How to delegate access in Hyper-V

In some medium/large organizations, it is common practice to have different access levels for systems, such as administrator, help desk, support and auditor. When implementing virtual machines on Hyper-V servers, it is important to reflect these access levels as well.

Hyper-V in Windows Server 2012 makes this task easier when you only need to nominate particular users or groups as Hyper-V Administrators, but you might also face scenarios where different access levels are required. To add advanced permissions during this task you will need groups (using groups rather than individual users is also the recommended practice). You can create and use local groups or Active Directory groups.

NOTE: Make sure you have created them before you start.

How to do it

The following steps show how to delegate control for a user by using the local Hyper-V Administrators group and by using Authorization Manager (AzMan) for advanced delegations:

1. To add users or groups as members of the local Hyper-V Administrators, open the Start menu and type computer. From Search Results, click on Computer Management.

2. In the Computer Management console, expand System Tools > Local Users and Groups and click on Groups.

3. In the group list, double-click on the Hyper-V Administrators group, as shown in the following screenshot:

[Screenshot: the Hyper-V Administrators group in the Computer Management group list]

4. In the Hyper-V Administrators Properties window, click on Add, type the groups or users you want to add into the group, and click on OK twice.

5. To add advanced permissions for a group in Hyper-V, open the Start menu and type AzMan.msc to open the Authorization Manager console.

6. In the Authorization Manager console, right-click on Authorization Manager and select Open Authorization Store.

7. In the Open Authorization Store option, under Store Name, type the path C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml and click on OK.

8. Under the Authorization Manager console, expand Hyper-V services > Definitions, right-click on Role Definitions, and select New Role Definition.

9. In the New Role Definition window, specify the name of the role you want to use.

10. Then, under Description, specify the role description and click on OK. Role Definitions will be listed as shown in the following screenshot:

[Screenshot: Role Definitions listed in the Authorization Manager console]

11. In the Authorization Manager console, right-click on Task Definitions and select New Task Definition.

12. In the New Task Definition window, under Name, specify the task name.

13. Then, under Description, add a description for your task and click on OK. The tasks will be listed in the right-hand pane, as shown in the following screenshot:

[Screenshot: Task Definitions listed in the right-hand pane of the Authorization Manager console]

14. To add a definition into a task, click on Task Definition and double-click on a task.

15. Click on the Definition tab and select Add.

16. In the Add Definition window, select the Operations tab.

17. Select the operations you want from the list, as shown in the following screenshot, and click on OK:

[Screenshot: the Operations tab of the Add Definition window]

18. To add a Task Definition into a Role Definition, click on Role Definitions and select the role you want to change.

19. In the Role Definition properties, click on the Definition tab.

20. Under the Definition tab, click on Add.

21. In the Add Definition window, select the Tasks tab, select the tasks you want to link to the Role Definition, and click on OK.

22. To assign a role, right-click on Role Assignments and select New Role Assignment.

23. In the Add Role window, select the Role Definition you want to add, and click on OK.

24. To assign a user or a group to a role, right-click on the group you want, select Assign Users and Groups, and click on From Windows and Active Directory…, as shown in the following screenshot:

[Screenshot: Assign Users and Groups > From Windows and Active Directory… on a role assignment]

25. In the Select Users or Groups window, enter the object names and click on OK.

After that, you can log in to Hyper-V as a user who is a member of a group that was assigned to a role, to check the permissions that have been added.
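To review the outcome of the steps above from the host side, here is an added PowerShell audit script (not part of the original post): it lists the members of the local Hyper-V Administrators group and expands every AzMan role assignment in InitialStore.xml to the operations it effectively grants, flagging assignments that are equivalent to full administration. It assumes the default store path used in step 7, the AzRoles COM API, and an elevated session on the Hyper-V host.

```powershell
# Added example (not from the original post): audit who can manage Hyper-V on this host.
# Assumes: run elevated on the host, AzMan store at the default path from step 7.
$StorePath = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'

# 1. Members of the built-in Hyper-V Administrators group (full Hyper-V rights).
Write-Host "== Local 'Hyper-V Administrators' members =="
$group = [ADSI]"WinNT://./Hyper-V Administrators,group"
$group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
}

# 2. AzMan role assignments and the operations they effectively grant.
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$StorePath", $null)      # 0 = open the existing store
$app = $store.OpenApplication('Hyper-V services', $null)

# Resolve a task (or role definition, which AzMan stores as a task) to the
# operations it grants, walking nested tasks so linked definitions are expanded.
function Get-TaskOperations($app, [string]$taskName, $seen = @{}) {
    if ($seen.ContainsKey($taskName)) { return @() }   # guard against task cycles
    $seen[$taskName] = $true
    $task = $app.OpenTask($taskName, $null)
    $ops = @($task.Operations)
    foreach ($child in @($task.Tasks)) {
        $ops += Get-TaskOperations $app $child $seen
    }
    return $ops | Sort-Object -Unique
}

$totalOps = @($app.Operations).Count
Write-Host "`n== AzMan role assignments in $StorePath ($totalOps operations defined) =="
foreach ($role in $app.Roles) {
    $ops = @($role.Operations)
    foreach ($t in @($role.Tasks)) { $ops += Get-TaskOperations $app $t }
    $ops = @($ops | Sort-Object -Unique)
    Write-Host "Role assignment: $($role.Name)"
    Write-Host "  Members   : $(@($role.MembersName) -join ', ')"
    Write-Host "  Operations: $($ops.Count) of $totalOps"
    # An assignment that grants every operation is equivalent to full Hyper-V admin.
    if ($ops.Count -eq $totalOps) {
        Write-Warning "'$($role.Name)' grants ALL Hyper-V operations; review its members."
    }
}
```

Run it before and after a delegation change to confirm that a new role only carries the operations its tasks were meant to grant.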

IMPORTANT: In Windows Server 2008, 2008 R2 and 2008 R2 SP1, there is no local group to administer Hyper-V. Normally, to be able to manage Hyper-V, users are added into the local administrator group.

Summary

Since Windows Server 2012, during Hyper-V installation, a new group is created, named Hyper-V Administrators. When a user is added to this group, they can do anything regarding Hyper-V, but they don’t have any other rights on the local server.

Even with the local Hyper-V group, sometimes different access levels are required. For those scenarios, you have to use Authorization Manager (AzMan). AzMan is a framework used to manage the authorization policy that allows applications to perform access control. Hyper-V uses AzMan to grant access based on roles and tasks. Hyper-V authorization policies are stored in a file named InitialStore.xml, located in C:\ProgramData\Microsoft\Windows\Hyper-V. Once the store is loaded in AzMan, you can create and delete access policies or apply them to groups and users.

The first things to be created in AzMan are Role Definitions. These are roles that receive access policies named Operations. Hyper-V has 34 operations used to grant permissions, such as creating virtual machines, allowing virtual machine snapshots, and stopping virtual machines. Applying these policies to many groups individually can be a tough job, which is why AzMan provides Task Definitions.

Task Definitions group related operations, so that you can apply them to more than one Role Definition, making later modifications easier.

Using operations and tasks, you can grant users only the access to Hyper-V they need, with more security and control.

Written by Marcos Nogueira

With more than 18 years' experience in Datacenter Architectures, Marcos Nogueira is currently working as a Principal Cloud Solution Architect. He is an expert in Private and Hybrid Cloud, with a focus on Microsoft Azure, Virtualization and System Center. He has worked in several industries, including Aerospace, Transportation, Energy, Manufacturing, Financial Services, Government, Health Care, Telecoms, IT Services, and Oil & Gas in different countries and continents.

Marcos was a Canadian MVP in System Center Cloud & Datacenter Management and has been Microsoft Certified for more than 14 years, with more than 100 certifications (MCT, MCSE, and MCITP, among others). Marcos is also certified in VMware, CompTIA and ITIL v3. He assisted Microsoft in the development of workshops and special events on Private & Hybrid Cloud, Azure, System Center, Windows Server and Hyper-V, and has been a speaker at several Microsoft TechEd/Ignite and community events around the world.

7 Replies to “How to delegate access in Hyper-V”

  1. Hi Marcos,

    I have read your article and tried to configure our Hyper-V in the way you described. For some reason we cannot get a workstation using Windows 8.1 to access a virtual machine running under Hyper-V in Windows 2012R2 if the domain user does not have administrator rights and also has no Hyper-V administrative rights (e.g. not a member of domain administrators and not a member of the Hyper-V administrative role). It seems at all times we need to have the domain user be a member of the Hyper-V administrator role, even if we implement via AZMAN and provide the user the rights for the tasks. Is there any way we can allow a domain user to access his virtual box within our domain network without having these special (highly elevated) rights? We simply want our user to use his own virtual box and not be able to change any of the Hyper-V settings and configurations applied to his machine.
    Many thanks for any help you can give me.
    Cheers
    Hans

      1. Still no solution… our VM users must have administrative rights which allows them to do things we would like to restrict. They are able to basically configure their own VM. At least with the previous versions you could use AZMAN to provide access control rights to VM features.

        If there is any good solution to manage the VMs better it would be great!

  2. Hi Marcos,

    Like Hans in the reply above, I can’t get this to work on Windows 8.1. On Windows 8.1 I can connect with Hyper-V Manager if the user is in the Hyper-V Administrators group, but this sort of defeats the purpose since it gives them full access. On Windows 10 it is even worse because you need to put the user as a Local Administrator on the Host.
    Am I doing something wrong or does this plain not work?

    Thanks, Mark.

  3. Hello,
    I have basically the same problem: I need to delegate Hyper-V management to power users and can’t accomplish it on Windows 10 Enterprise LTSB 2015. There is no Hyper-V Administrators group, nor can it be created by running the PowerShell script by Ben Armstrong (http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/09/28/creating-a-hyper-v-administrators-local-group-through-powershell.aspx). Well, technically it does create the group, but it doesn’t do anything. Since there is no capability in Authorization Manager either, how on earth do I delegate the Hyper-V management rights, please? 😀

    Thanks,
    Michal

  4. Hi All

    We too can’t get any access to Hyper-V 2012 unless the user is in the ‘do everything’ Hyper-V Administrators group. After searching across the web I found a post in the Hyper-V forum at social.technet that was asking the same and pointed to this ‘Features Removed or Deprecated in Windows Server 2012’ page at Microsoft, https://technet.microsoft.com/en-us/library/hh831568.aspx. Unfortunately it seems AzMan is no longer used as before for granular Hyper-V 2012 access.

    Regards to all
    Tom