Solved

Windows Server - Authorization Manager - ability to create user for specific VMs

Posted on 2016-09-13
Last Modified: 2016-09-27
I am wondering if I can use Authorization Manager in Windows Server 2012 to create a user who can create and delete VMs of their own but can not delete or modify VMs created by others. If so, can you please provide me with the instructions to do so?
Question by:lineonecorp
21 Comments
 

Expert Comment

by:Dan McFadden
ID: 41797396
Unless you have written a custom VM manager, you cannot use Authorization Manager to do this.

You use AzMan to create roles and operations and to assign these roles permission to perform the defined operations (tasks).  AzMan integrates with AD so you can use your existing user account and group infrastructure to utilize these roles.

Links:
1. https://technet.microsoft.com/en-us/library/cc732203(v=ws.11).aspx
2. https://msdn.microsoft.com/en-us/library/bb897401.aspx

Unless an existing application is AzMan aware, you can just use AzMan to control access.

Typically you could use AzMan to control access to functionality in a web application or custom desktop client app.

With that said:

1. What virtualization technology are you using?  VMWare, Hyper-V, Xen, Docker, etc.
2. What are you using to manage your VM infrastructure?  vSphere Client, SC VMM, etc?

Dan

Expert Comment

by:David Johnson, CD, MVP
ID: 41798607
It can't be done natively; with PowerShell one could engineer a solution that could accomplish this. System Center Virtual Machine Manager does this natively for tenants, but if your requirements are as simple as shown it would be overkill. SCVMM has a very steep learning curve.

Author Comment

by:lineonecorp
ID: 41800977
David Johnson:

"With PowerShell one could engineer a solution that could accomplish this"

Can you elaborate on this?  Do you know the specifics of how it would be done/have done something similar, or is it a general level of confidence that usually there is a way to do 'just about anything' with PowerShell?  For instance, can you specify the commands that one might use?

Dan McFadden:

1. What virtualization technology are you using?  VMWare, Hyper-V, Xen, Docker, etc.

Per my original post:  
"I am wondering if I can use Authorization Manager in Windows Server 2012 to create a user who can create and delete VMs of their own but can not delete or modify VMs created by others." So Windows 2012 R2 Hyper-V.


2. What are you using to manage your VM infrastructure?  vSphere Client, SC VMM, etc?

No special software. Just native Windows Server 2012 R2.

Author Comment

by:lineonecorp
ID: 41810073
Some alternate routes I can think of that might work/suffice.

1) Assign only certain folders that a user can write to, so that when they create their VM/VHD they will only be able to create in that folder and not have delete permissions in any other folder

2) Give a user the right to create VMs but not delete them - with Authorization Manager

3) System Center Virtual Machine Manager - would it allow me to do what I want?

Thoughts?

Assisted Solution

by:Dan McFadden
Dan McFadden earned 250 total points
ID: 41810266

Author Comment

by:lineonecorp
ID: 41811851
Thanks for the links - they answer one of my questions - System Center Virtual Machine Manager could do this.

However I don't clearly see an answer to the other alternatives I asked:

1) Assign only certain folders that a user can write to, so that when they create their VM/VHD they will only be able to create in that folder and not have delete permissions in any other folder

2) Give a user the right to create VMs but not delete them - with Authorization Manager

Accepted Solution

by:Dan McFadden
Dan McFadden earned 250 total points
ID: 41812014
1.  I don't think this is an effective solution.  Reason being: how will you force users to save their VMs in specific paths?  You have the ability to set a global destination directory for newly created VMs, and the option to store the VM in a different location... but there is always the question of forcing a path on a user.  This becomes a question of procedure and enforcement.

2.  You have to read through the third link as well as doing work in AzMan.  You would have to create custom role definitions as well as build/define custom tasks in order to control the functionality you desire.  This is the pro and con of AzMan... it is flexible enough to accommodate user-defined actions, but it is an almost blank canvas.  In AzMan for Hyper-V, there is one role defined and several default tasks & operations.  If these are not enough to implement your required functionality, you will have to define the tasks yourself.

Reference Links:
- https://technet.microsoft.com/en-us/library/dd283030(v=ws.10).aspx
- https://technet.microsoft.com/en-us/library/dd282980(v=ws.10).aspx

To summarize, you would need to create a new role definition and create custom tasks that allow the needed functionality with the exception of "delete" operations.

Dan
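The AzMan route from the accepted answer, scripted through the AzRoles COM API rather than clicked through the MMC. This is an added example and not code from the thread. It assumes the default Hyper-V store location and application name ("Hyper-V services") on Windows Server 2012 R2; the role name "AlmostAdmin" and the account "CONTOSO\almostadmin1" are placeholders. Rather than hard-coding operation IDs, it builds the new role definition from whatever operations the store already contains and withholds only those whose names contain "Delete":

```powershell
# Added example (not from the thread): define a Hyper-V AzMan role that gets
# every existing operation except the delete operations, via the AzRoles COM API.
# Assumptions: default store path and application name for Hyper-V on
# Windows Server 2012 R2; role and account names below are placeholders.

$StorePath   = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'
$AppName     = 'Hyper-V services'
$RoleName    = 'AlmostAdmin'              # placeholder role name
$MemberName  = 'CONTOSO\almostadmin1'     # placeholder account
$DenyPattern = 'Delete'                   # operations matching this are withheld

# Open the existing XML policy store (flag 0 = open, do not create).
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$StorePath", $null)
$app = $store.OpenApplication($AppName, $null)

# Split the operations Hyper-V already defines into granted and withheld sets.
$allowed  = @()
$withheld = @()
foreach ($op in $app.Operations) {
    if ($op.Name -match $DenyPattern) { $withheld += $op.Name }
    else                              { $allowed  += $op.Name }
}

# In AzMan a role definition is a task flagged IsRoleDefinition = $true.
$roleDef = $app.CreateTask($RoleName, $null)
$roleDef.IsRoleDefinition = $true
foreach ($name in $allowed) { $roleDef.AddOperation($name, $null) }
$roleDef.Submit(0, $null)

# A role assignment binds that definition to principals at application scope,
# i.e. host-wide, covering every VM on this host.
$role = $app.CreateRole($RoleName, $null)
$role.AddTask($RoleName, $null)
$role.AddMemberName($MemberName, $null)
$role.Submit(0, $null)

"Granted to ${RoleName}:  $($allowed  -join ', ')"
"Withheld from ${RoleName}: $($withheld -join ', ')"
```

Two caveats before relying on this. The pattern "Delete" withholds every delete operation in the store (virtual switches and ports as well as virtual machines), so narrow it if that is too broad. More fundamentally, the assignment is host-wide: AzMan distinguishes roles, not creators, so a role without the delete operation withholds delete from everyone assigned to it, on their own VMs as much as on others'. That is what option 2 above literally asks for, not the original "only their own VMs" requirement. Note also that Microsoft lists AzMan for Hyper-V as deprecated in Windows Server 2012 R2 and Hyper-V in Windows Server 2016 no longer consults the store, so the approach has no upgrade path.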

Author Comment

by:lineonecorp
ID: 41815327
Thanks for the feedback

Thanks for the links to Azman task creation - I think that might work as well.

However, as far as your comment about folder permissions:
"1.  I don't think this is an effective solution.  Reason being: how will you force users to save their VMs in specific paths?  You have the ability to set a global destination directory for newly created VMs, and the option to store the VM in a different location... but there is always the question of forcing a path on a user.  This becomes a question of procedure and enforcement."


If I have almostadmin1 and almostadmin2 and they have the right to create and delete VMs but only have rights to \almostadmin1 and \almostadmin2 for saving and deleting and renaming files, won't this be self-enforcing? If they try to delete the other fellow's VHDs or VMs they will be blocked, as they will have no rights in the other's folder but full rights in their own.

T

Expert Comment

by:David Johnson, CD, MVP
ID: 41815333
You could implement Azure Stack and add the users as tenants

Author Comment

by:lineonecorp
ID: 41815340
Thanks.

I am not familiar with Azure Stack but I did a quick read just now.  It talks about making a private cloud and hybrid cloud as well. For our purposes we would only do on-premises/our own data centre, so no cloud hosting with any third party, be it Microsoft or anybody else. Is this possible with Azure Stack - it won't write home to MS, so to speak?

I have been reading of Server 2016 and it is supposed to have nested virtualization.  Similar to Azure Stack - tenants/users have their own hypervisors?

Expert Comment

by:David Johnson, CD, MVP
ID: 41815346
"I have been reading of Server 2016 and it is supposed to have nested virtualization.  Similar to Azure Stack - tenants/users have their own hypervisors?"

Not really as isolated as Azure Stack (private cloud is what you want), and the release date isn't fully set in stone but appears to be mid to late October.

Author Comment

by:lineonecorp
ID: 41815350
Thanks for the quick reply. Can you please elaborate on 'not really as isolated'.  Thanks in advance.

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points
ID: 41815364
Network isolation: what happens if a tenant wants to use the same subnet as another tenant, or use a VPN to connect? Disk isolation: when you create the VM, does the VHD exist inside of a VHD from the parent VM or does it exist on the file system? If on the file system, what safeguards are there so a tenant can't create a VM using another user's VHDs?

Author Comment

by:lineonecorp
ID: 41815412
Very good points. Thanks.

Author Comment

by:lineonecorp
ID: 41815414
David:

Question I asked Dan McFadden:

"If I have almostadmin1 and almostadmin2 and they have the right to create and delete VMs but only have rights to \almostadmin1 and \almostadmin2 for saving and deleting and renaming files, won't this be self-enforcing? If they try to delete the other fellow's VHDs or VMs they will be blocked, as they will have no rights in the other's folder but full rights in their own."

I know this is not as good as 'isolation out of the box' but would it work?

Assisted Solution

by:Dan McFadden
Dan McFadden earned 250 total points
ID: 41815458
Again... we come back to the question of enforcing a required path to save VMs.  Yes, you could grant Read/Write permissions to specific folders, but Hyper-V Manager sets only a preferred path to save the VM files, and this is a global setting, not a per-user setting.

If these "almost admins" follow a required procedure, then this could work.

<Minor-Rant>
But my experience tells me that people do what people want to do, not always what they're told or expected to do.  And almost admins will inevitably try and test their boundaries.

As someone who has been around the IT Admin block a few times, I am a bit pessimistic about letting non-admins play on servers that are probably in Production.
</Minor-Rant>

In addition to David's points, there is also the concern of resource allocation.  How are you going to control the amount of resources the "AlmostAdmin" configured their various VMs with?  I foresee resource exhaustion in this server's future.  (again, the pessimist coming out)

Dan

Author Comment

by:lineonecorp
ID: 41817107
I understand the pessimism.  Point of resource allocation is an excellent one.  Would Authorization Manager have the ability to set limits as to how much CPU/RAM/Disk space almostadmin could allocate/use as part of the role definition?

Assisted Solution

by:Dan McFadden
Dan McFadden earned 250 total points
ID: 41817375
No, AzMan could only be used to control who has access to what based on group and role membership.  Placing constraints on configurable items would require custom tools.  AzMan is essentially a role-based access control mechanism.

Dan

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points
ID: 41818918
What you want realistically cannot be done without using SCVMM or Azure Pack. You create your tenants and set the restrictions appropriately.

What is to stop an almost admin from spinning up 100 or 1,000 VMs with a fixed, non-expanding 1 TB disk and 16384 startup memory?  Eventually, given enough patience, they will use ALL available disk space, memory and disk I/O.
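A host-side enforcement and audit script that covers the two open points from the last few comments: Dan's question of how a path is forced on an "almost admin", and David's resource-exhaustion scenario. It is an added example, not code from the thread. It assumes a folder layout of D:\VMs\<owner>, that each VM's Notes field carries a line "owner=<name>" (a convention the thread does not define, and one that anyone with modify rights on the VM can rewrite), and placeholder quota numbers. One fact worth stating plainly before relying on the NTFS idea discussed above: file operations triggered through Hyper-V Manager or the Hyper-V cmdlets are carried out by the Hyper-V Virtual Machine Management service (vmms), which runs as Local System, so NTFS rights granted to almostadmin1 on \almostadmin1 bind that user's own shell and Explorer sessions, not the VM create/delete path. Folder permissions are therefore not self-enforcing; the audit below is what would catch a VM placed in, or built from disks sitting in, someone else's folder, and the per-VM caps are what bound the damage from the 1,000-VM scenario:

```powershell
# Added example (not from the thread): host-side path enforcement, per-VM caps,
# and a per-owner audit for "almost admin" users on a Windows Server 2012 R2
# Hyper-V host. Assumptions: VM owner recorded in Notes as "owner=<name>",
# layout D:\VMs\<owner>, and placeholder quotas. Run as a Hyper-V administrator.

$Root  = 'D:\VMs'
$Quota = @{ VMs = 5; MemoryGB = 16; DiskGB = 500 }   # placeholder limits per owner

# 1. Host-wide default paths (the "global setting" Dan refers to) so that new
#    VMs land under $Root unless the creator deliberately chooses otherwise.
Set-VMHost -VirtualMachinePath $Root -VirtualHardDiskPath $Root

# 2. Per-VM caps: applied to a VM regardless of who created it, so a single
#    almost admin cannot size one VM to the whole host.
function Set-AlmostAdminCaps {
    param([Parameter(Mandatory)][string]$Name)
    Set-VMProcessor -VMName $Name -Maximum 25 -RelativeWeight 50          # at most 25% of host CPU
    Set-VMMemory    -VMName $Name -DynamicMemoryEnabled $true -MaximumBytes 4GB
    Get-VMHardDiskDrive -VMName $Name | Set-VMHardDiskDrive -MaximumIOPS 500  # storage QoS (2012 R2+)
}

# Owner tag parser: first line of Notes matching "owner=<name>", else $null.
function Get-OwnerFromNotes {
    param([string]$Notes)
    if ($Notes -match '(?m)^owner=(\S+)') { $Matches[1] } else { $null }
}

# 3. Audit: every VM must carry an owner tag, keep its configuration and all
#    virtual disks under the owner's folder, and the owner's totals must stay
#    within $Quota. Emits one line per finding; silent when everything complies.
function Test-AlmostAdminCompliance {
    $usage = @{}
    foreach ($vm in Get-VM) {
        $owner = Get-OwnerFromNotes $vm.Notes
        if (-not $owner) { "VIOLATION: $($vm.Name) has no owner tag in Notes"; continue }

        $ownerRoot = Join-Path $Root $owner
        $paths = @($vm.ConfigurationLocation) + @($vm.HardDrives | ForEach-Object { $_.Path })
        foreach ($p in $paths) {
            # Pass-through disks have no path; everything else must sit under the owner's folder.
            if ($p -and -not $p.StartsWith($ownerRoot, [StringComparison]::OrdinalIgnoreCase)) {
                "VIOLATION: $($vm.Name) (owner $owner) uses $p outside $ownerRoot"
            }
        }

        if (-not $usage.ContainsKey($owner)) { $usage[$owner] = @{ VMs = 0; MemoryGB = 0; DiskGB = 0 } }
        $usage[$owner].VMs++
        $usage[$owner].MemoryGB += $vm.MemoryStartup / 1GB
        foreach ($d in $vm.HardDrives) {
            # Count the virtual (maximum) size, not the current file size: a fixed
            # or fully grown dynamic disk will eventually occupy the whole of it.
            if ($d.Path -and (Test-Path $d.Path)) { $usage[$owner].DiskGB += (Get-VHD -Path $d.Path).Size / 1GB }
        }
    }
    foreach ($owner in $usage.Keys) {
        foreach ($k in $Quota.Keys) {
            if ($usage[$owner][$k] -gt $Quota[$k]) {
                "QUOTA: $owner $k = $($usage[$owner][$k]) exceeds limit $($Quota[$k])"
            }
        }
    }
}

# Typical use: cap every VM, then audit. Schedule the audit (Task Scheduler) so
# a VM created outside the convention is noticed within minutes, not months.
Get-VM | ForEach-Object { Set-AlmostAdminCaps -Name $_.Name }
Test-AlmostAdminCompliance
```

This is detection and damage limitation, not a security boundary: the owner tag and the folder convention are both editable by anyone the AzMan role lets modify a VM, and the audit runs after the fact. A real per-tenant boundary (separate networks, separate storage, hard quotas) is what SCVMM or Azure Pack tenants provide, which is the conclusion David reaches above.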

Author Comment

by:lineonecorp
ID: 41819134
Thanks for all the info.