Hyper-V Program Manager
By default Hyper-V is configured such that only members of the administrators group can create and control virtual machines. Today I am going to show you how to allow a non-administrative user to create and control virtual machines.
Hyper-V uses the new authorization management framework in Windows to allow you to configure what users can and cannot do with virtual machines. This is very powerful and allows for some useful and interesting configuration options - but I will explore those on another day. To set the stage I need to explain some terms from the authorization management framework world:
Hyper-V can be configured to store its authorization configuration in Active Directory or in a local XML file. After initial installation it will always be configured to use a local XML file located at \programdata\Microsoft\Windows\Hyper-V\InitialStore.xml on the system partition. To edit this file you will need to:
And now you are done. The user that you added will be able to completely control Hyper-V even if they are not an administrator on the physical computer.
Cheers, Ben
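An added example, not part of Ben's post: because a role assignment in this store grants control of Hyper-V without local administrator rights, it is worth auditing who holds each role. The sketch below reads the store through the AzMan COM interface (`AzRoles.AzAuthorizationStore`) and lists every role member; the function names, the `CONTOSO\vmoperator` account and the application-name placeholder are assumptions made for illustration, and it has to run elevated on the Hyper-V host.

```powershell
# Added example (not from the original post). Run elevated on the Hyper-V host.
# Path as given in the post, on the system partition.
$StorePath = "$env:SystemDrive\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml"

function Open-HvAuthStore {
    # Hypothetical helper: opens the existing XML store through AzMan.
    param([string]$Path = $StorePath)
    $store = New-Object -ComObject AzRoles.AzAuthorizationStore
    $store.Initialize(0, "msxml://$Path")   # 0 = open an existing store
    return $store
}

function Get-HvRoleMember {
    # Emits one object per (application, scope, role, member) so the output
    # can be exported and diffed against a known-good baseline.
    param($Store)
    foreach ($app in $Store.Applications) {
        # Roles can be assigned at application level or inside a scope.
        $containers = @(@{ Scope = '(application)'; Roles = $app.Roles })
        foreach ($scope in $app.Scopes) {
            $containers += @{ Scope = $scope.Name; Roles = $scope.Roles }
        }
        foreach ($c in $containers) {
            foreach ($role in $c.Roles) {
                # Prefer account names; fall back to raw SIDs if a member
                # can no longer be resolved (deleted or unreachable account).
                $members = try { @($role.MembersName) } catch { @($role.Members) }
                foreach ($m in $members) {
                    New-Object PSObject -Property @{
                        Application = $app.Name; Scope = $c.Scope
                        Role = $role.Name; Member = $m
                    }
                }
            }
        }
    }
}

function Add-HvRoleMember {
    # Hypothetical helper: adds one account to one role and saves the store.
    param($Store, [string]$Application, [string]$Role, [string]$Account)
    $r = $Store.OpenApplication($Application).OpenRole($Role)
    $r.AddMemberName($Account)
    $r.Submit()
}

$store = Open-HvAuthStore
Get-HvRoleMember -Store $store | Sort-Object Application, Scope, Role, Member |
    Format-Table Application, Scope, Role, Member -AutoSize
# Constructed values; take the application name from the audit output above.
# Add-HvRoleMember -Store $store -Application '<application name>' -Role 'Administrator' -Account 'CONTOSO\vmoperator'
```

Unresolved SIDs or unexpected accounts in the output are the entries to investigate, since each one can control virtual machines without appearing in the local administrators group.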
Ben,
Thanks for this great post! It was great to find that in AzMan you can also edit / define roles; e.g. I edited the "user" role so that users could pause VMs very easily. And I like that changes in AzMan seem to be reflected immediately in Hyper-V admin, so it must be checking permissions before every operation.
I don't suppose you could show us how to restrict control of specific VMs to specific users/groups?
cheers,
Aitor
Follow up on restricting users to particular VMs: I can see how to create new scopes, and give users rights in the scope, but not how to associate VMs with particular scopes. Is this what the Authorization Rules are for? If so, as they are scripts, looks like it could be very flexible (e.g. it might be possible to write a rule that allowed users in a particular role access to all VMs with names containing "Sales"). But to be honest, I think most users would find it easier if, having defined the scope in AzMan, scope membership of a VM could be set as part of the VM settings in the Hyper-V manager.
Ben, I hope that you are writing all of this in a way that leads to future publication. How about sections on using legacy software in Hyper-V with sections on optimizing DOS networks, evaluating physical video adapters for use with VMs, etc. I was at my doctor's office last week and he had a portable PC with a VM and some old database he continues to use that his VAR cannot port.
If users use the full version of Win 2008 to manage VMs located on Server 2008 Core, what rights (permissions) do they need to have on the Core system?
Just adding their domain account in InitialStore doesn't work. They still cannot manage VMs due to authorization issues...
If we are using WMI, what permission must be granted in order to execute a script?
Thank you so much, Ben. Your article above saves my day!
Cheers,
-Fu-
I am trying to grant users to control virtual machines running on Hyper-V Server 2008 R2. I've tried to run this from another machine and open up the InitialStore.xml file on the Hyper-V host machine, and it doesn't have the various tasks, etc.
Is this not compatible with the stripped down Hyper-V?
Thanks,
Tim
Hi Ben,
I'm setting up an environment on Server 2008 R2 to host a training environment. The server is in a domain, but the users (for training) are local. I've followed the process in your blog to assign my local STUDENT account to the Administrator role, and I made sure this account also has full control on the folder that contains the virtual machine files.
I still get the "You do not have the required permission to complete this task..." error when I open Hyper-V manager on the local computer logged on as the local STUDENT account.
What other permissions does this user require?
Dave
Thank you very much this is really helpful.
Hi Ben, this works very well, thanks for the good post!
I can't find Hyper v in windows file