I had this question recently through an e-mail and was sure that I already wrote about it. After some research, I figured out that a blog post would clear my doubts. VMware says that it's not possible to reset the ESXi password on ESXi 6.x (and 5.x) systems. However, under certain circumstances, it is possible to change (reset) the root password.
There are two conditions for resetting the ESXi 6.x root password:
1. The ESXi host is visible and accessible through vCenter.
2. VMware vSphere Host Profiles – The organization uses vSphere Enterprise Plus licensing.
There is a VMware KB article on root password recovery, and it clearly states that resetting passwords is not supported on ESXi 6.x, or on ESXi in general, because there is no longer a Linux console where you could use single-user mode for the job:
Reinstalling the ESXi host is the only supported way to reset a password on ESXi. Any other method may lead to a host failure or an unsupported configuration due to the complex nature of the ESXi architecture. ESXi does not have a service console and as such traditional Linux methods of resetting a password, such as single-user mode do not apply.
But using host profiles to change the root password on an ESXi host is supported, and if you have the appropriate licensing you should be able to change the root password.
So how do you reset the ESXi 6.x root password?
1. Create a Host profile from your host – first, go and click the Host profiles icon.
Click the Plus sign and select the radio button Extract profile from a host.
2. Then select the host from which you want to extract the profile. It's the host from which you'll copy all the values.
3. The next step in the assistant invites you to name the host profile. You can also add a comment to explain what the profile does. Quite handy.
4. The recap screen. Click Finish to close the assistant.
5. Select the profile and click Actions > Edit settings.
6. This starts the assistant again. Click next. You'll be at the screen below. Deselect all parts of the host profile except the Security configuration. There, you have the option from the drop down menu (2) to select Configure a fixed administrator password. Enter the new password and click next and finish the wizard.
7. While selecting the host profile, click on Actions > Attach/Detach hosts and clusters. This allows you to specify the host to which you want to attach this host profile.
This is showing the next screen…
8. Once attached, we need to check the host profile compliance.
9. As you can see, our host is not compliant because the root password is not the same as we entered into the host profile.
10. Put your host into maintenance mode, then right-click it and choose All vCenter actions > Host profiles > Remediate.
11. That's it. You can exit maintenance mode and log in to your host.
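Steps 7 to 11 can also be run from VMware PowerCLI. The script below is an added example, not part of the original post; it assumes an existing Connect-VIServer session to vCenter and a profile already edited as in step 6, and the host and profile names are hypothetical.

```powershell
# Added example (PowerCLI). Assumes Connect-VIServer was already run against
# vCenter and the profile's fixed administrator password was set in step 6.
$hostName    = 'esxi01.example.local'   # hypothetical host name
$profileName = 'root-password-reset'    # hypothetical profile name

$vmhost      = Get-VMHost -Name $hostName -ErrorAction Stop
$hostProfile = Get-VMHostProfile -Name $profileName -ErrorAction Stop

# Step 7: attach the profile to the host without applying it yet.
Invoke-VMHostProfile -Entity $vmhost -Profile $hostProfile -AssociateOnly -Confirm:$false | Out-Null

# Steps 8-9: compliance check. No result means the host already matches the
# profile, so there is nothing to remediate.
$drift = Test-VMHostProfileCompliance -VMHost $vmhost
if (-not $drift) {
    Write-Warning "$hostName is already compliant with '$profileName'; nothing to remediate."
    return
}
$drift.IncomplianceElementList | Format-List

# Step 10: maintenance mode, then remediate. Running VMs must be migrated or
# powered off first, otherwise entering maintenance mode will not complete.
Set-VMHost -VMHost $vmhost -State Maintenance -Confirm:$false | Out-Null
try {
    Invoke-VMHostProfile -Entity $vmhost -Profile $hostProfile -Confirm:$false | Out-Null
}
finally {
    # Step 11: leave maintenance mode even if remediation failed.
    Set-VMHost -VMHost $vmhost -State Connected -Confirm:$false | Out-Null
}

# Re-check: an empty result confirms the host now matches the profile.
if (Test-VMHostProfileCompliance -VMHost $vmhost) {
    Write-Warning "$hostName is still non-compliant; review the remediation task in vCenter."
} else {
    Write-Output "$hostName is compliant with '$profileName'."
}
```

Once the new password works, detach or delete the profile so the fixed administrator password does not stay stored in vCenter.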
Josue Maldonado says
Great article! Thanks for sharing.
Bloody genius. Thanks for sharing.
Mark Ragnar says
I was not able to use this method, as we did not have enterprise licensing. However, as I had vCenter access and the environment had an Active Directory domain, I was able to use the vSphere Client via vCenter to configure AD authentication, then to log in to the ESXi host, create an ESX Admins AD group, add Administrator to it, and then log in to the host as the AD administrator and change the root password. Hope this helps someone else without Enterprise licensing.
Vladan SEGET says
Yeah, good point. The “ESX Admins” does the trick too…
The host will periodically check the domain controller for the group and will assign the role when the group exists. http://www.vladan.fr/ad-integration-for-esxi-4-1/
Another option would possibly also be to get a 60-day trial of vSphere, where the key should unlock the Enterprise licensing.
Thanks for the experience Mark!
Jeff Sullivan says
This AD one helped me, thanks!!!
Thanks for the article. We had the enterprise licensing in our environment, so I followed the article and was able to reset the password. Thanks again.
The other docs indicate that reinstalling is the ‘right’ way to go.
Will this preserve the datastore?
I do actually have to schedule an outage to do a firmware and ESXi update in any case.
If I can do the password reset at that time, I may save myself some headaches.
Vladan SEGET says
When doing a clean install, you have the option to preserve the datastores…
Herwono W Wijaya says
I make another solution
pey c says
1. We currently have a production ESXi server with the root password changed/lost and cannot recover the password.
2. We are setting up a test environment using ESXi 5.1 and vCenter, both hosted on the same physical machine.
3. After following the steps to reset the password above, we are seeing a COMPLIANT host. Does this mean we cannot proceed with changing the lost password?
4. Perhaps we can give it a try on the production server to see if we can change the password.
Any clues or advice?
Vladan SEGET says
If the host is marked as compliant, then the password is the same in the host profile AND on the host. Try changing the password in the host profile and check the compliance again. The host should be seen as non-compliant…
Is there any way to make this work without going into Maintenance mode? I have only one host, and this is where vCenter runs.
Why would you only have 1 host and run vCenter???
How about if I have an existing profile attached to the host? Will the current settings stay on the host?
Hi, thanks for this helpful tutorial.
My vCenter is running on the host whose password I forgot.
Is there any way to reset it without maintenance mode?
Hi, thanks for this great article. I just want to add, if using the vCenter 6.x web client, there is no need to set the host in maintenance mode, just choose remediate.
Wow, thank you man, you saved my life 🙂
Btw, after exiting from the maintenance mode I still couldn't log in. I realized the username was locked for 120 sec due to multiple incorrect logins, so I disabled the SSH service, waited for 2 minutes and bang, I could log in using the password chosen at the profile edit step.
This might help others as well.
Brilliant article Vladan.
Worth noting that lockdown mode needs to be disabled on the ESXi host prior to doing this.
Shakeel Ahmed says
Dear Vladan SEGET,
Your post on resetting the password of ESXi hosts (vSphere 6.0) through the “Host Profiles” method helped me a lot.
Thanks and have a great time!
Andreas Flach says
You have to reboot after applying the profile. At least for vSphere 6.0.x 😉