Sample Scripts for Managing Self-Service Policies

You can experiment with the Windows PowerShell scripts in this topic to learn how to use scripts to create Virtual Machine Manager self-service policies. These policies govern the actions that users who are not Virtual Machine Manager server administrators are allowed to take if you grant them permission to access and, optionally, create and manage their own virtual machines.

Which actions a self-service user, or the members of a self-service group, can take depends on the permissions that you grant to the Active Directory user account or group that receives self-service access. The mechanism you use to grant these permissions is the self-service policy. You configure self-service policies for a host group and enable an Active Directory user or group to have self-service access to virtual machines that are deployed on hosts in a given host group. A host group contains a set of physical computers, managed by Virtual Machine Manager, that host virtual machines.

The scripts in this topic are similar to each other in structure but differ depending on the level of permissions granted to self-service users. The example script names are lengthy to indicate what each script does. You might prefer to use shorter names for your scripts.

Before You Start

Before you can create functioning self-service policies, you must understand how Virtual Machine Manager self-service policies work. In addition, because self-service users access their virtual machines through a Web site called the Self-Service Portal that you configure in Virtual Machine Manager, you must set up the Web site that acts as the Self-Service Portal before granting users self-service rights.

For information about self-service policies and the Self-Service Portal, type the following commands at the Windows PowerShell - Virtual Machine Manager command shell and then read the "Detailed Description" section for each cmdlet:

Get-Help New-SelfServicePolicy -detailed
Get-Help Add-SelfServiceWebServer -detailed

You can also read the self-service topics in the online Help available in the Administrator Console.

CreateSelfServicePolicy_AccessVMs.ps1

You can use the CreateSelfServicePolicy_AccessVMs.ps1 script to create a self-service policy that grants members of an Active Directory group permissions to access and use their virtual machines through the Self-Service Portal.

How CreateSelfServicePolicy_AccessVMs.ps1 Works

The following sections explain each part of the script CreateSelfServicePolicy_AccessVMs.ps1.

Connect to the Virtual Machine Manager Server

The first command in the script connects to the Virtual Machine Manager server so that subsequent commands can access objects in the Virtual Machine Manager database.

####################################################################
# Connect to the Virtual Machine Manager server.
####################################################################
# Substitute the name of your VMM server and domain in this command:
Get-VMMServer -ComputerName "VMMServer1.Contoso.com"

Define Variables for CreateSelfServicePolicy_AccessVMs.ps1

The second set of commands in the script performs the following tasks:

  • Identifies the Virtual Machine Manager host group, HGroup1, as the host group for the self-service policy and stores the host group object in variable $VMHostGroup1.
  • Identifies the Active Directory user account or security group to which the self-service policy applies and stores its object in variable $ADUserOrGroup1. The following example uses the Active Directory group, SelfServGroup1, located in the Contoso.com domain.
  • Names the self-service policy and stores the name in variable $Policy1.
  • Specifies a set of self-service policy permissions and stores the permissions object in variable $ReadOnlyPermissions. The following example grants only the permission Vmrc, which refers to Virtual Machine Remote Control (VMRC). VMRC is a feature of Microsoft Virtual Server that lets a VMRC client connect to an instance of Virtual Server (a host server) to access that host's virtual machines. VMRC lets users access their virtual machines remotely.

Note

To see a list of all possible self-service permissions, type the following command on a single line:

[enum]::GetValues([Microsoft.VirtualManager.Remoting.SelfServicePermission])

####################################################################
# Define variables for CreateSelfServicePolicy_AccessVMs.ps1
####################################################################
$VMHostGroup1 = Get-VMHostGroup | where { $_.Name -eq "HGroup1" }
$ADUserOrGroup1 = "Contoso\SelfServGroup1" 
$Policy1 = "SelfServGroup1 on HGroup1" 
$ReadOnlyPermissions = 'Vmrc' 

Create a Self-Service Policy for SelfServGroup1

The third command in the script performs the following tasks:

  • Creates and names a self-service policy.
  • Specifies that members of the Active Directory group whose object is stored in $ADUserOrGroup1 (SelfServGroup1) are governed by the policy.
  • Specifies that the policy applies to virtual machines that are deployed on hosts that belong to the host group (HGroup1) whose object is stored in $VMHostGroup1.
  • Grants users governed by the policy Read Only permissions (only the Vmrc permission is granted).
  • Specifies that all users of the policy share the ownership of the virtual machines governed by the policy.
  • Stores the object that represents the new self-service policy in variable $SSPol_ReadOnly.

####################################################################
# Create a self-service policy for this set of users.
####################################################################
$SSPol_ReadOnly = New-SelfServicePolicy -Name $Policy1 -UserOrGroup $ADUserOrGroup1 -VMHostGroup $VMHostGroup1 -VMPermission $ReadOnlyPermissions -SharedVMOwnership $True 

Make Virtual Machines Available to Members of SelfServGroup1

The last set of commands in the script performs the following tasks:

  • Gets the objects that represent the set of virtual machines whose name begins with the prefix "SSVM10" and stores the virtual machine objects in variable array $UserVMsSet1.
  • Uses the pipeline operator (|) to pass the objects in $UserVMsSet1 to the Set-VM cmdlet, which sets $ADUserOrGroup1 as the owner of each virtual machine and associates each virtual machine with the policy stored in $SSPol_ReadOnly, so that the virtual machines that are available to the group are displayed to its members.

Note

The following example assumes that the set of virtual machines that you want to assign to the group uses the naming convention SSVM100, SSVM102, SSVM103, and so on up to 109.

####################################################################
# Find VMs for this group and set the ownership and policy so that 
# the VMs available to this group will display to group members.
####################################################################
$UserVMsSet1 = Get-VM -Name "SSVM10*"
$UserVMsSet1 | Set-VM -Owner $ADUserOrGroup1 -SelfServicePolicy $SSPol_ReadOnly
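
The wildcard "SSVM10*" matches every name that starts with that prefix, not only SSVM100 through SSVM109, so any other virtual machine that shares the prefix is also handed to the group. The following added example (not part of the original script) separates the matches that fit the intended convention from the ones that do not before ownership is assigned; the function name Split-VMByNamingConvention and the inventory names are hypothetical, and the regular expression is an assumption about the convention described in the Note.

```powershell
# Added example, not part of the original script. Split-VMByNamingConvention is
# a hypothetical helper; the objects below are constructed stand-ins for what
# Get-VM -Name "SSVM10*" returns, so the block runs without a VMM server.
function Split-VMByNamingConvention {
    param(
        [object[]] $VM,
        [string]   $Pattern     # regular expression for the intended names
    )
    New-Object PSObject -Property @{
        Expected   = @($VM | Where-Object { $_.Name -match    $Pattern })
        Unexpected = @($VM | Where-Object { $_.Name -notmatch $Pattern })
    }
}

# Constructed inventory: three intended VMs plus names that share the prefix.
$inventory = 'SSVM100','SSVM105','SSVM109','SSVM10','SSVM1000','SSVM10-FileServer' |
    ForEach-Object { New-Object PSObject -Property @{ Name = $_ } }

# Same wildcard as the script.
$UserVMsSet1 = @($inventory | Where-Object { $_.Name -like 'SSVM10*' })

# Assumed convention: SSVM10 followed by exactly one digit.
$split = Split-VMByNamingConvention -VM $UserVMsSet1 -Pattern '^SSVM10[0-9]$'

if ($split.Unexpected.Count -gt 0) {
    $names = ($split.Unexpected | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Wildcard also matched: $names"
}

# Assign ownership only to the VMs that fit the convention:
# $split.Expected | Set-VM -Owner $ADUserOrGroup1 -SelfServicePolicy $SSPol_ReadOnly
```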

CreateSelfServicePolicy_AccessVMs.ps1 - Complete Script

Copy the following complete version of CreateSelfServicePolicy_AccessVMs.ps1 into a Notepad file and save it as CreateSelfServicePolicy_AccessVMs.ps1:

# Filename:    CreateSelfServicePolicy_AccessVMs.ps1
# Description: Create a self-service policy that grants System Center 
#              Virtual Machine Manager self-service users permissions 
#              to access and use their VMs, and set their VMs to be 
#              covered by that policy.

# DISCLAIMER:
# Copyright (c) Microsoft Corporation. All rights reserved. This 
# script is made available to you without any express, implied or 
# statutory warranty, not even the implied warranty of 
# merchantability or fitness for a particular purpose, or the 
# warranty of title or non-infringement. The entire risk of the 
# use or the results from the use of this script remains with you.

####################################################################
# Connect to the Virtual Machine Manager server. 
####################################################################
# Substitute the name of your VMM server and domain in this command:
Get-VMMServer -ComputerName "VMMServer1.Contoso.com"

####################################################################
# Define variables for CreateSelfServicePolicy_AccessVMs.ps1.
####################################################################
$VMHostGroup1 = Get-VMHostGroup | where { $_.Name -eq "HGroup1" }
$ADUserOrGroup1 = "Contoso\SelfServGroup1" 
$Policy1 = "SelfServGroup1 on HGroup1" 
$ReadOnlyPermissions = 'Vmrc' 
#   To see a list of all possible self-service permissions, type: 
#   [enum]::GetValues([Microsoft.VirtualManager.Remoting.
#   SelfServicePermission])

####################################################################
# Create a self-service policy for this set of users.
####################################################################
$SSPol_ReadOnly = New-SelfServicePolicy -Name $Policy1 -UserOrGroup $ADUserOrGroup1 -VMHostGroup $VMHostGroup1 -VMPermission $ReadOnlyPermissions -SharedVMOwnership $True 

####################################################################
# Find VMs for this group and set the ownership and policy so that 
# the VMs available to this group will display to group members.
####################################################################
$UserVMsSet1 = Get-VM -Name "SSVM10*"
$UserVMsSet1 | Set-VM -Owner $ADUserOrGroup1 -SelfServicePolicy $SSPol_ReadOnly

CreateSelfServicePolicy_ManageVMs.ps1

You can use the CreateSelfServicePolicy_ManageVMs.ps1 script to create a self-service policy that grants members of an Active Directory group permissions not only to access their virtual machines but also to have certain management privileges. These include permission to start, stop, pause and resume, and shut down their virtual machines and permission to create checkpoints for their virtual machines.

How CreateSelfServicePolicy_ManageVMs.ps1 Works

The following sections explain each part of the script CreateSelfServicePolicy_ManageVMs.ps1.

Connect to the Virtual Machine Manager Server

The first command in the script connects to the Virtual Machine Manager server so that subsequent commands can access objects in the Virtual Machine Manager database.

####################################################################
# Connect to the Virtual Machine Manager server.
####################################################################
# Substitute the name of your VMM server and domain in this command:
Get-VMMServer -ComputerName "VMMServer1.Contoso.com"

Define Variables for CreateSelfServicePolicy_ManageVMs.ps1

The second set of commands in the script performs the following tasks:

  • Identifies the Virtual Machine Manager host group, HGroup2, as the host group for the self-service policy and stores the host group object in variable $VMHostGroup2.
  • Identifies the Active Directory user account or security group to which the self-service policy applies and stores its object in variable $ADUserOrGroup2. The following example uses the Active Directory group, SelfServGroup2, located in the Contoso.com domain.
  • Names the self-service policy and stores the name in variable $Policy2.
  • Specifies a set of self-service policy permissions and stores the permissions object in variable $VmManagementPermissions. In addition to the Vmrc permission that enables self-service users to access a host's virtual machines, the policy grants users permissions to start, stop, pause and resume, and shut down their virtual machines, and to create checkpoints for their virtual machines.

Note

To see a list of all possible self-service permissions, type the following command on a single line:

[enum]::GetValues([Microsoft.VirtualManager.Remoting.SelfServicePermission])

$VMHostGroup2 = Get-VMHostGroup | where { $_.Name -eq "HGroup2" }
$ADUserOrGroup2 = "Contoso\SelfServGroup2" 
$Policy2 = "SelfServGroup2 on HGroup2" 
$VmManagementPermissions = 'ResumeAndPause','Vmrc','Start','Stop','Shutdown','Checkpoint' 

Create a Self-Service Policy for SelfServGroup2

The third command in the script performs the following tasks:

  • Creates and names a self-service policy.
  • Specifies that members of the Active Directory group whose object is stored in $ADUserOrGroup2 (SelfServGroup2) will be governed by the policy.
  • Specifies that the policy applies to virtual machines that are deployed on hosts that belong to the host group whose object is stored in $VMHostGroup2.
  • Grants users who are governed by the policy the permissions stored in variable $VmManagementPermissions.
  • Specifies that all users of the policy share the ownership of the virtual machines that are governed by the policy.
  • Stores the object that represents the new self-service policy in variable $SSPol_VMManage.

####################################################################
# Create a self-service policy for this set of users.
####################################################################
$SSPol_VMManage = New-SelfServicePolicy -Name $Policy2 -UserOrGroup $ADUserOrGroup2 -VMHostGroup $VMHostGroup2 -VMPermission $VmManagementPermissions -SharedVMOwnership $True 

Make Virtual Machines Available to SelfServGroup2

The last set of commands in the script performs the following tasks:

  • Gets the objects that represent the set of virtual machines whose name begins with the prefix "SSVM20" and stores the virtual machine objects in variable array $UserVMsSet2.
  • Uses the pipeline operator (|) to pass the objects in $UserVMsSet2 to the Set-VM cmdlet, which sets $ADUserOrGroup2 as the owner of each virtual machine and associates each virtual machine with the policy stored in $SSPol_VMManage, so that the virtual machines available to the group are displayed to its members.

Note

The following example assumes that the set of virtual machines that you want to assign to the group uses the naming convention SSVM200, SSVM202, SSVM203, and so on up to 209.

CreateSelfServicePolicy_ManageVMs.ps1 - Complete Script

Copy the following complete version of CreateSelfServicePolicy_ManageVMs.ps1 into a Notepad file and save it as CreateSelfServicePolicy_ManageVMs.ps1:

# Filename:    CreateSelfServicePolicy_ManageVMs.ps1
# Description: Create a self-service policy that grants System Center 
#              Virtual Machine Manager self-service users a specific 
#              set of permissions for managing their VMs, and set
#              their VMs to be covered by that policy.

# DISCLAIMER:
# Copyright (c) Microsoft Corporation. All rights reserved. This 
# script is made available to you without any express, implied or 
# statutory warranty, not even the implied warranty of 
# merchantability or fitness for a particular purpose, or the 
# warranty of title or non-infringement. The entire risk of the 
# use or the results from the use of this script remains with you.

####################################################################
# Connect to the Virtual Machine Manager server. 
####################################################################
# Substitute the name of your VMM server and domain in this command:
Get-VMMServer -ComputerName "VMMServer1.Contoso.com"

####################################################################
# Define variables for CreateSelfServicePolicy_ManageVMs.ps1.
####################################################################
$VMHostGroup2 = Get-VMHostGroup | where { $_.Name -eq "HGroup2" }
$ADUserOrGroup2 = "Contoso\SelfServGroup2" 
$Policy2 = "SelfServGroup2 on HGroup2" 
$VmManagementPermissions = 'ResumeAndPause','Vmrc','Start','Stop','Shutdown','Checkpoint' 
#   To see a list of all possible self-service permissions, type: 
#   [enum]::GetValues([Microsoft.VirtualManager.Remoting.
#   SelfServicePermission])

####################################################################
# Create a self-service policy for this set of users.
####################################################################
$SSPol_VMManage = New-SelfServicePolicy -Name $Policy2 -UserOrGroup $ADUserOrGroup2 -VMHostGroup $VMHostGroup2 -VMPermission $VmManagementPermissions -SharedVMOwnership $True 

####################################################################
# Find VMs for this group and set the ownership and policy so that 
# the VMs available to this group will display to group members.
####################################################################
$UserVMsSet2 = Get-VM -Name "SSVM20*"
$UserVMsSet2 | Set-VM -Owner $ADUserOrGroup2 -SelfServicePolicy $SSPol_VMManage

CreateSelfServicePolicy_CreateManageVMs.ps1

You can use the CreateSelfServicePolicy_CreateManageVMs.ps1 script to create a self-service policy that grants members of an Active Directory group permissions to access, manage, and create up to 10 virtual machines.

How CreateSelfServicePolicy_CreateManageVMs.ps1 Works

The following sections explain each part of the script CreateSelfServicePolicy_CreateManageVMs.ps1.

Connect to the Virtual Machine Manager Server

The first command in the script connects to the Virtual Machine Manager server so that subsequent commands can access objects in the Virtual Machine Manager database.

####################################################################
# Connect to the Virtual Machine Manager server.
####################################################################
# Substitute the name of your VMM server and domain in this command:
Get-VMMServer -ComputerName "VMMServer1.Contoso.com"

Define Variables for CreateSelfServicePolicy_CreateManageVMs.ps1

The second set of commands in the script performs the following tasks:

  • Identifies the Virtual Machine Manager host group, HGroup3, as the host group for the self-service policy and stores the host group object in variable $VMHostGroup3.
  • Identifies the Active Directory user account or security group to which the self-service policy applies and stores its object in variable $ADUserOrGroup3. The following example uses the Active Directory group, SelfServGroup3, located in the Contoso.com domain.
  • Names the self-service policy and stores the name in variable $Policy3.
  • Specifies a set of self-service policy permissions and stores the permissions object in variable $VMCreationPermissions. In addition to the Vmrc permission that enables self-service users to access a host's virtual machines, the policy grants users permissions to create, start, stop, pause and resume, remove, and shut down their virtual machines. The policy also grants users the permission to create checkpoints for their virtual machines and to act as local Administrators on their virtual machines.

Note

To see a list of all possible self-service permissions, type the following command on a single line:

[enum]::GetValues([Microsoft.VirtualManager.Remoting.SelfServicePermission])

  • Gets the objects that represent all virtual machine templates available in your Virtual Machine Manager environment and stores the template objects in the variable array $TemplateList.

Note

Self-service users who are granted permission to create virtual machines need access to at least one template; the following example assumes that multiple templates exist and that you want to allow self-service users access to all templates.

  • Specifies a quota limit of 8 for users who are governed by the self-service policy. The quota limits the number of virtual machines that a user or group can create.

####################################################################
# Define variables for CreateSelfServicePolicy_CreateManageVMs.ps1.
####################################################################
$VMHostGroup3 = Get-VMHostGroup | where { $_.Name -eq "HGroup3" }
$ADUserOrGroup3 = "Contoso\SelfServGroup3" 
$Policy3 = "SelfServGroup3 on HGroup3" 
$VMCreationPermissions = 'Create','ResumeAndPause','Vmrc','Start','Stop','Remove','Shutdown','Checkpoint','AllowLocalAdmin'
$TemplateList = Get-Template
$QuotaLimit = 8

Create a Self-Service Policy for SelfServGroup3

The third command in the script performs the following tasks:

  • Creates and names a self-service policy.
  • Specifies that members of the Active Directory group whose object is stored in $ADUserOrGroup3 (SelfServGroup3) are governed by the policy.
  • Specifies that the policy applies to virtual machines that are deployed on hosts that belong to the host group (HGroup3) whose object is stored in $VMHostGroup3.
  • Grants users who are governed by the policy the permissions that are stored in variable $VMCreationPermissions.
  • Specifies that all users of the policy share the ownership of the virtual machines that are governed by the policy.
  • Specifies that all users of the policy can use the templates stored in $TemplateList to create virtual machines.
  • Specifies the quota limit stored in $QuotaLimit.
  • Stores the object that represents the new self-service policy in variable $SSPol_VMCreate.

####################################################################
# Create a self-service policy for this set of users.
####################################################################
$SSPol_VMCreate = New-SelfServicePolicy -Name $Policy3 -UserOrGroup $ADUserOrGroup3 -VMHostGroup $VMHostGroup3 -VMPermission $VMCreationPermissions -SharedVMOwnership $True -Template $TemplateList -QuotaPoint $QuotaLimit

Make Virtual Machines Available to SelfServGroup3

The last set of commands in the script performs the following tasks:

  • Gets the objects that represent the set of virtual machines whose name begins with the prefix "SSVM30" and stores the virtual machine objects in variable array $UserVMsSet3.
  • Uses the pipeline operator (|) to pass the objects in $UserVMsSet3 to the Set-VM cmdlet, which sets $ADUserOrGroup3 as the owner of each virtual machine and associates each virtual machine with the policy stored in $SSPol_VMCreate, so that the virtual machines available to the group are displayed to its members.

Note

The following example assumes that the set of virtual machines that you want to assign to the group uses the naming convention SSVM300, SSVM302, SSVM303, and so on up to 309.

####################################################################
# Find VMs for this group and set the ownership and policy so that 
# the VMs available to this group will display to group members.
####################################################################
$UserVMsSet3 = Get-VM -Name "SSVM30*"
$UserVMsSet3 | Set-VM -Owner $ADUserOrGroup3 -SelfServicePolicy $SSPol_VMCreate

CreateSelfServicePolicy_CreateManageVMs.ps1 - Complete Script

Copy the following complete version of CreateSelfServicePolicy_CreateManageVMs.ps1 into a Notepad file and save it as CreateSelfServicePolicy_CreateManageVMs.ps1:

# Filename:    CreateSelfServicePolicy_CreateManageVMs.ps1
# Description: Create a self-service policy that grants System Center 
#              Virtual Machine Manager self-service users permission 
#              to create and manage their VMs, and set their VMs to be 
#              covered by that policy.

# DISCLAIMER:
# Copyright (c) Microsoft Corporation. All rights reserved. This 
# script is made available to you without any express, implied or 
# statutory warranty, not even the implied warranty of 
# merchantability or fitness for a particular purpose, or the 
# warranty of title or non-infringement. The entire risk of the 
# use or the results from the use of this script remains with you.

####################################################################
# Connect to the Virtual Machine Manager server 
####################################################################
# Substitute the name of your VMM server and domain in this command:
Get-VMMServer -ComputerName "VMMServer1.Contoso.com"

####################################################################
# Define variables for CreateSelfServicePolicy_CreateManageVMs.ps1
####################################################################
$VMHostGroup3 = Get-VMHostGroup | where { $_.Name -eq "HGroup3" }
$ADUserOrGroup3 = "Contoso\SelfServGroup3" 
$Policy3 = "SelfServGroup3 on HGroup3" 
$VMCreationPermissions = 'Create','ResumeAndPause','Vmrc','Start','Stop','Remove','Shutdown','Checkpoint','AllowLocalAdmin'
#   To see a list of all possible self-service permissions, type: 
#   [enum]::GetValues([Microsoft.VirtualManager.Remoting.
#   SelfServicePermission])
$TemplateList = Get-Template
$QuotaLimit = 8

####################################################################
# Create a self-service policy for this set of users.
####################################################################
$SSPol_VMCreate = New-SelfServicePolicy -Name $Policy3 -UserOrGroup $ADUserOrGroup3 -VMHostGroup $VMHostGroup3 -VMPermission $VMCreationPermissions -SharedVMOwnership $True -Template $TemplateList -QuotaPoint $QuotaLimit

####################################################################
# Find VMs for this group and set the ownership and policy so that 
# the VMs available to this group will display to group members.
####################################################################
$UserVMsSet3 = Get-VM -Name "SSVM30*"
$UserVMsSet3 | Set-VM -Owner $ADUserOrGroup3 -SelfServicePolicy $SSPol_VMCreate

CreateSelfServicePolicy_CreateManageStoreVMs.ps1

You can use the CreateSelfServicePolicy_CreateManageStoreVMs.ps1 script to create a self-service policy that grants members of an Active Directory group permissions to access, manage, and create up to 10 virtual machines and also to store their virtual machines in the Virtual Machine Manager library.

How CreateSelfServicePolicy_CreateManageStoreVMs.ps1 Works

The following sections explain each part of the script CreateSelfServicePolicy_CreateManageStoreVMs.ps1.

Connect to the Virtual Machine Manager Server

The first command in the script connects to the Virtual Machine Manager server so that subsequent commands can access objects in the Virtual Machine Manager database.

####################################################################
# Connect to the Virtual Machine Manager server
####################################################################
# Substitute the name of your VMM server and domain in this command:
Get-VMMServer -ComputerName "VMMServer1.Contoso.com"

Define Variables for CreateSelfServicePolicy_CreateManageStoreVMs.ps1

The second set of commands in the script performs the following tasks:

  • Identifies the Virtual Machine Manager host group, HGroup4, as the host group for the self-service policy and stores the host group object in variable $VMHostGroup4.
  • Identifies the Active Directory user account or security group to which the self-service policy applies and stores its object in variable $ADUserOrGroup4. The following example uses the Active Directory group, SelfServGroup4, located in the Contoso.com domain.
  • Names the self-service policy and stores the name in variable $Policy4.
  • Specifies a set of self-service policy permissions and stores the permissions object in variable $AllPermissions. In addition to the Vmrc permission that enables self-service users to access a host's virtual machines, the policy grants users permissions to create, start, stop, pause and resume, remove, and shut down their virtual machines. The policy also grants users the permission to create checkpoints for their virtual machines, to act as local Administrators on their virtual machines, and to store their virtual machines in the Virtual Machine Manager library.

Note

To see a list of all possible self-service permissions, type the following command on a single line:

[enum]::GetValues([Microsoft.VirtualManager.Remoting.SelfServicePermission])

  • Gets the objects that represent all virtual machine templates that are available in your Virtual Machine Manager environment and stores the template objects in the variable array $TemplateList.

Note

Self-service users who are granted permission to create virtual machines need access to at least one template; the following example assumes that multiple templates exist and that you want to allow self-service users access to all templates.

  • Specifies a quota limit of 10 for users who are governed by the self-service policy. The quota limits the number of virtual machines that a user or group can create.
  • Specifies the path to the Virtual Machine Manager library share called "Self Service".

Note

Users granted the "store" permission can store their virtual machines in the library, which requires that a library share path for the policy is specified. The following example assumes that a library share named "Self Service" already exists.

#######################################################################
# Define variables for CreateSelfServicePolicy_CreateManageStoreVMs.ps1
#######################################################################
$VMHostGroup4 = Get-VMHostGroup | where { $_.Name -eq "HGroup4" }
$ADUserOrGroup4 = "Contoso\SelfServGroup4" 
$Policy4 = "SelfServGroup4 on HGroup4" 
$AllPermissions = 'Create','ResumeAndPause','Vmrc','Start','Stop','Remove','Shutdown','Checkpoint','Store','AllowLocalAdmin' 
$TemplateList = Get-Template
$QuotaLimit = 10
$LibraryPath = "\\VMMServer1.Contoso.com\MSSCVMMLibrary\Self Service"

Create a Self-Service Policy for SelfServGroup4

The third command in the script performs the following tasks:

  • Creates and names a self-service policy.
  • Specifies that members of the Active Directory group whose object is stored in $ADUserOrGroup4 (SelfServGroup4) are governed by the policy.
  • Specifies that the policy applies to virtual machines that are deployed on hosts that belong to the host group (HGroup4) whose object is stored in $VMHostGroup4.
  • Grants users who are governed by the policy the permissions that are stored in variable $AllPermissions.
  • Specifies that all users of the policy share the ownership of the virtual machines that are governed by the policy.
  • Specifies that all users of the policy can use the templates stored in $TemplateList to create virtual machines.
  • Specifies the quota limit stored in $QuotaLimit.
  • Specifies that the share on a library server where users of the policy can store their virtual machines is the share whose path is stored in variable $LibraryPath.
  • Stores the object that represents the new self-service policy in variable $SSPol_All.

####################################################################
# Create a self-service policy for this set of users.
####################################################################
$SSPol_All = New-SelfServicePolicy -Name $Policy4 -UserOrGroup $ADUserOrGroup4 -VMHostGroup $VMHostGroup4 -VMPermission $AllPermissions -SharedVMOwnership $True -Template $TemplateList -QuotaPoint $QuotaLimit -LibraryStoreSharePath $LibraryPath
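
This policy combines every permission used in this topic, and two of them depend on other parameters: Create needs at least one template, and Store needs a library share path. The following added example (not part of the original scripts) checks a planned permission set against an approved list and against those dependencies before New-SelfServicePolicy is called; the function name Test-SelfServicePolicyRequest, the approved list, and the sample template name are hypothetical, and the check for a missing quota is an added precaution rather than a requirement stated in this topic.

```powershell
# Added example, not part of the original scripts. Test-SelfServicePolicyRequest
# is a hypothetical helper: it inspects only the values you plan to pass to
# New-SelfServicePolicy and never contacts the VMM server.
function Test-SelfServicePolicyRequest {
    param(
        [string[]] $VMPermission,
        [object[]] $Template,
        [object]   $QuotaPoint,              # $null means "not specified"
        [string]   $LibraryStoreSharePath,
        [string[]] $ApprovedPermission       # set agreed for this group (assumption)
    )

    # Permission names that appear in this topic; the authoritative list is the
    # SelfServicePermission enum shown in the Note above.
    $namesInTopic = 'Create','ResumeAndPause','Vmrc','Start','Stop',
                    'Remove','Shutdown','Checkpoint','Store','AllowLocalAdmin'
    $findings = @()

    foreach ($p in $VMPermission) {
        if ($namesInTopic -notcontains $p) {
            $findings += "'$p' is not a permission name used in this topic; check it against the enum."
        }
        elseif ($ApprovedPermission -notcontains $p) {
            $findings += "'$p' is requested but is not in the approved set for this group."
        }
    }

    $canCreate = $VMPermission -contains 'Create'
    $canStore  = $VMPermission -contains 'Store'

    # Dependencies described in the Notes: Create needs a template, Store needs
    # a library share path. The quota check is an added precaution.
    if ($canCreate -and ($null -eq $Template -or $Template.Length -eq 0)) {
        $findings += "'Create' is requested but no template is supplied."
    }
    if ($canCreate -and ($null -eq $QuotaPoint)) {
        $findings += "'Create' is requested but no quota is supplied."
    }
    if ($canStore -and [string]::IsNullOrEmpty($LibraryStoreSharePath)) {
        $findings += "'Store' is requested but no library share path is supplied."
    }

    New-Object PSObject -Property @{
        Approved = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed request modelled on the variables above, with the library path
# left empty and a narrower approved list to show both kinds of finding.
$AllPermissions = 'Create','ResumeAndPause','Vmrc','Start','Stop','Remove','Shutdown','Checkpoint','Store','AllowLocalAdmin'
$request = @{
    VMPermission          = $AllPermissions
    Template              = @('SampleTemplate')   # stands in for Get-Template output
    QuotaPoint            = 10
    LibraryStoreSharePath = ''
    ApprovedPermission    = 'Vmrc','Start','Stop','Shutdown','ResumeAndPause','Checkpoint'
}
$check = Test-SelfServicePolicyRequest @request
$check.Findings | ForEach-Object { Write-Warning $_ }

# Call New-SelfServicePolicy only when $check.Approved is $true.
```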

Make Virtual Machines Available to SelfServGroup4

The last set of commands in the script performs the following tasks:

  • Gets the objects that represent the set of virtual machines whose name begins with the prefix "SSVM40" and stores the virtual machine objects in variable array $UserVMsSet4.
  • Uses the pipeline operator (|) to pass the objects in $UserVMsSet4 to the Set-VM cmdlet, which sets $ADUserOrGroup4 as the owner of each virtual machine and associates each virtual machine with the policy stored in $SSPol_All, so that the virtual machines available to the group are displayed to its members.

Note

The following example assumes that the set of virtual machines that you want to assign to the group uses the naming convention SSVM400, SSVM402, SSVM403, and so on up to 409.

####################################################################
# Find VMs for this group and set the ownership and policy so that 
# the VMs available to this group will display to group members.
####################################################################
$UserVMsSet4 = Get-VM -Name "SSVM40*"
$UserVMsSet4 | Set-VM -Owner $ADUserOrGroup4 -SelfServicePolicy $SSPol_All

CreateSelfServicePolicy_CreateManageStoreVMs.ps1 - Complete Script

Copy the following complete version of CreateSelfServicePolicy_CreateManageStoreVMs.ps1 into a Notepad file and save it as CreateSelfServicePolicy_CreateManageStoreVMs.ps1:

# Filename:    CreateSelfServicePolicy_CreateManageStoreVMs.ps1
# Description: Create a self-service policy that grants System Center 
#              Virtual Machine Manager self-service users permission 
#              to create, manage, and store their VMs, and set their 
#              VMs to be covered by that policy.

# DISCLAIMER:
# Copyright (c) Microsoft Corporation. All rights reserved. This 
# script is made available to you without any express, implied or 
# statutory warranty, not even the implied warranty of 
# merchantability or fitness for a particular purpose, or the 
# warranty of title or non-infringement. The entire risk of the 
# use or the results from the use of this script remains with you.

####################################################################
# Connect to the Virtual Machine Manager server 
####################################################################
# Substitute the name of your VMM server and domain in this command:
Get-VMMServer -ComputerName "VMMServer1.Contoso.com"

#######################################################################
# Define variables for CreateSelfServicePolicy_CreateManageStoreVMs.ps1
#######################################################################
$VMHostGroup4 = Get-VMHostGroup | where { $_.Name -eq "HGroup4" }
$ADUserOrGroup4 = "Contoso\SelfServGroup4" 
$Policy4 = "SelfServGroup4 on HGroup4" 
$AllPermissions = 'Create','ResumeAndPause','Vmrc','Start','Stop','Remove','Shutdown','Checkpoint','Store','AllowLocalAdmin' 
#   To see a list of all possible self-service permissions, type: 
#   [enum]::GetValues([Microsoft.VirtualManager.Remoting.
#   SelfServicePermission])
$TemplateList = Get-Template
$QuotaLimit = 10
$LibraryPath = "\\VMMServer1.Contoso.com\MSSCVMMLibrary\Self Service"

####################################################################
# Create a self-service policy for this set of users.
####################################################################
$SSPol_All = New-SelfServicePolicy -Name $Policy4 -UserOrGroup $ADUserOrGroup4 -VMHostGroup $VMHostGroup4 -VMPermission $AllPermissions -SharedVMOwnership $True -Template $TemplateList -QuotaPoint $QuotaLimit -LibraryStoreSharePath $LibraryPath

####################################################################
# Find VMs for this group and set the ownership and policy so that 
# the VMs available to this group will display to group members.
####################################################################
$UserVMsSet4 = Get-VM -Name "SSVM40*"
$UserVMsSet4 | Set-VM -Owner $ADUserOrGroup4 -SelfServicePolicy $SSPol_All