
Delegate Administration of Hyper-V

In small environments, one individual may be charged with managing your Hyper-V environment. In larger organizations, the tasks of maintaining Hyper-V may need to be distributed. To stick to the Principle of Least Privilege, you can delegate the management tasks of Hyper-V to multiple users.

 

To do this, log into your 2008 server that is hosting Hyper-V.

· Click Start, type MMC and press Enter.
· Click File and then click Add/Remove Snap-in…
· In the Available snap-ins: list, click Authorization Manager.
· Click Add and then OK.
· In the MMC console, right click Authorization Manager and select Open Authorization Store…
· Verify that XML file is selected and type %programdata%\Microsoft\Windows\Hyper-V\InitialStore.xml in the Store name: field.
· Click OK.

 

From here we can define scopes to limit the Hyper-V servers that users can manage.  We can also define roles that users can participate in and what those roles can do. Below is a list of the possible delegations and a short description of each:

  • Allow Input to Virtual Machine
  • Allow Output from Virtual Machine
  • Allow Virtual Machine Snapshot
  • Bind External Ethernet Port
  • Change Virtual Machine Authorization Scope
  • Change VLAN Configuration on Port
  • Connect Virtual Switch Port
  • Connect Internal Ethernet Port
  • Create Virtual Machine
  • Create Virtual Switch
  • Create Virtual Switch Port
  • Delete Internal Ethernet Port
  • Delete Virtual Machine
  • Delete Virtual Switch
  • Delete Virtual Switch Port
  • Disconnect Virtual Switch Port
  • Modify Internal Ethernet Port
  • Modify Switch Port Settings
  • Modify Switch Settings
  • Pause and Restart Virtual Machine
  • Read Service Configuration
  • Reconfigure Service
  • Reconfigure Virtual Machine
  • Start Virtual Machine
  • Stop Virtual Machine
  • Unbind External Ethernet Ports
  • View External Ethernet Ports
  • View Internal Ethernet Ports
  • View LAN Endpoints
  • View Switch Ports
  • View Switches
  • View Virtual Machine Configuration
  • View Virtual Switch Management Service
  • View VLAN Settings

 

Creating a Scope

· Expand Authorization Manager \ InitialStore.xml.
· Right click Hyper-V Services and then click New Scope…
· In the New Scope window, provide a name and a description of up to 1024 characters for this scope.
· Click OK.

I called this scope View Hyper-V Configurations.

 

We now need to define the Role Definitions and Task Definitions. Both kinds of definition let you determine what a user or a group of users is able to do. With Role Definitions, you can use inheritance just like in NTFS permissions. Another difference is that you can assign both a task and an operation to a Role Definition; in a Task Definition, you can only assign an operation.

 

 

To create a new Role or Task Definition, expand the scope you just created.

· Expand Definitions.
· Right click either Role Definitions or Task Definitions and select New.
· Expand Authorization Manager \ Hyper-V Services \ Definitions.
· Right click Role Definitions and select New Role Definition.
· Click Add…
· Click the Operations tab.
· Provide a name and a description for this Role.
· Click Add…

 

You can add the Role Definitions you have already created and inherit their rules into this definition.

In our case, no roles other than Administrator have been created. Do not check Administrator, as this would allow the users to do everything.

 

· Click the Tasks tab.
· If you have created any tasks, they will be available to add to this role. Otherwise just click OK, and then OK again at the warning.
· Click the Operations tab.
· Select the operations that you would like the users to perform and then click OK.
· Click OK once again.

 

 

We now need to assign the role to the scope and add users and groups into the role.

· Expand the Role Definition that you created and then right click Role Assignments.
· Click New Role Assignment…
· Check the box next to each Role Definition that you want to assign.
· Click OK.
· Right click the assigned definition, click Assign Users and Groups and then From Windows and Active Directory.
· Add the users and groups and then click OK.

Those users and groups are now authorized to perform the delegated tasks on that host.
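As an added example (not part of the original post), here is a PowerShell audit of the resulting store: it parses an AzMan XML store and, for every role assignment in every scope, lists the member SIDs, the linked role definitions and the operations they resolve to, flagging any assignment that links the Administrator definition. The element and attribute names (AzApplication, AzOperation, AzTask with RoleDefinition="True", AzRole with TaskLink and Member, AzScope) are my understanding of the AzMan XML store layout, and the sample store embedded below is constructed.

```powershell
# Added audit script, not from the original post. Element/attribute names (AzApplication,
# AzOperation, AzTask RoleDefinition="True", AzRole with TaskLink/Member, AzScope) are assumed.
function Get-HyperVDelegation {
    param([Parameter(Mandatory)][xml]$Store)
    $app = $Store.SelectSingleNode('/AzAdminManager/AzApplication')
    $ops = @{}; $tasks = @{}
    foreach ($o in $app.SelectNodes('.//AzOperation')) { $ops[$o.GetAttribute('Guid')] = $o.GetAttribute('Name') }
    foreach ($t in $app.SelectNodes('.//AzTask'))      { $tasks[$t.GetAttribute('Guid')] = $t }
    # Collect the operations a task grants, following nested TaskLinks (the post's "inheritance"), into $acc.
    function Add-Ops([string]$guid, [hashtable]$acc) {
        $t = $tasks[$guid]; if (-not $t) { return }
        foreach ($l in $t.SelectNodes('OperationLink')) { $n = $ops[$l.InnerText]; if ($n) { $acc[$n] = $true } }
        foreach ($l in $t.SelectNodes('TaskLink'))      { Add-Ops $l.InnerText $acc }
    }
    # An AzRole under an AzScope applies to that scope only; directly under AzApplication, to the whole host.
    foreach ($role in $app.SelectNodes('.//AzRole')) {
        $scope = if ($role.ParentNode.LocalName -eq 'AzScope') { $role.ParentNode.GetAttribute('Name') } else { '(entire host)' }
        $granted = @{}
        foreach ($l in $role.SelectNodes('TaskLink'))      { Add-Ops $l.InnerText $granted }
        foreach ($l in $role.SelectNodes('OperationLink')) { $n = $ops[$l.InnerText]; if ($n) { $granted[$n] = $true } }
        $defs = @($role.SelectNodes('TaskLink') | ForEach-Object { $d = $tasks[$_.InnerText]; if ($d) { $d.GetAttribute('Name') } else { $_.InnerText } })
        foreach ($m in $role.SelectNodes('Member')) {
            [pscustomobject]@{
                Scope            = $scope
                Assignment       = $role.GetAttribute('Name')
                Member           = $m.InnerText
                RoleDefinitions  = $defs -join ', '
                Operations       = ($granted.Keys | Sort-Object) -join '; '
                GrantsEverything = [bool]($defs -contains 'Administrator')   # the mistake the post warns about
            }
        }
    }
}
# Constructed sample store (not a real InitialStore.xml): the built-in Administrator,
# a read-only role in a custom scope, and one assignment that wrongly links Administrator.
$sample = [xml]@'
<AzAdminManager MajorVersion="1" MinorVersion="0"><AzApplication Name="Hyper-V services">
 <AzOperation Guid="op-1" Name="Read Service Configuration"/><AzOperation Guid="op-2" Name="View Virtual Machine Configuration"/>
 <AzOperation Guid="op-3" Name="Start Virtual Machine"/>
 <AzTask Guid="rd-admin" Name="Administrator" RoleDefinition="True"><OperationLink>op-1</OperationLink><OperationLink>op-2</OperationLink><OperationLink>op-3</OperationLink></AzTask>
 <AzRole Name="Administrator"><TaskLink>rd-admin</TaskLink><Member>S-1-5-32-544</Member></AzRole>
 <AzScope Name="View Hyper-V Configurations">
  <AzTask Guid="rd-view" Name="Hyper-V Viewer" RoleDefinition="True"><OperationLink>op-1</OperationLink><OperationLink>op-2</OperationLink></AzTask>
  <AzRole Name="Hyper-V Viewer"><TaskLink>rd-view</TaskLink><Member>S-1-5-21-EXAMPLE-1105</Member></AzRole>
  <AzRole Name="Helpdesk"><TaskLink>rd-admin</TaskLink><Member>S-1-5-21-EXAMPLE-1201</Member></AzRole>
 </AzScope>
</AzApplication></AzAdminManager>
'@
Get-HyperVDelegation -Store $sample | Format-Table -AutoSize
```

Against a live host, replace $sample with [xml](Get-Content "$env:ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml"); any row showing GrantsEverything as True other than the built-in Administrator assignment is the over-delegation the post warns about.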
