How to specify user permissions for managing a Hyper-V machine on a LOCAL host?
Solution 1
In the end I was not able to find an effective way to restrict access exactly the way I wanted (boo Microsoft for removing granular options).
The workaround I'm using right now is to simply grant access to control the VM. I then provide two PowerShell script files to my users: one allows them to Start the VM and the other to Connect to the VM.
At the same time, I have a GPO policy which disables access to the Hyper-V control panel for those specific users that have Hyper-V installed locally.
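The two scripts described in Solution 1 could be combined into one launcher like the following. This is an added example, not the answerer's own script; it assumes the VM name ComputerA-VM from the question, a local Hyper-V PowerShell module and vmconnect.exe, and a caller who has already been granted control of the VM. It is a convenience wrapper rather than an access control: it runs with whatever Hyper-V rights the caller already holds.

```powershell
# Added example (not the answerer's script): one launcher for the two allowed actions.
# Assumptions: VM name 'ComputerA-VM' from the question; Hyper-V PowerShell module and
# vmconnect.exe are installed locally; the caller already has rights to control the VM.
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Start', 'Connect')]
    [string]$Action
)

$ErrorActionPreference = 'Stop'
$VMName = 'ComputerA-VM'   # fixed on purpose: the script takes no VM name from the user

$vm = Get-VM -Name $VMName   # fails here if the VM is missing or not visible to the caller

switch ($Action) {
    'Start' {
        if ($vm.State -eq 'Running') {
            Write-Host "$VMName is already running."
        }
        else {
            Start-VM -VM $vm
            # Wait up to 60 seconds for the VM to report Running
            $deadline = (Get-Date).AddSeconds(60)
            while ((Get-VM -Name $VMName).State -ne 'Running') {
                if ((Get-Date) -gt $deadline) { throw "$VMName did not reach Running within 60 seconds." }
                Start-Sleep -Seconds 2
            }
            Write-Host "$VMName started."
        }
    }
    'Connect' {
        if ($vm.State -ne 'Running') {
            throw "$VMName is not running (state: $($vm.State)). Run with -Action Start first."
        }
        # vmconnect.exe <server> <VM name> opens the console of that one VM
        $vmconnect = Join-Path $env:SystemRoot 'System32\vmconnect.exe'
        Start-Process -FilePath $vmconnect -ArgumentList 'localhost', "`"$VMName`""
    }
}
```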
Solution 2
Role Based Access Control is the way to go.
In the days of Windows 2008, it was supported using the Authorization Manager tool. Sad to say that Authorization Manager is no longer supported in Windows 2012 R2.
The only way for you to control RBAC now with Windows 2012 R2 is to use SCVMM: https://technet.microsoft.com/en-us/library/gg696971(v=sc.12).aspx
Solution 3
This seems to be possible. Here is more information about it: https://blogs.msdn.microsoft.com/virtual_pc_guy/2008/01/17/allowing-non-administrators-to-control-hyper-v/
I have poked around a bit with it to see how it works. It seems to go like this.
- Open MMC
- Add Snapin Authorization manager
- Right click Authorization manager and select Open Authorization Store
- Browse to %programdata%\Microsoft\Windows\Hyper-V\InitialStore.xml
- Expand the items and go to Role Definitions
- Only a role for Administrators is listed here. Right click and make a new role.
- Click on Add to add a Permission Definition, and go to the Tab Operations
- Select all the permissions the user should get, and then save the new Role definition
- Go to Role Assignment and Add the role you just created.
- In the tree view select your role under Role Assignments
- Right click and choose Assign users and groups and then pick From Windows and Active directory
Daniel
Updated on September 18, 2022
Comments
- Daniel over 1 year

I have UserA, working on ComputerA. I have set up a Virtual Machine on ComputerA under Hyper-V called ComputerA-VM. ComputerA runs Windows 10 Pro. ComputerA is part of domain.com managed by a DC running Windows Server 2012 R2. UserA is a domain user.

I want UserA to have permissions to START ComputerA-VM and CONNECT (access console) to ComputerA-VM and NOTHING ELSE. I don't want them to be able to create other VMs, delete VMs, edit the settings of ComputerA-VM, or to mess with snapshots or anything.

How can I do this?

- Daniel over 7 years: azman is deprecated in Windows Server 2012 R2 :(
- Kage over 7 years: I'm afraid you're correct :o vkernel.ro/blog/… As far as I can find online there's no alternative..
- Daniel over 7 years: It appears that there is a PowerShell command to grant access to connect to a VM: technet.microsoft.com/en-us/library/… I haven't tested it myself yet, but I'm about to. It still leaves me with the problem of how to allow UserA to START ComputerA-VM.
- Kage over 7 years: Sometimes I wonder what Microsoft is thinking.. why only a grant command to connect.. maybe more are coming in Server 2016? If they ever release it
- Daniel over 7 years: So... I don't understand the use of the Grant-VMConnectAccess cmdlet... I issued it from an Administrator account in PowerShell, but when I go to launch VMConnect with the specified account, it tells me I don't have permissions... Oh well.
- Kage over 7 years: Weird.. I just tried Get-VM and it returns nothing while I'm sure I do have VMs on my Hyper-V box lol..
- Daniel over 7 years: Get-VM is working here
- twconnell almost 5 years: Could you elaborate on how you are granting access to control an individual VM without adding the user to the Hyper-V Administrators group? Are you using SC VMM? I am looking for a solution that does not require making the users full Hyper-V Admins.
- Daniel almost 5 years: I can't recall now and I can't easily check, but off the top of my head I think I did have to make them local Hyper-V admins. At the same time, I disabled their access to the Hyper-V control panel, so without the desire and knowledge to use PowerShell (which none of them do), they can't do much damage. Even if they wanted to do something screwy, I made an off-machine backup of the original VM I created for them, so I can easily restore it if needed.
- twconnell almost 5 years: Thanks for getting back to me. I know this was an old post, but it describes exactly what I'm going through. I wanted to use azman.msc, but it's been stripped out of the product. I swear if I hear someone tell me "VMWare can do this" just one more time....