Quick Tip: Remove NSX-T Password Expiration

VMware NSX-T has a preconfigured password expiration policy of 90 days. When the password expiration day is near, a notification is displayed in the Web interface. There are 3 preconfigured local users: admin, audit, and root. All passwords have to be changed after 90 days. This article explains how to remove the password expiration.

The password for local user 'admin' will expire in [x] days.
The password for local user 'root' will expire in [x] days.
The password for local user 'audit' will expire in [x] days.

Please keep in mind that not only the password for NSX-T Manager expires, but also for Edge Transport Nodes (Edge VMs). When the password has expired, some functions (API / Web-Interface Login) is no longer possible, so make sure you either change the password regularly or remove the expiration policy.

The following commands can be used to remove the password expiration policy. If you have multiple manager appliances, the commands only need to be executed on one node.

  1. Connect to the NSX-T Manager with SSH
  2. Login as admin
  3. Run clear user [username] password-expiration

    nsx-mgt1> clear user admin password-expiration
    nsx-mgt1> clear user root password-expiration
    nsx-mgt1> clear user audit password-expiration
  4. Verify password expiration with get user [username] password-expiration
    nsx-mgt1> get user admin password-expiration
    Password expiration not configured for this user

Don't forget your Edge VMs. You can remove the policy with the same commands.


6 thoughts on “Quick Tip: Remove NSX-T Password Expiration”

  1. Do NOT do this in a VCF environment! Please do more research or place more details on your post before giving advice. Your SDDC upgrade prechecks will fail as it thinks you are expired because it is not configured.
    Change it to 9999 for vcf

      1. That is part of the point. You are assuming all NSX deployments are the same and are not familiar with VCF. That link is under NSX-T and NOT under VCF. I did not say VMware knew all their stuff, because I went through VCF deploys for 6months and re-deployed 3 times and fixed it outside of direct VMware help/SR. I would make a note on your blog that says it was only tested outside of VCF/SDDC then. Or you will have people following this and having SDDC pre-checks fail constantly. If you are simply just copy and pasting vmware KB's, I would just stick to that

        1. What version of VCF do you have this issue with? I have not seen this issue with updates in the 3.9 and 3.10 versions of VCF.

        2. What version of VCF are you running? I have password expiration disabled in nsx-t and have done a few updates in the VCF 3.9 and 3.10 range without issue.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.