Allowing non-Administrators to control Hyper-V

Allowing non-Administrators to control Hyper-V

  • Comments 19

By default Hyper-V is configured such that only members of the administrators group can create and control virtual machines.  Today I am going to show you how to allow a non-administrative user to create and control virtual machines.

Hyper-V uses the new authorization management framework in Windows to allow you to configure what users can and cannot do with virtual machines.  This is very powerful and allows for some useful and interesting configuration options - but I will explore those on another day.  To set the stage I need to explain some terms from the authorization management framework world:

  • Operation

    This is the basic building block of authorization manager - and represents some action that the user can perform.  Some operations that exist in our authorization store include op_Create_VM (the act of creating a new virtual machine) or op_Start_VM (the act of starting a virtual machine).

  • Task

    A task is a grouping of operations.  We do not create any tasks by default - but you could create a task that was labeled 'control_VM' and then add the operations for starting, stopping, pausing and restarting a virtual machine to that task.

  • Role

    A role defines a job / position / responsibility that is held by a user.  For instance, you might have a role called 'Virtual_Network_Admin'.  This role would have all the tasks and operations that relate to virtual networks.  Users are then assigned to roles as needed.

  • Scope

    A scope allows you to define which objects are owned by which roles.  If you had a system where you wanted to grant administrative access to a subset of the virtual machines to a specific user - you would create a scope for those virtual machines and apply your configuration change to only that scope.

  • Default Scope

    The default scope is where virtual machines are stored by default.  It is the equivalent of having no scope defined.

Hyper-V can be configured to store it's authorization configuration in Active Directory or in a local XML file.  After initial installation it will always be configured to use a local XML file located at \programdata\Microsoft\Windows\Hyper-V\InitialStore.xml on the system partition.  To edit this file you will need to:

  1. Open the Run dialog (launch it from the Start menu or press Windows Key + R).
  2. Start mmc.exe
  3. Open the File menu and select Add/Remove Snap-in...
  4. From the Available snap-ins list select Authorization Manager.
  5. Click Add > and then click OK.
  6. Click on the new Authorization Manager node in the left panel.
  7. Open the Action menu and select Open Authorization Store...
  8. Choose XML file for the Select the authorization store type: option and then use the Browse... to open \programdata\Microsoft\Windows\Hyper-V\InitialStore.xml on the system partition (programdata is a hidden directory so you will need to type it in first).
  9. Click OK.
  10. Expand InitialStore.xml then Microsoft Hyper-V services then Role Assignments and finally select Administrator.
  11. Open the Action menu and select Assign Users and Groups then From Windows and Active Directory...
  12. Enter the name of the user that you want to be able to control Hyper-V and click OK.
  13. Close the MMC window (you can save or discard your changes to Console 1 - this does not affect the authorization manager changes that you just made).

And now you are done.  The user that you added will be able to completely control Hyper-V even if they are not an administrator on the physical computer.

Cheers,
Ben

Leave a Comment
  • Please add 8 and 2 and type the answer here:
  • Post
  • Ben,

    Thanks for this great post! It was great to find that in AzMan you can also edit / define roles; e.g. I edited the "user" role so that users could pause VMs very easily. And I like that changes in AzMan seem to be reflected immediately in Hyper-V admin, so it must be checking permissions before every operation.

    I don't suppose you could show us how to restrict control of specific VMs to specific users/groups?

    cheers,

    Aitor

  • follow up on restricting users to particular VMs: I can see how to create new scopes, and give users rights in the scope, but not how to associate VMs with particular scopes. Is this what the Authorization Rules are for? If so, as they are scripts, looks like it could be very flexible (e.g. it might be possible to write a rule that allowed users in a particular role access to all VMs with names containing "Sales"). But to be honest, I think most users would find it easier if, having defined the scope in AzMan, scope membership of a VM could be set as part of the VM settings in the Hyper-V manager.

  • Ben, I hope that you are writing all of this in a way that leads to future publication. How about sections on using legacy software in Hyper-V with sections on optimizing DOS networks, evaluating physical video adapters for use with VMs, etc. I was at my doctors office last week and he had a portable PC with a VM and some old database he continues to use that his var can not port.

  • If users use full version of win 2008 to manage VMs located on server 2008 core, what rights (permissions) they need to have on core system?

    Just adding their domain account in InitalStore does'n work. They still cannot manage VMs due to authorization issues...

    If we are using WMI, what permission must be granted in order to execute script?

  • Thank you so much, Ben. Your article above saves my day!

    Cheers,

    -Fu-

  • Ben,

    I am trying to grant users to control virtual machines running on Hyper-V Server 2008 R2.  I've tried to run this from another machine and open up the InitialStore.xml file on the Hyper-V host machine, and it doesn't have the various tasks, etc.

    Is this not compatible with the stripped down Hyper-V?

    Thanks,

    Tim

  • Hi Ben,

    I'm setting up an environment on Server 2008 R2 to host a training envrionment. The server is in a domain, but the users (for training) are local. I've followed the process in your blog to assign my local STUDENT account to the Administrator role, and I made sure this account also has full control on the folder that contains the virtual machine files.

    I still get the "You do not have the required permission to complete this task..." error when I open Hyper-V manager on the local computer logged on as the local STUDENT account.

    What other permissions does this user require?

    Dave

  • Thank you very much this is really helpful.

  • Hi Ben, this works very well, thanks for the good post!

  • I can't find Hyper v in windows file

  • For those like me who struggled to make it work though I followed exactly these instructions: if you have installed SCVMM, the file to edit is different. Ben has more details here:

    blogs.msdn.com/.../hyper-v-management-delegated-administration-scvmm.aspx

    Rabb

  • Hi, I've tried to do this for hyperv on win8.1 but it doesn't seem to work.

    Can you please verify if there is a method of doing this for hyperv on 8.1?

    Thanks!

  • Hi Ben, the procedure don't work on windows 8.1. Every time I open hyper-v manager, the following message shows.

    You do not have the required permission to complete this task. contact the administrator of the authorization policy for the computer 'localhost

  • I confirming not functional status on Win8.1 :-(

  • on win 8.1 just add user to "HyperV administrators" group (this pc -> manage -> local users -> groups), no need to open XML file  :)

Page 1 of 2 (19 items) 12