Prevent changes to Hyper-V vSwitch/nics

  • Question

  • Is there a way of preventing user from changing or adding settings on Hyper-V vSwitch?
    Or perhaps some script or settings of some sort, that can be run on 20+ machines for making changes quicker?

    User should be allowed to use the physical server for lab remotely, with creating VMs etc. But not allowed to change the vSwitch or nic settings, because modifying settings would terminate the remote connection and the physical machines are located elsewhere. So that would mean the administrator would need to travel to location and login locally to change the settings back to default.
    And no, just telling them not to change vSwitch or nic settings is not working.

    Not sure what best practice would be, if it's possible with some script and policy to prevent, or some script to restore if prevention is not possible.

    Any help is much appreciated!

    Thanks


    Tuesday, October 8, 2019 11:43 AM

All replies

  • Sure, it is relatively easy to write a script to restore default settings, but you still need remote access to the host in order to execute the script.  This could be provided by a connection made via a management port, like ILO on HP.  Talk to your vendor about that.  Only the system administrator would have access to that connection, so end users could not do anything to it, and that connection is not offered as a NIC on which a virtual switch could be created.

    "just telling them not to change vSwitch or nic settings is not working."

    Implement a 'salary continuation policy'.  Once is a warning.  Twice is cause for dismissal.  If the consequences are not serious enough, the rule is not obeyed.  In your case it sounds like you are making a suggestion, not a rule.

    It sounds like you are granting the user the ability to run VMconnect, the Hyper-V console.  You need to come up with a way to allow them to create VMs, but not have full control of Hyper-V.  This can be done by providing scripts to create VMs instead of allowing them to create them directly.  Something like Just Enough Admin can be used in creating the scripts to limit what the user can do.  Or you could implement something like Azure Stack or SCVMM to build a cloud-like environment which already has everything in place to control the end users.


    tim

    Tuesday, October 8, 2019 4:24 PM
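
The Just Enough Admin approach suggested in the reply above, sketched as an added PowerShell example (not part of the thread and not code from any poster). The group `LAB\HvStudents`, switch `LabSwitch`, path `D:\LabVMs`, module `LabJea` and endpoint `LabVm` are assumed names, and it assumes the students are not members of the host's Administrators or Hyper-V Administrators groups, since either membership bypasses the endpoint.

```powershell
# Added example: JEA endpoint exposing VM lifecycle cmdlets only.
# No *-VMSwitch or host NIC cmdlet is visible, so the host uplink cannot be changed.
# Run elevated on each Hyper-V host. All names below are assumptions.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\LabJea'
New-Item -ItemType Directory -Path "$module\RoleCapabilities" -Force | Out-Null
New-ModuleManifest -Path "$module\LabJea.psd1"   # role files are discovered via a module

$role = @{
    Path            = "$module\RoleCapabilities\VmOperator.psrc"
    ModulesToImport = 'Hyper-V'
    VisibleCmdlets  = @(
        'Get-VM', 'Start-VM', 'Stop-VM', 'Checkpoint-VM', 'Remove-VM',
        # New-VM: only these parameters, and only the pre-built switch.
        @{ Name = 'New-VM'; Parameters = @(
            @{ Name = 'Name' },
            @{ Name = 'Generation' },
            @{ Name = 'MemoryStartupBytes' },
            @{ Name = 'NewVHDSizeBytes' },
            # The virtual account is a local admin, so pin where disks may land.
            @{ Name = 'NewVHDPath'; ValidatePattern = '^D:\\LabVMs\\[\w-]+\.vhdx$' },
            @{ Name = 'SwitchName'; ValidateSet = 'LabSwitch' }
        ) },
        # Re-attaching a VM NIC is allowed, but again only to the existing switch.
        @{ Name = 'Connect-VMNetworkAdapter'; Parameters = @(
            @{ Name = 'VMName' },
            @{ Name = 'SwitchName'; ValidateSet = 'LabSwitch' }
        ) }
    )
}
New-PSRoleCapabilityFile @role

$cfgDir = Join-Path $env:ProgramData 'LabJea'
New-Item -ItemType Directory -Path "$cfgDir\Transcripts" -Force | Out-Null
$session = @{
    Path                = "$cfgDir\LabVm.pssc"
    SessionType         = 'RestrictedRemoteServer'   # hides everything not listed
    RunAsVirtualAccount = $true                      # students never hold admin rights
    TranscriptDirectory = "$cfgDir\Transcripts"      # per-session audit trail
    RoleDefinitions     = @{ 'LAB\HvStudents' = @{ RoleCapabilities = 'VmOperator' } }
}
New-PSSessionConfigurationFile @session

# Registering restarts WinRM, which briefly drops existing remoting sessions.
Register-PSSessionConfiguration -Name 'LabVm' -Path $session.Path -Force

# Check: the effective command list for a student must contain no switch cmdlets.
Get-PSSessionCapability -ConfigurationName 'LabVm' -Username 'LAB\HvStudents' |
    Where-Object Name -like '*VMSwitch*'             # expect no output
```

Students would then connect with `Enter-PSSession -ComputerName <host> -ConfigurationName LabVm` instead of opening Hyper-V Manager on the host.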
  • Thanks for reply!

    The end users are brand new IT students, so there's no salary involved :)
    And they tend to go all crazy and change everything that can be changed, even if told not to, which is good in one way. But the problem would be restoring the network settings, so they can connect remotely again without too much delay and no need to travel to the location where the physical servers are stored.

    Not sure if it's possible to get that network setting in hyper-v greyed out, or what best practice would be to only remove that option. Been looking for options online but can't find anything at all about it.
    It is just normal workstations with 1 nic in them, so not possible with running separate management ports unfortunately.

    Cheers!

    Tuesday, October 8, 2019 9:10 PM
  • >>Not sure if it's possible to get that network setting in hyper-v greyed out,

    I'm afraid we can't achieve this goal. It seems that our ideas are crazy, but as Tim said, I think it seems feasible to write a script to restore default settings, but it's a bit difficult for us to write such a script.

    Azure Stack or SCVMM is also a way if our cost allows.

    Anyway, although we can't turn network settings in Hyper-V greyed out, there are ways to keep control in your hands; it depends on your choice.

    Regards,

    Daniel


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, October 9, 2019 8:43 AM
    Moderator
  • It sounds like you are trying to solve a problem that is due to lack of resources.  A workstation with a single NIC is not an adequate lab environment for students you want to allow to do anything.  That is a guarantee for what you are seeing.

    A second NIC would be very helpful.  It doesn't cost much to get a second NIC into a system.  Then I would suggest that you use Hyper-V nested virtualization capability.  That way you could manage the instance of Hyper-V on the host and provide a VM running Hyper-V to each student.  They would not be set up to have any management capabilities on the host but have full capabilities on their Hyper-V instance.

    Or, just have them set up Hyper-V on their own laptops.

    Students may not be getting paid in salary, but they are definitely getting 'paid' in their grades. <grin>  You still have leverage.


    tim

    Wednesday, October 9, 2019 1:18 PM
  • Hi,
    Just want to confirm the current situations.
    Please feel free to let us know if you need further assistance.
    Best Regards,
    Daniel

    Friday, October 11, 2019 8:12 AM
    Moderator
  • Hi,
    This is Daniel and wish you all the best!
    As this thread has been quiet for a while, we will mark it as ‘Propose answered’ as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the proposed answer as you wish.
    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
    Best Regards,
    Daniel

    Monday, October 14, 2019 2:24 AM
    Moderator