Delegate permissions to specific VM in Hyper-V hosts

Microsoft recently released a beta of the Hyper-V Security Guide. Unfortunately, when it comes to permission delegation, it only tells you how to do this on a per-host basis.

Doing it on a per-VM basis (for example, allowing user1 to stop, start and remote-control VM1 but not VM2 on HOST1) is a bit tricky. Dung talks about it here:!31A50D02D661C816!305.entry, but there is not much more information about it on the web.

For initial steps refer to Dung’s blog – it details the XML files and the model of permissions. Now if you want to delegate permissions per VM you need to:

  1. SET a unique ScopeOfResidence property on a VM. This can only be done by a script. I attach all scripts in a link below.
  2. That scope is stored in the XML config file of the VM in Global_Settings/security/scope section.
  3. Next, take that unique SCOPE name and set it in azman.msc as a new scope. Then assign permissions as you would normally do. The permissions within that scope will only apply to the VM with the same ScopeOfResidence.
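
The three steps above as one script. This is an added example, not one of the scripts attached to this post. It assumes Hyper-V on Windows Server 2008 (WMI namespace root\virtualization) and an AzMan application named "Hyper-V services"; the VM name, scope name and store path are placeholders.

```powershell
# Added example: put one VM into its own AzMan scope (steps 1-3 above).
# Assumptions: WMI namespace root\virtualization, AzMan application
# 'Hyper-V services'; VM name, scope name and store URL are placeholders.
param(
    [string]$VMName   = 'VM1',
    [string]$Scope    = 'HOST1-VM1',
    [string]$StoreUrl = 'msxml://<path to InitialStore.xml>'
)
$ns = 'root\virtualization'

# Resolve the VM; refuse to continue if the display name is ambiguous,
# otherwise the scope could land on the wrong VM.
$vm = Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem -Filter "ElementName='$VMName'"
if (-not $vm)            { throw "VM '$VMName' not found" }
if (@($vm).Count -gt 1)  { throw "VM name '$VMName' is not unique on this host" }
$query = "ASSOCIATORS OF {$($vm.__PATH)} WHERE ResultClass=Msvm_VirtualSystemGlobalSettingData"

# Step 1: set ScopeOfResidence on the VM's global settings.
$settings = Get-WmiObject -Namespace $ns -Query $query
$settings.ScopeOfResidence = $Scope
$vsms   = Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemManagementService
$result = $vsms.ModifyVirtualSystem($vm.__PATH, $settings.GetText([System.Management.TextFormat]::CimDtd20))
if ($result.ReturnValue -eq 4096) {
    # 4096 = the change runs as a job; wait until it is no longer running (JobState 4).
    $job = [wmi]$result.Job
    while ($job.JobState -eq 4) { Start-Sleep -Seconds 1; $job.Get() }
} elseif ($result.ReturnValue -ne 0) {
    throw "ModifyVirtualSystem failed with code $($result.ReturnValue)"
}

# Step 2: read the value back instead of trusting the return code.
$check = Get-WmiObject -Namespace $ns -Query $query
if ($check.ScopeOfResidence -ne $Scope) { throw "Scope was not applied to '$VMName'" }

# Step 3: create the scope with the same name in the AzMan store if it is missing.
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, $StoreUrl)
$app = $store.OpenApplication('Hyper-V services')
if (-not ($app.Scopes | Where-Object { $_.Name -eq $Scope })) {
    $newScope = $app.CreateScope($Scope)
    $newScope.Submit()
}
"VM '$VMName' is in scope '$Scope'. Assign roles inside that scope in azman.msc."
```

Role assignments are left to azman.msc, as in step 3. Until a user is assigned a role inside the new scope, the VM is only reachable by whoever holds rights at the store or application level, so review those assignments too.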

If you use unique naming of scopes across all your hosts, you can then move the Hyper-V AzMan store from XML files (local) to Active Directory (sample script also attached). This will allow you to make changes centrally for all hosts:

  1. The data cannot be moved to an application partition; it must be stored in a Windows 2003 (minimum) domain.
  2. Create the Hyper-V AzMan Store in AD. This can be done using the script CreateVMAzStoreinAD.js:
    cscript CreateVmAzStore.js "msxml://<path to InitialStore.xml>" "msldap://CN=VmAzStore,CN=Windows,CN=Program Data,DC=test,DC=com"
    where the first parameter is the path to the Hyper-V AzMan store and the second is the DN of the target container for the store.
  3. Verify that the store was created by using Active Directory Users and Computers (dsa.msc; enable Advanced Features in the View menu).
  4. Using AzMan.msc, open the AD store and assign the Administrator and User roles (created by the script) to users defined in the domain as desired. Also change the security properties of the store, and add “Domain Computers” to the Reader role.
  5. On each Hyper-V host, point the server to the new location of the store:
    Path=HKLM\Software\Microsoft\Windows NT\CurrentVersion\Virtualization
    Value=msldap://CN=VmAzStore,CN=Windows,CN=Program Data,DC=test,DC=com
  6. Restart the VMMS and NVSPWMI services.

It should also be possible to move the store to SQL instead of AD. I have not tried it, but be aware that SQL would be more chatty on the network, and would not re-use the site-aware AD structure that an AD store can use. AzMan is frequently accessed by Hyper-V whenever checking user permissions to Hyper-V objects.

NOTE that you cannot manage your Hyper-V hosts this way if you are using the VMM agent on them. The agent will overwrite your modifications on a refresh basis, and use those that are specified in VMM 2008 (unfortunately no per-VM delegation there…)

Sample scripts: 

UPDATE: FYI, I just noticed TonySo posted some scripts as well on MS forums:


~ by alipka on February 10, 2009.
