A. Hyper-V has very granular management delegation capabilities through Authorization Manager. You can grant users and groups different operation permissions over Hyper-V, or just over specific virtual machines (VMs).

You access Authorization Manager by creating a custom MMC and adding the Authorization Manager snap-in. Follow these steps:

  1. From the Start menu, choose Run then enter mmc.exe.
  2. From the File menu, select Add/Remove Snap-in...
  3. Select Authorization Manager and click Add, as shown here, then click OK.

You now need to load the Hyper-V authorization configuration, named InitialStore.xml, which is located in the %SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V folder. Select the Open Authorization Store... action at the root of Authorization Manager, select XML file, type the name of the XML file, as shown here (or browse to it), and click OK.

Authorization Manager will now show the Hyper-V authorization configuration, which allows the modification and creation of the various Authorization Manager components. The default scope is Hyper-V services, which covers all VMs on the server.

In the picture here, you can see the Administrator role definition. Under Role Assignment, you can see which AD group has the role allocated.

A role in Authorization Manager is essentially an allocation of various operations, such as stopping or starting VMs, to the named role. For example, I could create a ControlVM role and only grant the operations to start, stop, pause, and resume VMs, as shown here.

Note that you also need the Allow Input to Virtual Machine, Allow Output from Virtual Machine, and Read Service Configuration permissions, as shown here, to see VMs in the Hyper-V snap-in.

You also have the Tasks tab, which is essentially a way for you to create a group of operations that can then be assigned to roles more easily. For example, you could create a task containing the control operations and then just assign the task to the new role.

To give a user a role, just select Role Assignment and use Assign Users and Groups, as shown here, to select the users who should have the role capabilities. I could add normal users to the Administrator role to let them manage Hyper-V.

Remember, this is just delegating a user the permissions to perform certain functions. The user still requires remote access to Windows Management Instrumentation, DCOM, and the firewall exceptions for normal remote Hyper-V MMC snap-in functionality.
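
To review what has actually been delegated, the following added example (not part of the original FAQ) reads the same InitialStore.xml through the AzRoles COM API and lists every role assignment with its members and the operations it resolves to. It assumes an elevated PowerShell session on the Hyper-V host; the function names Get-TaskOperations and Get-RoleReport are illustrative.

```powershell
# Added example: read-only audit of the Hyper-V Authorization Manager store.
# Assumes the store is at the location named in the article.
$StorePath = Join-Path $env:SystemDrive 'ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$StorePath")   # flags 0 = open an existing store

function Get-TaskOperations {
    # Recursively expand a task (or role definition) into its operation names.
    param($Container, $App, [string]$TaskName)
    try   { $task = $Container.OpenTask($TaskName) }
    catch { $task = $App.OpenTask($TaskName) }   # fall back to application level
    @($task.Operations)
    foreach ($child in @($task.Tasks)) {
        Get-TaskOperations $Container $App $child
    }
}

function Get-RoleReport {
    # One object per role assignment found in an application or a scope.
    param($Container, $App, [string]$ScopeName)
    foreach ($role in $Container.Roles) {
        $ops = @($role.Operations)               # operations linked directly
        foreach ($t in @($role.Tasks)) {
            $ops += Get-TaskOperations $Container $App $t
        }
        [pscustomobject]@{
            Application = $App.Name
            Scope       = $ScopeName
            Role        = $role.Name
            Members     = @($role.MembersName) -join '; '
            Operations  = ($ops | Sort-Object -Unique) -join '; '
        }
    }
}

$report = foreach ($app in $store.Applications) {
    Get-RoleReport $app $app '(application)'
    foreach ($scope in $app.Scopes) {
        Get-RoleReport $scope $app $scope.Name   # per-VM or custom scopes
    }
}
$report | Format-List
```

The report covers Authorization Manager only; it does not show who has the WMI, DCOM, or firewall access mentioned above.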

Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.