I’m not exactly what one would call an “Enterprise” Admin – so I don’t really know all that much about WMI.
We first started our internal virtualization stuff when both VMware GSX and Virtual Server 2005 still cost money. So we used VS2005 because we could get it for free since we were in the Microsoft Partner Program.
So, with the release of Hyper-V we finally had a chance to move to a more robust and faster virtualization solution – however, not everything has improved with Hyper-V, for example delegating permissions which was easy in VS2005 has now become much more complex. Probably because Microsoft wants to sell SCVMM 2008 that will automate a lot of this.
We have a few development VMs that are used for QA purposes by our development team – and we just have a single machine running Hyper-V. So I want to delegate a few of the VMs to the development team, without them being able to manage the Hyper-V server or virtual machines that do not belong to the development team.
I’ve found an excellent resource regarding setting up remote management for Hyper-V from John Howard. He has an excellent 5 Part series on how to enable remote management.
What is not described in these links is how to delegate specific VMs. For doing this, you’ll need a script from Andrzej.
Here’s a basic rundown of the general steps you’ll need to do:
- Create an appropriate Active Directory group for the users you want to give access to. If necessary, nest the groups according to your organization’s group strategy
- The following two steps are detailed in Part IV from John Howard:
  - Add the group to the local “Distributed COM Users” group on the Hyper-V host
  - Grant the group permissions on the Root\CIMV2 and Root\Virtualization WMI Namespaces
- For detailed instructions for these three steps, see below:
  - Run azman.msc and create a new scope
  - Use the SetScope VBS script to assign the VM to scopes
  - Run azman.msc and delegate appropriate permissions to Windows Groups using the newly created scope
Creating scopes in AzMan and assigning VMs to scopes
First, you’ll need to start azman.msc and open to following Authorization Store: C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml
Then, you’ll need to right click “InitialStore.xml” and choose “New Scope”. In my case, I named the new scope “Dev”.
Next, you will need to create a role in the top-level of the authorization store. This role is needed so that the Hyper-V Management tool can even connect. I called mine “View Only”, as it does not grant any specific permissions. It should look like this:
You’ll also need to add the Windows Group to this azman role in order for it to be of any use:
Next, we need to create a role that grants the necessary VM management skills to the Dev scope. It should look like this:
You’ll also need to add a Windows Group to this role.
After you’ve come so far, we will need to assign the VMs to the newly created scope. You can find the scripts here: Andrzej’s Hyper-V Scripts.
Assigning a VM to a scope is simple.
For example, if you want to assign the VM “dev-hdi-xp-01” to the scope “Dev”, use this command:
setscope.vbs dev-hdi-xp-01 Dev
There will be three popup windows – the first two don’t matter, and the last one will contain a single number. If the number is 4096 (or anything else), it failed. If the number is “0”, it succeeded.
You can verify scope membership using getscope.vbs
The result should look like this:
If my posting is entirely correct, and you followed it correctly, the end result should look like this:
Here, we’re logged on as an admin. All VMs are visible:
Here, we’re logged on as a normal user. This user does not have any special privileges on the Hyper-V box, except the WMI / DCOM and AzMan changes. You’ll only see the two Development VMs.
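As a check on the end result (an example of my own, not part of John Howard’s series or Andrzej’s scripts), this PowerShell script lists each VM’s scope from the same WMI property that setscope.vbs writes and then reads InitialStore.xml to show which accounts hold which role in which scope, so you can confirm that only the intended VMs and only the intended groups ended up in “Dev”. It assumes the Hyper-V v1 namespace root\virtualization with ScopeOfResidence on Msvm_VirtualSystemGlobalSettingData, and the standard AzMan XML store element names (AzApplication, AzScope, AzRole, Member).

```powershell
# Added example: audit which VMs sit in which AzMan scope and who holds which role.
# Run on the Hyper-V host as a local administrator.
$storePath = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'   # path from the post

# 1. VM -> scope. ScopeOfResidence is the property setscope.vbs sets and getscope.vbs reads
#    (assumed Hyper-V v1 WMI class); an empty value means the VM is in no scope.
Get-WmiObject -Namespace 'root\virtualization' -Class Msvm_VirtualSystemGlobalSettingData |
    Select-Object @{n='VM';    e={ $_.ElementName }},
                  @{n='Scope'; e={ if ($_.ScopeOfResidence) { $_.ScopeOfResidence } else { '(none)' } }} |
    Sort-Object Scope, VM | Format-Table -AutoSize

# 2. Scope -> role -> members, read straight from the XML authorization store.
#    Members are stored as SIDs; translate them so the group names are readable.
function Resolve-Sid([string]$sid) {
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { "$sid (unresolved)" }
}

[xml]$store = Get-Content -Path $storePath
$app  = $store.AzAdminManager.AzApplication      # the "Hyper-V services" application
$rows = @()

# Roles at the application level apply to every VM (e.g. the "View Only" connect role)
foreach ($role in $app.AzRole) {
    foreach ($m in $role.Member) {
        $rows += New-Object PSObject -Property @{ Scope = '(top level)'; Role = $role.Name; Member = (Resolve-Sid $m) }
    }
}
# Roles inside a scope apply only to VMs whose ScopeOfResidence equals that scope's name
foreach ($scope in $app.AzScope) {
    foreach ($role in $scope.AzRole) {
        foreach ($m in $role.Member) {
            $rows += New-Object PSObject -Property @{ Scope = $scope.Name; Role = $role.Name; Member = (Resolve-Sid $m) }
        }
    }
}
$rows | Sort-Object Scope, Role, Member | Format-Table Scope, Role, Member -AutoSize
```

Anything listed under “(top level)” applies to the whole host, so a group that only belongs in the Dev scope should not appear there except in the connect-only role.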
So, this is quite a bit more complex than VS2005. But also a lot more cool.
I hope there are no mistakes in this post. If you find any, please tell me. If you found this post helpful, tell me too. Thanks for reading!