How do you allow a domain user to manage a Hyper-V cluster?
Windows Server 2012 R2 Hyper-V
I don't want to casually provide domain admin groups just to manage the Hyper-V clusters. I have already created a domain group "hypervAdmins" to have RDP and local admin privileges on all my hypervisors. But when using the Failover Cluster Manager, it still gives an error.
So far, on the failover cluster name permissions, I allowed "Read" (aside from what is the default) to the "hypervAdmins" group. Are there any other permissions I need to give this group on the failover cluster name?
Regards,
All replies
Failover cluster management requires local administrator membership on each node. Insert your domain group into local admins. That will automatically cover Hyper-V management, which has a slightly smaller requirement. I'm not sure that any permissions are necessary on the AD objects, since they won't be manipulating those. I typically grant Full Control to the AD objects for their administrators, though. I figure that if any admins are responsible for managing resources that they cannot be trusted to manage, that is an issue best resolved by human resources.
But, you are right, domain admin level is definitely not necessary.
Eric Siron
Altaro Hyper-V Blog
I am an independent contributor, not an Altaro employee. I accept all responsibility for the content of my posts. You accept all responsibility for any actions that you take based on the content of my posts.
Another way, if you want to limit the user to just specific aspects of cluster management instead of having all the rights associated with being a member of the local administrator group would be to implement Just Enough Administration. https://msdn.microsoft.com/en-us/library/dn896648.aspx?f=255&MSPPError=-2147217396 This allows you to tailor the specific actions permitted by a user.
. : | : . : | : . tim
I started by adding the domain group for Hyper-V admins to the local admin and Hyper-V admin groups of each hypervisor. It doesn't work.
Yesterday, I added full permissions on the cluster AD object itself. Still no luck. (I did this because this method worked with SQL 2014 clusters.)
Hi Reno,
Did you log off and log on again after modifying the permissions?
Best Regards,
Leo
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
"What I'm looking for is a way or method to delegate cluster management like delegating printer or account management."
That's why I suggested looking into JEA - it is designed to allow specific tasks to be performed by specific people. It is not a simple check-box action, but it can be tailored to your needs.
tim
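Tim's JEA suggestion, in both of his replies above, as an added example that is not from anyone in this thread: a role capability plus session configuration that exposes a fixed set of cluster and VM cmdlets to the hypervAdmins group while the commands run under a virtual account that holds the local Administrators membership Eric describes. The role name HyperVClusterOps, the DOMAIN placeholder and the transcript path are assumptions, as is WMF 5.1 being installed on the 2012 R2 nodes (JEA needs WMF 5.0 or later).

```powershell
# Added example (not from the thread): a JEA endpoint for the hypervAdmins group.
# Assumptions: WMF 5.1 on the Windows Server 2012 R2 node, a domain named DOMAIN
# (placeholder), and the FailoverClusters and Hyper-V modules present on the node.
$roleName = 'HyperVClusterOps'
$modDir   = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$roleName"
$rcDir    = Join-Path $modDir 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modDir "$roleName.psd1")

# Role capability: only the listed cmdlets are visible inside the session.
# Anything not listed (e.g. Remove-ClusterNode, Remove-VM) cannot be run at all.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir "$roleName.psrc") `
    -ModulesToImport 'FailoverClusters', 'Hyper-V' `
    -VisibleCmdlets @(
        'Get-Cluster', 'Get-ClusterNode', 'Get-ClusterGroup', 'Get-ClusterResource',
        'Get-VM', 'Start-VM', 'Stop-VM',
        # Live migration is allowed, but only via the Name and Node parameters.
        @{ Name = 'Move-ClusterVirtualMachineRole'
           Parameters = @{ Name = 'Name' }, @{ Name = 'Node' } }
    )

# Session configuration: commands run as a temporary virtual account that is a
# local Administrator on the node, so the delegated user never holds that
# membership directly. Every session is transcribed for audit.
$transcripts = 'C:\JEATranscripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$pssc = Join-Path $env:TEMP "$roleName.pssc"
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'DOMAIN\hypervAdmins' = @{ RoleCapabilities = $roleName } }

# Validate the file, then register the endpoint; repeat on every cluster node.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration file: $pssc"
}
Register-PSSessionConfiguration -Name $roleName -Path $pssc -Force | Out-Null

# A hypervAdmins member then connects with:
#   Enter-PSSession -ComputerName <node> -ConfigurationName HyperVClusterOps
```

Inside the session, `Get-Command` shows only the cmdlets granted above, which is the check to run after registering to confirm the role is as narrow as intended.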