Thursday, 28 January 2016

Use of virtual accounts for services on a Windows vCenter Server 6.0 (2124709)


Starting in vCenter Server 6.0 for Windows, virtual accounts replace the Local Service Account used in vCenter Server 5.x to run the vCenter Server services. This article describes how that change affects your environment.


Virtual accounts in vSphere 6.0 for Windows increase the security of vCenter Server by disallowing privilege escalation within the host operating system in the event that a single service becomes compromised. Because each service is placed into its own silo using a virtual account, a user who gains access to a single virtual account is limited to the functionality of that account and to that single service. This ensures that the vSphere 6.0 environment runs on a minimum set of privileges that depends on the specific service.

The following virtual accounts are now used as the service accounts to run their respective services.

| Service | Service Account |
|---|---|
| VMware Component Manager | NT SERVICE\VMwareComponentManager |
| VMware Content Library Service | NT SERVICE\vdcs |
| VMware ESX Agent Manager | NT SERVICE\EsxAgentManager |
| VMware Message Bus Config Service | NT SERVICE\mbcs |
| VMware Performance Charts | NT SERVICE\vmware-perfcharts |
| VMware Postgres | NT SERVICE\vPostgres |
| VMware vAPI Endpoint | NT SERVICE\vapiEndpoint |
| VMware vCenter workflow manager | NT SERVICE\vmware-vpx-workflow |
| VMware vService Manager | NT SERVICE\VServiceManager |
| VMware vSphere Auto Deploy Waiter | NT SERVICE\vmware-autodeploy-waiter |
| VMware vSphere Web Client | NT SERVICE\vspherewebclientsvc |

  • Future releases of vSphere use unique virtual accounts for all services. However, vSphere 6.0 is limited to the preceding list.
  • Do not change these accounts after they are established.
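
To confirm on a vCenter Server 6.0 Windows host that none of these logon accounts has been changed, the following check compares each service against the table above. It is an added example, not part of the original article or of VMware's tooling, and it assumes that each service's short name is the part of its virtual account after `NT SERVICE\`, which is how Windows names virtual accounts.

```powershell
# Expected logon accounts, copied from the table in this article.
$expectedAccounts = @(
    'NT SERVICE\VMwareComponentManager',
    'NT SERVICE\vdcs',
    'NT SERVICE\EsxAgentManager',
    'NT SERVICE\mbcs',
    'NT SERVICE\vmware-perfcharts',
    'NT SERVICE\vPostgres',
    'NT SERVICE\vapiEndpoint',
    'NT SERVICE\vmware-vpx-workflow',
    'NT SERVICE\VServiceManager',
    'NT SERVICE\vmware-autodeploy-waiter',
    'NT SERVICE\vspherewebclientsvc'
)

# Win32_Service.StartName is the account each service is configured to log on as.
$services = Get-CimInstance -ClassName Win32_Service

$report = foreach ($account in $expectedAccounts) {
    # Assumption: the service short name equals the virtual account suffix.
    $serviceName = $account.Split('\')[1]
    $service = $services | Where-Object { $_.Name -eq $serviceName }

    if (-not $service) {
        # Optional components may not be installed on every host.
        $status = 'ServiceNotFound'
    }
    elseif ($service.StartName -eq $account) {
        # -eq on strings is case-insensitive, as account names are.
        $status = 'OK'
    }
    else {
        # The logon account no longer matches the documented virtual account.
        $status = 'AccountChanged'
    }

    [pscustomobject]@{
        Service  = $serviceName
        Expected = $account
        Actual   = if ($service) { $service.StartName } else { $null }
        State    = if ($service) { $service.State } else { $null }
        Status   = $status
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code when any service runs under a different account.
if ($report.Status -contains 'AccountChanged') { exit 1 }
```

A result of `AccountChanged` with an `Actual` value such as `LocalSystem` means the service has lost the per-service isolation described above.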