This document gives the step-by-step solution for our hypervisor root account lockout caused by possible password sync issues.


To apply this guide you must have access to IPMI and know the current root password.


Unlock Root account

Step 1: From IPMI, open the remote console to access the ESXi DCUI

  • While on the console, use the virtual keyboard to open the Direct Console User Interface (DCUI) by pressing CTRL+ALT+F2, or on some occasions F2.
    You can open the console in HTML; Java is not required for this task.

  • Log in to the DCUI to enable the ESXi shell console. The correct root password is required for this step.


Step 2: Go to Troubleshooting Options to enable the ESXi shell console

  • Press enter to access the option panel

  • If the console is already enabled you would find this 

  • If the console is not yet enabled, you'll see the option available to select; simply press Enter to enable it.


Step 3: Access the ESXi shell console

  • From virtual keyboard press CTRL+ALT+F1
  • Log in with correct root credentials

Step 4: Show the number of failed login attempts

  • pam_tally2 --user root

Step 5: Unlock root account

  • pam_tally2 --user root --reset

    Who is blocking the account?
  • This lockout often appears after a password reset where the sync process fails to update all services. As a result, some addresses still have the old password stored and will keep using it until someone updates it.
  • Use the following command to see the addresses involved in the lockout:
    grep Rejected /var/log/hostd.log
  • In the above example you see 172.16.254.3 (Luna) and the address causing our issue: 10.1.1.29
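
To go one step further than the grep above, the following added example (not part of the original guide) counts rejected logins per user and source address so the busiest offender is listed first. The log line format and the sample lines are assumptions constructed for illustration; the function names are hypothetical.

```shell
#!/bin/sh
# Tally rejected logins in a hostd log by user and source address, so the
# client that keeps sending the old password stands out.
# Assumed line format (not shown on the page):
#   <timestamp> info hostd[...] [...] Rejected password for user <user> from <address>

rejected_sources() {
    # $1: path to a hostd log. Prints "<count> <user> <address>", busiest first.
    awk '
        /Rejected password for user/ {
            user = ""; addr = ""
            for (i = 1; i < NF; i++) {
                if ($i == "user") user = $(i + 1)
                if ($i == "from") addr = $(i + 1)
            }
            if (user != "" && addr != "") count[user " " addr]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# Constructed sample lines (documentation addresses), for trying this offline.
make_sample_log() {
    cat > "$1" <<'EOF'
2024-01-10T08:00:01.100Z info hostd[2100001] [Originator@6876 sub=Default] Rejected password for user root from 192.0.2.10
2024-01-10T08:00:31.100Z info hostd[2100001] [Originator@6876 sub=Default] Rejected password for user root from 192.0.2.10
2024-01-10T08:00:45.900Z info hostd[2100002] [Originator@6876 sub=Default] Accepted password for user root from 198.51.100.7
2024-01-10T08:01:01.100Z info hostd[2100001] [Originator@6876 sub=Default] Rejected password for user root from 192.0.2.10
2024-01-10T08:02:10.300Z info hostd[2100003] [Originator@6876 sub=Default] Rejected password for user root from 198.51.100.7
EOF
}

# Run against a real log when a path is given, e.g. /var/log/hostd.log
if [ "$#" -gt 0 ]; then
    rejected_sources "$1"
fi
```

Run it before resetting the counter: if the address at the top of the list still holds the old password, the failed-attempt count will climb again after the reset.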


    To exit press ALT+F2