Hyper-V Failed to create a new virtual machine A required privilege is not held by the client

  • Question

  • I am running Windows Server 2008 Enterprise Edition x64 with Hyper-V RTM installed.  I am testing the use of the Windows Server Security Guide settings for Specialized Security - Limited Functionality.  Hyper-V installed fine and I was able to create Virtual Machines prior to putting the physical server into an OU with the restrictive policies.  Hyper-V and all of my previously created VMs continued to work after I put the physical server into an OU with the restrictive policies.  Now, when I attempt to create a VM, I get an error that states:

    The server encountered an error while creating a new virtual machine.

    Failed to create a new virtual machine.

    An unexpected error occurred:  A required privilege is not held by the client.


    Has anyone else encountered this error?  Can anyone tell me what are the minimum privileges that need to be applied to allow me to create a new VM?  I think this is probably a User Rights Assignment issue. 

    I can create a new VM if I put the physical server back into an OU that does not have the restrictive policies applied.  I really need to figure out the minimum rights needed so that everything can work in a highly secured environment.

    Thanks,
    Jim Dahl
    Monday, September 29, 2008 3:20 PM

Answers

  • Hello,

    May I know how you performed this?

    Which users are you using to log onto these computers? Did you use the same user account? Did you join the user account into the local Administrators group?

    After joining the Hyper-V server into the specific OU and logging onto the Hyper-V server, would you please check the following settings?

    1. Check the following services to see if they are running as the Local System account:

         Hyper-V Image Management Service;
         Hyper-V Network Management Service;
         Hyper-V Virtual Machine Service.

    2. Check if you have assigned the proper permissions to the specific user (current logon user):

    · For testing, join the current logon user into the local Administrators group of the Hyper-V server and restart the Hyper-V server to see if the problem remains.

    · If the problem disappears after joining the user account to the local Administrators group, then it indicates that the user doesn't have proper permissions. You should do some additional jobs to give the user proper permissions if you don't want to join the account into the local Administrators group:

    1. Please refer to the following articles for detailed information about how to use AzMan to assign a user the proper permissions to perform specific Hyper-V tasks. Dung gave the detailed steps and information on this:

    http://dungkhoang.spaces.live.com/blog/cns!31A50D02D661C816!269.entry   (part 1 to part 6)

    2. Note that if you want to assign the 'creating virtual machines' permission to a user, you should at least add the following Operations:

    Read Service Configuration
    Create Virtual Machine
    Change Virtual Machine Authorization Scope
    Allow Output from a Virtual Machine


    Best regards,

    Chang Yin
    • Marked as answer by Chang Yin Tuesday, October 7, 2008 2:29 AM
    Friday, October 3, 2008 9:08 AM

All replies

  • I am having the same issue.  I used to be able to create VMs no problem, but no longer can.
    Wednesday, May 6, 2009 3:26 PM
  • You are correct.  A user rights setting can cause this error. 

    If you change the default setting for “Create Symbolic Link” on a Hyper-V Server you can get this error.  This is due to the Virtual machines needing this right in order to link to the VHA storage areas.  By default, when you install the Hyper-V role, a special group called "virtual machines" is created and given the “Create Symbolic Link” right.  If you change this right with say a GPO (following a misguided STIG maybe?) you will not be able to create virtual machines and will get the above error.  This group contains all the virtual machine Service SIDs.

    Look here for more info: http://www.virtualizationadmin.com/articles-tutorials/microsoft-hyper-v-articles/storage-management/hyper-v-file-storage-permissions.html

    Check your restrictive policies GPO for this setting.

    • Proposed as answer by ZenShaze Monday, September 21, 2009 7:54 PM
    Monday, September 21, 2009 7:01 PM
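
Added example (not part of the original thread): one way to check a restrictive GPO for the "Create Symbolic Link" setting described in the last reply, by parsing the `[Privilege Rights]` section of a security template (`GptTmpl.inf` or a `secedit /export` file) and testing whether the Virtual Machines group still holds the right. It assumes the well-known SID `S-1-5-83-0` for `NT VIRTUAL MACHINE\Virtual Machines`; the sample templates and function names are constructed for this example.

```python
# Constructed samples in the [Privilege Rights] format of GptTmpl.inf / secedit exports.
RESTRICTIVE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""
CORRECTED_INF = RESTRICTIVE_INF.replace(
    "SeCreateSymbolicLinkPrivilege = *S-1-5-32-544",
    "SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-5-83-0")

RIGHT = "SeCreateSymbolicLinkPrivilege"  # "Create symbolic links" user right
# Assumption: the Virtual Machines group appears by SID or by name in the template.
VM_GROUP = {"s-1-5-83-0", r"nt virtual machine\virtual machines"}

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; account names are not.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def check_symlink_right(inf_text):
    """Classify how the template treats the right for the Virtual Machines group."""
    rights = parse_privilege_rights(inf_text)
    if RIGHT not in rights:
        return "not-defined"        # template leaves the local assignment untouched
    holders = {p.lower() for p in rights[RIGHT]}
    # A defined user-rights setting replaces the local list, so absence means removal.
    return "ok" if holders & VM_GROUP else "vm-group-missing"

if __name__ == "__main__":
    for label, text in (("restrictive", RESTRICTIVE_INF), ("corrected", CORRECTED_INF)):
        print(label, "->", check_symlink_right(text))
```

When reading a real export from disk, open it with `encoding="utf-16"`, since these templates are normally saved as Unicode.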