Required privilege to mount a VHD?

  • Question

  • Hi,

    We are trying to mount a VHD from a service running with "Network Service" privilege on parent partition using Msvm_ImageManagementService::Mount() method. The mount job fails with "Failed (32768)" and eventID 15280 is logged. The error description in MSVM_StorageJob indicates that "A required privilege is not held by the client".

    My question is: What is the proper way to provide this privilege to a service running as "Network Service"?

    I tried adding the "Network Service" account to the local "Administrators" group, but the mount method still fails with the same error. I tried editing the Authorization Store XML using azman.msc: added "Network Service" to the "Administrator" group using "Assign Users and Groups", but that did not help either.

    The code works when I run it under local administrator privilege.

    Thanks,

    -AJ.

    Sunday, June 27, 2010 11:51 PM

Answers

  • Hiya,

    Not answering the question, but wouldn't it be better to run the job with a specific application account rather than built-in accounts? This way it should be more clear what is needed, as you can set the rights accordingly and not have to face "the unknown" of these built-in accounts.

    • Proposed as answer by Vincent Hu Tuesday, June 29, 2010 8:51 AM
    • Marked as answer by Vincent Hu Wednesday, June 30, 2010 6:57 AM
    Monday, June 28, 2010 11:07 AM
  • You need to research using Authorization Manager with Hyper-V. This will give you the details of how Hyper-V security works.

    Personally, I second Jesper. As the Network Service account is a very restricted account by design, do not open its permissions, but rather use a different account.

    And yes, by default the local administrators group can do everything (this is defined in the local machine Authorization Manager settings and tied to the local administrators group).

    Brian Ehlert (hopefully you have found this useful)
    • Proposed as answer by Vincent Hu Tuesday, June 29, 2010 8:51 AM
    • Marked as answer by Vincent Hu Wednesday, June 30, 2010 6:57 AM
    Monday, June 28, 2010 3:42 PM
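
The mount call and job-error lookup described in the question, written out as an added example that is not part of the original thread: run it under the account being evaluated (for instance a dedicated service account, as the answers suggest) to see the caller identity, the privileges its token holds, and the error text the storage job reports. It assumes the Hyper-V WMI namespace `root\virtualization`; the VHD path is a placeholder.

```powershell
# Added example, not code from the thread.
# Assumptions: Hyper-V WMI namespace root\virtualization; $VhdPath is a placeholder path.
param([string]$VhdPath = 'C:\VHDs\example.vhd')

$ns = 'root\virtualization'

# Record which identity is making the call and which privileges its token holds,
# so a "required privilege is not held" failure can be compared against this list.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
Write-Output ("Caller: {0}" -f $identity.Name)
whoami /priv

$svc = Get-WmiObject -Namespace $ns -Class Msvm_ImageManagementService
if (-not $svc) { throw "Msvm_ImageManagementService not found in $ns" }

# Mount returns 0 (done), 4096 (asynchronous job started) or an error code.
$result = $svc.Mount($VhdPath)
if ($result.ReturnValue -eq 0) {
    Write-Output 'Mount completed synchronously.'
    return
}
if ($result.ReturnValue -ne 4096) {
    throw ("Mount returned {0} without starting a job" -f $result.ReturnValue)
}

# Poll the storage job until it leaves Starting (3) / Running (4).
$job = [wmi]$result.Job
while ($job.JobState -eq 3 -or $job.JobState -eq 4) {
    Start-Sleep -Milliseconds 500
    $job.Get()
}

if ($job.JobState -eq 7) {
    # 7 = Completed
    Write-Output ("Mounted {0} as {1}" -f $VhdPath, $identity.Name)
} else {
    # Any other terminal state: surface the fields the question quotes.
    Write-Output ("Job state       : {0}" -f $job.JobState)
    Write-Output ("ErrorCode       : {0}" -f $job.ErrorCode)
    Write-Output ("ErrorDescription: {0}" -f $job.ErrorDescription)
    exit 1
}
```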
