Managing Hyper-V Permissions
Default permissions in Hyper-V
By default, Hyper-V is configured to give members of the local server's
Administrators group full permissions on the Hyper-V installation. In
domain environments, the Domain Admins group will have full permissions to create
and manage VMs on host servers.
It's often necessary to grant additional permissions, such as the ability to
start and stop VMs, to other users who should not also have full administrative
permissions.
The way in which you assign permissions on Hyper-V servers is a little tricky. You
can't simply right-click a host server or VM object and set permissions in a
properties page, as you might expect. The Authorization Manager snap-in,
also known as AzMan.msc, is the primary method for defining and managing permissions
for Hyper-V.
The default location for the permissions settings XML file is the following path:
%ProgramData%\Microsoft\Windows\Hyper-V\InitialStore.xml
Using Authorization Manager
To access the AzMan Snap-In on full installations of Windows Server 2008,
follow these steps:
- Click Start -> Run and then type Azman.msc.
- By default, AzMan is not connected to any specific security data store. To
  access the default Hyper-V settings, right-click the Authorization Manager
  object and select Open Authorization Store. Select the XML File option and
  then browse to %ProgramData%\Microsoft\Windows\Hyper-V\InitialStore.xml.
At this point, you're ready to start managing settings.
Managing Hyper-V Permissions
Authorization Manager uses a role-based permissions model that should be
familiar to anyone who is used to managing security in Windows. The first stop
on our guided tour of Authorization Manager is the single default role
assignment, called Administrator (see figure 1).

Despite the name, it's important not to confuse this role assignment with a built-in
Windows or Active Directory user or group. To give non-administrator users full
permissions on Hyper-V, simply right-click the Administrator object and select
"Assign Users And Groups". Note that you can add Windows security
principals or AzMan roles.
Creating role definitions
Suppose we want to allow specific users to perform a limited set of operations on a
Hyper-V server. To do this, start by creating new role definition
objects. Each role definition can include a set of permissions that apply to
members of the role (see figure 2).

The second stage is to add the role definition you created to a group definition.
Note that it is recommended to add an Active Directory group as a member, for
easier management.
Congratulations, you have set up a permissions topology on your Hyper-V environment.
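To review what the store now grants, the following read-only PowerShell audit lists every role assignment with its members and linked role definitions. It is an added example, not part of the original article: it uses the AzRoles.AzAuthorizationStore COM interface, and the names $StorePath, Get-RoleAssignment and the comparison against the built-in Administrators SID are choices made for this example.

```powershell
# Added example: read-only audit of the AzMan store used by Hyper-V.
# Run elevated on the Hyper-V host, or point -StorePath at a copy of the file.
param(
    # Default store location given in the article.
    [string]$StorePath = "$env:ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml"
)

if (-not (Test-Path -LiteralPath $StorePath)) {
    throw "Authorization store not found: $StorePath"
}

# Open the existing XML store. Nothing is written because Submit() is never called.
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$StorePath", $null)

# Well-known SID of BUILTIN\Administrators, the group the article names as the default.
$AdminsSid = 'S-1-5-32-544'

function Get-RoleAssignment {
    param($Container, [string]$Application, [string]$Scope)
    foreach ($role in $Container.Roles) {
        # COM returns variant arrays; drop empty entries.
        $sids  = @($role.Members)     | Where-Object { $_ }
        $names = @($role.MembersName) | Where-Object { $_ }
        $extra = @($sids | Where-Object { $_ -ne $AdminsSid })
        New-Object PSObject -Property @{
            Application     = $Application
            Scope           = $Scope
            RoleAssignment  = $role.Name
            Members         = $names -join '; '
            AzManGroups     = (@($role.AppMembers) | Where-Object { $_ }) -join '; '
            RoleDefinitions = (@($role.Tasks)      | Where-Object { $_ }) -join '; '
            OperationCount  = @($role.Operations | Where-Object { $_ }).Count
            # True when someone other than BUILTIN\Administrators holds the role.
            Delegated       = ($extra.Count -gt 0)
        }
    }
}

$report = foreach ($app in $store.Applications) {
    # Role assignments can live at application level or inside a scope.
    Get-RoleAssignment $app $app.Name '(application)'
    foreach ($scope in $app.Scopes) {
        Get-RoleAssignment $scope $app.Name $scope.Name
    }
}

$report | Sort-Object Application, Scope, RoleAssignment |
    Format-List Application, Scope, RoleAssignment, Members, AzManGroups,
                RoleDefinitions, OperationCount, Delegated
```

Rows with Delegated set to True are the assignments to compare against the list of people who are supposed to manage VMs.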