Manage Learn to apply best practices and optimize your operations.

PowersHell - (re)setting the root account password

Explains how to reset the root account password.

I’ve been trying to port all of my post-configuration work from the older kickstart/%post method using esxcfg-...

commands to using PowerShell. The real agenda behind this is that one day they will take my COS away (that’s the Service Console to you folks!) because one day there will be only an ESXi version of ESX and nothing else. Rather than reacting to the loss of the COS in an angry way, I thought I better get working with this PowersHell thing. Why PowersHell? I’m totally convinced that it's infinitely more powerful than the RCLI or vMA appliance. You can just do so much more with it.

Anyway, last week I switched over to configuring the IP settings of my ESXi hosts with DHCP for the Management Network only (by only I mean that the vmkernel ports for VMotion/IP Storage and the HA Heartbeat are still being configured statically). So, now I never have to interact with the console of the ESXi host at all, except to set the password on the thing. You see a clean install of ESXi to a memory stick or factory reset still leaves you with a passwordless ESX host. So, I decided to look into how to set the password of the root account.

The first thing I learned was that connecting to vCenter in order to try to do a bulk password reset is not allowed by PowersHell. You have to connect directly to the ESX host, otherwise you get this error message:

Set-VMHostAccount : 8/26/2009 3:52:13 PM    Set-VMHostAccount    8E894753-1749-413B-9B4B-E9BC5DF57FF3    The requested operation can only be perfonnected directly to an ESX server.

So the correct method is to use the set-VMhostAccount cmd-let to set the initial password like so:

Connect-VIServer -username root
Set-VMHostAccount -UserAccount root -password P@ssw0rd!

Notice how in the Connect-ViServer command, I’m not using the -password parameter because a newly installed ESXi doesn’t have a password.


Also notice that my password is a complex one.

I learnt something new today. During the installation of ESX “Classic”, a password of 6 characters or more is valid. Therefore, if you set “vmware” as the root password (obviously not a very good choice) it would work. But, if you later change the password after the installation, and try something like vmware, it would fail due to a lack of complexity. It seems like there is a higher level of complexity that is enforced after the install, than is imposed during. If you set a password that is not complex enough, and you are doing the password reset via powersHell, you will get this message:

Set-VMHostAccount : 8/26/2009 7:41:42 PM    Set-VMHostAccount    52b28080-8b4f-2b1b-bbd3-400a5348a06b    A general system error occurred: passwd: Authentication token manipulation error

Anyway, all this came to light because of a comment left on this post by Rob Shaw-Fuller. Rob’s comment added a powersHell script that will go through and reset the password on all your ESX hosts (providing they have the identical root passwords to begin with). I want to reproduce here because I’m interested in single host configuration with powersHell (as if you were deploying a new ESX host) and also, I'm interested in the so-called “bulk administration” tasks that can be automated with powersHell. Here’s Rob’s script below:

# Connect to the VI Server
Write-Host "Connecting to vCenter"
Connect-VIServer "" -user administrator -password vmware
$VMHosts = Get-VMHost | Sort-Object Name
Disconnect-VIServer -Confirm:$False

ForEach ($VMHost in $VMHosts)
	$HostName = $VMHost.Name
	Connect-VIServer $HostName -User root -password P@ssw0rd
	Set-VMHostAccount -UserAccount root -password Password1
	Disconnect-VIServer -Confirm:$False


Dig Deeper on Scripting administrative tasks

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.