Advanced Windows PowerShell Scripting Video Training

Tuesday, July 12, 2011

Delegate Administration of Hyper-V

In small environments, one individual may be charged with managing your Hyper-V environment. In larger organizations, the tasks of maintaining Hyper-V may need to be distributed. To stick to the Principle of Least Privilege, you can delegate the management tasks of Hyper-V to multiple users.

To do this, log on to the Windows Server 2008 server that is hosting Hyper-V.

· Click Start, type MMC and press Enter.

· Click File and then click Add/Remove Snap-in…

· In the Available snap-ins: list, click Authorization Manager.

· Click Add and then OK.

· In the MMC console, right click Authorization Manager and select Open Authorization Store…

· Verify that XML file is selected and type %programdata%\Microsoft\Windows\Hyper-V\InitialStore.xml in the Store name: box.

· Click OK.

From here we can define scopes to limit the Hyper-V servers that users can manage. We can also define roles that users can participate in and what those roles can do. Below is a list of the operations that can be delegated:

  • Allow Input to Virtual Machine
  • Allow Output from Virtual Machine
  • Allow Virtual Machine Snapshot
  • Bind External Ethernet Port
  • Change Virtual Machine Authorization Scope
  • Change VLAN Configuration on Port
  • Connect Virtual Switch Port
  • Connect Internal Ethernet Port
  • Create Virtual Machine
  • Create Virtual Switch
  • Create Virtual Switch Port
  • Delete Internal Ethernet Port
  • Delete Virtual Machine
  • Delete Virtual Switch
  • Delete Virtual Switch Port
  • Disconnect Virtual Switch Port
  • Modify Internal Ethernet Port
  • Modify Switch Port Settings
  • Modify Switch Settings
  • Pause and Restart Virtual Machine
  • Read Service Configuration
  • Reconfigure Service
  • Reconfigure Virtual Machine
  • Start Virtual Machine
  • Stop Virtual Machine
  • Unbind External Ethernet Ports
  • View External Ethernet Ports
  • View Internal Ethernet Ports
  • View LAN Endpoints
  • View Switch Ports
  • View Switches
  • View Virtual Machine Configuration
  • View Virtual Switch Management Service
  • View VLAN Settings

Creating a Scope

· Expand Authorization Manager \ InitialStore.xml.

· Right click Hyper-V Services and then click New Scope…

· In the New Scope window, provide a name and a description of up to 1024 characters for this scope.

· Click OK.

I called this scope "View Hyper-V Configurations".

We now need to define Role Definitions and Task Definitions. Both let you determine what a user, or a group of users, is able to do. One difference is that with Role Definitions you can use inheritance, much as you can with NTFS permissions. Another difference is that a Role Definition can be assigned both tasks and operations, while a Task Definition can only be assigned operations.

To create a new Role or Task Definition, expand the scope you just created.

· Expand Definitions.

· Right click either Role Definitions or Task Definitions and select New.

· Expand Authorization Manager \ Hyper-V Services \ Definitions.

· Right click Role Definitions and select New Role Definition.

· Click Add…

· Click the Operations tab.

· Provide a name and a description for this Role.

· Click Add…

You can add Role Definitions you have already created and inherit their rules into this definition.

In our case, no roles other than Administrator have been created. Do not check Administrator; that would allow the users to do everything.

· Click the Tasks tab.

· If you have created any tasks, they will be available to add to this role. Otherwise, just click OK at the warning.

· Click the Operations tab.

· Select the operations that you would like the users to be able to perform and then click OK.

· Click OK once again.

We now need to assign the role to the scope and add users and groups to the role.

· Expand the Role Definition that you created and then right click Role Assignments.

· Click New Role Assignment…

· Check the box of the Role Definitions that you want to include in this role assignment.

· Click OK.

· Right click the assigned definition and click Assign Users and Groups, then From Windows and Active Directory.

· Add the users and groups, then click OK.

Those users and groups are now authorized to perform the delegated tasks on that host.
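The same delegation can be driven from PowerShell through the Authorization Manager COM API, which is useful when it has to be repeated on several hosts and, just as important, for auditing what a scope actually grants afterwards. The script below is an added example written for this page, not the author's code. It uses the AzRoles.AzAuthorizationStore COM object; the scope name and the operation names come from the article, while the role definition name, its description and the CONTOSO\HyperV-Viewers group are placeholders to replace. It also assumes the Hyper-V store contains a single application and that it runs in an elevated session on the host.

```powershell
# Added example (not from the original post): script the delegation the article
# performs in the Authorization Manager MMC, then audit the resulting scope.
# Assumptions: AzMan COM API (AzRoles.AzAuthorizationStore); elevated session on
# the Hyper-V host; the store holds a single application (Hyper-V services).

$storePath = Join-Path $env:ProgramData 'Microsoft\Windows\Hyper-V\InitialStore.xml'
$scopeName = 'View Hyper-V Configurations'   # scope name used in the article
$roleName  = 'Hyper-V Configuration Viewer'  # assumed role definition name
$groupName = 'CONTOSO\HyperV-Viewers'        # placeholder AD group; replace with yours

# Read-only subset of the operations listed in the article.
$wantedOps = @(
    'Read Service Configuration',
    'View Virtual Machine Configuration',
    'View Switches',
    'View Switch Ports',
    'View VLAN Settings',
    'View External Ethernet Ports',
    'View Internal Ethernet Ports',
    'View LAN Endpoints',
    'View Virtual Switch Management Service'
)

# Keep a copy of the XML store so the delegation can be rolled back.
Copy-Item -Path $storePath -Destination "$storePath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$storePath", $null)     # flags 0 = open an existing store
$app = $store.Applications | Select-Object -First 1    # assumed: one application in the store

# Refuse to continue if a requested operation is not defined in this store, rather
# than silently creating an empty or partial role definition.
$defined = @($app.Operations | ForEach-Object { $_.Name })
$missing = @($wantedOps | Where-Object { $defined -notcontains $_ })
if ($missing.Count -gt 0) { throw "Operations not present in store: $($missing -join ', ')" }

# 1. Scope (the article's "Creating a Scope" section).
$scope = $app.CreateScope($scopeName, $null)
$scope.Description = 'Read-only view of Hyper-V configuration'   # assumed description
$scope.Submit(0, $null)

# 2. Role definition: in the AzMan object model this is a task flagged IsRoleDefinition.
$roleDef = $scope.CreateTask($roleName, $null)
$roleDef.IsRoleDefinition = $true
foreach ($op in $wantedOps) { $roleDef.AddOperation($op, $null) }
$roleDef.Submit(0, $null)

# 3. Role assignment: bind the definition to the scope and add the group as a member.
$assignment = $scope.CreateRole($roleName, $null)
$assignment.AddTask($roleName, $null)
$assignment.AddMemberName($groupName, $null)
$assignment.Submit(0, $null)

# 4. Audit: list every assignment in the scope with its members and the operations it
#    resolves to, and flag a definition that directly nests Administrator (the
#    article's warning: that grants every operation).
function Get-ScopeDelegation {
    param($Application, $Scope)
    foreach ($role in $Scope.Roles) {
        foreach ($taskName in @($role.Tasks) | Where-Object { $_ }) {
            # A referenced definition may live in the scope or at application level.
            try   { $task = $Scope.OpenTask($taskName, $null) }
            catch { $task = $Application.OpenTask($taskName, $null) }
            $nested = @($task.Tasks) | Where-Object { $_ }
            [pscustomobject]@{
                Assignment       = $role.Name
                Members          = (@($role.MembersName) -join ', ')
                Definition       = $taskName
                Operations       = (@($task.Operations) -join ', ')
                NestedTasks      = ($nested -join ', ')
                GrantsEverything = [bool]($nested -contains 'Administrator')
            }
        }
    }
}

Get-ScopeDelegation -Application $app -Scope $scope | Format-List
```

The audit function is the part worth keeping: run it after any change to InitialStore.xml and compare the Operations column against what the delegated group is supposed to do. A definition that nests Administrator grants every operation in the list above, which is exactly the mistake the article warns against when it says not to check Administrator.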
