Three ways exist to reset a VMware ESXi root password. However, VMware does not support all methods presented here. I will mention in the article which methods are officially supported.

Admins often use VMware ESXi hypervisor within an enterprise environment. I have come across a few environments that replaced the IT staff and left the new admin without a password to unlock access to ESXi.

There are cases where the administrator can still access the VMware virtualized architecture through vCenter server but does not have access to the individual hosts visible through the vCenter server console. In such cases, the admin can still manage all the hosts and all the network and storage configuration of those hosts, including virtual machines (VMs) running on those hosts. However, the admin may not have shell access (via SSH) and may not have access to the local root account of each individual ESXi host. This root account is also necessary when configuring backup or monitoring solutions within the VMware environment. So this password is something every admin has to have.

Note that there's only support for Active Directory via LDAP. VMware does not support generic LDAP systems such as OpenLDAP.

Via VMware Host Profiles

First of all, VMware Host Profiles requires an Enterprise Plus license. Think of a host profile as a blueprint that you can apply to a host to change its configuration. You can deselect parts of the host profile so that only certain sections or certain configuration parameters are applied. In our case we'll apply just the new root password.

The process starts with extracting a host profile from a host. This way you'll have all the configuration of a host in one file.

Connect to your vSphere installation via the vSphere web client. On the home page, click Host profiles, and then click the plus sign (+) to extract a profile from a host.

Extract a VMware host profile

Follow the steps in the assistant. On the second page, it will ask you to enter some meaningful name. Please do that and then click Finish to save and close the assistant. The process takes about one minute to extract and create a host profile.

Select the newly created host profile on the left then click on the Configure tab and the Edit Host Profile button.

Edit a VMware host profile

A new assistant window appears. Click Next to get to the second page of the assistant. Then type "root" in the search box to populate the settings for the root password only.

VMware host profiles enter the new root password

Click Finish to save and close the assistant.

However, if we leave the host profile like this now, we can only use it on a single host—the host we extracted the host profile from.

Let's go back and click the Edit host profile option once again, and then deselect all the other branches except Security > User Configuration > root.

ESXi root password set via a host profile

Click Finish to save and close the assistant.

Now we can apply the profile to our hosts, as the only value that will be set is the root password.

Select the host profile, and then select the Actions > Attach/Detach Hosts and Clusters menu options.

Next, we need to check compliance.

Check host profile compliance

We'll also quickly mention other vSphere components, such as the VMware vCenter Server Appliance (VCSA) and VMware Single Sign-On (SSO) reset possibilities.

Once done, we can Remediate our host(s).

Remediate the host

That's it; we have reset the host(s) with a new root password.

Joining the host to Active Directory

VMware also supports this method. I assume that you still have access to the vCenter server that manages this host, but perhaps you lost local root access to the host, so you're unable to connect via SSH.

Step 1: Connect to your domain controller server and create a global security group called "ESX Admins." Type this exactly as is.

Add the domain administrator to this group and any other account that will be able to connect to each individual ESXi host.

Step 2: Connect to the vCenter server via the vSphere web client and select your ESXi host, then click Configure > System > Authentication Services > Join Domain.

Join the ESXi host to Microsoft Active Directory

Once done, you should see the Directory Service Type field changed.

The ESXi host is now part of Active Directory

Now you should be able to log in to your ESXi host as a domain admin and change the local root password.

You can log in either as "domain\administrator" or in the "administrator@domain" style.

Change the root password via the vSphere client

Mount the host file system from a second OS

In some environments with unmanaged ESXi hypervisors, there's no vCenter server for central management available. If an admin did not previously join these ESXi systems to Active Directory, only the local root account remains for authentication. There is no other way to connect to these hosts other than via the root account. And if this root password is lost, then you're pretty much left in the dark.

In these cases, the method explained below can be helpful. Note VMware does not officially support this procedure. Also note that you have to reboot the ESXi host, so be prepared for certain downtime for your VMs.

Basically you have to boot the host from a Linux CD and then mount the file systems and replace certain files. Depending on the installation, you first should check the partition scheme with GParted after you boot Linux.

Then you'll need to find the state.tgz file and copy it to a temp directory (for instance /tmp). Untar state.tgz, which will create a file called local.tgz; untar that as well to get the etc directory.

Go to the "etc" directory and edit the file called shadow using the vi text editor. You'll need to clear the current root password hash. After that, repack the archives and copy the updated state.tgz file back to /mnt (where you mounted the VMware ESXi root). Unmount /mnt and reboot the ESXi host. You should be able to log in without a root password the first time, and then you can set a new password.
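As an added example (not from the original article), the POSIX shell check below walks the same state.tgz -> local.tgz -> etc/shadow nesting described above and reports whether the root entry still carries an empty password field, so an admin can confirm that a host's state bundle was given a new password after this procedure. The state.tgz bundles it inspects are constructed inline and contain only a shadow file; a real ESXi bundle holds far more.

```shell
#!/bin/sh
# Added example, not from the article: report the state of root's password
# inside an ESXi state.tgz (state.tgz -> local.tgz -> etc/shadow).
set -eu

# Print "empty", "locked" or "set" for root's password field in the shadow
# file carried by the given state.tgz.
root_password_state() {
    state_tgz=$1
    work=$(mktemp -d)
    tar -xzf "$state_tgz" -C "$work" local.tgz
    tar -xzf "$work/local.tgz" -C "$work" etc/shadow
    # Field 2 of the root line is the password hash.
    hash=$(awk -F: '$1 == "root" { print $2 }' "$work/etc/shadow")
    rm -rf "$work"
    case "$hash" in
        "")        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo set ;;
    esac
}

# Build a constructed state.tgz whose shadow file has the given root
# password field, so the check can be exercised offline.
make_sample_state() {
    root_field=$1
    out=$2
    build=$(mktemp -d)
    mkdir -p "$build/etc"
    printf 'root:%s:18000:0:99999:7:::\n' "$root_field" > "$build/etc/shadow"
    (cd "$build" && tar -czf local.tgz etc && tar -czf "$out" local.tgz)
    rm -rf "$build"
}

SAMPLE_DIR=$(mktemp -d)
# Bundle as left by the procedure above (hash cleared) versus one
# after a new password was set (constructed placeholder hash).
make_sample_state ''                        "$SAMPLE_DIR/cleared.tgz"
make_sample_state '$6$saltsalt$EXAMPLEHASH' "$SAMPLE_DIR/reset.tgz"
echo "cleared: $(root_password_state "$SAMPLE_DIR/cleared.tgz")"
echo "reset:   $(root_password_state "$SAMPLE_DIR/reset.tgz")"
```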

Wrap-up

VMware supports the first two methods but not the third. VMware clearly does not want us to go and modify files on ESXi installations. VMware says that the only supported way to reset an ESXi password is by reinstalling the host. This way you can preserve the local datastore with some VMs running there if you wish. However, you'll lose every other configuration setting, such as networking, storage, and so on.


After a quick reinstallation and configuration, you'll regain access to such a host, and you can add this host to Active Directory just in case you lose the root password in the future.

  1. Sam 4 years ago

    Hi Vladan,

    Worth noting that Lockdown mode must be disabled on the ESXi host prior to using Host Profile method.



  2. MeyeAarD 4 years ago

    Thank you Vladan, I used this method to recover access to some hosts I acquired. I did have to find another workaround for some others though where I was not able to place the hosts into maintenance mode to apply the host profile.

    My solution was to build a custom VIB file that I could install on the host via PowerCLI that ran passwd from the host's shell when installed. Since this seems to be a different solution than I've seen in my searches, I've provided the package to the public here if anyone is interested:

    Sam’s comment about lockdown mode is interesting, I haven’t attempted it, but I would expect this VIB method to work for hosts in lockdown as well and requires no interruption at all to the host or running VMs.


    • Sven 3 years ago

      Hi Aaron!

      Just to shout out a big "THANK YOU!"
      You saved me from re-installing a few hosts where the original password got lost.


  3. Mayra 3 years ago

    Thus, it’s to become a stable and useful action one that can simply offer positive results.

  4. Joel H 2 years ago

    I tried the AD method but when I attempted to login as an AD user it said permissions denied. It's hitting the AD but something not right. "Permission to perform this operation was denied." Suggestions welcomed. Thanks.

  5. Damien Vergnaud 2 years ago

    Hello sir, thank you for this walkthrough, very nice.
    I lost the root password of the vSphere vCenter Server appliance (Photon VM) and it drove me crazy, so I proceeded this way.

    1. Boot in rescue mode with a live CD
    2. Mount the system directory in /mnt/tmp
    3. Chroot to the new directory
    4. Proceed to passwd
    5. Replace the password ( this is directly the root one )
    6. Reboot

    Easy and straight forward 😉


  6. james 2 years ago

    Thank you very much. Temporarily creating the ESX Admins global security group at the top level in AD was all that was needed after joining the ESX host to the domain. This is the only place I saw this documented.

  7. Troy Tempest 2 years ago

    The AD join method worked perfectly, thank you very much for providing this information. Saved us a ton of work rebuilding an ESX host!

    Note to others – it may take a little while for AD to replicate the group, membership and computer account information around all DCs if you have several DCs, so just be patient – it took about 20 minutes for the replication to complete for me (4 DCs).

© 4sysops 2006 - 2022