VMware root passwordThe only method supported by VMware for resetting the root password is to reinstall an ESXi host. However, if the host is still maintained by vCenter and connected, you can reset the ESXi root password using the host profile function. In case ESXi host root password fails to authenticate and cannot be accessed through CLI. You do not want to reinstall your ESXi host. Just ensure to take a backup to avoid data loss and then follow the below methods to reset the root password.

Method 1: Reset the ESXi root password through the Host Profile

  1. Sign in to the vCenter Web client.
  2. Select Host Profiles from the Operations and Policies menu.
  3. Choose Host Profile >> Extract Host profile.
  4. Enter a name and a description for the selected Host Profile in the Extract Host Profile, then click Next and finish to complete.
  5. Now the created new host profile will appear and then right-click the host profile >> Edit settings.
  6. Search for root in Edit Host Profile and reset a new password, then confirm it.
  7. Once the password has been changed. Next, right-click the host profile >> Attach/Detach Hosts. To attach, choose the host for which you changed the password.
  8. Select Maintenance Mode >> Enter Maintenance Mode from the Action Menu. The virtual machine must be shut down at this time.
  9. Select Remediate from the menu, then choose the host to remediate.
  10. Finally check host compliance and exit the maintenance mode once after the host rebooted.

Method 2: Edit the shadow file to reset the VMware root password

Note: The following method is not supported by VMware, however, it works on various ESXi versions. Before resetting the VMware root password, ensure to make a VMware backup. In case you are unable to reset your password via vCenter then you can try this method to reset the password. You can now use a live Linux CD/DVD/USB to reset the VMware root password. Before resetting the password, you must ensure to remove the encrypted root password stored in the /etc/shadow location to create a new password in the DCUI console.

  1. First download a live CD/DVD and choose the Gparted LiveCD.
  2. Burn a USB drive or CD/DVD containing the Live CD/DVD, and boot your host from it.
  3. Find the 2 partitions that are 249.98MB in size. For example, if you placed ESXi on a USB drive or SD card. Then you can start the editing with the /dev/sda5 partition and then go on to the /dev/sda6 partition.

  A. Now open a terminal window and execute and run the commands mentioned below to access the shadow password file.

sudo su 
mkdir /boot /temp
mount /dev/sda5 /boot
cd /boot
cp state.tgz /temp
cd /temp tar -xf state.tgz
tar -xf local.tgz
rm *.tgz
cd etc

B. Then, using vi, edit the shadow password file. Go to the line that begins with the root and delete the string between the first two colons.

C. Run the following set of commands after that.

cd .. 
tar -cf local.tgz etc/
tar -cf state.tgz local.tgz
mv state.tgz /boot
umount /boot
reboot
  1. After removing the Gparted media, restart the ESXi host. Once after finished restarting the process, log in as root from the DCUI console Without entering a password, you should be able to log in. So, you can now set your new password.

Hope this helps you in resetting the VMware ESXi 6.7 root password, If you find any trouble in fixing click here for instant Tech Support.

Frequently Asked Questions

Common questions about resetting and managing the ESXi root password.

1 Does changing the ESXi root password require an immediate reboot of the host?
No. Whether you change the password via the vSphere Client, Host Profiles, or the Command Line Interface (CLI), the update takes effect immediately across all authentication daemons. Active SSH sessions, console sessions, and vCenter connections will remain completely uninterrupted.
2 What happens if I accidentally corrupt the boot partitions while trying to reset the password?
If the boot signatures are broken, the host will hang during the next initialization cycle, showing a PSOD (Purple Screen of Death) or a boot banking failure. However, your virtual machines and their configuration files are completely safe, as they live securely on your decoupled VMFS datastore partitions rather than the operating system’s boot layout.
3 Why does the Linux Live CD method fail entirely on modern ESXi deployments?
Starting with newer hypervisor system architectures, VMware changed how configuration state updates are packed. Local security assets, including shadow mappings, are heavily protected by a trusted software stack. Manually editing compressed system archives (state.tgz) from an external operating system usually breaks the boot bank’s internal checksum validation checks.
4 If I am locked out of root, can I use a non-root admin account to reset it via SSH?
Yes, but only if you previously set up an alternative user account with full shell privileges and administrative roles. If you can log in with that secondary account, you can escalate privileges using the su command or directly execute local account modification tools via the ESXi command line to update the root password.
5 Can I retrieve or decrypt the old forgotten ESXi root password from the configuration backups?
No. VMware strictly hashes administrative passwords using strong, one-way cryptographic algorithms before committing them to the configuration state database. There is no native or secure utility to decrypt or reverse the stored hash back into plaintext from an existing backup file.
6 Can a host’s local root account password lock itself out due to too many failed login attempts?
Yes. By default, modern versions of the hypervisor include built-in account lockout mechanisms for SSH and the vSphere Web Client interface. If a script or user triggers too many consecutive bad password attempts, the root account will temporarily lock for a predetermined period, though access via the physical Direct Console User Interface (DCUI) remains available.
7 Does resetting the root password disconnect the host from an active vCenter Server?
No. When a host is added to a cluster, vCenter establishes communication using its own unique internal user service account called vpxuser, which manages authentication tickets independently. Changing the primary local root credentials will not break the active management agent connections to your centralized inventory.
8 What is the cleanest way to clear a forgotten password on a standalone free license host?
If you do not have access to enterprise tools like Host Profiles and are completely locked out of the command line, the cleanest approach is running an interactive hypervisor reinstallation. The installer will automatically scan the drive and give you an option to overwrite the system partitions while cleanly preserving your local VMFS data pools.
Locked out of your ESXi host? ACTSupport’s 24/7 NOC team handles VMware ESXi recovery, password resets, and infrastructure management for hosting providers and enterprises worldwide.
Talk to Our Team →

To get more updates you can follow us on Facebook, Twitter, LinkedIn

Subscribe to get free blog content to your Inbox
Loading

 

Related Posts