Delegation of Hyper-V Management Access For 2012 R2?

  • Question

  • Instead of only the two choices of full Hyper-V Administrator with unlimited access or else no access at all, is there a way to manage fine grained control of access?

    There was for Hyper-V Server 2008 R2, but the article specifically says it is for 2008 R2 only.

    http://social.technet.microsoft.com/wiki/contents/articles/2323.hyper-v-2008-r2-delegate-access-control-and-management.aspx

    Is there an updated equivalent for what's described in that link that works with 2012 R2?

    We would like to create a Hyper-V Users security group or delegated role that allows members to open Hyper-V Manager and access VMs from the console and also create and revert snapshots for these VMs, but not be able to do things like edit the hardware properties of the VM, change network or virtual switch settings or create new VMs.

    Thursday, July 16, 2015 4:08 AM

Answers

  • AzMan itself is still available, but AzMan support for Hyper-V was indeed removed from 2012 R2. The .xml infrastructure is still there but none of it works when targeting a 2012 R2 host. I know there are at least a few posts somewhere on these forums that were started for that very reason.

    As Tim pointed out, what Microsoft wants you to do is use VMM. It's really expensive and much more difficult to work with than AzMan, but right now it's the only Microsoft-provided GUI software solution. I don't know if any third parties have waded into these waters.

    If you're a bit industrious, you can use constrained PowerShell endpoints to grant a much higher degree of control and customization than either AzMan or VMM offer. The problem, though, is that it doesn't work with Hyper-V Manager or any other pre-built GUI tool.


    Eric Siron
    Altaro Hyper-V Blog
    I am an independent blog contributor, not an Altaro employee. I am solely responsible for the content of my posts.

    • Proposed as answer by BrianEhMVP Thursday, July 16, 2015 4:44 PM
    • Marked as answer by MyGposts Saturday, July 18, 2015 11:12 PM
    Thursday, July 16, 2015 1:39 PM

All replies

  • Hi,

    It is still available on Win2012 R2

    Authorization Manager

    https://technet.microsoft.com/en-us/library/cc726036.aspx

    How to delegate access in Hyper-V

    http://blog.marcosnogueira.org/how-to-delegate-access-in-hyper-v/

    Planning for Hyper-V Security

    https://technet.microsoft.com/en-us/library/dd283088(v=ws.10).aspx


    Regards,

    Satyajit

Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.



    • Edited by Satyajit321 Thursday, July 16, 2015 5:31 AM
    Thursday, July 16, 2015 5:28 AM
  • Hi,

    It is still available on Win2012 R2

    How to delegate access in Hyper-V

    http://blog.marcosnogueira.org/how-to-delegate-access-in-hyper-v/


    Regards,

    Satyajit

Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Looks like that blog has a lot of false information.
    Thursday, July 16, 2015 5:32 AM
  • Hi,

    Please check my updated post. Which part do you think is false.


    Regards,

    Satyajit

Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.


    • Edited by Satyajit321 Thursday, July 16, 2015 6:18 AM
    Thursday, July 16, 2015 6:18 AM
  • Azman has been deprecated.  It is still there, but it is not supposed to be used.

    "Which part do you think is false?" Starting in step 9 of Marcos' blog, things start going awry.  He is describing how things worked in 2008, not how they work in 2012.  When you try to specify a new role, you have the option to create another Administrator role.  Then on that role, instead of selecting the tasks you want the role to have, you need to remove the tasks you do not want to grant.

    I have not tried creating a second, less 'admin' administrator role to know if things still work the same.  They should because azman is deprecated and not removed.  (Deprecated means that it is still there in this release but do not expect it in 2016.  This gives you time to move away from the technology because it won't be there in the future.)  However, the Microsoft approved way of delegating different tasks has moved from azman to Virtual Machine Manager.


    . : | : . : | : . tim

    • Proposed as answer by BrianEhMVP Thursday, July 16, 2015 4:44 PM
    Thursday, July 16, 2015 1:22 PM
  • Hi Eric\Tim,

    Thanks for clarifying it.


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Friday, July 17, 2015 6:25 AM
  • AzMan itself is still available, but AzMan support for Hyper-V was indeed removed from 2012 R2. The .xml infrastructure is still there but none of it works when targeting a 2012 R2 host. I know there are at least a few posts somewhere on these forums that were started for that very reason.

    As Tim pointed out, what Microsoft wants you to do is use VMM. It's really expensive and much more difficult to work with than AzMan, but right now it's the only Microsoft-provided GUI software solution. I don't know if any third parties have waded into these waters.

    If you're a bit industrious, you can use constrained PowerShell endpoints to grant a much higher degree of control and customization than either AzMan or VMM offer. The problem, though, is that it doesn't work with Hyper-V Manager or any other pre-built GUI tool.


    Eric Siron
    Altaro Hyper-V Blog
    I am an independent blog contributor, not an Altaro employee. I am solely responsible for the content of my posts.

    What do you mean by it doesn't work with Hyper-V Manager?

Would it allow us to configure workstations so that members of a specified security group would be able to open Hyper-V Manager running on their local workstation and see the VMs running, start and shut them down, log into the console, create and revert checkpoints, but not allow anything else such as adding additional VM hardware like disks and networking cards, changing virtual switch settings etc.?

    If so, would the options go away or get grayed out in Hyper-V Manager, or would Hyper-V Manager crash if they tried to edit hardware settings in the Hyper-V Manager GUI after the constrained settings were enabled?

    Saturday, July 18, 2015 4:41 PM
  • A PowerShell endpoint can only be connected to by a PowerShell client. You can roll your own gui but that's it. The capabilities of such an endpoint are only limited by your PowerShell abilities.

    Eric Siron
    Altaro Hyper-V Blog
    I am an independent blog contributor, not an Altaro employee. I am solely responsible for the content of my posts.

    Saturday, July 18, 2015 6:13 PM
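The constrained-endpoint approach Eric describes in this reply and in his accepted answer, as an added example that is not part of the thread and is not the code from his Hyper-V Security book. Every name in it is an assumption: the host HV01, the delegated group CONTOSO\HyperV-Operators, the RunAs account CONTOSO\svc-hvoperator (a member of Hyper-V Administrators), the two VMs WEB01 and APP01, and the .pssc path. It targets the PowerShell 4.0 that ships with 2012 R2, so instead of the later JEA role-capability files it exposes wrapper functions that validate their input and then call the real Hyper-V cmdlets, which stay hidden from the caller.

```powershell
# Added example, not from the thread or from Eric Siron's book. All names are
# placeholders: host HV01, group CONTOSO\HyperV-Operators, RunAs account
# CONTOSO\svc-hvoperator, allowed VMs WEB01 and APP01.
# Sections 1-2 run on the Hyper-V host as a local administrator; section 3 runs
# on the operator's workstation.

# ---- 1. Build the session configuration file ---------------------------------
# Each wrapper validates the VM name against a fixed allow-list and only then
# calls the real Hyper-V cmdlet. The cmdlets themselves are not visible to the
# caller, so Set-VM, Add-VMHardDiskDrive, New-VM and friends are out of reach.
$Functions = @(
    @{ Name = 'Get-OperatorVM'; ScriptBlock = {
        Get-VM -Name 'WEB01', 'APP01' | Select-Object Name, State, Uptime
    } }
    @{ Name = 'Start-OperatorVM'; ScriptBlock = {
        param([Parameter(Mandatory)][ValidateSet('WEB01', 'APP01')][string]$Name)
        Start-VM -Name $Name -Passthru | Select-Object Name, State
    } }
    @{ Name = 'Stop-OperatorVM'; ScriptBlock = {
        param([Parameter(Mandatory)][ValidateSet('WEB01', 'APP01')][string]$Name)
        Stop-VM -Name $Name -Passthru | Select-Object Name, State
    } }
    @{ Name = 'Checkpoint-OperatorVM'; ScriptBlock = {
        param([Parameter(Mandatory)][ValidateSet('WEB01', 'APP01')][string]$Name,
              [Parameter(Mandatory)][ValidatePattern('^[\w\- ]{1,64}$')][string]$SnapshotName)
        Checkpoint-VM -Name $Name -SnapshotName $SnapshotName -Passthru |
            Select-Object VMName, Name, CreationTime
    } }
    @{ Name = 'Restore-OperatorVM'; ScriptBlock = {
        param([Parameter(Mandatory)][ValidateSet('WEB01', 'APP01')][string]$Name,
              [Parameter(Mandatory)][string]$SnapshotName)
        # 2012 R2 cmdlet name; -Confirm:$false because the session has no prompt
        Restore-VMSnapshot -VMName $Name -Name $SnapshotName -Confirm:$false
    } }
)

# RestrictedRemoteServer puts the session in NoLanguage mode and hides every
# command except the functions listed, plus a handful of built-ins such as
# Get-Command and Select-Object.
$ConfigPath = "$env:ProgramData\HyperVOperator.pssc"
New-PSSessionConfigurationFile -Path $ConfigPath `
    -SessionType RestrictedRemoteServer `
    -ModulesToImport Hyper-V `
    -VisibleFunctions ($Functions | ForEach-Object { $_.Name }) `
    -FunctionDefinitions $Functions

# ---- 2. Register the endpoint -----------------------------------------------
# The session runs as svc-hvoperator, so operators need no Hyper-V rights of
# their own; the five wrapper functions are the entire surface they get.
$RunAs = Get-Credential -UserName 'CONTOSO\svc-hvoperator' -Message 'RunAs account for the endpoint'

# SDDL: local Administrators keep full control (GA); the operator group gets
# read + execute (GRGX), which is what it takes to connect to the endpoint.
$Account  = New-Object System.Security.Principal.NTAccount('CONTOSO', 'HyperV-Operators')
$GroupSid = $Account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$Sddl     = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GRGX;;;$GroupSid)"

# -Force restarts the WinRM service.
Register-PSSessionConfiguration -Name 'HyperV.Operator' -Path $ConfigPath `
    -RunAsCredential $RunAs -SecurityDescriptorSddl $Sddl -Force

# Check what was registered: who may connect and which account it runs as.
Get-PSSessionConfiguration -Name 'HyperV.Operator' | Select-Object Name, Permission, RunAsUser

# ---- 3. Operator side ---------------------------------------------------------
# Only a PowerShell client can use the endpoint; Hyper-V Manager and vmconnect
# never see it. Because the session is NoLanguage, the operator can only run the
# visible commands with literal arguments, not write script.
$s = New-PSSession -ComputerName HV01 -ConfigurationName 'HyperV.Operator'
Invoke-Command -Session $s -ScriptBlock { Get-OperatorVM }
Invoke-Command -Session $s -ScriptBlock { Checkpoint-OperatorVM -Name WEB01 -SnapshotName 'pre-change' }
Invoke-Command -Session $s -ScriptBlock { Restore-OperatorVM -Name WEB01 -SnapshotName 'pre-change' }
# Out-of-scope attempts fail closed: APP02 is rejected by ValidateSet, and
# Set-VM is reported as "not recognized" because it is not visible here.
Invoke-Command -Session $s -ScriptBlock { Start-OperatorVM -Name APP02 }
Invoke-Command -Session $s -ScriptBlock { Set-VM -Name WEB01 -ProcessorCount 8 }
Remove-PSSession $s
```

This is the trade-off the thread turns on: the endpoint gives exactly the start, stop, checkpoint and revert scope the original question asked for, with hardware and switch changes unreachable rather than greyed out, but the operator works from a PowerShell session (or a GUI you write around `Invoke-Command`) and still needs a separate path to the VM console, since Hyper-V Manager cannot connect to a session configuration.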
  • I'm still trying to understand how this could work in a user-friendly fashion based on what you are posting here.

    Are you saying that the Hyper-V Manager GUI would not work or not be constrained by this?

    Can we just create shortcuts to run the PowerShell commands to power on the VM and revert to the saved checkpoint?  If so, how do they see the VM console session running without having Hyper-V Manager?


    Saturday, July 18, 2015 6:38 PM
  • No hvm. Any user-friendliness comes from whatever effort you put into it. I'm traveling and using a phone so limited on answer. Start at the link I pasted above and do some searching on constrained endpoints to see if you even think it's worth exploring. As much as I dislike self-promotion, I have an example in the code download for my Hyper-V Security book that shows how to start, stop, and run get VM against one specific virtual machine and limit access to that script set to a specific group.


    Eric Siron
    Altaro Hyper-V Blog
    I am an independent blog contributor, not an Altaro employee. I am solely responsible for the content of my posts.

    Saturday, July 18, 2015 11:06 PM
  • OK thanks.  Sounds like this would be too crude of a workaround for the deprecated AZMan features for us.
    Saturday, July 18, 2015 11:11 PM
  • Microsoft has moved this capability into Virtual Machine Manager.  Many people consider that a pretty heavy lift for this one ability, but it is what it is.  There are a lot of other benefits to be had by putting VMM into place, so look at the entire capability to see if there is enough benefit, in addition to delegation, that would encourage you to use VMM.

    . : | : . : | : . tim

    Monday, July 20, 2015 7:05 PM
  • Dear Eric,

Where are we standing today on this issue? When working on 2012 R2, AzMan does not seem to be working. If we are using SCVMM for administrative purposes, is it appropriate to use SCVMM for technicians as well? If we want to delegate limited access to a VM user/owner so that he may stop/start the VM etc. but cannot change VM properties related to disk/configuration, is it possible to access the VM through vmconnect or the Hyper-V role with limited SCVMM rights? The other thing is that we require another Server 2012 R2 machine and have to install the SCVMM console on it, which has its own requirements like SQL Server, just to get limited access to a VM.

Please guide in this regard. Thank you.

    Sunday, December 10, 2017 5:21 PM