I had a requirement to delegate to non-Hyper-V administrators the ability to run PowerShell scripts based on the “PowerShell management Library for Hyper-V” available on CodePlex. The task required a number of steps to achieve, including giving non-admins permission to run PowerShell remotely and access to WMI.
I have included references to acknowledge sources.
To be able to delegate restoring the newest snapshot of Hyper-V virtual machines, there are a number of steps to configure.
1. Enable PS Remoting – Workstation
From the workstation, run the following commands from within PowerShell to enable remoting. The AllowUnencrypted setting lets the WinRM client send unencrypted traffic, and the TrustedHosts command trusts all computer names; you should only use the wildcard for servers you trust on your intranet.
cd WSMan:\localhost\Client
Set-Item AllowUnencrypted -Value $true -force
Set-Item TrustedHosts -Value * -force
The following 5 steps need to be performed on the Hyper-V host.
1. Create a Local Group
Create a local group called, say, “Hyper-V_Delegated_Admins”.
2. Enable PS Remoting for Hyper-V Server
Ensure that PS Remoting is enabled on the Hyper-V server by running the following command from a PowerShell prompt:
Enable-PSRemoting -force
3. Enable PS Remote Session Support for Non-Admins
Reference http://msgoodies.blogspot.co.uk/2009/09/using-ps-session-without-having.html
From a PowerShell prompt, run the command:
Set-PSSessionConfiguration microsoft.powershell -ShowSecurityDescriptorUI
Press Enter to bring up the PowerShell permissions GUI.
Add the local group “Hyper-V_Delegated_Admins” and grant Execute (Invoke) permissions.
Press Enter to accept the changes.
4. Delegate Hyper-V
In my environment the Hyper-V servers are managed by another team via SCVMM. With the SCVMM agent deployed, the authorization store is in a different location; see the reference for details.
Run MMC and add “Authorization Manager”
Right click Authorization Manager snapin and Open Authorization Store …
Select the XML file store type and paste the following:
C:\ProgramData\Microsoft\Virtual Machine Manager\HyperVAuthStore.xml
Expand “HyperVAuthStore.xml”
Expand “Virtual Machine Manager”
Expand “Role assignments”
Right click on “Administrator” and Choose “Assign Users and Groups” “From Windows and Active Directory…”
Change Locations to the local computer
Add local group “Hyper-V_Delegated_Admins”
5. Enable WMI Permissions to root\virtualization for non-Admins
Run MMC and add “WMI Control”
Right click “WMI Control” and select Properties
Select the “Security” tab
Expand Root
Scroll down and select “virtualization” and click on Security button
Click Add and change locations to local computer
Paste the local group name “Hyper-V_Delegated_Admins”
Click on “Check Names” button
Check “Allow” for all permissions
Click on “Advanced” button and highlight “Hyper-V_Delegated_Admins”
Click Edit and change “Apply to:” from “This namespace only” to “This namespace and subnamespaces”
Click OK
Click Apply button and then OK
Click OK twice to close “WMI Control”
Close the MMC and do not save MMC console.
Sample Script to test remote restore of newest snapshot of a VM.
Invoke-Command -ComputerName "yourHostname" -Credential "your credentials" `
    -ScriptBlock {
        Import-Module -Name 'C:\Program Files\modules\HyperV'
        C:\Scripts\Restore-Snapshot.ps1
    }
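To confirm what the steps above actually granted, the following read-only review can be run afterwards. It is an added example, not part of the original post or of the CodePlex library; the function names Get-DelegationReview and Get-ClientRemotingReview are hypothetical, and it assumes an elevated PowerShell prompt and the group name used in this post.

```powershell
# Added example: read-only review of the delegation configured in the steps above.
# Run Get-DelegationReview elevated on the Hyper-V host.
function Get-DelegationReview {
    param(
        [string]$Group     = 'Hyper-V_Delegated_Admins',   # group name from this post
        [string]$Namespace = 'root\virtualization'
    )

    # Step 1: list who is actually in the delegated local group.
    $adsi    = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $members = @($adsi.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }

    # Step 3: principals allowed to open a session on the default endpoint.
    $endpoint = Get-PSSessionConfiguration -Name microsoft.powershell

    # Step 5: read the WMI namespace security descriptor and keep the group's ACEs.
    $sd = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
        -Name GetSecurityDescriptor
    if ($sd.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($sd.ReturnValue)" }
    $aces = $sd.Descriptor.DACL |
        Where-Object { $_.Trustee.Name -eq $Group } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Trustee       = $_.Trustee.Name
                AccessMask    = '0x{0:X}' -f $_.AccessMask
                # CONTAINER_INHERIT_ACE (0x2) means "This namespace and subnamespaces"
                Subnamespaces = [bool]($_.AceFlags -band 0x2)
            }
        }

    New-Object PSObject -Property @{
        GroupMembers       = $members
        EndpointPermission = $endpoint.Permission
        WmiAces            = $aces
    }
}

# Run on the workstation: show the two WinRM client settings changed in the first step.
function Get-ClientRemotingReview {
    New-Object PSObject -Property @{
        TrustedHosts     = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
        AllowUnencrypted = (Get-Item WSMan:\localhost\Client\AllowUnencrypted).Value
    }
}
```

An empty WmiAces value means the group has no ACE on the namespace, and a TrustedHosts value of * means the client will send credentials to any host name it is given.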
Great to see you on the blogosphere!
For a second post I’d love to see a summary of getting PowerShell remoting working, including possible challenges like memory exhaustion and how to mitigate the issues.
Cheers
Mike
PS…. your font is too big. 🙂
Where’s your 2nd post?