TL;DR If you would like to create an ESXi local account using vRO, download this package (in.co.cloudblogger.crudEsxiLocalUser.package) to get started.
- Introduction
- Classes & Methods
- Script for creating a local admin account in ESXi
- Demo Video
- vRO Package for CRUD operation
Introduction
Many organizations use vRO for host provisioning. Various hardware vendors provide vRO Scripting APIs via plugins or REST APIs to manage and provision bare-metal servers. After provisioning, you may want to access your ESXi host from an account other than root for reasons such as security restrictions or limited access. In that case, the best way is to create a fresh account using vRO with the access mode (or, let's call it, role) that suits your needs. In this post, we will see how to create an ESXi local user account using the vRO Scripting API.
Classes & Methods
As shown below, we have used the following classes and methods to retrieve existing accounts, to create, update and delete accounts, and to change the access mode or role of those accounts.

Script
If you just want the script, the link to it is here.
/**
 *
 * @version 0.0.0
 *
 * @param {VC:HostSystem} host
 * @param {string} localUserName
 * @param {SecureString} localUserPassword
 * @param {string} accessMode
 * @param {string} localUserDescription
 *
 * @outputType void
 *
 */
function createEsxiLocalUser(host, localUserName, localUserPassword, accessMode, localUserDescription) {
    // Validate the mandatory inputs before touching the host
    if (!host) throw "host parameter not set";
    if (!localUserName || !localUserPassword) throw "Either username or password parameter not set";
    // Fall back to a default description when none is supplied
    if (!localUserDescription) localUserDescription = "***Account created using vRO***";
    // Reject descriptions that contain the password (exact, case-sensitive match)
    if (localUserDescription.indexOf(localUserPassword) != -1) throw 'Weak Credentials! Avoid putting password string in description';

    // Retrieve all system and custom user accounts (the result is not used further in this function)
    var arrExistingLocalusers = host.configManager.hostAccessManager.retrieveHostAccessControlEntries();

    // Create the local account on the host
    var accountSpecs = new VcHostAccountSpec(localUserName, localUserPassword, localUserDescription);
    host.configManager.accountManager.createUser(accountSpecs);

    // Assign the access mode (role); the second argument (false) marks the principal as a user, not a group
    switch (accessMode) {
        case 'Admin': // Full access rights
            host.configManager.hostAccessManager.changeAccessMode(localUserName, false, VcHostAccessMode.accessAdmin);
            break;
        case 'ReadOnly': // See details of objects, but not make changes
            host.configManager.hostAccessManager.changeAccessMode(localUserName, false, VcHostAccessMode.accessReadOnly);
            break;
        case 'NoAccess': // Used for restricting granted access
            host.configManager.hostAccessManager.changeAccessMode(localUserName, false, VcHostAccessMode.accessNoAccess);
            break;
        default: // No access assigned. Note: Role assigned is accessNone
            host.configManager.hostAccessManager.changeAccessMode(localUserName, false, VcHostAccessMode.accessNone);
    }
    System.warn(" >>> Local user " + localUserName + " created with accessMode " + accessMode + " on host " + host.name);
}
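The script above retrieves the host's access control entries without using them, and its switch maps any unrecognised accessMode string to accessNone. The following pre-flight check is an added example, not part of the original package: it validates the same inputs before createUser is called. The names validateLocalUserRequest, KNOWN_ACCESS_MODES and sampleEntries are hypothetical, and each entry is assumed to expose `principal` and `group` as the vSphere HostAccessControlEntry type does.

```javascript
// Added example: pre-flight validation for the inputs of createEsxiLocalUser.
// Pure JavaScript with no vRO plugin calls, so it runs in vRO or in Node.js.

// Access modes that the script's switch statement handles explicitly.
var KNOWN_ACCESS_MODES = ['Admin', 'ReadOnly', 'NoAccess'];

/**
 * @param {Array} existingEntries - result of retrieveHostAccessControlEntries();
 *        each entry is assumed to expose `principal` (string) and `group` (boolean)
 * @param {Object} request - { localUserName, localUserPassword, accessMode, localUserDescription }
 * @returns {string[]} list of problems; empty when the request can be submitted
 */
function validateLocalUserRequest(existingEntries, request) {
    var problems = [];
    var name = String(request.localUserName || '');
    var password = String(request.localUserPassword || '');
    var description = String(request.localUserDescription || '');

    if (!name || !password) problems.push('username or password not set');

    // An empty accessMode is the script's documented default (accessNone).
    // A non-empty value that is not recognised, such as 'admin', would also
    // end up as accessNone without any error, so it is flagged here.
    if (request.accessMode && KNOWN_ACCESS_MODES.indexOf(request.accessMode) === -1) {
        problems.push('unknown accessMode "' + request.accessMode + '"');
    }

    // Case-insensitive variant of the script's password-in-description check.
    if (password && description.toLowerCase().indexOf(password.toLowerCase()) !== -1) {
        problems.push('description contains the password');
    }

    // Flag a user principal that already holds an access entry on the host.
    (existingEntries || []).forEach(function (entry) {
        if (!entry.group && entry.principal === name) {
            problems.push('user "' + name + '" already has an access control entry');
        }
    });
    return problems;
}

// Constructed sample data, not taken from a real host.
var sampleEntries = [
    { principal: 'root', group: false },
    { principal: 'testuser1', group: false }
];
```

In a vRO action, pass the array returned by retrieveHostAccessControlEntries() as the first argument and throw if the returned list is not empty.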
Demo Video
In this demo, we can see how the workflow is used to create a local account, testuser1, with which we log in to ESXi and check that it has the required permissions.
vRO Package for CRUD operation
I have created a vRO Workflow to create and manage your ESXi local accounts directly from the input form itself. Please find the vRO package that contains the master workflow and associated actions.
- Workflow: CRUD Operation on ESXi Local Users
- Actions:
  - getEsxiLocalUser
  - deleteEsxiLocalUser
  - updateEsxiLocalUser
  - createEsxiLocalUser
  - getAllEsxiLocalUsers
  - getAllEsxiLocalUsersWithRoles
Link to vRO package: in.co.cloudblogger.crudEsxiLocalUser.package
That’s all in this post. Thanks for reading.