HowTo: Reset vCenter 7 VCSA Password or Unlock Account


We are all human (unfortunately for now) and on occasion, one might inadvertently lock themselves out of the “root” account of the VCSA. Although a seldom-used account under normal operations, access to it is critical, especially during technical emergencies.

The default wait time for the root account after three (3) failed attempts is five (5) minutes; however, resetting the root password will need a reboot for VCSA 7.


The following steps will walk through resetting the root account credentials and unlocking the account. Downtime for VCSA should be expected, so plan your change accordingly.

Disclaimer: Follow these instructions at your own risk, they are provided without warranty. Ferroque Systems nor its affiliates will be held liable for unanticipated impacts in your environment from running its commands. Strongly recommended taking a snapshot, clone, or VM backup of the VCSA prior to executing these commands.

Step 1

Take a snapshot of the VM and proceed with forcing a reboot. Once the photon OS splash screen is showing, quickly press “e” to reveal the Grub boot menu.

Move the cursor to the end of the line starting with “linux” and ending with “$systemd_cmdline”, a quick way to do that is move the cursor to the Linux line and press “Ctrl” + “e”.

Append “rw init=/bin/bash” to enter single user mode, and press “Ctrl” + “x” to boot the appliance.


Step 2

Now that you are dropped into the system, proceed with entering the ‘passwd’ command to reset the root user account.



Step 3

User accounts can be unlocked using the pam_tally2 command with switches –user and –reset.

pam_tally2 -–user=root --reset


Once completed, the user account will be unlocked and the account can be used again.

Step 3a (Optional)

The default login parameters can be changed for the module.


Parameter Explanation
file=/var/log/tallylog Log file.
deny=3 Deny counter until account is locked.
onerr=fail If $file is unable to open, default action is to fail all attempts.
even_deny_root Policy applies to root account also
unlock_time=86400 Users are locked for 24 hours.
root_unlock_time=300 Root is locked for five (5) minutes.

Step 4

The system can now be rebooted to allow VCSA to load. The -f switch can be appended to force a reboot if the first option fails.



0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments
Acute Reader
Acute Reader
1 year ago

pam_tally2 –user=root –reset

Step 3 command should have two dashes before user, not one, like above.

Acute Reader
Acute Reader
1 year ago

The comment auto format keeps screwing up and merging dashes.

Step 3 command should be two dashes for each option

1 year ago

hello, If we just have to unlock the root user if its locked due to multiple failed retries, no need to reboot right? Straight apply the Pam_tally2 tool correct?

1 year ago

Thank you. The pam_tally2 command was the piece I was missing. Worked to reset the account. Thanks so much!

Mashhood Kozhissery Abidali
Mashhood Kozhissery Abidali
1 year ago

If it’s for the Vcenter 7.0, if the root password is expired, you just have to take an SSH session to the centre server with your current root passwords. It will prompt you to reset the password. Enter your current and new passwords and you are done. 

Would love your thoughts, please comment.x