Solved

Hyper v manager and domain users

Posted on 2016-09-26
Last Modified: 2016-11-08
Hello,

I am trying to allow domain users the ability to manage VMs from Hyper-V Manager without giving them access to log on to the Hyper-V host remotely. I thought this is what the Hyper-V Administrators group was, but it doesn't work unless the users are added to the local admins group on the Hyper-V host, which also gives them the ability to remote in.

How can I accomplish this??
Thanks in advance
Question by:Curtis Booker
8 Comments
 
LVL 44

Assisted Solution

by:Adam Brown
Adam Brown earned 1328 total points
ID: 41816215
Hyper-V has its own discrete permission system that is managed with the Authorization Manager (AZMAN) tool: https://technet.microsoft.com/en-us/library/dd283030(v=ws.10).aspx
 

Author Comment

by:Curtis Booker
ID: 41816314
Is azman.msc run on the Hyper-V host or a Domain Controller, or does it matter??
 
LVL 44

Expert Comment

by:Adam Brown
ID: 41816316
It's run on the Hyper-V host.
 

Author Comment

by:Curtis Booker
ID: 41816330
Yeah that's what I thought. But once I remove the user from the hyper-v local admins group he can't use hyper-v manager to access vms. I want to have him access vms without him being in local admins
 

Author Comment

by:Curtis Booker
ID: 41816373
Yeah that's what I thought. But once I remove the user from the hyper-v local admins group he can't use hyper-v manager to access vms. I want to have him access vms without him being in local admins

Is there a way to do this?
 
LVL 59

Accepted Solution

by:
McKnife earned 672 total points
ID: 41816451
Not really. Using azman.msc, you can give users permission per server, not per guest. Unless you want per server, you will need to buy a management suite for Hyper-V.

What you could do as a workaround (I don't know if you are the flexible type) is use event-triggered tasks. To give you an idea: imagine your user would like to take a snapshot of guest System X; then we could set up a share that is writable for user X, and whenever he creates a file inside that share, a snapshot would be triggered on file creation. The same is possible for any Hyper-V command that one can imagine. All commands are PowerShell based.
0
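A script that a triggered task of the kind described in the answer above could run on the host, as an added example that is not part of the original answer. The drop folder, log path and allow-list are assumptions; the file name alone is treated as the request, so nothing the user writes into the share is ever executed.

```powershell
# Added example: run by a scheduled task on the Hyper-V host, under an account
# that holds Hyper-V management rights. All paths and names are hypothetical.
#Requires -Modules Hyper-V

$DropFolder = 'D:\VMRequests\snapshot'      # shared folder, writable by the delegated user only
$AllowedVMs = @('System X')                 # guests this user may snapshot through the share
$LogFile    = 'D:\VMRequests\snapshot.log'  # outside the share, not writable by the user

Get-ChildItem -LiteralPath $DropFolder -File | ForEach-Object {
    $request = $_
    $vmName  = $request.BaseName            # file NAME is the request; contents are never read
    $owner   = (Get-Acl -LiteralPath $request.FullName).Owner
    $stamp   = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

    try {
        # Refuse anything that is not an exact match on the allow-list.
        if ($AllowedVMs -notcontains $vmName) {
            throw "VM '$vmName' is not on the allow-list"
        }
        $snapName = "req-$(Get-Date -Format yyyyMMdd-HHmmss)"
        Checkpoint-VM -Name $vmName -SnapshotName $snapName -ErrorAction Stop
        Add-Content -LiteralPath $LogFile -Value "$stamp OK     '$vmName' ($snapName) requested by $owner"
    }
    catch {
        Add-Content -LiteralPath $LogFile -Value "$stamp FAILED '$vmName' requested by $owner : $($_.Exception.Message)"
    }
    finally {
        # Always consume the request so it is not replayed on the next run.
        Remove-Item -LiteralPath $request.FullName -Force
    }
}
```

The log records the file owner for each request, which gives an audit trail of who asked for which snapshot.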
 
LVL 44

Assisted Solution

by:Adam Brown
Adam Brown earned 1328 total points
ID: 41816468
Yes, you have to grant the permission to manage VMs in AZMan to either the user or the group that you want to be able to manage VMs remotely. Local Admins is granted VM Management rights by default, but the only way to grant that right to other users (aside from using VMM manager or other tools, which basically just make modifications to the AzMan data) is through AZMan. No other groups on the server have VM management rights by default, which is why you have to grant permissions.

If you don't want users to access the VM Host directly, you have to go into AZMAN.msc and grant the users or groups permission to manage the VMs. Once you do that, they'll be able to use any Hyper-V manager console to manage the VMs.

Now, AZMan *was* deprecated in 2012, so if you're on 2012 (No mention of OS Version here) you should be able to just manage admins with the Hyper-V Admins group on the host, *but* you will also need to make sure that the users are granted the necessary rights to access the server over the network. Run RSOP.MSC on the server and check the user rights assignment settings, particularly the Access This Computer from the Network right. If your user isn't part of a group listed there, they won't be able to manage Hyper-V remotely.
0
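The two checks described in this answer, as an added example that is not part of the original post: it adds a domain group to the host's Hyper-V Administrators group and then lists who holds the network access right. `CONTOSO\HV-Operators` is a hypothetical group name; the "deny" right is listed as well because it overrides the "allow" right.

```powershell
# Added example: run elevated on the Hyper-V host (Server 2012 or later).
$Group = 'CONTOSO\HV-Operators'   # hypothetical domain group of VM operators

# 1. Delegate VM management without local admin membership.
net localgroup "Hyper-V Administrators" $Group /add

# 2. Export the user rights assignment in effect on this host.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Return the accounts that hold a given right, translating SIDs to names.
function Get-RightHolders([string]$Right) {
    $line = Select-String -LiteralPath $cfg -Pattern "^$Right\s*=" | Select-Object -First 1
    if (-not $line) { return @() }
    ($line.Line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # unresolvable SID: show it raw
        }
        else { $entry }
    }
}

"Access this computer from the network:"
Get-RightHolders 'SeNetworkLogonRight'     | ForEach-Object { "  $_" }
"Deny access to this computer from the network:"
Get-RightHolders 'SeDenyNetworkLogonRight' | ForEach-Object { "  $_" }

Remove-Item -LiteralPath $cfg
```

The operators group needs to appear in the first list, directly or through a group it belongs to, and in none of the entries of the second.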
 

Author Comment

by:Curtis Booker
ID: 41827211
Adam & McKnife -- I think that's what I've been missing: giving users the right to access over the network. I'll try that tomorrow when I get in.
Oh & I'm using Windows Server 2012 R2 & Windows 10 clients.

Thanks again