Everyone forgets a password once in a while. If you forget your ESXi root password, you can find many quick fixes online, but many of these options -- such as changing the bootbank files -- seem questionable at best. Fortunately, you can use better, less risky methods to change a forgotten root password.
If the affected host connects to vCenter, you can use Host Profiles to change the root password. If you have a standalone host, you must reinstall and reconfigure ESXi during the password reset process.
Change an ESXi root password for a vCenter server
- To prepare for a password reset, begin by migrating all VMs to alternate hosts as a belt-and-braces security measure.
- Set Distributed Resource Scheduler to manual and then open the vSphere Web Client for vCenter. In Active Directory, navigate to the Host Profiles icon.
- Next, select Extract Host Profile and choose the appropriate ESXi host.
- Choose an appropriate name and then advance to the final page; click Finish. It takes a few minutes for the Web Client to create the profile.
- Edit the finished profile to change the default password. This effectively applies it back to the problematic host.
- Open the Host Profile page and select the new profile. At the top of the page, click Edit Host Profile. Once you click through the first page, you'll see a tree of settings including Advanced Configuration Settings and General System Settings.
- Expand the Security and Services item group, then expand the Security Settings item group underneath that. Finally, expand the User Configuration item group and select root. To reset the password, select the password drop-down menu and select Fixed password configuration.
- Choose a new password for the ESXi server. Enter it into the password field to confirm it and click Finish.
- This profile should apply the new password to the affected ESXi host. Next, select Attach/Detach Hosts and Clusters from the Actions drop-down menu. This action attaches and applies the profile to the affected host.
- Continue to click through this menu. Select the appropriate ESXi host and click Finish to complete.
- Finally, navigate to the Hosts & VMs page. Select Remediate for the affected host. Remediation takes a few minutes, but once it's complete, you can open the host in your vSphere Client and log in with the root name and newly reset password.
Change an ESXi root password for a standalone host
The password reset process for a standalone host is more involved than for a vCenter-connected host. You must reinstall ESXi on top of the affected host, which removes all host configuration and network details and enables you to access VMs that might otherwise be lost.
- Start by booting from the ESXi installation media. Follow the installation prompts until the installer reaches the screen that asks you to select a disk to install or upgrade. Select the appropriate disk and press Enter.
- The installer should detect an installed ESXi setup and present several options. Select Install ESXi, preserve VMFS datastore.
- The installer should then configure the ESXi installation. When the configuration finishes, the installer prompts you to reboot. You can log back into the server after the reboot, either directly or via your web interface.
- Next, configure network port groups and other components. Since the VMs remain available, you must also recreate the port groups and all associated configurations.
- After you recreate the port groups, reattach the network to the appropriate port group. At this point, reboot again.
If you use a standalone machine, consider using a second account and reserving the root account for emergencies.
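One way to act on the second-account advice above, shown as an added example that is not part of the original article: a small shell helper for the ESXi Shell (or an SSH session as root) that creates a named administrator with `esxcli` so that root stays reserved for emergencies. The account name `opsadmin`, the `ESXCLI` override variable and the naming rule in `valid_account_id` are assumptions of this example.

```shell
# Added example: create a named admin account on a standalone ESXi host.
# ESXCLI can be overridden so the logic can be exercised off-host (assumption).
ESXCLI="${ESXCLI:-esxcli}"

# Refuse built-in accounts and anything that is not a plain identifier.
# The 32-character limit is a conservative choice of this example.
valid_account_id() {
  case "$1" in
    ""|root|dcui|vpxuser) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9_-]{0,31}$'
}

# $1 = account id, $2 = password.
# Read the password from a prompt rather than typing it as a literal,
# so it does not end up in the shell history.
add_admin_account() {
  id="$1"; pw="$2"
  valid_account_id "$id" || { echo "refusing account id: $id" >&2; return 2; }
  [ -n "$pw" ] || { echo "empty password" >&2; return 2; }

  # Create the local account; ESXi applies its own password policy here.
  "$ESXCLI" system account add --id "$id" --password "$pw" \
      --password-confirmation "$pw" \
      --description "Named admin; root is break-glass" || return 1

  # Without a role the new account cannot manage the host.
  "$ESXCLI" system permission set --id "$id" --role Admin || return 1

  # Show the resulting permissions so the change can be verified.
  "$ESXCLI" system permission list
}

# Typical use on the host (opsadmin is a hypothetical name):
#   printf 'New password: '; stty -echo; read -r PW; stty echo; echo
#   add_admin_account opsadmin "$PW"; unset PW
```

Once the new account can log in, store the root password offline and use it only when the named account is unavailable.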