Tuesday, March 1, 2011

Managing Hyper-V Permissions

Default permissions in Hyper-V

By default, Hyper-V is configured to give members of the local server's Administrators group full permissions on the Hyper-V installation. In domain environments, the domain admin group will have full permissions to create and manage VMs on host servers.

It's often necessary to grant additional permissions - such as the ability to start and stop VMs - to other users who should not also have full administrative permissions.

Assigning permissions on Hyper-V servers is a little tricky. You can't simply right-click a host server or VM object and set permissions in a properties page, as you might expect. The Authorization Manager snap-in, also known as AzMan.msc, is the primary method for defining and managing permissions for Hyper-V.

The default location for the permissions settings XML file is in the following path: %ProgramData%\Microsoft\Windows\Hyper-V\InitialStore.xml.  


Using Authorization Manager
To access the AzMan Snap-In on full installations of Windows Server 2008, follow these steps:

  1. Click Start -> Run and then type Azman.msc
  2. By default, AzMan is not connected to any specific security data store. To access the default Hyper-V settings, right-click on the Authorization Manager object and select Open Authorization Store. Select the XML File option and then browse to %ProgramData%\Microsoft\Windows\Hyper-V\InitialStore.xml.

At this point, you're ready to start managing settings.


Managing Hyper-V Permissions
Authorization Manager uses a role-based permissions model that should be familiar to anyone who is used to managing security in Windows. The first stop on our guided tour of Authorization Manager is the single default role assignment called Administrator.

See figure 1.

Despite the name, it's important not to confuse this role assignment with a built-in Windows or Active Directory user or group. To give non-administrator users full permissions on Hyper-V, simply right-click the Administrator object and select "Assign Users And Groups". Note that you can add Windows security principals, or AzMan roles.


Creating role definitions

We want to allow specific users to perform a limited set of operations on a Hyper-V server. To do this, start by creating new role definition objects. Each role definition can include a set of permissions that apply to members of the role.

See figure 2.

The second stage is to add the role definition you created to a group definition. Note that it is recommended to add an Active Directory group as a member for easier management.

Congratulations, you have set up a permissions topology in your Hyper-V environment.
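
The same two steps (role definition, then role assignment) can also be scripted through the Authorization Manager COM interface. This is an added example, not part of the original post: the role name, the AD group and the list of operation names are assumptions, and it needs an elevated PowerShell session on the Hyper-V host.

```powershell
# Added example; values marked "assumption" are not from the original post.
$storePath = "${env:ProgramData}\Microsoft\Windows\Hyper-V\InitialStore.xml"
$roleName  = 'VM Operator'                # assumption: hypothetical role name
$groupName = 'CONTOSO\HyperV-Operators'   # assumption: placeholder AD group
# Assumption: operation names as shown under Operation Definitions in AzMan;
# confirm them in your own store before running.
$operations = @(
    'Read Service Configuration',
    'View Virtual Machine Configuration',
    'Start Virtual Machine',
    'Stop Virtual Machine'
)

# Keep a copy of the store so the change can be rolled back.
Copy-Item -Path $storePath -Destination "$storePath.bak" -ErrorAction Stop

# Open the XML store (flag 0 = open an existing store) and the Hyper-V application.
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$storePath")
$app = $store.OpenApplication('Hyper-V services')

# Refuse unknown operation names instead of saving a half-built role.
$known   = @($app.Operations | ForEach-Object { $_.Name })
$missing = @($operations | Where-Object { $known -notcontains $_ })
if ($missing.Count -gt 0) { throw "Unknown operations: $($missing -join ', ')" }

# Role definition: a task flagged as a role definition that holds the operations.
$task = $app.CreateTask($roleName)
$task.IsRoleDefinition = $true
foreach ($op in $operations) { $task.AddOperation($op) }
$task.Submit()

# Role assignment: ties the role definition to the AD group.
$role = $app.CreateRole($roleName)
$role.AddTask($roleName)
$role.AddMemberName($groupName)
$role.Submit()

# Read back what was stored so the grant can be reviewed.
$check = $app.OpenRole($roleName)
$defn  = $app.OpenTask($roleName)
"Members   : $($check.MembersName -join ', ')"
"Operations: $($defn.Operations -join ', ')"
```

Granting a group only the operations it needs, rather than adding it to the Administrator role assignment, keeps the delegated users away from operations such as creating or deleting VMs.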
