Virtualization Technology News and Information
Hyper-V Security - Virtualization Administration Delegation of Hyper-V and SCVMM

When running Hyper-V, you do not need to be at the console to manage your virtualization platform.  In fact, it is strongly recommended that you delegate these rights.  If you let someone log in to a server with administrative permissions, they effectively have the "keys to the kingdom."  This is not a good idea and, as a best practice, shouldn't be done.

Instead, a better approach is to give them the rights they need to administer the Hyper-V platform using rights delegation. 

How do we do this?  First, let's look at doing it for implementations that don't use SCVMM, and then we'll set up delegation where SCVMM is in the environment:

  • In-Box Delegation of Administration of Hyper-V
    • Open the Run dialog (launch it from the Start menu or press Windows Key + R).
    • Start mmc.exe.
    • Open the File menu, and select Add/Remove Snap-in...
    • From the Available snap-ins list, select Authorization Manager.
    • Click Add, and then click OK.
    • Click on the new Authorization Manager node in the left panel.
    • Open the Action menu, and select Open Authorization Store...
    • Choose XML file for the Select the authorization store type: option, and then use the Browse... button to open \programdata\Microsoft\Windows\Hyper-V\InitialStore.xml on the system partition (programdata is a hidden directory, so you will need to type it in first).
    • Click OK.
    • Expand InitialStore.xml, then Microsoft Hyper-V services, then Role Assignments, and finally select Administrator.
    • Open the Action menu, and select Assign Users and Groups then From Windows and Active Directory...
    • Enter the name of the user that you want to be able to control Hyper-V, and click OK.
    • Close the MMC window (you can save or discard your changes to Console 1 - this does not affect the authorization manager changes that you just made).


  • SCVMM Delegation of Administration
    • To add a Delegated Administrator user role in VMM 2008:
    • In the User Roles view in the VMM Administrator Console, click New User Role in the Actions pane. The New User Role Wizard appears.
    • On the General page, type a User role name and Description, and then select Delegated Administrator in the User Role Profile list. Click Next.
    • On the Add Members page, click Add, and then type the names of the Active Directory® users or groups you want to add to this role. Click Next.
    • Select the host groups and library servers that you want to enable members of the user role to manage. Click Next.
    • On the Summary page, review the user role settings, and click Create.

Check out Ben Armstrong’s blog post: Hyper-V Management + Delegated Administration + SCVMM

Published Monday, April 19, 2010 5:42 AM by David Marshall