[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Hyper v manager and domain users

Posted on 2016-09-26
9
Medium Priority
?
65 Views
Last Modified: 2016-11-08
Hello,

I am trying to allow domain users the ability to manage VMs from Hyper v manager without giving them access to log on to the hyper v host remotely. I thought this is what the hyper-v administrators group was , but it doesnt work unless the users are added to the local admin's group on the hyper-v host which also gives them the ability to remote in

How can I accomplish this??
Thanks in advance
0
Comment
Question by:Curtis Booker
  • 4
  • 3
8 Comments
 
LVL 43

Assisted Solution

by:Adam Brown
Adam Brown earned 1328 total points
ID: 41816215
Hyper-V has its own discreet permission system that is managed with the Authorization Manager (AZMAN) tool: https://technet.microsoft.com/en-us/library/dd283030(v=ws.10).aspx
0
 

Author Comment

by:Curtis Booker
ID: 41816314
Is azman.msc run on the hyper-v host or a Domain Contoller or does it matter??
0
 
LVL 43

Expert Comment

by:Adam Brown
ID: 41816316
It's run on the Hyper-V host.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 

Author Comment

by:Curtis Booker
ID: 41816330
Yeah that's what I thought. But once I remove the user from the hyper-v local admins group he can't use hyper-v manager to access vms. I want to have him access vms without him being in local admins
0
 

Author Comment

by:Curtis Booker
ID: 41816373
Yeah that's what I thought. But once I remove the user from the hyper-v local admins group he can't use hyper-v manager to access vms. I want to have him access vms without him being in local admins

Is there a way to do this?
0
 
LVL 57

Accepted Solution

by:
McKnife earned 672 total points
ID: 41816451
Not really. Using azman.msc, you can give users permission per server, not per guest. Unless you want per server, you will need to buy a management suites for hyper-v.

What you could do as a workaround (I don't know if you are the flexible type), is use event triggered tasks. To give you an idea: imagine your user would like to take a snapshot of guest System X, then we could setup a share that is writable for user X and whenever he creates  a file inside that share, a snapshot would be triggered on file creation. The same is possible for any hyper-v command that one can imagine. All commands are powershell based.
0
 
LVL 43

Assisted Solution

by:Adam Brown
Adam Brown earned 1328 total points
ID: 41816468
Yes, you have to grant the permission to manage VMs in AZMan to either the user or the group that you want to be able to manage VMs remotely. Local Admins is granted VM Management rights by default, but the only way to grant that right to other users (aside from using VMM manager or other tools, which basically just make modifications to the AzMan data) is through AZMan. No other groups on the server have VM management rights by default, which is why you have to grant permissions.

If you don't want users to access the VM Host directly, you have to go into AZMAN.msc and grant the users or groups permission to manage the VMs. Once you do that, they'll be able to use any Hyper-V manager console to manage the VMs.

Now, AZMan *was* deprecated in 2012, so if you're on 2012 (No mention of OS Version here) you should be able to just manage admins with the Hyper-V Admins group on the host, *but* you will also need to make sure that the users are granted the necessary rights to access the server over the network. Run RSOP.MSC on the server and check the user rights assignment settings, particularly the Access This Computer from the Network right. If your user isn't part of a group listed there, they won't be able to manage Hyper-V remotely.
0
 

Author Comment

by:Curtis Booker
ID: 41827211
Adam & McKnife --I think that's what I been missing is giving users the right to access over network. I'll try that tomorrow when I get in.
 Oh & I'm using Windows Server 2012 R2 & Windows 10 Clients --

Thanks again
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question