Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Hyper v manager and domain users

Posted on 2016-09-26
9
Medium Priority
?
62 Views
Last Modified: 2016-11-08
Hello,

I am trying to allow domain users the ability to manage VMs from Hyper v manager without giving them access to log on to the hyper v host remotely. I thought this is what the hyper-v administrators group was , but it doesnt work unless the users are added to the local admin's group on the hyper-v host which also gives them the ability to remote in

How can I accomplish this??
Thanks in advance
0
Comment
Question by:Curtis Booker
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
9 Comments
 
LVL 43

Assisted Solution

by:Adam Brown
Adam Brown earned 1328 total points
ID: 41816215
Hyper-V has its own discreet permission system that is managed with the Authorization Manager (AZMAN) tool: https://technet.microsoft.com/en-us/library/dd283030(v=ws.10).aspx
0
 

Author Comment

by:Curtis Booker
ID: 41816314
Is azman.msc run on the hyper-v host or a Domain Contoller or does it matter??
0
 
LVL 43

Expert Comment

by:Adam Brown
ID: 41816316
It's run on the Hyper-V host.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 

Author Comment

by:Curtis Booker
ID: 41816330
Yeah that's what I thought. But once I remove the user from the hyper-v local admins group he can't use hyper-v manager to access vms. I want to have him access vms without him being in local admins
0
 

Author Comment

by:Curtis Booker
ID: 41816373
Yeah that's what I thought. But once I remove the user from the hyper-v local admins group he can't use hyper-v manager to access vms. I want to have him access vms without him being in local admins

Is there a way to do this?
0
 
LVL 56

Accepted Solution

by:
McKnife earned 672 total points
ID: 41816451
Not really. Using azman.msc, you can give users permission per server, not per guest. Unless you want per server, you will need to buy a management suites for hyper-v.

What you could do as a workaround (I don't know if you are the flexible type), is use event triggered tasks. To give you an idea: imagine your user would like to take a snapshot of guest System X, then we could setup a share that is writable for user X and whenever he creates  a file inside that share, a snapshot would be triggered on file creation. The same is possible for any hyper-v command that one can imagine. All commands are powershell based.
0
 
LVL 43

Assisted Solution

by:Adam Brown
Adam Brown earned 1328 total points
ID: 41816468
Yes, you have to grant the permission to manage VMs in AZMan to either the user or the group that you want to be able to manage VMs remotely. Local Admins is granted VM Management rights by default, but the only way to grant that right to other users (aside from using VMM manager or other tools, which basically just make modifications to the AzMan data) is through AZMan. No other groups on the server have VM management rights by default, which is why you have to grant permissions.

If you don't want users to access the VM Host directly, you have to go into AZMAN.msc and grant the users or groups permission to manage the VMs. Once you do that, they'll be able to use any Hyper-V manager console to manage the VMs.

Now, AZMan *was* deprecated in 2012, so if you're on 2012 (No mention of OS Version here) you should be able to just manage admins with the Hyper-V Admins group on the host, *but* you will also need to make sure that the users are granted the necessary rights to access the server over the network. Run RSOP.MSC on the server and check the user rights assignment settings, particularly the Access This Computer from the Network right. If your user isn't part of a group listed there, they won't be able to manage Hyper-V remotely.
0
 

Author Comment

by:Curtis Booker
ID: 41827211
Adam & McKnife --I think that's what I been missing is giving users the right to access over network. I'll try that tomorrow when I get in.
 Oh & I'm using Windows Server 2012 R2 & Windows 10 Clients --

Thanks again
0

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question