Setting up non-administrative control of Hyper-V through PowerShell

A long time ago I talked about how to configure Hyper-V to allow a non-administrative user to control all of Hyper-V. As a security-conscious user I never use an administrative account – unless it is absolutely critical. But lately I have been getting annoyed by the need to follow the manual process documented above to configure this.

This weekend I finally sat down and put together a PowerShell script to do this for me:

# Get the current user's account information (identity and SID)
$myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myWindowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($myWindowsID)
 
# Get the security principal for the Administrator role
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
 
# Check to see if we are currently running "as Administrator"
if ($myWindowsPrincipal.IsInRole($adminRole))
   {
   # We are running "as Administrator" - so change the title and background color to indicate this
   $Host.UI.RawUI.WindowTitle = $myInvocation.MyCommand.Definition + " (Elevated)"
   $Host.UI.RawUI.BackgroundColor = "DarkBlue"
   Clear-Host
   }
else
   {
   # We are not running "as Administrator" - so relaunch as administrator
   
   # Create a new process object that starts PowerShell
   $newProcess = New-Object System.Diagnostics.ProcessStartInfo "PowerShell"
   
   # Pass the current script path with -File, quoted so that paths containing spaces still work
   $newProcess.Arguments = "-File `"" + $myInvocation.MyCommand.Definition + "`""
   
   # Indicate that the process should be elevated (triggers the UAC prompt)
   $newProcess.Verb = "runas"
   
   # Start the new process
   [System.Diagnostics.Process]::Start($newProcess) | Out-Null
   
   # Exit from the current, unelevated, process
   exit
   }
 
# Get the current AzMan store location from the registry
$AzManStoreLocation = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization").StoreLocation
 
# Open the AzMan store (flag 2 = manage the store only, no batch update)
$AzManStore = New-Object -ComObject "AzRoles.AzAuthorizationStore"
$AzManStore.Initialize(2, $AzManStoreLocation)
 
# Handle the default Hyper-V AzMan application and the SCVMM AzMan application
if (@($AzManStore.Applications | ? {$_.Name -eq "Hyper-V services"}).Count -eq 1)
   {
   $HyperVAzManStore = $AzManStore.OpenApplication("Hyper-V services")
   }
elseif (@($AzManStore.Applications | ? {$_.Name -eq "Virtual Machine Manager"}).Count -eq 1)
   {
   $HyperVAzManStore = $AzManStore.OpenApplication("Virtual Machine Manager")
   }
else
   {
   Write-Host "Unable to find AzMan application group."
   Write-Host -NoNewLine "Press any key to continue..."
   $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
   exit
   }
 
# Get the Administrator role assignment from the Hyper-V application in the AzMan store
$HyperVAdministratorsRole = $HyperVAzManStore.OpenRoleAssignment("Administrator")
 
# Check to see if the current user's SID is already a member of the Hyper-V Administrator role
if (@($HyperVAdministratorsRole.Members | ? {$_ -eq $myWindowsID.User.Value}).Count -eq 0)
   {
   # If no - add the user (by SID) and submit the changes to the store
   $HyperVAdministratorsRole.AddMember($myWindowsID.User.Value)
   $HyperVAdministratorsRole.Submit()
   }
else
   {
   # If yes - inform the user that they are already a Hyper-V administrator
   Write-Host $myWindowsID.Name "is already part of the Hyper-V administrators role assignment"
   Write-Host -NoNewLine "Press any key to continue..."
   $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
   }

Some key things to note about this script:

  • It must run as administrator – and will elevate itself (via a UAC prompt) if you run it without administrative privilege.
  • It will automatically add the current user as a Hyper-V administrator. If you want to add different users you will need to change the script.
  • This script talks to AzMan COM objects – which means that it cannot be run remotely, and must be run directly on the Hyper-V server.
  • This script will handle the default Hyper-V and SCVMM authorization configurations – but if you run the script on a standalone Hyper-V server that you later bring under SCVMM management, you will need to run the script again.
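The second note above says that adding anyone other than the current user means editing the script. The following is an added example, not Ben's script and not part of the original post, that splits the same AzMan work into reusable functions: one lists who currently holds a role assignment (with SIDs resolved to account names, which is the first thing to check before handing out Hyper-V control), and one adds a named user or group to it, with -WhatIf support so the change can be previewed. It reuses the registry key, application names, and the "Administrator" role assignment name from the post; the function names, the -Account and -RoleAssignment parameters, and the CONTOSO\hyperv-operators group in the usage lines are this example's own assumptions. Like the original, it must run elevated, directly on the Hyper-V host.

```powershell
# Added example (not from the original post): audit and extend the Hyper-V AzMan
# role assignment for any user or group, not only the account running the script.
# Assumes the post's store location key, application names and role name.

function Open-HyperVAzManApplication {
    # Returns the IAzApplication for the Hyper-V (or SCVMM) authorization store.
    $storeLocation = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization").StoreLocation
    $store = New-Object -ComObject "AzRoles.AzAuthorizationStore"
    $store.Initialize(2, $storeLocation)   # 2 = manage the store only, as in the post's script
    foreach ($name in @("Hyper-V services", "Virtual Machine Manager")) {
        if (@($store.Applications | Where-Object { $_.Name -eq $name }).Count -eq 1) {
            return $store.OpenApplication($name)
        }
    }
    throw "Unable to find the Hyper-V or SCVMM AzMan application."
}

function Get-HyperVAzManRoleMember {
    # Lists every member of a role assignment, resolving each SID to an account name
    # where possible, so you can see who already holds the role before changing it.
    param([string]$RoleAssignment = "Administrator")
    $app  = Open-HyperVAzManApplication
    $role = $app.OpenRoleAssignment($RoleAssignment)
    foreach ($sid in @($role.Members)) {
        $account = "<unresolved>"   # e.g. a deleted account whose SID is still in the store
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        [pscustomobject]@{ RoleAssignment = $RoleAssignment; Sid = $sid; Account = $account }
    }
}

function Add-HyperVAzManRoleMember {
    # Adds a user or group (DOMAIN\name or MACHINE\name) to the role assignment by SID,
    # skipping it if already present. -WhatIf shows what would change without submitting.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Account,
        [string]$RoleAssignment = "Administrator"
    )
    # Resolve the account name to its SID; AzMan stores members as SID strings.
    $sid  = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $app  = Open-HyperVAzManApplication
    $role = $app.OpenRoleAssignment($RoleAssignment)
    if (@($role.Members | Where-Object { $_ -eq $sid }).Count -gt 0) {
        Write-Host "$Account ($sid) is already a member of the '$RoleAssignment' role assignment."
        return
    }
    if ($PSCmdlet.ShouldProcess("'$RoleAssignment' role assignment", "Add $Account ($sid)")) {
        $role.AddMember($sid)
        $role.Submit()
        Write-Host "Added $Account ($sid) to the '$RoleAssignment' role assignment."
    }
}

# Example usage (elevated PowerShell on the Hyper-V host; group name is a constructed placeholder):
#   Get-HyperVAzManRoleMember | Format-Table -AutoSize
#   Add-HyperVAzManRoleMember -Account "CONTOSO\hyperv-operators" -WhatIf
#   Add-HyperVAzManRoleMember -Account "CONTOSO\hyperv-operators"
```

Granting the role to a dedicated group rather than individual accounts keeps the AzMan store small and reviewable, and the listing function gives you a quick way to spot stale SIDs left behind by deleted accounts.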

Cheers,
Ben

Attachment: AzMan.zip
  • Hi, would you be so kind to advise me. I have installed W2008R2 std server Core, with the Hyper-V role (I need to create a VM with terminal server), I ran the script to enable HV mgmt-hvremote. But I cannot connect through the HV manag. console to the server. RDP works fine. Client is W7 pro. What should I do? How can I create a VM on that R2 server?

    Thank you.
