Managing Users with vicfg-user
A user is an individual authorized to log in to an ESXi or vCenter Server system.
vSphere does not explicitly restrict users with the same authentication credentials from accessing and taking action within the vSphere environment simultaneously.
You manage users defined on the vCenter Server system and users defined on individual hosts separately.
Even if the user lists of a host and a vCenter Server system appear to have common users (for instance, a user called devuser), these users are separate users with the same name. The attributes of devuser in vCenter Server, including permissions, passwords, and so forth, are separate from the attributes of devuser on the ESXi host. If you log in to vCenter Server as devuser, you might have permission to view and delete files from a datastore. If you log in to an ESXi host as devuser, you might not have these permissions.
Users authorized to work directly on an ESXi host are added to the internal user list when ESXi is installed or can be added by a system administrator after installation. You can use vicfg-user to add users, remove users, change passwords, set group membership, and configure permissions.
Caution: See the Authentication and User Management chapter of vSphere Security for information about root users before you make any changes to the default users. Mistakes regarding root users can have serious access consequences.
Each ESXi host has several default users:
The vpxuser user is a vCenter Server entity with root rights on the ESXi host, allowing it to manage activities for that host. The system creates vpxuser when an ESXi host is attached to vCenter Server. vpxuser is not present on the ESXi host unless the host is being managed through vCenter Server.
The following example scenario illustrates some of the tasks that you can perform. Specify one of the options listed in Connection Options in place of <conn_options>.
To create, modify, and delete users
vicfg-user <conn_options> -e user -o list
The list displays all users that are predefined by the system and all users that were added later.
vicfg-user <conn_options> -e user -o add -l user27 -p 27_password
The command creates the user. By default, the command autogenerates a UID for the user.
vicfg-user <conn_options> -e user -o list
Principal -: root
Full Name -: root
UID -: 0
Shell Access -> 1
Principal -: user27
Full Name -:
UID -: 501
Shell Access -> 0
vicfg-user <conn_options> -e user -o modify -l user27 -p 27_password2
The system might return Updated user user27 successfully.
vicfg-user <conn_options> -e user -o modify -l user27 --role read-only
The system prompts whether you want to change the password, which might be advisable if the user does not currently have a password. Answer y or n. The system then updates the user.
Updated user user27 successfully.
Assigned the role read-only
vicfg-user <conn_options> -e group -o list
The system prints an extensive list of all groups and the users in each group.
vicfg-user <conn_options> -e group -o add -d test
The system adds the group, and assigns a group ID. When you now list all groups, the new group is included.
Group Information:
Principal -: test
Full Name -:
GID -: 500
Add user user27 to the new group.
vicfg-user <conn_options> -e user -o modify -l user27 -g test
The system assigns the user to the group test. When you now list all groups, the new group and the assigned user are included.
Group Information:
Principal -: test
Full Name -:
GID -: 500
Users in group test:
Principal -: user27
Full Name -:
vicfg-user <conn_options> -e user -o delete -l user27
The system removes the user and prints a message.
Removed the user user27 successfully.
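The user listing shown in the procedure above can be checked mechanically after account changes. The following is an added example, not part of the VMware documentation: it parses text in the "Principal -: / UID -: / Shell Access ->" layout and reports accounts outside an expected allowlist that have UID 0 or shell access. The function names, the allowlist, the svc_backup account and the reading of Shell Access 1 as "enabled" (taken from the root entry in the listing) are assumptions.

```python
import re

# Constructed sample in the record layout of the listing above;
# svc_backup is a hypothetical account added for illustration.
SAMPLE_LIST = """\
Principal -: root
Full Name -: root
UID -: 0
Shell Access -> 1
Principal -: user27
Full Name -:
UID -: 501
Shell Access -> 0
Principal -: svc_backup
Full Name -: backup job
UID -: 502
Shell Access -> 1
"""

# Matches "Key -: value" and "Key -> value"; the value may be empty.
FIELD = re.compile(r"^\s*(?P<key>[A-Za-z ]+?)\s*-[:>]\s*(?P<value>.*?)\s*$")

def parse_users(text):
    """Return one dict per user; each Principal line starts a new record."""
    users, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m is None:
            continue  # headings, blank lines, status messages
        key, value = m.group("key"), m.group("value")
        if key == "Principal":
            current = {"Principal": value}
            users.append(current)
        elif current is not None:
            current[key] = value
    return users

def audit(users, expected_privileged=("root",)):
    """Return (principal, reason) pairs for accounts that need review."""
    findings = []
    for u in users:
        name = u.get("Principal", "")
        if name in expected_privileged:
            continue
        if u.get("UID") == "0":
            findings.append((name, "UID 0"))
        if u.get("Shell Access") == "1":  # assumption: 1 means enabled
            findings.append((name, "shell access enabled"))
    return findings

if __name__ == "__main__":
    print(audit(parse_users(SAMPLE_LIST)))
```

Feed it the saved output of the list command in place of SAMPLE_LIST and extend expected_privileged with the accounts your site intends to be privileged.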