Remove From My Forums

how do you allow a domain user to manage hyper-v cluster?

Question

0

Sign in to vote

Windows Server 2012 R2 hyper-v

i don't want to casually provide domain admin groups just to manage the hyper-v clusters. i have already created a domain group "hypervAdmins" to have RDP and local admin privileges on all my hypervisors. but when using the failover cluster manager, it still gives an error.

so far, on the failover cluster name permissions, i allowed "Read" (aside from what is the default) to the "hypervAdmins" group. is there any other permissions i need to give this group to the failover cluster name?

regards,

Wednesday, February 22, 2017 11:39 AM

Reply

|

Quote

All replies

0

Sign in to vote

Failover cluster management requires local administrator membership on each node. Insert your domain group into local admins. That will automatically cover Hyper-V management, which has a slightly smaller requirement. I'm not sure that any permissions are necessary on the AD objects, since they won't be manipulating those. I typically grant Full Control to the AD objects for their administrators, though. I figure that if any admins are responsible for managing resources that they cannot be trusted to manage, that is an issue best resolved by human resources.

But, you are right, domain admin level is definitely not necessary.
Eric Siron
Altaro Hyper-V Blog
I am an independent contributor, not an Altaro employee. I accept all responsibility for the content of my posts. You accept all responsibility for any actions that you take based on the content of my posts.

Wednesday, February 22, 2017 2:32 PM

Reply

|

Quote

0

Sign in to vote

Another way, if you want to limit the user to just specific aspects of cluster management instead of having all the rights associated with being a member of the local administrator group would be to implement Just Enough Administration. https://msdn.microsoft.com/en-us/library/dn896648.aspx?f=255&MSPPError=-2147217396 This allows you to tailor the specific actions permitted by a user.
. : | : . : | : . tim

Wednesday, February 22, 2017 2:50 PM

Reply

|

Quote

0

Sign in to vote

i started by adding the domain group for hyper-v admins to the local admin and hyper-v admin groups of each hypervisors. doesn't work.

yesterday, i added full permissions on the cluster AD object itself. still no luck. (i did this because this method worked with sql 2014 clusters).

Thursday, February 23, 2017 5:30 AM

Reply

|

Quote

0

Sign in to vote

Hi Reno,

Did you log off and log on again after modifying the permissions?

Best Regards,

Leo
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Friday, February 24, 2017 2:24 AM

Reply

|

Quote

Moderator

0

Sign in to vote

hi, yes and even waited until the following day to make sure everything is synced.

regards,

Reno

Monday, February 27, 2017 7:48 AM

Reply

|

Quote

0

Sign in to vote

more than a month now. so there is no way to delegate hyper-v management then?

i also can't find anything on my searches.

i guess it's official.

Sunday, April 2, 2017 6:55 AM

Reply

|

Quote

0

Sign in to vote

Did you look into Just Enough Admin?
tim

Sunday, April 2, 2017 11:41 AM

Reply

|

Quote

0

Sign in to vote

"Just Enough Admin" discusses the pros and cons of delegation. what i'm looking for is a way or method to delegate cluster management like delegating printer or account management.

Tuesday, April 4, 2017 9:10 AM

Reply

|

Quote

0

Sign in to vote

"what i'm looking for is a way or method to delegate cluster management like delegating printer or account management."

That's why I suggested looking into JEA - it is designed to allow specific tasks to be performed by specific people. It is not a simple check-box action, but it can be tailored to your needs.

tim

Tuesday, April 4, 2017 11:40 AM

Reply

|

Quote

0

Sign in to vote

Hello! Have you found a solution?

Monday, May 7, 2018 4:51 PM

Reply

|

Quote