Why can all Domain Users seemingly launch the VMM 2012 R2 console and modify my VMs?
Posted on 2014-12-14
Folks, I've run into something that is very concerning to me in my new VMM 2012 R2 environment. I've found that seemingly any domain user in my domain can launch the VMM 2012 R2 console (if installed on their machine, of course), and they can not only connect to the VMM server but also modify properties of my VMs, start/stop them, etc. They can't connect to the console session, but at any rate this is highly concerning from an RBAC perspective.
The only built-in RBAC group in VMM that I can see is "Administrators". The membership of this group contains all the defaults (i.e. the VMM server computer account, service account, default action account, Domain Admins, etc.). It does *not*, however, contain any groups that would include Domain Users or any broad global/universal groups.
So why anyone can launch the console and play with my VMs, I have no idea. Where else should I be looking for access rights? Aside from my server administrators, I don't want anyone to be able to launch the console and connect, let alone make any setting changes or even see any VMs for that matter.
Ideas? What am I missing about VMM 2012 R2 versus the old VMM 2008 R2 world where this was seemingly simpler or at least more secure/functional?
Thanks in advance.
Edit - Additional Information:
My VMM environment is extremely simple at this point as it is in the early stages of configuration. Only a few hosts, about 20 VMs, a single private cloud, single domain, nothing extravagant. It is VMM 2012 R2 (Update Rollup 4) running on a fully patched Server 2012 R2 box.