You can specify service accounts that can access the ESXi host directly by adding them to the Exception Users list. You can specify a single user who can access the ESXi host in case of catastrophic vCenter Server failure.

What different accounts can do by default when lockdown mode is enabled, and how you can change the default behavior, depends on the version of the vSphere environment.

In versions of vSphere earlier than vSphere 5.1, only the root user can log into the Direct Console User Interface on an ESXi host that is in lockdown mode.

In vSphere 5.1 and later, you can add a user to the DCUI.Access advanced system setting for each host. The option is meant for catastrophic failure of vCenter Server, and the password for the user with this access is usually locked into a safe. A user in the DCUI.Access list does not need to have full administrative privileges on the host.

In vSphere 6.0 and later, the DCUI.Access advanced system setting is still supported. In addition, vSphere 6.0 and later supports an Exception User list, which is for service accounts that have to log in to the host directly. Accounts with administrator privileges that are on the Exception Users list can log in to the ESXi Shell. In addition, those user can log in to a host's DCUI in normal lockdown mode and can exit lockdown mode.

You specify Exception Users from the vSphere Web Client.


Exception users are host local users or Active Directory users with privileges defined locally for the ESXihost. Users that are members of an Active Directory group lose their permissions when the host is in lockdown mode.