Here are a couple of diagrams that help clarify the path of account logon and the audit trail. You want the auditor to realize that the trail start is dependent on the origin of the account. But once LDAP/AD has validated the logon, access to vCenter is traceable.
Windows domain
This is the best option, nominal domain accounts, password authentication and policy is handled by the domain, and vCenter will indicate logon events.
SYSTEM-DOMAIN
As login in done directly with a generic account, the audit trail is difficult, to avoid issues do not give these accounts permissions in vCenter, treat them as service accounts and do not use them for regular login. NOTE: default setting is password is reset once a year.
Direct access to ESXi host
If your hosts are in domain, then use nominal accounts to logon and lock up the root password and do not use it for logon, configure sudo etc.
If your esxi hosts are not in domain, you might find it easier to not add any nominal accounts, as maintaining the password is a hassle. In a later post I’ll show how you sent up an audit trail when root is used.
