
Delegate Administration of Hyper-V

In small environments, one individual may be charged with managing your Hyper-V environment. In larger organizations, the tasks of maintaining Hyper-V may need to be distributed. To stick to the Principle of Least Privilege, you have the ability to delegate the management tasks of Hyper-V to multiple users.

To do this, log into your Windows Server 2008 server that is hosting Hyper-V.

· Click Start, type MMC and press Enter.

· Click File and then click Add/Remove Snap-in…

· In the Available snap-ins: list, click Authorization Manager.

· Click Add and then OK.

· In the MMC console, right click Authorization Manager and select Open Authorization Store…

· Verify that XML file is selected and type %programdata%\Microsoft\Windows\Hyper-V\InitialStore.xml in the Store name: box.

· Click OK.

 

From here we can define scopes to limit the Hyper-V servers that users can manage. We can also define roles that users can participate in and what those roles can do. Below is a list of the operations that can be delegated:

  • Allow Input to Virtual Machine
  • Allow Output from Virtual Machine
  • Allow Virtual Machine Snapshot
  • Bind External Ethernet Port
  • Change Virtual Machine Authorization Scope
  • Change VLAN Configuration on Port
  • Connect Virtual Switch Port
  • Connect Internal Ethernet Port
  • Create Virtual Machine
  • Create Virtual Switch
  • Create Virtual Switch Port
  • Delete Internal Ethernet Port
  • Delete Virtual Machine
  • Delete Virtual Switch
  • Delete Virtual Switch Port
  • Disconnect Virtual Switch Port
  • Modify Internal Ethernet Port
  • Modify Switch Port Settings
  • Modify Switch Settings
  • Pause and Restart Virtual Machine
  • Read Service Configuration
  • Reconfigure Service
  • Reconfigure Virtual Machine
  • Start Virtual Machine
  • Stop Virtual Machine
  • Unbind External Ethernet Ports
  • View External Ethernet Ports
  • View Internal Ethernet Ports
  • View LAN Endpoints
  • View Switch Ports
  • View Switches
  • View Virtual Machine Configuration
  • View Virtual Switch Management Service
  • View VLAN Settings

Creating a Scope

· Expand Authorization Manager \ InitialStore.xml.

· Right click Hyper-V Services and then click New Scope…

· In the New Scope window, provide a name and a description of up to 1024 characters for this scope.

· Click OK.

I called this scope View Hyper-V Configurations.

We now need to define the Role Definitions and Task Definitions. Both kinds of definition let you determine what a user or a group of users is able to do. One difference is that Role Definitions support inheritance, much like NTFS permissions. Another difference is that you can assign both tasks and operations to a Role Definition, whereas a Task Definition can only contain operations.

To create a new Role or Task Definition, expand the scope you just created.

· Expand Definitions.

· Right click either Role Definitions or Task Definitions and select New.

· Expand Authorization Manager \ Hyper-V Services \ Definitions.

· Right click Role Definitions and select New Role Definition.

· Click Add…

· Click the Operations tab.

· Provide a name and a description for this Role.

· Click Add…

You can add the Role Definitions you have already created and inherit their rights into this definition.

In our case, no roles other than Administrator have been created. Do not check Administrator; that would allow the users to do everything.

· Click the Tasks tab.

· If you have created any tasks, they will be available to add to this role. Otherwise, just click OK and accept the warning.

· Click the Operations tab.

· Select the operations that you would like the users to perform and then click OK.

· Click OK once again.

We now need to assign the role to the scope and add users and groups to the role.

· Expand the Role Definition that you created and then right click Role Assignments.

· Click New Role Assignment…

· Check the box of each Role Definition that you want to assign.

· Click OK.

· Right click the assigned definition, click Assign Users and Groups and then From Windows and Active Directory.

· Add the users and groups and then click OK.

Those users and groups are now authorized to perform the delegated tasks on that host.
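Once delegation is in place, the store is worth auditing periodically so that a "view only" role does not quietly accumulate host-level rights. The following Python script is an added example, not code from the original post: it parses an AzMan-style XML store (a constructed sample, not a real InitialStore.xml), resolves each role's operation links to the operation names from the list above, lists the assigned SIDs, and flags roles that inherit Administrator or carry host-wide operations. The element names (AzApplication, AzOperation, AzRole, OperationLink, RoleLink, Member) are assumed to follow AzMan's XML store layout and should be checked against your own store.

```python
# Added example (not from the original post). Element names below are an
# assumption about AzMan's XML store layout; verify against your own
# InitialStore.xml before trusting the report.
import xml.etree.ElementTree as ET
# Constructed sample: a delegated view role that also got host-level rights.
SAMPLE_STORE = """<AzAdminManager MajorVersion="1" MinorVersion="0">
 <AzApplication Name="Hyper-V services">
  <AzOperation Guid="op-1" Name="Read Service Configuration"/>
  <AzOperation Guid="op-2" Name="Reconfigure Service"/>
  <AzOperation Guid="op-3" Name="View Virtual Machine Configuration"/>
  <AzRole Guid="role-admin" Name="Administrator">
   <OperationLink>op-1</OperationLink><OperationLink>op-2</OperationLink>
   <OperationLink>op-3</OperationLink><Member>S-1-5-32-544</Member>
  </AzRole>
  <AzRole Guid="role-view" Name="View Hyper-V Configurations">
   <OperationLink>op-1</OperationLink><OperationLink>op-3</OperationLink>
   <OperationLink>op-2</OperationLink><RoleLink>role-admin</RoleLink>
   <Member>S-1-5-21-1-2-3-1105</Member>
  </AzRole>
 </AzApplication>
</AzAdminManager>"""

# Operations from the post's list that affect the whole host, not one VM.
HOST_LEVEL_OPS = {"Reconfigure Service", "Change Virtual Machine Authorization Scope"}

def audit_store(xml_text):
    root = ET.fromstring(xml_text)
    ops = {o.get("Guid"): o.get("Name") for o in root.iter("AzOperation")}
    roles = {r.get("Guid"): r for r in root.iter("AzRole")}
    report = {}
    for role in roles.values():
        name = role.get("Name")
        op_names = sorted(ops.get(link.text, link.text)
                          for link in role.findall("OperationLink"))
        linked = [roles[link.text].get("Name")
                  for link in role.findall("RoleLink") if link.text in roles]
        members = [m.text for m in role.findall("Member")]
        findings = []
        if name != "Administrator":
            if "Administrator" in linked:
                findings.append("inherits Administrator (grants everything)")
            for op in op_names:
                if op in HOST_LEVEL_OPS:
                    findings.append(f"grants host-level operation '{op}'")
        if not members:
            findings.append("no users or groups assigned")
        report[name] = {"ops": op_names, "members": members,
                        "findings": findings}
    return report
```

Call `audit_store(open(path).read())` against an exported copy of the store; a role with an empty findings list matches what the procedure above intends.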
