which if you use lock down mode and configure users on your vCenter and iLO devices you can as your policy set a domain level will take precedence, you then protect your root password with physical security methods like a two user password creation policy.
ie user A enters half the password and writes it down and seals it in a envelope marks part one, user two then enters the 2nd half of the password, writes it down and seals in an envelope marked part two, this is then sealed in an third envelope called root password and the seals signed to prevent unauthorized access and placed in the company safe