Hyper-V Security 101 – Virtualization Administration Delegation of Hyper-V and SCVMM


When running Hyper-V, you do not need to be at the console to manage your virtualization platform. In fact, it is strongly recommended that you delegate these rights. If you let someone log in to a server with administrative permissions, they basically have the “keys to the kingdom”. We do not usually want to do this. A much better approach is to give them the rights they need to administer the Hyper-V platform using rights delegation. Let’s take a look at the steps to actually do this. First we will look at doing it for implementations that do not use SCVMM, and then we will set up delegation where SCVMM is in the environment.

  • In-Box Delegation of Administration of Hyper-V
    • Open the Run dialog (launch it from the Start menu or press Windows Key + R).
    • Start mmc.exe.
    • Open the File menu, and select Add/Remove Snap-in…
    • From the Available snap-ins list, select Authorization Manager.
    • Click Add, and then click OK.
    • Click on the new Authorization Manager node in the left panel.
    • Open the Action menu, and select Open Authorization Store…
    • Choose XML file for the Select the authorization store type: option, and then use the Browse… button to open \ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml on the system partition (ProgramData is a hidden directory, so you will need to type it in first).
    • Click OK.
    • Expand InitialStore.xml, then Microsoft Hyper-V services, then Role Assignments, and finally select Administrator.
    • Open the Action menu, and select Assign Users and Groups then From Windows and Active Directory…
    • Enter the name of the user that you want to be able to control Hyper-V, and click OK.
    • Close the MMC window (you can save or discard your changes to Console 1 – this does not affect the authorization manager changes that you just made).
  • SCVMM Delegation of Administration
    • To add a Delegated Administrator user role in VMM 2008:
    • In the User Roles view in the VMM Administrator Console, click New User Role in the Actions pane. The New User Role Wizard appears.
    • On the General page, type a User role name and Description, and then select Delegated Administrator in the User Role Profile list. Click Next.
    • On the Add Members page, click Add, and then type the names of the Active Directory® users or groups you want to add to this role. Click Next.
    • Select the host groups and library servers that you want to enable members of the user role to manage. Click Next.
    • On the Summary page, review the user role settings, and click Create.
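
The in-box Authorization Manager steps above can also be scripted, which makes it easy to audit who already holds each Hyper-V role before granting anything new. The PowerShell below is an added example, not code from the original post: it uses the AzMan COM interface, the group name `CONTOSO\HyperV-Admins` is a placeholder, and the store is assumed to sit at the default path given in the steps.

```powershell
# Added example: audit, then optionally extend, the Hyper-V authorization store.
# Run from an elevated prompt on the Hyper-V host.
param(
    [string]$Group    = 'CONTOSO\HyperV-Admins',   # placeholder AD group (assumption)
    [string]$RoleName = 'Administrator',           # role assignment named in the steps
    [switch]$Apply                                 # without -Apply nothing is changed
)

$storePath = Join-Path $env:ProgramData 'Microsoft\Windows\Hyper-V\InitialStore.xml'
if (-not (Test-Path -LiteralPath $storePath)) {
    throw "Authorization store not found: $storePath"
}

# Open the XML store through Authorization Manager (flag 0 = open existing store).
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$storePath")

# Locate the Hyper-V application by name instead of hard-coding the exact label.
$app = $null
foreach ($candidate in $store.Applications) {
    if ($candidate.Name -like '*Hyper-V services*') { $app = $candidate }
}
if (-not $app) { throw 'No Hyper-V services application found in the store.' }

# Audit: print every role assignment and its current members.
foreach ($r in $app.Roles) {
    '{0}: {1}' -f $r.Name, (@($r.MembersName) -join '; ')
}

# Delegate to a group (easier to review and revoke than individual accounts).
$role    = $app.OpenRole($RoleName)
$members = @($role.MembersName)          # -contains below is case-insensitive
if ($members -contains $Group) {
    "$Group is already assigned to '$RoleName'; no change made."
}
elseif ($Apply) {
    $role.AddMemberName($Group)          # resolves the account name to a SID
    $role.Submit()                       # persists the change to InitialStore.xml
    "Added $Group to '$RoleName'."
}
else {
    "Dry run: would add $Group to '$RoleName'. Re-run with -Apply to commit."
}
```

Keep a copy of the audit output with your change records so that later reviews can spot members that were added outside the approved process.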

 

More info needed? Check out Ben Armstrong’s blog post: Hyper-V Management + Delegated Administration + SCVMM