Root users can only perform activities on the specific ESX host that they are logged in to.

For security reasons, you might not want to use the root user in the Administrator role. In this case, you can change permissions after installation so that the root user no longer has administrative privileges or you can delete the root user’s access permissions altogether through the vSphere Client as described in the VMware vSphere Datacenter Administration Guide. If you do so, you must first create another permission at the root level that has a different user assigned to the Administrator role.

Assigning the Administrator role to a different user helps you maintain security through traceability. The vSphere Client logs all actions that the Administrator role user initiates as events, providing you with an audit trail. If all administrators log in as the root user, you cannot tell which administrator performed an action. If you create multiple permissions at the root level—each associated with a different user or user group—you can track the actions of each administrator or administrative group.

After you create an alternative Administrator user, you can assign a different role to the root user. To manage the host using vCenter server, the new user you created must have full Administrator privileges on the host.


vicfg commands do not perform an access check. Therefore, even if you limit the root user’s privileges, it does not affect what that user can do using the command-line interface commands.