Delegate Hyper-V Access Control and Management through Authorization Manager (azman.msc)

A few weeks ago I had to delegate access control for Hyper-V.

Because our System Center Virtual Machine Manager was dysfunctional, we had to switch to a different kind of security.

We therefore used Authorization Manager:

Preparations

Add the necessary groups to Active Directory prior to the installation.

Add the appropriate users to the groups.

Configuring the Authorization Manager

First, start Authorization Manager: azman.msc

This is a standard error, so don’t worry about it.

Right-click and select Open Authorization Store

Select XML and add this location:
C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml

By default there are 2 Role definitions

Task Definitions

Add a New Task Definition

Give this task a Name and select Add

Click OK

On the Operations tab, select all the required options for this Task

Click OK and add all the tasks you need

Role Definitions

Right-click and select New Role Definition

Enter a preferred name and click Add

On the Tasks tab, select the preferred task and click OK

Click OK

Execute these actions for all roles

Role Assignment

As you can see, some of the Role Definitions aren’t listed under Role Assignments

Select New Role Assignment

Select all of the roles you need to use

Select Assign Users and Groups => From Windows and Active Directory

Enter the group name and select Check Names

Select the preferred group

Click OK

Follow these steps for every Role assignment
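The same three stages (task definition, role definition, role assignment) can be scripted through the AzMan COM interface and read back for review. This is an added example, not part of the original post; the task, role and group names are hypothetical placeholders, and the operation names and the application name "Hyper-V services" are assumptions that must match what your store actually contains.

```powershell
# Added example: scripts the GUI steps above through the AzMan COM API.
# Run elevated on the Hyper-V host.
$storePath  = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'
$appName    = 'Hyper-V services'          # assumed default application name
$taskName   = 'View VMs'                  # hypothetical task definition name
$roleName   = 'VM Viewer'                 # hypothetical role definition name
$group      = 'CONTOSO\HyperV-Viewers'    # hypothetical AD group (placeholder)
# Assumed operation names; they must match entries in $app.Operations exactly.
$operations = 'Read Service Configuration', 'View Virtual Machine Configuration'

# Keep a copy of the store so a bad edit can be rolled back.
Copy-Item $storePath "$storePath.bak" -ErrorAction Stop

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$storePath")
$app = $store.OpenApplication($appName)

# Fail early if an assumed operation name is not defined in this store.
$known   = @($app.Operations | ForEach-Object { $_.Name })
$missing = @($operations | Where-Object { $known -notcontains $_ })
if ($missing.Count) { throw "Unknown operations: $($missing -join ', ')" }

# Task definition: a named bundle of operations.
$task = $app.CreateTask($taskName)
$operations | ForEach-Object { $task.AddOperation($_) }
$task.Submit()

# Role definition: a task flagged as a role definition that contains the task.
$roleDef = $app.CreateTask($roleName)
$roleDef.IsRoleDefinition = $true
$roleDef.AddTask($taskName)
$roleDef.Submit()

# Role assignment: links the role definition to the AD group.
$role = $app.CreateRole($roleName)
$role.AddTask($roleName)
$role.AddMemberName($group)
$role.Submit()

# Read back every role assignment to confirm who holds which role.
foreach ($r in $app.Roles) {
    [pscustomobject]@{
        Role    = $r.Name
        Tasks   = @($r.Tasks) -join '; '
        Members = @($r.MembersName) -join '; '
    }
}
```

The read-back loop at the end is also useful on its own as a periodic review of who has been delegated access in the store.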

Enjoy Hyper-V!

4 comments to Delegate Hyper-V Access Control and Management through Authorization Manager (azman.msc)

  • Remigiusz

    Hi Richard
    I have a problem with delegating access to Windows Hyper-V Server 2012.
    I’ve tried it as you describe, but after that I can’t connect with my Hyper-V console.
    If I add the user to the local Administrators group or Hyper-V Administrators, then I can connect via the Hyper-V console, but then I have full access to Hyper-V and I can change everything.
    I have two Hyper-V servers with a failover cluster.
    Should the user who should have read-only permission be in some local group on the Hyper-V Server?
    I need to assign read-only permission. Could you help me?

    • Richard Voogt

      Hi Remigiusz,

      Have you created the right role assignment groups, and added the rights to this group?
      Unfortunately my test servers don’t have the azman option anymore, so I can’t recreate your situation.

  • Quintijn

    This does not work with Server 2012 R2 due to the fact that the Azman.msc utility has been deprecated (https://technet.microsoft.com/en-us/library/dn303411.aspx). Did not find another solution yet.
