Delegating Hyper-V Virtual Machines

I’m not exactly what one would call an “Enterprise” Admin – so I don’t really know all that much about WMI.

We first started our internal virtualization stuff when both VMware GSX and Virtual Server 2005 still cost money. So we used VS2005 because we could get it for free since we were in the Microsoft Partner Program.

So, with the release of Hyper-V we finally had a chance to move to a more robust and faster virtualization solution – however, not everything has improved with Hyper-V. For example, delegating permissions, which was easy in VS2005, has now become much more complex. Probably because Microsoft wants to sell SCVMM 2008, which will automate a lot of this.

We have a few development VMs that are used for QA purposes by our development team – and we just have a single machine running Hyper-V. So I want to delegate a few of the VMs to the development team, without them being able to manage the Hyper-V server or the virtual machines that do not belong to the development team.

I’ve found an excellent resource regarding setting up remote management for Hyper-V from John Howard. He has an excellent five-part series on how to enable remote management.

Part 1, Part 2, Part 3, Part 4, Part 5

What is not described in these links is how to delegate specific VMs. For doing this, you’ll need a script from Andrzej.

Hyper-V Azman Scope Scripts

Here’s a basic rundown of the general steps you’ll need to do:

  • Create an appropriate Active Directory group for the users you want to give access to. If necessary, nest the groups according to your organization’s group strategy.
  • The following two steps are detailed in Part 4 of John Howard’s series:
    • Add the group to the local “Distributed COM Users” group on the Hyper-V host.
    • Grant the group permissions on the Root\CIMV2 and Root\Virtualization WMI namespaces.
  • The following three steps are described in detail below:
    • Run azman.msc and create a new scope.
    • Use the SetScope VBS script to assign the VMs to the scope.
    • Run azman.msc and delegate the appropriate permissions to Windows groups using the newly created scope.

Creating scopes in AzMan and assigning VMs to scopes

First, you’ll need to start azman.msc and open the following Authorization Store: C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml

Then, you’ll need to right click “InitialStore.xml” and choose “New Scope”. In my case, I named the new scope “Dev”.

Azman New Scope

Next, you will need to create a role at the top level of the authorization store. This role is needed so that the Hyper-V Management tool can connect at all. I called mine “View Only”, as it does not grant any specific permissions. It should look like this:

View Only Role

You’ll also need to add the Windows Group to this azman role in order for it to be of any use:

View Only Role Groups

Next, we need to create a role inside the Dev scope that grants the necessary VM management permissions. It should look like this:

New Scope with View Only Role

You’ll also need to add a Windows Group to this role.

Once you’ve got this far, we will need to assign the VMs to the newly created scope. You can find the scripts here: Andrzej’s Hyper-V Scripts.

Assigning a VM to a scope is simple.

For example, if you want to assign the VM “dev-hdi-xp-01” to the scope “Dev”, use this command:

setscope.vbs dev-hdi-xp-01 Dev

There will be three popup windows – the first two don’t matter, and the last one will contain a single number. If the number is 4096 (or anything else), it failed. If the number is “0”, it succeeded.

You can verify scope membership using getscope.vbs:

getscope.vbs dev-hdi-xp-01

The result should look like this:

Getscope.vbs in action
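If you would rather check the whole host in one go than run getscope.vbs per VM, the following PowerShell script is an added example (it is not part of this post and not one of Andrzej’s scripts). It reads the ScopeOfResidence value that setscope.vbs writes for every VM, checks that the scope really exists in InitialStore.xml, and lists which Windows groups hold roles inside that scope – which is exactly what you want to see before handing the development team their access. It assumes the Hyper-V v1 WMI namespace root\virtualization, the AzRoles COM API (AzAuthorizationStore, Scopes, Roles, MembersName), and that the Hyper-V application inside the store is named “Hyper-V services”; the store path is the one from this post. Run it as an administrator on the Hyper-V host.

```powershell
# Added example, not from the original post or from Andrzej's setscope/getscope scripts.
# Audits Hyper-V AzMan delegation: VM -> ScopeOfResidence -> roles and members in that scope.
# Assumptions: root\virtualization (Hyper-V v1) WMI namespace, AzRoles COM API,
# and the AzMan application name 'Hyper-V services'.
param(
    [string]$StorePath = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml',
    [string]$ApplicationName = 'Hyper-V services'   # assumed default application name
)

# --- 1. Scopes, roles and role members defined in the authorization store ---------
$store = New-Object -ComObject 'AzRoles.AzAuthorizationStore'
$store.Initialize(0, "msxml://$StorePath", $null)    # flags 0 = open an existing store
$app = $store.OpenApplication($ApplicationName, $null)

$scopeRoles = @{}                                     # scope name -> list of "Role: members"
foreach ($scope in $app.Scopes) {
    $lines = @()
    foreach ($role in $scope.Roles) {
        $members = @($role.MembersName)               # Windows users/groups assigned to the role
        $lines += ('{0}: {1}' -f $role.Name, ($members -join ', '))
    }
    $scopeRoles[$scope.Name] = $lines
}

# --- 2. Scope of residence of every VM (the host's own computer system is excluded) ---
$vms = Get-WmiObject -Namespace 'root\virtualization' -Class Msvm_ComputerSystem |
       Where-Object { $_.Caption -eq 'Virtual Machine' }

foreach ($vm in $vms) {
    # Each VM has one global setting data object; ScopeOfResidence lives there.
    $gsd   = @($vm.GetRelated('Msvm_VirtualSystemGlobalSettingData'))[0]
    $scope = $gsd.ScopeOfResidence

    if ([string]::IsNullOrEmpty($scope)) {
        # No scope: only roles defined at the application level (e.g. "View Only") apply.
        '{0,-25} no scope (application-level roles only)' -f $vm.ElementName
    } elseif ($scopeRoles.ContainsKey($scope)) {
        '{0,-25} scope ''{1}''' -f $vm.ElementName, $scope
        foreach ($line in $scopeRoles[$scope]) { "    $line" }
    } else {
        # setscope.vbs accepts any string, so a typo here silently hides the VM
        # from everyone except administrators instead of delegating it.
        '{0,-25} scope ''{1}'' is NOT defined in {2}' -f $vm.ElementName, $scope, $StorePath
    }
}
```

Two things are worth looking at in the output: a VM whose scope name is not defined in the store (a typo on the setscope.vbs command line does not produce an error), and a role in the Dev scope whose member list contains a group broader than the one you created for the developers, since that group would then see and control every VM in the scope.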

If my posting is entirely correct, and you followed it correctly, the end result should look like this:

Here, we’re logged on as an admin. All VMs are visible:

All VM

Here, we’re logged on as a normal user. This user does not have any special privileges on the Hyper-V box, apart from the WMI / DCOM and AzMan changes. You’ll only see the two development VMs.

Scoped Dev VMs

So, this is quite a bit more complex than VS2005. But also a lot more cool.

I hope there are no mistakes in this post. If you find any, please tell me. If you found this post helpful, tell me too. Thanks for reading!

4 Comments

  1. The Falconic Code : Intersecting Security in a Hyper-V World:

    [...] There is a great blog post specifically on the subject on how to delegate permissions to work with VMs without host privileges, by Lukas Beeler: http://projectdream.org/wordpress/2008/07/03/delegating-hyper-v-virtual-machines/ [...]

  2. jonaB:

    Hi,

    Great info on using setscope script, however, I followed your steps but my operator still can’t see the VMs that were assigned. I noticed the addition of scope and permissions set for my operators are appended towards the end of the xml file after 350. Does this seem right?

    Thanks.

  3. Lukas Beeler:

    jonaB,

    Do you get an error or a message that there are no VMs?

  4. Hyper-V vs. ESXi management : I found it on the internet:

    [...] if you just want to delegate specific VMs, you’ll need to dive into the depths of [...]
