vicfg-user - manage users and groups


vicfg-user <conn_options> -e <user | group> -o <add | modify | delete | list> [options]

Note: The syntax of this command differs from other vSphere CLI commands.


An ESX/ESXi system grants access to its resources when a known user with appropriate permissions logs on to the system with a password that matches the one stored for that user. The vicfg-user command supports creating, modifying, deleting, and listing local direct access users and groups of users on an ESX/ESXi host. You cannot run this command against a vCenter Server system.

User management is discussed in detail in the ESX Configuration Guide, the ESXi Configuration Guide, and the Basic System Administration document.


--addgroup | -g <group_list>
Comma-separated list of groups to add the user to.
--adduser | -u <user_list>
Comma-separated list of users to add to a specified group.
<conn_options>
Specifies the target server and authentication information if required. Run vicfg-user --help for a list of all connection options.
--entity | -e [group | user]
Required. Entity to perform the operation on (user | group).
--help
Prints a help message for each command-specific and each connection option. Calling the script with no arguments or with --help has the same effect.
--group | -d <group_name>
Group name of the group.
--groupid | -D <group_ID>
Group ID of the group.
--login | -l <login_ID>
Login ID of the user.
--newpassword | -p <password>
Password for the target user.
--newuserid | -i <UUID>
UID for the target user.
--newusername | -n <name>
User name for the target user.
--operation | -o [add | modify | delete | list]
Required. Operation to perform. Specify add, modify, delete, or list.
--promptpassword
Prompts for a password when you make a change to a user.
--removegroup | -G <group_list>
Comma-separated list of groups to remove the target user from.
--removeuser | -U <user_list>
Comma-separated list of users to be removed from the target group.
--role | -r [admin|read-only|no-access]
Role for the target user or group. Specify admin, read-only, or no-access.
--shell | -s [yes|no]
Grant shell access to the target user. Default is no shell access. Use this option to change the default, or to revoke shell access rights after they have been granted. Valid values are yes and no.
This option is supported only for ESX. The option is meaningless for ESXi.


The following examples assume you are specifying connection options, either explicitly or, for example, by specifying the server, user name, and password. Run vicfg-user --help for a list of common options including connection options.

Add a user with login ID user27:

vicfg-user <conn_options> -e user -o add -l user27 -p 27_password

Modify password, user ID, and user name for the user with login ID user27:

vicfg-user <conn_options> -e user -o modify -l user27 -p 27_password -i <new user id> -n <new user name>

Add the user with user name user27 to a group test:

vicfg-user <conn_options> -e user -o modify -l user27 -g test

Assign the role read-only to user27 and prompt for a password.

vicfg-user <conn_options> -e user -o modify -l user27 --role read-only --promptpassword

Remove the user with user name user27:

vicfg-user <conn_options> -e user -o delete -l user27

Add group42 as a group:

vicfg-user <conn_options> -e group -o add -d group42 -D 501

Add a user "test" to group42:

vicfg-user <conn_options> -e group -o modify -d group42 -u test

Remove group group42:

vicfg-user <conn_options> -e group -o delete -d group42

List groups and users:

vicfg-user <conn_options> -e group -o list

List users in group42:

vicfg-user <conn_options> -e group -o list -d group42

Add group group42, with group ID 501 and role read-only:

vicfg-user <conn_options> --entity group --operation add --group group42 --groupid 501 --role read-only
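
Several examples above pass the new password with -p, where it can end up in shell history and process listings; --promptpassword avoids that. The following shell function is an added example, not part of the original documentation: it checks a vicfg-user argument list against the option values listed on this page before the command is run. The function name and its pass/fail policy are assumptions, and connection options are passed through unchecked.

```shell
#!/bin/sh
# Added example: pre-flight check for a vicfg-user argument list.
# check_vicfg_user_args is a hypothetical helper, not a vSphere CLI tool.
# Returns 0 if the list passes, 1 otherwise; reasons are written to stderr.
# Variables are function-global because POSIX sh has no "local".
check_vicfg_user_args() {
    entity='' op='' rc=0
    while [ $# -gt 0 ]; do
        case $1 in
            -p|--newpassword)
                # A password given here is visible on the command line.
                echo "password on command line; use --promptpassword" >&2
                rc=1
                [ $# -gt 1 ] && shift ;;
            -e|--entity)
                entity=${2-}
                [ $# -gt 1 ] && shift ;;
            -o|--operation)
                op=${2-}
                [ $# -gt 1 ] && shift ;;
            -r|--role)
                case ${2-} in
                    admin|read-only|no-access) ;;
                    *) echo "invalid role: ${2-}" >&2; rc=1 ;;
                esac
                [ $# -gt 1 ] && shift ;;
            -s|--shell)
                case ${2-} in
                    yes|no) ;;
                    *) echo "invalid --shell value: ${2-}" >&2; rc=1 ;;
                esac
                [ $# -gt 1 ] && shift ;;
        esac
        shift
    done
    # --entity and --operation are both marked Required in the option list.
    case $entity in
        user|group) ;;
        *) echo "missing or invalid --entity" >&2; rc=1 ;;
    esac
    case $op in
        add|modify|delete|list) ;;
        *) echo "missing or invalid --operation" >&2; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the read-only role example from this page passes.
check_vicfg_user_args -e user -o modify -l user27 --role read-only \
    --promptpassword && echo "argument list accepted"
```

Call the function with the same arguments you intend to give vicfg-user, minus the connection options, and run the real command only when it returns 0.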