PowerShell for Failover Clustering: Read-Only Cluster Access

PowerShell for Failover Clustering: Read-Only Cluster Access

Rate This
  • Comments 1

Hi cluster fans,

 

Amongst the list of new features we introduced in Windows Server 2008 R2 Failover Clustering is “read-only cluster access”.

 

Before Windows Server 2008 R2, you were either given full control on the cluster or no control at all.  If you wanted to give anyone access to your cluster, you were giving full control of the cluster to that person.  Effectively, they could turn around and offline groups, evict nodes, or even tear down the entire cluster.

 

In R2, users can now be given read-only access to the cluster.  This may be helpful if your organization is departmentalized with separate owners for clustering, networking, storage and resources, allowing the cluster owners to give other owners read-only access for investigation, but not allow them to actually make any changes to the cluster.

 

Granting read-only access can be done via the Failover Cluster Manager:

 

1.       Open Failover Cluster Manager

2.       Connect to the cluster of interest.  If you open the tool on a cluster node, you should be connected to the cluster automatically.

3.       Right click on the cluster name

4.       Select Properties

5.       Add the user account of interest

6.       Allow that account to have “Read” access and make sure “Full Control” is unselected

 

Configuring Permissions in the UI

 

 

Alternatively, you can grant read-only access to the same user via PowerShell:

 

1.       From Administrative Tools, select Windows PowerShell Modules

2.       When all the modules are loaded, run the following command to view users having access to the local cluster, and notice the ClusterRights column:

Get-ClusterAccess

Or, to a remote cluster:

Get-Cluster <cluster name> | Get-ClusterAccess

3.       To grant the user read-only access, run the following command:

Grant-ClusterAccess domain\user –readonly

Or, on a remote cluster:

Get-Cluster <cluster name> | Grant-ClusterAccess domain\user -readonly

 

 

Now that you’ve granted this user read-only access, this user can connect to the cluster remotely, and perform queries to get information about the cluster. However any attempts to make changes to the cluster are not allowed, including taking resource offline, creating new clustered workloads, changing dependencies between resources, evicting nodes, etc.  Note that the read-only access user can connect to the cluster via PowerShell only.  Attempting to connect with the Failover Cluster Manager will result in an error:

 

Access denied with UI

 

Below are some related CMDlets:

 

# Set a variable

$ClusterName = "RemoteClusterName"

# Show the cluster

Get-Cluster $ClusterName

# Show the cluster properties

Get-Cluster $ClusterName | fl *

# Get the cluster nodes

Get-ClusterNode -Cluster $ClusterName

# Get the cluster resource groups

Get-ClusterGroup -Cluster $ClusterName

# Get the cluster resources

Get-ClusterResource -Cluster $ClusterName

# Get the cluster shared volumes

Get-ClusterSharedVolume -Cluster $ClusterName

# Get the cluster resource types

Get-ClusterResourceType -Cluster $ClusterName

# Get the cluster networks

Get-ClusterNetwork -Cluster $ClusterName

# Get the cluster network interfaces

Get-ClusterNetworkInterface -Cluster $ClusterName

# Get the resource properties

Get-ClusterResource -Cluster $ClusterName -Name "Cluster Name" | fl *

Get-ClusterResource -Cluster $ClusterName -Name "Cluster Name" | Get-ClusterParameter

# Get the resource dependencies

Get-ClusterResource -Cluster $ClusterName | Get-ClusterResourceDependency

# Get the dependency reports

Get-ClusterGroup -Cluster $ClusterName | Get-ClusterResourceDependencyReport | Copy-Item -Destination .

dir *.mht

# Can't set the resource properties

Get-ClusterResource -Cluster $ClusterName -Name "Cluster Name" | Set-ClusterParameter HostRecordTTL 600

# Can't add a group

Get-Cluster $ClusterName | Add-ClusterGroup tempgroup

# Can't offline cluster resources

Get-ClusterResource -Cluster $ClusterName | Stop-ClusterResource

# Can't move cluster groups

Get-ClusterGroup -Cluster $ClusterName | Move-ClusterGroup

# Can't add highly available workloads

Add-ClusterServerRole -Cluster $ClusterName

# Can't set the resource dependencies

Get-ClusterResource -Cluster $ClusterName -Name "Cluster Name" | Set-ClusterResourceDependency -Dependency ""

 

The following example adds a user to the cluster, gives them full access, then gives them read-only access, and finally blocks access:

 

Sample PowerShell output

 

Regards,

 

Ahmed Bisht

Senior Program Manager

Clustering and High Availability

Microsoft

Leave a Comment
  • Please add 4 and 2 and type the answer here:
  • Post
  • Hi,

    I have been trying to use the PS cmdlets and everything is working fine when I run them on a domain R2 machine, however, if I try to create a remote PS session from another computer, I always get the "You do not have administrative privileges on the cluster. Contact your network administrator to request access.

       Access is denied" error.

    My session script looks something like:

    $securePassword = ConvertTo-SecureString -AsPlainText -Force -String $password

    $Credential = New-Object System.Management.Automation.PSCredential $Username, $SecurePassword

    $s = new-PSSession -ComputerName $hostname -credential $credential

    enter-PSSession -Session $s

    import-module FailoverClusters

    I'd really appreciate some insight. Thanks.

Page 1 of 1 (1 items)