Solved

Hyper-V Manager and domain users

Posted on 2016-09-26
Last Modified: 2016-11-08
Hello,

I am trying to allow domain users the ability to manage VMs from Hyper-V Manager without giving them access to log on to the Hyper-V host remotely. I thought this is what the Hyper-V Administrators group was, but it doesn't work unless the users are added to the local admins group on the Hyper-V host, which also gives them the ability to remote in.

How can I accomplish this??
Thanks in advance
Question by:Curtis Booker
9 Comments
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 332 total points
Hyper-V has its own discrete permission system that is managed with the Authorization Manager (AZMAN) tool: https://technet.microsoft.com/en-us/library/dd283030(v=ws.10).aspx
0
 

Author Comment

by:Curtis Booker
Is azman.msc run on the Hyper-V host or a Domain Controller, or does it matter??
0
 
LVL 38

Expert Comment

by:Adam Brown
It's run on the Hyper-V host.
0
 

Author Comment

by:Curtis Booker
Yeah, that's what I thought. But once I remove the user from the Hyper-V local admins group he can't use Hyper-V Manager to access VMs. I want to have him access VMs without him being in local admins.
0

 

Author Comment

by:Curtis Booker
Yeah, that's what I thought. But once I remove the user from the Hyper-V local admins group he can't use Hyper-V Manager to access VMs. I want to have him access VMs without him being in local admins.

Is there a way to do this?
0
 
LVL 53

Accepted Solution

by:
McKnife earned 168 total points
Not really. Using azman.msc, you can give users permission per server, not per guest. Unless you want per server, you will need to buy a management suite for Hyper-V.

What you could do as a workaround (I don't know if you are the flexible type) is use event-triggered tasks. To give you an idea: imagine your user would like to take a snapshot of guest System X, then we could set up a share that is writable for user X and whenever he creates a file inside that share, a snapshot would be triggered on file creation. The same is possible for any Hyper-V command that one can imagine. All commands are PowerShell based.
0
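
Added example, not part of the answer above: one way the action behind such a file-triggered task could look, written so the elevated task only ever acts on an allow-listed guest name taken from the file name and never on file contents. The folder path, the `.snap` naming convention, the log file and the `$AllowedVMs` list are assumptions made for this sketch; the trigger itself (scheduled task, event subscription) is configured separately.

```powershell
# Added example: action script for a task that fires when a request file appears.
# Runs on the Hyper-V host under an account that may create checkpoints.
# $DropFolder, $LogFile and $AllowedVMs are placeholders for this sketch.
$DropFolder = 'D:\SnapshotRequests'
$LogFile    = 'D:\SnapshotRequests.log'
$AllowedVMs = @('SystemX')   # guests that users of this share may snapshot

function Get-RequestedVM {
    param([string]$FileName, [string[]]$Allowed)
    # A request is a file named "<VMName>.snap". The name must match a strict
    # pattern AND be on the allow list; file contents are never read.
    if ($FileName -notmatch '^([A-Za-z0-9_-]{1,64})\.snap$') { return $null }
    $vm = $Matches[1]
    if ($Allowed -contains $vm) { return $vm }
    return $null
}

foreach ($file in Get-ChildItem -Path $DropFolder -File) {
    # The file owner is recorded so each checkpoint can be traced to a requester.
    $owner = (Get-Acl -Path $file.FullName).Owner
    $vm    = Get-RequestedVM -FileName $file.Name -Allowed $AllowedVMs
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

    if ($vm) {
        Checkpoint-VM -Name $vm -SnapshotName "Requested $stamp"
        Add-Content -Path $LogFile -Value "$stamp OK   $vm requested by $owner"
    }
    else {
        Add-Content -Path $LogFile -Value "$stamp DENY '$($file.Name)' from $owner"
    }

    # Remove the request either way so it is not processed twice.
    Remove-Item -Path $file.FullName -Force
}
```

Keep the log file outside the writable share so requesters cannot edit the audit trail.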
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 332 total points
Yes, you have to grant the permission to manage VMs in AZMan to either the user or the group that you want to be able to manage VMs remotely. Local Admins is granted VM Management rights by default, but the only way to grant that right to other users (aside from using VMM manager or other tools, which basically just make modifications to the AzMan data) is through AZMan. No other groups on the server have VM management rights by default, which is why you have to grant permissions.

If you don't want users to access the VM Host directly, you have to go into AZMAN.msc and grant the users or groups permission to manage the VMs. Once you do that, they'll be able to use any Hyper-V manager console to manage the VMs.

Now, AZMan *was* deprecated in 2012, so if you're on 2012 (No mention of OS Version here) you should be able to just manage admins with the Hyper-V Admins group on the host, *but* you will also need to make sure that the users are granted the necessary rights to access the server over the network. Run RSOP.MSC on the server and check the user rights assignment settings, particularly the Access This Computer from the Network right. If your user isn't part of a group listed there, they won't be able to manage Hyper-V remotely.
0
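
Added example, not part of the answer above: a PowerShell audit of the two things that answer says must line up on a 2012-era host, plus the two memberships that would let the same account log on to the host. It reads the effective user rights with `secedit /export` rather than through RSOP.MSC, and `CONTOSO\HyperV-Operators` is a placeholder group name.

```powershell
# Added example: run elevated on the Hyper-V host (secedit needs admin rights).
# 'CONTOSO\HyperV-Operators' is a placeholder for your own domain group or user.
param([string]$Principal = 'CONTOSO\HyperV-Operators')

function Resolve-Sid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Get-BuiltinGroupMemberSid([string]$GroupSid) {
    # Resolve the well-known SID to the (possibly localized) local group name.
    $name = (New-Object System.Security.Principal.SecurityIdentifier($GroupSid)).Translate(
        [System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

function Get-UserRightHolder([string[]]$Right) {
    # Export the effective user rights assignment and keep only the requested rights.
    $cfg = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $map = @{}
    foreach ($line in Get-Content $cfg) {
        $key, $value = $line -split '\s*=\s*', 2
        if ($Right -contains $key) {
            $map[$key] = $value.Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $map
}

$sid    = Resolve-Sid $Principal
$rights = Get-UserRightHolder 'SeNetworkLogonRight', 'SeDenyNetworkLogonRight',
                              'SeRemoteInteractiveLogonRight'

# Membership checks are direct only; nested groups and broad holders such as
# Everyone or Authenticated Users in the rights lists must be reviewed by hand.
[pscustomobject]@{
    Principal            = "$Principal ($sid)"
    InHyperVAdmins       = (Get-BuiltinGroupMemberSid 'S-1-5-32-578') -contains $sid
    InLocalAdmins        = (Get-BuiltinGroupMemberSid 'S-1-5-32-544') -contains $sid
    InRemoteDesktopUsers = (Get-BuiltinGroupMemberSid 'S-1-5-32-555') -contains $sid
    NetworkLogonHolders  = $rights['SeNetworkLogonRight'] -join ', '
    DenyNetworkLogon     = $rights['SeDenyNetworkLogonRight'] -join ', '
    RdpLogonHolders      = $rights['SeRemoteInteractiveLogonRight'] -join ', '
}
```

For the setup the question asks for, the expected result is `InHyperVAdmins` true, `InLocalAdmins` and `InRemoteDesktopUsers` false, and the principal covered by the network logon holders but not by the deny list.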
 

Author Comment

by:Curtis Booker
Adam & McKnife -- I think that's what I've been missing: giving users the right to access over network. I'll try that tomorrow when I get in.
Oh & I'm using Windows Server 2012 R2 & Windows 10 clients --

Thanks again
0
