Argh! - Remote Hyper-V admin

Vertigo · 18 Feb 2013 at 22:08

Having a nightmare with this, hope someone can help.

I'm trying to set up a Hyper-V server so certain users can perform basic tasks like starting and stopping VMs, but not full administration.

I can administer the server perfectly fine remotely myself, but then I'm the domain admin so no surprises there. At least that proves that all necessary services etc are running on the server for remote admin to work.

I've then used the Authorisation Manager to configure what these other users are allowed to do but, when I try to connect via the Hyper-V Manager when logged in as one of these users on any machine, it fails to even connect to the Hyper-V server and complains that I don't have permission.

Now I've read shedloads of stuff about how to fiddle this and muck about with WMI and DCOM and so on but this all seems to pertain to untrusted scenarios such as workgroups. On a domain, with the necessary settings made via the Authorisation Manager, that should be all I need as far as I can tell.

Can anyone shed any light? I'm losing the will to live

Markopolo · 22 Feb 2013 at 01:19

I take it those users have been given admin rights on the hyper.v host?

Baggins_451 · 22 Feb 2013 at 08:16

Vertigo1 said:
I'm losing the will to live

I feel your pain, have you tried this ?

DJMK4 · 23 Feb 2013 at 23:57

What version of hyper -v? I nearly murdered my box trying to get remote admin working from a laptop that was on my work domain and my host a server at home on a workgroup. Tried numours things and in the end switched back to ESXi 5 for now.

I was attempting hyper-v 2008 core

I don't mind doing configuring dont get me wrong just couldn't get the thing going and at the time i was busy and could have done without the hours just trying to remote admin the box!!!

Vertigo · 26 Feb 2013 at 08:19

Markopolo said:
I take it those users have been given admin rights on the hyper.v host?

Nope, that's exactly what I don't want to do as I don't want them having unfettered access to do anything they want, merely limited access to stop and start the VMs.

Baggins_451 said:
I feel your pain, have you tried this ?

Thanks for reminding me about that - I have used it before in a workgroup environment but assumed it wasn't required in a domain one. I was wrong.

Even in a domain, you still need to use the HVRemote script to add the users or security groups on the Hyper-V server itself, which I believe adds them to the relevant permissions for RPC and WMI.

One gotcha is that doing so also adds the specified users or groups to the administrators role/group in the Authorisation Manager on the server, giving them full access and overriding any lower level permissions you've configured. You just need to remove them from here again after using the script and all is good

Baggins_451 · 26 Feb 2013 at 20:09

I just came across something called VTUtilities which looks quite promising, might be worth having a look at.