question

PaulGreen-6671 avatar image
0 Votes"
PaulGreen-6671 asked PaulGreen-6671 answered

Hyper-V Permissions

Hello

We are using Windows Server 2019 DataCenter with the Hyper-V role installed.

I would like certain users to access the Hyper-V Manager so they can connect to VM Consoles. These consoles are not accessible via Remote Desktop - they run various tasks and the tasks require that the console is always logged on.

I don't want them to be able to administer Hyper-V so the Hyper-V Administrators group is not a suitable solution.

My research suggests that outside of the admins group the options are VMM (don't use), Az Man (deprecated) and Just Enough Administration but that requires knowledge of PowerShell that myself nor the users has.

I've tried using Windows Admin Center but it offers no configuration of granular permissions for Hyper-V that I can see.

I could've sworn that there was a new feature in Server 2019 that allows easy configuring of granular Hyper-V permissions but I can't find that info anywhere to must have read the article incorrectly a while back.

Does anyone have any other ideas?

Many thanks
Paul

windows-server-hyper-v
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,

I would like to check if the reply could be of help? If yes, please help accept answer, so that others meet a similar issue can find useful information quickly. If you have any other concerns or questions, please feel free to feedback.

Best Regards,
Joan

0 Votes 0 ·
jiayaozhu-MSFT avatar image
0 Votes"
jiayaozhu-MSFT answered

Hi,

Thanks for your reply!

For the lost InitialStore.xml, just copy the file from another working Hyper-V server.

After my research, AzMan has been appreciated from Server 2012 and removed from Server 2012 R2 onwards, as you said. Then you can create user roles in Virtual Machine Manager (VMM) to define the objects that users can manage and the management operations that users can perform. See this blog:
https://social.technet.microsoft.com/Forums/ie/en-US/7dabcf30-0ce1-46e3-93e6-fcf5de016981/delegating-permissions-to-manage-hyperv-machines?forum=winserverhyperv

Thanks for your support!

BR,
Joan


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Evgenij-Smirnov avatar image
0 Votes"
Evgenij-Smirnov answered

Authorization Manager and the local XML authorization store?

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

jiayaozhu-MSFT avatar image
0 Votes"
jiayaozhu-MSFT answered

Hi,

Thanks for posting on our forum!

Based on your description, I would like to firstly enquiry: what kind of users do you have, domain users or just local users? If you have domain users then you can use Authorization Manager as @Evgenij-Smirnov suggested. Here is an article on how you can do:
https://askme4tech.com/how-delegate-access-hyper-v-management-console

Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

Thanks for your support!

BR,
Joan


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

PaulGreen-6671 avatar image
0 Votes"
PaulGreen-6671 answered

Hello

Sorry I thought I had replied!

We are using an AD Domain.

So far as I can tell Authorization Manager has been deprecated (but not removed) from Server 2012R2 onwards.

There is no "InitialStore.xml" in the indicated Hyper-V folder on the host, so while I can load the Az Man snap-in I can't configure anything.

Many thanks
Paul

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

PaulGreen-6671 avatar image
0 Votes"
PaulGreen-6671 answered

Hello

Thanks for your response and for looking into these solutions.

We don't have VMM so the only viable solution is to find an InitialStore.xml file and use that with AzMan.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.