decision to disable the password expiration for the native consumer [email protected] (since no person works below this native account completely, and the vSphere directors authenticate below their Active Directory area accounts).

By default, the SSO coverage is utilized for vSphere native customers, which requires a consumer password to be modified each 90 days.

You can discover the SSO password coverage settings within the following part of the vSphere Client: Administration -> Single Sign On -> Configuration.

As you possibly can see on the Password Policy tab, the next necessities are utilized to the passwords of all native vCSA customers:

  • The minimal password size is eight characters (most — 20 characters);
  • A password expires in 90 days (most lifetime);
  • The final 5 passwords will not be allowed to be reused;
  • Some password complexity restrictions.

Click Edit and alter the coverage settings. For instance, you possibly can change Maximum lifetime to 365 (it implies that it’s a must to change passwords yearly) or enter zero right here (that means that the password just isn’t expired).

vmware vsphere password and locout policies

Change Password Expiration Settings to Never Expire for Local VMWare vCSA Users

If you do not need to alter your password coverage for all vCenter customers, you possibly can change the password coverage and the expiration settings for the particular consumer. For instance, you wish to set the password for the native backup_user to by no means expire. To do it, hook up with your vCSA host utilizing the SSH shopper.

Enable the SSH entry to vCSA within the Access -> SSH login -> Enabled part of the Appliance Management (https://your_vcenter_name:5480/ui/entry).

vmware vcenre appliance - enable ssh access

You will want the dir-cli instrument, which is situated in /usr/lib/vmware-vmafd/bin/.

cd /usr/lib/vmware-vmafd/bin/

Check that the native consumer exists:

./dir-cli consumer find-by-name --account backup_user

Enter password for [email protected]:
Account: backup_user
UPN: [email protected]/

vmware tool dir-cli - change user password

You can change the password for this consumer:

./dir-cli password reset --account backup_user --password [email protected]$$ --new [email protected]$$

Or you possibly can set password to by no means expire:

./dir-cli consumer modify --account backup_user --password-never-expires

Enter password for [email protected]:
Password set to by no means expire for [backup_user]

Root Password Expiration on vCenter VCSA

When you put in the vCenter Server Appliance, the password lifetime for root consumer is about to 365 days (vCenter 6.5 or earlier) or 90 days (vSphere 6.7). So root can be topic to password expiration coverage.

You can view the password coverage settings within the vCSA Appliance Management (https://your_vcenter_name:5480/ui/entry). Go to the Administration part and test the values within the “Password expiration settings” part.

  • Password expires: Yes
  • Password validity (days): 90
  • Password expires on: Jun 13, 2020, 2:00:00 AM

vCSA Appliance Management - Password expiration settings

You can change the password expiration settings for root or set it to by no means expire (if its worth is zero).

Also you possibly can test the foundation password expiration setting out of your vCSA console:

chage -l root

vmware vcsa - get local user password expiration settings

Last password change : Mar 15, 2019
Password expires : Jun 20, 2019
Password inactive : by no means
Account expires : by no means
Minimum variety of days between password change : zero
Maximum variety of days between password change : 90
Number of days of warning earlier than password expires : 7

It is fascinating that the vCSA Appliance Management interface doesn’t immediate root to alter the password or present any password expiring warning.

However, in case you attempt to improve the vCenter Server Appliance you could come throughout the next error message:

Appliance (OS) root password is expired or goes to run out quickly. Please change the foundation password earlier than putting in an replace.

Or when making an attempt to alter the expired root password in vCSA Appliance Management, a warning might seem:

Permission Denied. Set the utmost variety of days when the password will expire. Administrator configuration up to date efficiently.

In this case, it’s a must to change the foundation password within the vCSA console with this command:


vsphere vCSA change root password

Changing Password Expiration Notification Settings on VMWare vCenter

By default an expiring password notification in a vCenter Client begins to seem 30 days earlier than it expires.

If customers authenticate in vCenter utilizing their AD accounts, the is utilized for consumer passwords. A consumer will see a notification prompting them to alter the password 30 days earlier than it expires. So in case your area coverage enforces password change as soon as in 30 days, VMWare vCenter customers consistently see an annoying warning Your password will expire.

In vCSA you possibly can configure what number of days earlier than the password expires a consumer will see this notification.

If you’re utilizing vSphere HTML5 shopper, this setting is specified within the configuration file on the vCenter Server Appliance server: /and so forth/vmware/vsphere-ui/webclient.properties.

Open the file and discover the sso.pending.password.expiration.notification.days parameter.


Change its worth to 7. It implies that the password expiry notification will seem 7 days earlier than it occurs. Then restart your vSphere shopper:

service-control --stop vsphere-ui
service-control --start vsphere-ui

If you’re utilizing the outdated Web Client (Flex), you’ll have to change the worth of the sso.pending.password.expiration.notification.days parameter within the /and so forth/vmware/vsphere-client/webclient.properties file.

After you’ve gotten edited the setting, restart the Web Client service:

service-control --stop vsphere-client
service-control --start vsphere-client

Check Also

How to Restore Deleted EFI System Partition in Windows 10?

In this text we’ll present you ways to manually restore an by chance deleted Windows …

Leave a Reply

Your email address will not be published. Required fields are marked *