How to specify user permissions for managing a Hyper-V machine on a LOCAL host?


Solution 1

In the end I was not able to find an effective way to restrict access exactly the way I wanted (boo Microsoft for removing granular options).

The workaround I'm using right now is to simply grant access to control the VM. I then provide two PowerShell script files to my users, one which allows them to start the VM and another to connect to the VM.

At the same time, I have a GPO policy which disables access to the Hyper-V control panel for those specific users that have Hyper-V installed locally.
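
A launcher along the lines this answer describes, as an added example and not the answerer's own scripts (it combines the start and connect steps into one file). It assumes the user already holds the rights to control the VM, as the answer says, and uses the VM name from the question; the 60-second timeout is an arbitrary choice.

```powershell
#Requires -Modules Hyper-V
# Added example: start one fixed VM on the local host and open its console.
# The VM name is hard-coded and the script takes no parameters, so the file
# handed to the user can only ever act on this one machine.
$VMName         = 'ComputerA-VM'   # VM name taken from the question
$TimeoutSeconds = 60               # assumption: how long to wait for the VM to run

try {
    $vm = Get-VM -Name $VMName -ErrorAction Stop
}
catch {
    # Typical causes: the account lacks Hyper-V rights, or the VM was renamed.
    Write-Error "Cannot query '$VMName': $($_.Exception.Message)"
    exit 1
}

try {
    switch ($vm.State) {
        'Running' { break }                                          # nothing to do
        'Paused'  { Resume-VM -Name $VMName -ErrorAction Stop }      # paused VMs are resumed
        default   { Start-VM  -Name $VMName -ErrorAction Stop }      # Off or Saved
    }
}
catch {
    Write-Error "Cannot start '$VMName': $($_.Exception.Message)"
    exit 1
}

# Poll until the VM reports Running, so the console does not open on a dead VM.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while ((Get-VM -Name $VMName).State -ne 'Running') {
    if ((Get-Date) -gt $deadline) {
        Write-Error "'$VMName' did not reach the Running state within $TimeoutSeconds seconds."
        exit 1
    }
    Start-Sleep -Seconds 2
}

# vmconnect.exe takes the Hyper-V host name followed by the VM name.
& "$env:SystemRoot\System32\vmconnect.exe" localhost $VMName
```

The script limits what the shortcut does, not what the account can do: the permissions granted to the user are unchanged, which is why the answer pairs the scripts with a GPO that hides the Hyper-V management tools.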

Solution 2

Role Based Access Control is the way to go.

In the days of Windows 2008, it was supported using the Authorization Manager tool. Sad to say that Authorization Manager is no longer supported in Windows 2012 R2.

The only way for you to control RBAC now with Windows 2012 R2 is to use SCVMM: https://technet.microsoft.com/en-us/library/gg696971(v=sc.12).aspx

Solution 3

This seems to be possible. Here is more information about it: https://blogs.msdn.microsoft.com/virtual_pc_guy/2008/01/17/allowing-non-administrators-to-control-hyper-v/

I have poked around a bit with it to see how it works. It seems to go like this.

  1. Open MMC
  2. Add the Authorization Manager snap-in
  3. Right-click Authorization Manager and select Open Authorization Store
  4. Browse to %programdata%\Microsoft\Windows\Hyper-V\InitialStore.xml
  5. Expand the items and go to Role Definitions
  6. Only a role for Administrators is listed here. Right-click and make a new role.
  7. Click on Add to add a Permission Definition, and go to the Operations tab
  8. Select all the permissions the user should get, and then save the new Role definition
  9. Go to Role Assignment and add the role you just created.
  10. In the tree view, select your role under Role Assignments
  11. Right-click and choose Assign users and groups, and then pick From Windows and Active Directory
Author: Daniel

Updated on September 18, 2022

Comments

  • Daniel
    Daniel over 1 year
    • I have UserA.
    • Working on ComputerA.
    • I have setup a Virtual Machine on ComputerA under Hyper-V called ComputerA-VM.

    • ComputerA runs Windows 10 Pro.

    • ComputerA is part of domain.com managed by a DC running Windows Server 2012 R2.
    • UserA is a domain user.

    I want UserA to have permissions to START ComputerA-VM and CONNECT (access console) to ComputerA-VM and NOTHING ELSE.

    I don't want them to be able to create other VMs, delete VMs, edit the settings of ComputerA-VM, or to mess with snapshots or anything.

    How can I do this?

  • Daniel
    Daniel over 7 years
    azman is deprecated in Windows Server 2012 R2 :(
  • Kage
    Kage over 7 years
    I'm afraid you're correct :o vkernel.ro/blog/… As far as I can find online, there's no alternative..
  • Daniel
    Daniel over 7 years
    It appears that there is a PowerShell command to grant access to connect to a VM: technet.microsoft.com/en-us/library/… I haven't tested it myself yet, but I'm about to. It still leaves me with the problem of how to allow UserA to START ComputerA-VM.
  • Kage
    Kage over 7 years
    Sometimes I wonder what Microsoft is thinking.. Why only a grant command to connect.. Maybe more are coming in Server 2016? If they ever release it
  • Daniel
    Daniel over 7 years
    So... I don't understand the use of the Grant-VMConnectAccess cmdlet... I issued it from an Administrator account in PowerShell, but when I go to launch VMConnect with the specified account, it tells me I don't have permissions... Oh well.
  • Kage
    Kage over 7 years
    Weird.. I just tried Get-VM and it returns nothing while I'm sure I do have VMs on my Hyper-V box lol..
  • Daniel
    Daniel over 7 years
    Get-VM is working here
  • twconnell
    twconnell almost 5 years
    Could you elaborate on how you are granting access to control an individual VM without adding the user to the Hyper-V Administrators group? Are you using SC VMM? I am looking for a solution that does not require making the users full Hyper-V Admins.
  • Daniel
    Daniel almost 5 years
    I can't recall now and I can't easily check, but off the top of my head I think I did have to make them local Hyper-V admins. At the same time, I disabled their access to the Hyper-V control panel, so without the desire and knowledge to use PowerShell (which none of them do), they can't do much damage. Even if they wanted to do something screwy, I made an off-machine backup of the original VM I created for them, so I can easily restore it if needed.
  • twconnell
    twconnell almost 5 years
    Thanks for getting back to me. I know this was an old post, but it describes exactly what I'm going through. I wanted to use azman.msc, but it's been stripped out of the product. I swear if I hear someone tell me "VMware can do this" just one more time....