Hyper-V Delegation


I had a requirement to delegate to non Hyper-V administrators the ability to run PowerShell scripts based on the “PowerShell management Library for Hyper-V” available on CodePlex. The task required a number of steps to achieve,  including giving permissions for non admins to run PowerShell remotely, and access to WMI.

I have included references to acknowledge sources.

To be able to delegate the restoring of newest snapshot of Hyper-V virtual machines there are a number of steps to configure.

1. Enable PS Remoting – Workstation

From the workstation run the following commands from within PowerShell to enable remoting. This trusted hosts command trusts all computer names, you should only use wildcard for servers you trust on your intranet.

cd wsman:localhost\Client
Set-Item AllowUnencrypted -Value $true -force
Set-Item TrustedHosts -Value * -force

 

The Following 5 steps need to be performed on a Hyper-V host

1. Create a Local Group

Create a local group called say “Hyper-V_Delegated_Admins”

2. Enable PS Remoting for Hyper-V Server

Ensure that PS Remoting is enabled on the Hyper-V server by running from a PowerShell prompt the commands;

Enable-PSRemoting -force

3. Enable PS Remote Session Support for Non-Admins

Reference http://msgoodies.blogspot.co.uk/2009/09/using-ps-session-without-having.html

From a PowerShell prompt run command;

Set-PSSessionConfiguration microsoft.powershell -ShowSecurityDescriptorUI

Enter to bring up PowerShell Permissions GUI

add the local group “Hyper-V_Delegated_Admins” and grant execute (invoke) permissions.

Enter to accept changes.

4. Delegate Hyper-V

In my environment the Hyper-V servers are managed by another Team via SCVMM, the Authorization store is in a different location with the SCVMM agent deployed, see the reference for details.

reference http://social.technet.microsoft.com/wiki/contents/articles/what-vmm-does-with-azman-role-definitions-from-hyper-v.aspx

Run MMC and add “Authorization Manager”

Right click Authorization Manager snapin and Open Authorization Store …

Select XML file store Type and paste following;

C:\ProgramData\Microsoft\Virtual Machine Manager\HyperVAuthStore.xml

Expand “HyperVAuthStore.xml”

Expand “Virtual Machine Manager”

Expand “Role assignments”

Right click on “Administrator” and Choose “Assign Users and Groups” “From Windows and Active Directory…”

Change Locations to the local computer

Add local group “Hyper-V_Delegated_Admins”

5. Enable WMI Permissions to root\virtualization for non-Admins

run MMC and add “WMI Control”

Right click “WMI Control” and select Properties

Select the “Security” tab

Expand Root

Scroll down and select “virtualization” and click on Security button

Click Add and change locations to local computer

Paste the local group name “Hyper-V_Delegated_Admins”

Click on “Check Names” button

Check “Allow” for all permissions

Click on “Advanced” button and highlight “Hyper-V_Delegated_Admins”

Click Edit and change “Apply to: from “This namespace only” to “This namespace and subnamespaces”

Click OK

Click Apply button and then OK

Click OK twice to close “WMI Control”

Close the MMC and do not save MMC console.

Sample Script to test remote restore of newest  snapshot of a VM.

Invoke-Command -ComputerName “yourHostname” -Credential “your credentials”  `

-ScriptBlock {

import-module -name ‘C:\Program Files\modules\HyperV’

C:\Scripts\Restore-Snapshot.ps1
}

Posted in Hyper-V | Tagged | 3 Comments