Virtual PC Guy's Blog

-- Ben Armstrong, Virtualization Program Manager

Talking about core virtualization at Microsoft (Hyper-V, Virtual PC and Virtual Server).


Allowing non-Administrators to control Hyper-V

By default Hyper-V is configured such that only members of the administrators group can create and control virtual machines.  Today I am going to show you how to allow a non-administrative user to create and control virtual machines.

Hyper-V uses the new authorization management framework in Windows to allow you to configure what users can and cannot do with virtual machines.  This is very powerful and allows for some useful and interesting configuration options - but I will explore those on another day.  To set the stage I need to explain some terms from the authorization management framework world:

  • Operation

    This is the basic building block of authorization manager - and represents some action that the user can perform.  Some operations that exist in our authorization store include op_Create_VM (the act of creating a new virtual machine) or op_Start_VM (the act of starting a virtual machine).

  • Task

    A task is a grouping of operations.  We do not create any tasks by default - but you could create a task that was labeled 'control_VM' and then add the operations for starting, stopping, pausing and restarting a virtual machine to that task.

  • Role

    A role defines a job / position / responsibility that is held by a user.  For instance, you might have a role called 'Virtual_Network_Admin'.  This role would have all the tasks and operations that relate to virtual networks.  Users are then assigned to roles as needed.

  • Scope

    A scope allows you to define which objects are owned by which roles.  If you had a system where you wanted to grant administrative access to a subset of the virtual machines to a specific user - you would create a scope for those virtual machines and apply your configuration change to only that scope.

  • Default Scope

    The default scope is where virtual machines are stored by default.  It is the equivalent of having no scope defined.

Hyper-V can be configured to store its authorization configuration in Active Directory or in a local XML file.  After initial installation it will always be configured to use a local XML file located at \programdata\Microsoft\Windows\Hyper-V\InitialStore.xml on the system partition.  To edit this file you will need to:

  1. Open the Run dialog (launch it from the Start menu or press Windows Key + R).
  2. Start mmc.exe
  3. Open the File menu and select Add/Remove Snap-in...
  4. From the Available snap-ins list select Authorization Manager.
  5. Click Add > and then click OK.
  6. Click on the new Authorization Manager node in the left panel.
  7. Open the Action menu and select Open Authorization Store...
  8. Choose XML file for the Select the authorization store type: option and then use the Browse... button to open \programdata\Microsoft\Windows\Hyper-V\InitialStore.xml on the system partition (programdata is a hidden directory, so you will need to type the path in first).
  9. Click OK.
  10. Expand InitialStore.xml then Microsoft Hyper-V services then Role Assignments and finally select Administrator.
  11. Open the Action menu and select Assign Users and Groups then From Windows and Active Directory...
  12. Enter the name of the user that you want to be able to control Hyper-V and click OK.
  13. Close the MMC window (you can save or discard your changes to Console 1 - this does not affect the authorization manager changes that you just made).

And now you are done.  The user that you added will be able to completely control Hyper-V even if they are not an administrator on the physical computer.
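The terms above (operations grouped into tasks, tasks and operations linked to roles, users assigned to roles) are what the InitialStore.xml you just edited actually encodes. As an added example that is not part of the original post, the script below parses a store laid out the way AzMan XML stores are (element names AzAdminManager, AzApplication, AzOperation, AzTask, AzRole, OperationLink, TaskLink and Member are assumed here) and reports which SIDs end up with which Hyper-V operations, which is the check to run after granting a non-administrator a role. The store content is constructed for the example.

```python
# Added example: audit an AzMan-style XML authorization store and report the
# operations each role member (SID) can perform. Element names follow the
# AzMan XML layout as assumed here; the store below is constructed, not
# copied from a real Hyper-V host (GUIDs shortened to single digits).
import xml.etree.ElementTree as ET

SAMPLE_STORE = """<AzAdminManager MajorVersion="1" MinorVersion="0">
  <AzApplication Name="Hyper-V services">
    <AzOperation Name="op_Create_VM" Guid="1"><OperationID>100</OperationID></AzOperation>
    <AzOperation Name="op_Start_VM" Guid="2"><OperationID>200</OperationID></AzOperation>
    <AzOperation Name="op_Stop_VM" Guid="3"><OperationID>201</OperationID></AzOperation>
    <AzTask Name="control_VM" Guid="4">
      <OperationLink>2</OperationLink>
      <OperationLink>3</OperationLink>
    </AzTask>
    <AzRole Name="Administrator" Guid="5">
      <OperationLink>1</OperationLink>
      <TaskLink>4</TaskLink>
      <Member>S-1-5-32-544</Member>
      <Member>S-1-5-21-1-2-3-1001</Member>
    </AzRole>
    <AzRole Name="Operator" Guid="6">
      <TaskLink>4</TaskLink>
      <Member>S-1-5-21-1-2-3-1002</Member>
    </AzRole>
  </AzApplication>
</AzAdminManager>"""

def effective_rights(store_xml):
    """Return {sid: sorted operation names} for every role member, expanding
    TaskLinks (possibly nested) into the operations they contain."""
    app = ET.fromstring(store_xml).find("AzApplication")
    ops = {o.get("Guid"): o.get("Name") for o in app.findall("AzOperation")}
    tasks = {t.get("Guid"): t for t in app.findall("AzTask")}

    def expand(node, seen=frozenset()):
        names = {ops[link.text] for link in node.findall("OperationLink")}
        for tl in node.findall("TaskLink"):
            if tl.text not in seen:  # guard against task cycles in a bad store
                names |= expand(tasks[tl.text], seen | {tl.text})
        return names

    rights = {}
    for role in app.findall("AzRole"):
        names = expand(role)
        for member in role.findall("Member"):
            rights.setdefault(member.text, set()).update(names)
    return {sid: sorted(names) for sid, names in rights.items()}

def who_can(store_xml, op_name):
    """Sorted SIDs granted the named operation, e.g. op_Create_VM."""
    return sorted(s for s, n in effective_rights(store_xml).items() if op_name in n)
```

Run `who_can` against a copy of the live store to confirm that only the principals you intended hold op_Create_VM after the change.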

Cheers,
Ben

Published Thursday, January 17, 2008 7:28 PM by Virtual PC Guy

Comments

# re: Allowing non-Administrators to control Hyper-V

Ben,

Thanks for this great post! It was great to find that in AzMan you can also edit / define roles; e.g. I edited the "user" role so that users could pause VMs very easily. And I like that changes in AzMan seem to be reflected immediately in Hyper-V admin, so it must be checking permissions before every operation.

I don't suppose you could show us how to restrict control of specific VMs to specific users/groups?

cheers,

Aitor

Friday, January 18, 2008 7:36 AM by Aitor Ibarra

# re: Allowing non-Administrators to control Hyper-V

Follow-up on restricting users to particular VMs: I can see how to create new scopes and give users rights in the scope, but not how to associate VMs with particular scopes. Is this what the Authorization Rules are for? If so, as they are scripts, it looks like it could be very flexible (e.g. it might be possible to write a rule that allowed users in a particular role access to all VMs with names containing "Sales"). But to be honest, I think most users would find it easier if, having defined the scope in AzMan, scope membership of a VM could be set as part of the VM settings in the Hyper-V manager.

Friday, January 18, 2008 12:44 PM by Aitor Ibarra

# re: Allowing non-Administrators to control Hyper-V

Ben, I hope that you are writing all of this in a way that leads to future publication. How about sections on using legacy software in Hyper-V, with sections on optimizing DOS networks, evaluating physical video adapters for use with VMs, etc. I was at my doctor's office last week and he had a portable PC with a VM and some old database he continues to use that his VAR cannot port.

Friday, January 18, 2008 2:49 PM by Wesley

# re: Allowing non-Administrators to control Hyper-V

If users use the full version of Win 2008 to manage VMs located on Server 2008 Core, what rights (permissions) do they need to have on the core system?

Just adding their domain account in InitialStore doesn't work. They still cannot manage VMs due to authorization issues...

If we are using WMI, what permission must be granted in order to execute the script?

Thursday, February 14, 2008 8:40 AM by Marko Jagodic