How can I hide a Virtual Machine in the Hyper-V Manager, so that only administrators can see it?
Solution 1
I gathered from the comments to MDMarra's answer that some users need (need or want?) to be able to start and stop VMs. If users do have a valid case for having direct control over a server, such as when they are used for dev work, consider placing those VMs on the users' workstations. Use whatever virtualisation product you like for the job, such as VirtualBox, VMware Player, Virtual PC, etc.
Your situation screams two fundamental problems:
- The rule of least privilege should always be applied.
- Never allow users to access or do anything for which you might be held accountable. It's easy enough to make mistakes. You don't need users making them for you.
Solution 2
Why on earth are your regular users allowed to log into a Hyper-V host that is running production VMs? What you need to do is not let regular users administer Hyper-V hosts. That's just crazy. They have to either belong to a group like Domain Admins or be a local admin on the host to be able to do this. You should take these privileges away immediately.
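Both answers come down to the same action: find every account that can manage VMs on the host and take that right away from anyone who is not an administrator. The following PowerShell audit is an added example, not code from either answer; it assumes Windows Server 2012 or later (where the built-in "Hyper-V Administrators" local group exists), the LocalAccounts module (Windows PowerShell 5.1+), and a constructed CONTOSO allow-list that you would replace with your own admin groups.

```powershell
# Added example: audit who can manage every VM on this Hyper-V host.
# Run elevated on the host itself (wrap in Invoke-Command for remote hosts).
# Assumes Windows Server 2012+ (Hyper-V Administrators group) and PowerShell 5.1+.

# Constructed allow-list (placeholder domain/group names): the only principals
# that should hold VM management rights on this host.
$Approved = @(
    'CONTOSO\Domain Admins',                 # placeholder domain admin group
    'CONTOSO\HyperV-Operators',              # placeholder dedicated Hyper-V admin group
    "$env:COMPUTERNAME\Administrator"        # built-in local administrator
)

# Membership in either group grants management rights over all VMs on the host.
$GroupsToAudit = @('Administrators', 'Hyper-V Administrators')

$findings = foreach ($group in $GroupsToAudit) {
    try {
        $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
    } catch {
        Write-Warning "Group '$group' not found on this host: $_"
        continue
    }
    foreach ($m in $members) {
        [pscustomobject]@{
            Group       = $group
            Member      = $m.Name              # e.g. CONTOSO\jdoe or HOST\localuser
            ObjectClass = $m.ObjectClass       # User or Group
            Source      = $m.PrincipalSource   # Local, ActiveDirectory, ...
            Approved    = ($Approved -contains $m.Name)
        }
    }
}

$findings | Format-Table -AutoSize

# Anything not on the allow-list is a regular user (or an unreviewed group) who can
# start, stop or delete production VMs, including the domain controller.
$unexpected = $findings | Where-Object { -not $_.Approved }
if ($unexpected) {
    Write-Host 'Principals with VM management rights that are NOT on the allow-list:'
    $unexpected | ForEach-Object { Write-Host "  $($_.Group): $($_.Member)" }
    # Remediation as a dry run; drop -WhatIf once the list has been reviewed.
    $unexpected | ForEach-Object {
        Remove-LocalGroupMember -Group $_.Group -Member $_.Member -WhatIf
    }
} else {
    Write-Host "Only allow-listed principals can manage VMs on $env:COMPUTERNAME."
}
```

Users who still need to reach particular VMs should get Remote Desktop access to those guests, not membership in either of the audited groups.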
Mike
Updated on September 18, 2022
Comments
- Mike (over 1 year): I have a domain controller that is a virtual machine; last week a user logged on to it and shut it down accidentally. I need to prevent this from happening, so I would like to hide this VM in Hyper-V so that users cannot see it there. I have already restricted RDP connections to it, but they can still connect locally in Hyper-V.
  We have a script that we use to do this called SetScope.VBS that we found online and it usually works well. I used it for a different VM DC on a different physical server and it worked perfectly; that VM no longer shows up for anyone but admins.
  On this particular server and VM, though, it gives me a 4096 error (in case anyone is familiar with this script: http://projectdream.org/wordpress/2008/07/03/delegating-hyper-v-virtual-machines/ ).
  There's really no help for this error online, so I think I'm out of luck trying to use this script for this VM.
  Any other ideas how I can prevent certain users from logging on locally to a Virtual Machine in Hyper-V?
- Mike (over 11 years): I'm sorry, but unfortunately I don't really have much more detail; all I get is a 4096 error running this script and that's it. I'm not sure what else I can say. I googled this too before posting here and only found one concrete idea to try, which was no help. If you are finding a lot of resources on Google, please pass me the links and I'd be happy to research them on my own. If there are specific questions I can answer for you or anyone else to help, I am happy to as well. I'll also add that the error itself is not helpful: it simply says "4096", which the website says indicates a failure.
- ceejayoz (over 11 years): I can't +1 this enough times.
- Mike (over 11 years): Well, they can't actually log on to the physical server that hosts our VMs. They can open up Hyper-V, connect to the VM server, and then see all the VMs that are stored on that server, and connect to them through the Hyper-V Manager this way. That's all I meant.
- ceejayoz (over 11 years): @Mike That's no better. Why can they access the Hyper-V Manager?
- Mike (over 11 years): Hmm, I never really questioned it; it's been that way since I started working here. But in some cases they do need to shut down/start up the virtual machines, and they are allowed to do this.
- MDMarra (over 11 years): @Mike Right, that's what I was asking. Why on earth do normal users have this ability? That's not a standard design. What business case would there be for a regular (non-IT) user to be able to power up and down servers? They shouldn't even have physical access!
- Mike (over 11 years): I've never even realized this was abnormal. All of our users have the Hyper-V Manager installed on their machines and use it to work with certain machines as if they were physical machines. We've been using the script in my original post to hide the important ones from them, but I can't get it to work for this one DC.
- MDMarra (over 11 years): @Mike What you're describing is not normal at all. Typically, if a user needs access to a remote workstation, it's done via Remote Desktop, not Hyper-V Manager, precisely because of what you're seeing. If your regular users need centralized resources, you should be using Remote Desktop Services (formerly Terminal Services) and they should be using Remote Desktop for access. It's rare (to the point that I've never ever seen it) for users to have console access to a server hosting VMs, whether it be Hyper-V, ESXi, etc.
- MDMarra (over 11 years): In short: while your problem can likely be fixed via technical means, you do not have a technical problem, you have a fundamental design problem. You should be working to fix that instead.
- Mike (over 11 years): Ok, thanks for that. We do have users connect to most of our resources using Remote Desktop; they've just always had access to the VMs for certain machines. I'll re-assess this.
- MDMarra (over 11 years): @Rex I didn't say that it did, but managing the virtual machines on that host does (or close to it).
- MDMarra (over 11 years): Ohh, ok. I see now :)
- Dan Is Fiddling By Firelight (over 11 years): The only plausible business case I can see for that sort of access would be to let users create VMs for test/dev/etc. use without needing to go through an admin (being able to do this would make my life easier at times). However, those VMs should be isolated on separate hardware and a separate admin console so that the developers/etc. can't accidentally screw up any production systems.