how do you allow a domain user to manage hyper-v cluster?

    Question

  • Windows Server 2012 R2 hyper-v

    I don't want to casually provide domain admin groups just to manage the Hyper-V clusters. I have already created a domain group "hypervAdmins" to have RDP and local admin privileges on all my hypervisors. But when using the Failover Cluster Manager, it still gives an error.

    So far, on the failover cluster name permissions, I allowed "Read" (aside from what is the default) to the "hypervAdmins" group. Are there any other permissions I need to give this group on the failover cluster name?

    regards,

    Wednesday, February 22, 2017 11:39 AM

All replies

  • Failover cluster management requires local administrator membership on each node. Insert your domain group into local admins. That will automatically cover Hyper-V management, which has a slightly smaller requirement. I'm not sure that any permissions are necessary on the AD objects, since they won't be manipulating those. I typically grant Full Control to the AD objects for their administrators, though. I figure that if any admins are responsible for managing resources that they cannot be trusted to manage, that is an issue best resolved by human resources.

    But, you are right, domain admin level is definitely not necessary.


    Eric Siron
    Altaro Hyper-V Blog
    I am an independent contributor, not an Altaro employee. I accept all responsibility for the content of my posts. You accept all responsibility for any actions that you take based on the content of my posts.

    Wednesday, February 22, 2017 2:32 PM
  • Another way, if you want to limit the user to just specific aspects of cluster management instead of having all the rights associated with being a member of the local administrator group, would be to implement Just Enough Administration. https://msdn.microsoft.com/en-us/library/dn896648.aspx?f=255&MSPPError=-2147217396 This allows you to tailor the specific actions permitted by a user.

    . : | : . : | : . tim

    Wednesday, February 22, 2017 2:50 PM
  • I started by adding the domain group for Hyper-V admins to the local admin and Hyper-V admin groups of each hypervisor. Doesn't work.

    Yesterday, I added full permissions on the cluster AD object itself. Still no luck. (I did this because this method worked with SQL 2014 clusters.)

    Thursday, February 23, 2017 5:30 AM
  • Hi Reno,

    Did you log off and log on again after modifying the permissions?

    Best Regards,

    Leo


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 24, 2017 2:24 AM
    Moderator
  • Hi, yes, and even waited until the following day to make sure everything is synced.

    regards,

    Reno

    Monday, February 27, 2017 7:48 AM
  • More than a month now. So there is no way to delegate Hyper-V management then?

    I also can't find anything in my searches.

    I guess it's official.

    Sunday, April 2, 2017 6:55 AM
  • Did you look into Just Enough Admin?

    tim

    Sunday, April 2, 2017 11:41 AM
  • "Just Enough Admin" discusses the pros and cons of delegation. What I'm looking for is a way or method to delegate cluster management like delegating printer or account management.
    Tuesday, April 4, 2017 9:10 AM
  • "what i'm looking for is a way or method to delegate cluster management like delegating printer or account management."

    That's why I suggested looking into JEA - it is designed to allow specific tasks to be performed by specific people.  It is not a simple check-box action, but it can be tailored to your needs.


    tim

    Tuesday, April 4, 2017 11:40 AM
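
Added example, not part of any reply in this thread: one way the JEA approach suggested above could be set up so that the "hypervAdmins" group gets a fixed set of cluster and VM cmdlets without local administrator membership. Assumptions: WMF 5.0 or later is installed on each node, `CONTOSO` is a placeholder domain, and the module name `ClusterJEA`, the endpoint name `ClusterOperator` and the cmdlet list are hypothetical choices to adjust.

```powershell
# Run elevated on every cluster node. JEA needs WMF 5.0 or later; it is not part of
# the PowerShell 4.0 that ships with Windows Server 2012 R2.
$moduleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ClusterJEA'  # hypothetical module
$configDir = Join-Path $env:ProgramData  'JEAConfiguration'
New-Item -ItemType Directory -Path "$moduleDir\RoleCapabilities" -Force | Out-Null
New-Item -ItemType Directory -Path "$configDir\Transcripts"      -Force | Out-Null
New-ModuleManifest -Path "$moduleDir\ClusterJEA.psd1"

# Role capability: the only cmdlets a connected user can see and run.
$role = @{
    Path            = "$moduleDir\RoleCapabilities\ClusterOperator.psrc"
    ModulesToImport = 'FailoverClusters', 'Hyper-V'
    VisibleCmdlets  = 'Get-Cluster', 'Get-ClusterNode', 'Get-ClusterGroup',
                      'Get-ClusterResource', 'Suspend-ClusterNode', 'Resume-ClusterNode',
                      'Move-ClusterVirtualMachineRole', 'Start-ClusterGroup',
                      'Stop-ClusterGroup', 'Get-VM', 'Start-VM', 'Stop-VM'
}
New-PSRoleCapabilityFile @role

# Session configuration: maps the domain group to the role. Commands run under a
# temporary virtual account, so group members need no admin rights of their own.
$session = @{
    Path                = "$configDir\ClusterOperator.pssc"
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = "$configDir\Transcripts"   # every session is recorded here
    RoleDefinitions     = @{
        'CONTOSO\hypervAdmins' = @{ RoleCapabilities = 'ClusterOperator' }  # placeholder domain
    }
}
New-PSSessionConfigurationFile @session
Test-PSSessionConfigurationFile -Path $session.Path   # returns $true if the file is valid

# Registering restarts WinRM and drops existing remoting sessions on this node.
Register-PSSessionConfiguration -Name 'ClusterOperator' -Path $session.Path -Force

# A group member then connects with:
#   Enter-PSSession -ComputerName <node> -ConfigurationName ClusterOperator
```

A JEA endpoint is reached through PowerShell remoting only, so it delegates the listed cmdlets but does not make the Failover Cluster Manager console work for the group.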
  • Hello! Have you found a solution?
    Monday, May 7, 2018 4:51 PM