How To Disable Local System Administrator Accounts in vCloud Director

For some time there has been a hidden security feature in vCloud Director that allows disabling local system administrator accounts. During vCloud Director installation a default local system administrator account is created. Its credentials are stored encrypted in the vCloud Director database, but there is no way to enforce a complex password policy on local accounts other than the Account Lockout Policy.

It is possible to configure external identity sources such as a generic LDAP directory for basic authentication and a SAML2 IdP (such as vCenter SSO). Authentication, and thus also the password policy, is then managed externally. However, when you try to delete or disable all local system administrator accounts you will get the following error:

Cannot delete or deactivate the last system administrator.

This is a built in protection against completely locking yourself out when the external identity sources are not available.

Some customers need to enforce strict security rules on all vCloud Director system administrator logins. There is an undocumented way to disable all local system administrator accounts with a single command. The system administrator can run the following cell-management-tool command to enable the config property local.sysadmin.disabled:

$VCLOUD_HOME/bin/cell-management-tool manage-config -n local.sysadmin.disabled -v true

Immediately after the property is enabled, authentication with local accounts stops working. This means authentication for all local system administrator accounts that exist in vCloud Director (not just the default account created during installation) is rejected. Organization local accounts are not affected. Before enabling the property, confirm that at least one externally authenticated system administrator can actually log in, and keep shell access to a cell: the only way back is the cell-management-tool, so you cannot recover from the UI or API once both the local accounts and the external IdP are unavailable.

In case access to external IdPs is lost, the system admin can again disable the property to regain access to vCloud Director:

$VCLOUD_HOME/bin/cell-management-tool manage-config -n local.sysadmin.disabled -v false
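The following script is an added example, not part of the original post or of VMware's own tooling. It wraps the procedure above in a verify-flip-verify loop: it first checks that an LDAP-backed system administrator can open a session through the vCloud API (POST /api/sessions with basic authentication), only then enables local.sysadmin.disabled, and afterwards confirms that the local administrator is rejected while the external one still works, rolling the property back automatically otherwise. The hostname, API version, account names and password variables are assumptions you must replace; a SAML-only administrator cannot be checked this way because SAML logins do not use basic authentication.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): safely enable
# local.sysadmin.disabled on a vCloud Director cell.
# Assumed values (replace): VCD_HOST, API_VERSION, LOCAL_ADMIN, EXT_ADMIN and
# the password variables LOCAL_ADMIN_PASS / EXT_ADMIN_PASS.
set -eu

VCLOUD_HOME="${VCLOUD_HOME:-/opt/vmware/vcloud-director}"
CMT="$VCLOUD_HOME/bin/cell-management-tool"
VCD_HOST="${VCD_HOST:-vcd.example.com}"            # assumed hostname
API_VERSION="${API_VERSION:-31.0}"                 # assumed API version
LOCAL_ADMIN="${LOCAL_ADMIN:-administrator@System}" # local sysadmin (assumed)
EXT_ADMIN="${EXT_ADMIN:-ldapadmin@System}"         # LDAP-backed sysadmin (assumed)
# Passwords come from the environment so they never appear in `ps` output.
: "${LOCAL_ADMIN_PASS:=}" "${EXT_ADMIN_PASS:=}"

# vcd_login USER PASSWORD -> prints the HTTP status of POST /api/sessions.
# 200 = session created, 401 = rejected, 000 = could not connect.
# Credentials are handed to curl through a config file on stdin (-K -),
# not on the command line, so they are not visible to other users.
vcd_login() {
  local code
  code=$(printf 'user = "%s:%s"\n' "$1" "$2" |
    curl -sk -K - -o /dev/null -w '%{http_code}' -X POST \
      -H "Accept: application/*+xml;version=$API_VERSION" \
      "https://$VCD_HOST/api/sessions") || code="000"
  printf '%s' "$code"
}

# set_local_sysadmin_disabled true|false -- the property from the post.
set_local_sysadmin_disabled() {
  "$CMT" manage-config -n local.sysadmin.disabled -v "$1"
}

# Pure decision helpers so the policy can be tested without a cell:
# precheck_ok EXT_STATUS               -> safe to disable local accounts?
# postcheck_ok LOCAL_STATUS EXT_STATUS -> lockout effective, external still works?
precheck_ok()  { [ "$1" = "200" ]; }
postcheck_ok() { [ "$1" = "401" ] && [ "$2" = "200" ]; }

main() {
  local ext local_st
  ext=$(vcd_login "$EXT_ADMIN" "$EXT_ADMIN_PASS")
  if ! precheck_ok "$ext"; then
    echo "External admin login returned HTTP $ext; refusing to disable local sysadmins." >&2
    return 1
  fi

  set_local_sysadmin_disabled true

  local_st=$(vcd_login "$LOCAL_ADMIN" "$LOCAL_ADMIN_PASS")
  ext=$(vcd_login "$EXT_ADMIN" "$EXT_ADMIN_PASS")
  if postcheck_ok "$local_st" "$ext"; then
    echo "Local sysadmin logins disabled (local=$local_st, external=$ext)."
  else
    echo "Unexpected result (local=$local_st, external=$ext); rolling back." >&2
    set_local_sysadmin_disabled false
    return 1
  fi
}

# Only act when explicitly requested, so sourcing the file has no side effects.
if [ "${RUN_SYSADMIN_LOCKOUT:-0}" = "1" ]; then
  main "$@"
fi
```

Run it on the cell as RUN_SYSADMIN_LOCKOUT=1 with the password variables exported. The pre-check is the important part: once the property is on, a mistyped LDAP configuration leaves you with nothing but the shell rollback shown above.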
