How to Reset the Root Password of a VCSA Appliance (2026)

Losing access to the root account on a VMware vCenter Server Appliance (VCSA) is a critical situation that will prevent you from managing your entire vSphere environment. Whether the password has been forgotten, expired or the account has locked out, this guide covers how to reset the root password on VCSA 7.0 and VCSA 8.0 in 2026.

Common Causes of VCSA Root Login Failure

• Forgotten password — the most common cause
• Expired password — VCSA root passwords expire after 365 days by default
• Account locked out — too many failed login attempts triggers a lockout
• Full root filesystem — if the root partition fills up, login can fail even with the correct password

Method 1 — Reset Root Password via VCSA GRUB Boot Menu

This is the standard method for resetting a forgotten or expired root password. It requires console access to the VCSA virtual machine via the vSphere Host Client or vSphere Web Client.

1. Open the vSphere Host Client and connect directly to the ESXi host running the VCSA
2. Right-click the VCSA VM and select Open Remote Console
3. Reboot the VCSA — right-click → Guest OS → Restart
4. When the GRUB boot menu appears, quickly press e to edit the boot entry — you have approximately 5 seconds
5. Find the line starting with linux — it will contain ro near the end
6. Change ro to rw and add init=/bin/bash at the end of that line
7. Press Ctrl+X or F10 to boot with the modified parameters
8. The VCSA will boot to a bash prompt
9. Run the following command to change the root password:

# Change the root password
passwd root

# Enter and confirm your new password when prompted

# Unmount and reboot
umount /
reboot -f

10. The VCSA will reboot normally — log in with your new root password

Method 2 — Unlock a Locked Root Account

If the root account is locked due to too many failed attempts but you know the password, you can unlock it without changing the password.

1. Follow steps 1-8 above to get to the bash prompt via GRUB
2. Run the following command to unlock the account:

# Unlock the root account
pam_tally2 --user root --reset

# Or on newer VCSA versions
faillock --user root --reset

Method 3 — Fix Expired Root Password via SSH

If you can still SSH to the VCSA but the password has expired and you are being forced to change it on login, simply follow the prompts at the SSH session to set a new password. If the session drops immediately after login due to expiry, use Method 1 instead.

Prevent Future Root Password Expiry

Once you have regained access, prevent this happening again by either setting the password to never expire or by setting a reminder to rotate it before expiry.

# Check current password expiry settings
chage -l root

# Set root password to never expire
chage -M -1 root

# Or set expiry to 9999 days
chage -M 9999 root

You can also manage password expiry policy in the VCSA management interface at → Administration → Password Policy.

Frequently Asked Questions

About The Author

Andrew Armstrong

Andrew Armstrong is a UK-based IT professional with 26+ years of hands-on experience in Windows, Windows Server, SCCM/ConfigMgr, Active Directory, PowerShell, and enterprise infrastructure. He founded TechyGeeksHome in 2010 and has published over 1,500 practical guides covering real-world IT problems and solutions. When not solving IT problems, Andrew develops free Windows utilities including Ultimate Settings Panel, which has been downloaded over 850,000 times.

Post Views: 1

Related