다음을 통해 공유


Part 1 - Hyper-V Remote Management: You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer ‘COMPUTERNAME’

Update 14th Nov 2008. I've just released a script which does all this configuration in one or two command lines: HVRemote 

Quick links to the all parts in the series: 1, 2, 3, 4 and 5 

After the many emails I’ve had about this, it seemed only appropriate to write up a detailed post (or two actually) about how to resolve this.

You will hit this problem when using the Hyper-V Vista management tools connecting to a remote Windows Server 2008 machine with the Hyper-V role enabled, and where both machines are in a workgroup (or in a domain environment where you genuinely don’t have access - but that's another blog entry).

wg1
There are several additional configuration steps you need to complete to make remote management work in a workgroup environment.

Step 1 (On Client and Server)

Make sure you are using a username and password which matches between the client and the server. For this walkthrough, I created an account with the username “john” with the same password on both machines. The “john” account is not an administrator on the server machine, but is an administrator on the client machine (for convenience).

wg1a

Step 2A (On Server core installations)

See part 3 of this series

Step 2B (On Server full installations)
Enable the firewall rules on the server for WMI (Windows Management Instrumentation). From an elevated command prompt, enter the following:

netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

Make sure the command is successful and responds Updated 4 rules(s). Ok.

wg2 

Note: The string in quotes must match the group name defined in the Windows firewall itself. So if you are running a non-English language server, you will need to verify what group name this is.

If you now open “Windows Firewall with Advanced Security” from Administrative Tools on the start menu, you will notice four rules, three inbound and one outbound have been enabled. (It helps to sort by Group)

wg3

wg4 

Step 3 (On Server)

This step grants appropriate DCOM (Distributed COM) permissions to the user(s) who are remotely connecting. Depending on your circumstances, you can add the individual users (they must obviously have an account already on the server), a group, or you can allow all users by select the “Authenticated Users” group.

Open Component Services by typing “dcomcnfg” in the box on the start menu, and expand the menu so that “My Computer” is selected under Component Services\Computers.

wg5 Thumbnail

wg6

Right-Click on My Computer, select Properties and select the “COM Security” tab.

wg7
In the above dialog, click Edit Limits in the “Launch and Activation Permissions” area (not to be confused with the Edit Limits in the “Access Permissions” area).

wg8

Click “Add…” and enter the users (or groups including “Authenticated Users” as appropriate)

wg9

Click OK, then select the added user or group

wg11
In the Allow column, select Remote Launch and Remote Activation, then click OK.

wg12

Close Component Services

Step 4 (On Server)

This step grants appropriate WMI permissions to the user(s) who are remotely connecting. You need grant access to two namespaces, and, as in step 3, you can add individual users, group(s) or the “Authenticated Users” group.

Open Computer Management under Start/Administrative Tools, expanding the tree down through Services and Applications\WMI Control. Select WMI Control

wg13

Right-click on WMI Control and select properties. Then switch to the Security tab. Select the Root\CIMV2 namespace node.

wg14

IMPORTANT: You need to set the security twice. Once for the Root\CIMV2 namespace, and then again for the Root\virtualization namespace.

Click the Security button. If the appropriate user or group does not already appear, use “Add…” as you did in Step 3 above to add them.

wg15

Now select the user and click the Advanced button below the “Permissions for <user>” area.

wg16

Again, make sure the user/group is selected and click Edit

wg17

You need to make three changes here:

  • In the “Apply to:” drop-down, select “This namespace and subnamespaces”
  • In the Allow column, select Remote Enable
  • Check “Apply these permissions to objects and/or containers within this container only”

The screen should look like below. If so, click OK through the open dialogs.

wg18

Repeat for the Root\virtualization namespace

wg19

Click OK as appropriate to confirm all open dialogs and close Computer Management.

Step 5 (On Server)
This step configures the Authorization Manager (AZMan) policy for the server running the Hyper-V role. I am assuming in this walkthrough, you are using the in-box default policy and have not re-configured anything at this stage.

Open Authorization Manager by typing “azman.msc” in the box on the start menu.

wg20

wg21

Right-click on the Authorization Manager and choose Open Authorization Store from the context menu.

wg22

Make sure the “XML file” radio button is selected, and browse to the \ProgramData\Microsoft\Windows\Hyper-V directory on the system drive and select InitialStore.xml, then click OK.

wg23

I’m going to keep this walkthrough as simple (!) as possible, and making my “john” account an Administrator in the context of Hyper-V authorization policy. Expand the tree down through InitialStore.xml\Hyper-V services\Role Assignments\Administrator, and select Administrator.

wg24
In the area on the right, right-click and select “Assign Users and Groups” then “From Windows and Active Directory…”.

wg25

Add the appropriate users or groups (here you can see the “john” account)

wg26
Close the Authorization Manager MMC.

IMPORTANT. You must now reboot your server for the above changes to take effect.

In part 2, I'll walk through the client configuration steps.

Update 14th Nov 2008. I've just released a script which does all this configuration in one or two command lines: HVRemote 

Cheers,
John.

Comments

  • Anonymous
    January 01, 2003
    Hyper-V Monitor Gadget for Windows Sidebar

  • Anonymous
    January 01, 2003
    As I mentioned in my previous post , last month I built out a new virtual environment using Hyper-V on

  • Anonymous
    January 01, 2003
    So after even more feedback and questions, part 4 of this series provides the walkthrough steps necessary

  • Anonymous
    January 01, 2003
    A TechNet Magazin júniusi számában megjelent cikkem teljes változata. Valamivel több képpel. Különös

  • Anonymous
    January 01, 2003
    It is time to update everyone on the issues our support engineers have been seeing for Hyper-V for the

  • Anonymous
    January 01, 2003
    Apologies for a lack of a new post on the WMI scripts, look for a new double part post Wednesday morning.&#160;

  • Anonymous
    January 01, 2003
    Announcing &quot;HVRemote&quot;...., a tool to &quot;automagically&quot; configure Hyper-V Remote Management

  • Anonymous
    January 01, 2003
    In the Hyper-V shiproom, we have signed off on Hyper-V RTM (Release To Manufacturing). The build and

  • Anonymous
    January 01, 2003
    With the RTM release of Hyper-V just around the corner, I thought it would be a good idea to re-visit

  • Anonymous
    January 01, 2003
    Source: Microsoft Virtualization Team Blog Apologies for a lack of a new post on the WMI scripts, look

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    I wanted to allow a colleague access to my Hyper-V. Following the instructions at http://blogs.technet.com/jhoward/archive/2008/03/28/part-1-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.asp

  • Anonymous
    January 01, 2003
    I am feeling lazy today - but thankfully my colleagues have been working hard :-) Mike Kolitz has done

  • Anonymous
    January 01, 2003
    This is the one you have been waiting for, get it, install it.&#160; Enjoy :) Windows Server 2008 x64

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Hyper-V Serverをドメイン環境で使用するには特別な設定する必要は特にありませんが、ワークグループの場合は、あいにくいろいろな設定をいじることが必要になります。 まず、必要なサーバー側とクライアント側の設定があります。変更の比較的少ないサーバーの設定を先に説明します。

  • Anonymous
    January 01, 2003
    More for my own reference, as I keep having to search the Internet for this document and never bookmark

  • Anonymous
    January 01, 2003
    You may have seen from a recent post that I received a new laptop that was capable of running Hyper-V.

  • Anonymous
    January 01, 2003
    Well I just want to introduce you to a new writer who is gonna come along and help giving you great content

  • Anonymous
    January 01, 2003
    It has been a little quiet on the blog front, but sometimes, at least in this case, I hope I've come

  • Anonymous
    January 01, 2003
    Soon, I promise, I will be publishing part 3 which is the workgroup server-core version of &#8220; Hyper-V

  • Anonymous
    January 01, 2003
    [Weekly Issue] Hyper-V Core e controllo remoto

  • Anonymous
    January 01, 2003
    Tore Lervik: I&#39;ve created a sidebar gadget so I can see what the Hyper-V server is doing from my

  • Anonymous
    January 01, 2003
    Amir - just to follow up due to other emails I had, I've also seen this problem reported now after 3rd party AV and firewall  application have been installed on the client machine. Thanks, John

  • Anonymous
    January 01, 2003
    &#160; I&#39;ve created a sidebar gadget so I can see what the Hyper-V server is doing from my workstation

  • Anonymous
    January 01, 2003
    Kent - there's nothing I can spot wrong with the configuration - the length of the computer name should not matter. Are you sure you have the right password set in cmdkey on the client for the account "mhyperkmorstain" on the server, and that the password is not null (blank). If you have a blank password, you need to set a password on the server, and recreate the cmdkey entry. You can verify access to the server by running wbemtest from the client and hitting connect, entering \mhyperrootcimv2 in the namespace, and entering the credentials mhyperkmorstain in the user, plus the password of the kmorstain account on the server. Does this connect OK? If so, hit the "query" button and enter (no quotes) "select * from win32_computersystem" then apply. Do you get one record returned? (Win32_computerSystem.Name="mhyper"). Thanks, John.

  • Anonymous
    January 01, 2003
    Yesterday I finally got around to installing SCVMM 2008 beta onto a virtual machine (mainly to help us

  • Anonymous
    January 01, 2003
    PingBack from http://blogs.technet.com/jhoward/archive/2008/03/28/part-2-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspx

  • Anonymous
    January 01, 2003
    Source: Mindre.net Tore Lervik has create a very cool Hyper-V Monitor Gadget for Windows Sidebar. The

  • Anonymous
    January 01, 2003
    @Alberto. Just finishing off the write up. Hopefully I'll have the finished post ready tomorrow. Thanks, John.

  • Anonymous
    January 01, 2003
    Tore Lervik: I&#39;ve created a sidebar gadget so I can see what the Hyper-V server is doing from my

  • Anonymous
    January 01, 2003
    Hyper-V Monitor Gadget for Windows Sidebar

  • Anonymous
    January 01, 2003
    Mike - I'm not sure I understand your point. Hyper-V server is like Windows Server 2008 server core installation - there is no GUI. You have to manage both remotely if you want to use GUI tools which is what this (and the other 4 posts) are about. I recommend though you use HVRemote (link at top) as that makes the process much simpler. Thanks, John.

  • Anonymous
    January 01, 2003
    It is time to update everyone on the types of issues our support engineers have been seeing for Hyper-V.

  • Anonymous
    January 01, 2003
    Народ начал активно устанавливать и использовать виртуализацию Hyper-V, особенно бесплатный Microsoft

  • Anonymous
    January 01, 2003
    Hyper-V Management Console on Vista x64

  • Anonymous
    January 01, 2003
    Aujourd'hui deux outils pour Hyper-V. Pas tout neufs, mais extrêmement utiles. Le premier vous servira

  • Anonymous
    January 01, 2003
    Se gestite (o pensate di gestire :) ) diversi server Hyper-V da una macchina Windows Vista SP1, questo

  • Anonymous
    January 01, 2003
    Improvements Over Hyper-V RC0 In addition to bug fixes and stability improvements, Microsoft also made

  • Anonymous
    January 01, 2003
    Hyper-V Server First Impressions

  • Anonymous
    January 01, 2003
    Shiva - I would absolutely not recommend deploying a Hyper-V server directly open to the Internet, especially the management interfaces. General RDP clients will not be able to connect over RDP using port 2179 - although VMConnect uses the RDP protocol, the connection establishment is not the quite the same. If you need to deploy directly to the Internet, I would recommend you look at building out a Terminal Service Web Access/Gateway protected behind an ISA server (I have previously run through configuring exactly this on my blog, last year IIRC). It would be far more secure. Thanks, John.

  • Anonymous
    January 01, 2003
    I got home from San Francisco on Friday afternoon.&#160; I had one thing in mind (this is going to be

  • Anonymous
    January 01, 2003
    So far, I’ve covered the following Hyper-V Remote Management scenarios: Workgroup: Vista client to remote

  • Anonymous
    January 01, 2003
    Hyper-V Beta released as part Windows Server 2008. The final release of Hyper-V happened shortly after

  • Anonymous
    January 01, 2003
    &#922;&#945;&#955;&#951;&#963;&#960;έ&#961;&#945; &#963;&#949; ό&#955;&#959;&#965;&#962; &#964;&#959;&#965;&#962;

  • Anonymous
    January 01, 2003
    Alex - I replied to the other comment you left. Thanks, JOhn.

  • Anonymous
    January 01, 2003
    日本語だと&#8595;なエラーが出る件です。 「このタスクを完了するために必要なアクセス許可がありません。このコンピュータ &#8216;xxxxxxx&#8217; の承認ポリシーの管理者に問い合わせてください。」

  • Anonymous
    January 01, 2003
    &#160; Top Issues for Microsoft Support for Windows Server 2008 Hyper-V Hyper-V Beta released as part

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Pieter - did you copy or type the command in? If you copied, I believe the quotes are in "word" format and won't be recognised. Thanks, John.

  • Anonymous
    January 01, 2003
    Jörn - are you logging on with a smartcard? What happens if you go into Hyper-V Manager, and uncheck use default credentials under the user credentials node? Thanks, John.

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Kent - please can you provide the output with /target:computername rather than /targetcomputer. Thanks, John.

  • Anonymous
    January 01, 2003
    Kent - please post back the output from both client and server of hvremote /show /target:othercomputername. Please first though follow the troubleshooting steps (particularly the client) if it fails from steps 3 onwards. Thanks, John.

  • Anonymous
    January 01, 2003
    Hola Una herramienta imprescindible para configurar los servidores con Hyper-V para que se puedan administra

  • Anonymous
    January 01, 2003
    Please. I have a windows Hyper-V Server Edition, and is only core mode. how i configure security options do enable remote managment ?

  • Anonymous
    January 01, 2003
    NL - No, that isn't actually necessary. Thanks, John.

  • Anonymous
    January 01, 2003
    I have gone through these steps twice now for my Win 2008 R2 datacenter cluster. I created a local and domain user of the same name and password as the local user on my Win 7 workstation (workgroup). I also destroyed the cluster and tried again, same error.  Seems there is some additional permission or policy that needs to be changed.  Has anyone been successful with 2008 R2?

  • Anonymous
    January 01, 2003
    Siavash - unfortunately this is not possible in Hyper-V today. Thanks, John.

  • Anonymous
    January 01, 2003
    Ryan - what changed from working to now getting the error - in particular, you mention about passwords being in sync, so could this be tied to that and there's been a typo on syncing the passwords, especially as you indicate you are getting MMC failures too? It doesn't sounds like it's Hyper-V specific, in other words. Are you using cmdkey to set credentials on the client to authenticate to the server? Do all users fail now? Thanks, John.

  • Anonymous
    January 01, 2003
    Lduval - I'll add it to a list, but I should be up front and say it may be some time off yet. However, you should still be able to run from the command prompt in Hyper-V server net localgroup "Distrubuted COM Users" <username> /add to solve this. Thanks, John.

  • Anonymous
    January 01, 2003
    Jerrold - unfortunately you've pasted the client bit into the server output.... Thanks, John.

  • Anonymous
    January 01, 2003
    David - there is no different in terms of remote management configuration between "v1" and Windows Server 2008 R2/Hyper-V Server R2. Thanks, John.

  • Anonymous
    January 01, 2003
    Sebastien/Alberto - see the write up, now published here: http://blogs.technet.com/jhoward/archive/2008/03/30/part-3-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspx Cheers, John.

  • Anonymous
    January 01, 2003
    Scott - it would be helpful for diagnosis or ease of configuration (unless you really want to do the steps manually) to use HVRemote instead. The link is at the top of the page. Follow that, take a look at the documentation and if you still have problems, please post back the output of hvremote /show on both the client and the server. Cheers, John

  • Anonymous
    January 01, 2003
    FrankM - please post the output of hvremote /show /target:otherboxname from both boxes. (Obviously correct any suggestions it makes if you see errors first). Thanks, John.

  • Anonymous
    January 01, 2003
    Thanks John, very useful.

  • Anonymous
    January 01, 2003
    Shva - sorry, I'm not sure what you mean by "consume". What is the goal you are trying to achieve? THanks, John.

  • Anonymous
    January 01, 2003
    Fábio & Impactro - please use HVRemote (link at top of article), or see other parts of this series which explain how to perform the steps manually on core. However, I strongly recommend you use HVRemote. Thanks, John.

  • Anonymous
    January 01, 2003
    Hi Christopher - that's a good one too. Cheers, John.

  • Anonymous
    January 01, 2003
    Mike - that directory is hidden. Navigate to it using the address bar in Windows explorer by typing c:programdata..... replacing c: with your system drive. Thanks, John.

  • Anonymous
    January 01, 2003
    Olexandr - You don't need that rule enabled on the server firewall. Can you post the full output of hvremote /show /target:othercomputername from both boxes? Thanks, John.

  • Anonymous
    January 01, 2003
    @Sebastien - actually, no that is not correct. This does work on server core with a few variations. Give me a couple of days - I'm documenting the exact steps and will be posting it up soon. (And part 3 really IS a valiant effort. You'll see why when you see it!!!) Thanks, John.

  • Anonymous
    January 01, 2003
    Shiva - no this is not possible in Hyper-V through VMConnect. To the best of my knowledge, it is not possible in RDP, but that's outside of my area of authoritative expertise. You may want to ask that question on one of the Technet Windows Server forums. Thanks, John.

  • Anonymous
    January 01, 2003
    Hi Jerrold - unfortunately, you missed the bit I needed :) Can you run hvremote /show on both the server and the client? You shouldn't need to add the /debug - I'll almost certainly get everything I need from just the /show with the v0.3 version you're running. Can you also confirm you are running from an elevated command prompt? Thanks, John.

  • Anonymous
    January 01, 2003
    This is failing because you have incorrect stored credentials from the client to authenticate to the server. From the client output:


Stored Credentials

Currently stored credentials:   Target: morstainhyperv   Type: Domain Password   User: morstainhypervaccount The server output indicates that you have created and granted an account "morstainhypervkmorstain" access. On the client use cmdkey to remove the currently stored credentials and replace them with morstainhypervkmortain. Cheers, John.

  • Anonymous
    January 01, 2003
    Matthew - yes, I wrote these articles a few months before RTM came out. You want http://support.microsoft.com/kb/952627 for Vista SP1. The RTM links are on the far right of the blog page. Thanks, John

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Yes, this is expected. Saved states are not compatible between 2008 and 2008 R2. You need to cleanly shut down the machines in 2008 before export. You should also merge any online snapshots as these have an implicit saved state in them too. Thanks, John.

  • Anonymous
    January 01, 2003
    Mike - can you check that the VMMS service is actually running on the target server? (sc query vmms). If you find it is stopping, I'd be interested to see if there's something in the event logs. Thanks, John.

  • Anonymous
    January 01, 2003
    Kent - please post back the output from both client and server of hvremote /show /target:othercomputername. Please first though follow the troubleshooting steps (particularly the client) if it fails from steps 3 onwards. Thanks, John.

  • Anonymous
    January 01, 2003
    Jerrold You're logged on to client as zeusvmcmd, but there's several bits missing from the server side. Client looks good. You should simply need to run hvremote /add:vmcmd on the server and reboot (possibly) both sides, depending on whether there are active connections outstanding. You also need to make sure the vmcmd user password is the same on both sides as this is a workgroup. Thanks, John.

  • Anonymous
    January 01, 2003
    Franck - this is part of our Authorization Manager (AZMan) infrastructure. More information on this will be available in the official documentation very soon. It's also something that my colleague Ben (http://blogs.msdn.com/virtual_pc_guy) was looking to provide some unofficial (ie blog) information on soon. Thanks, John.

  • Anonymous
    January 01, 2003
    Amir - see part two for the client firewall settings. Essentially you need to run netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes netsh firewall add allowedprogram program=%windir%system32mmc.exe name="Microsoft Management Console" Also see part 5 for the domain client to workgroup server configuration. Thanks, John.

  • Anonymous
    January 01, 2003
    Asshen - yes, point well taken, but similar steps are necessary for any form of remote WMI/DCOM - it's not stricly specific to Hyper-V. We're looking to see how we can get this improved. Thanks, John.

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    John, You rock! thanks a lot for this 'patch'

  • Anonymous
    January 01, 2003
    Mohsen - no, it's not going anywhere. Cheers, John.

  • Anonymous
    January 01, 2003
    Shiva - wow, I thought I'd heard every question there possibly could be was relating to remote management of Hyper-V. But you've stunned me with this one! Does this happen every time? When you say restart - as in blue screen, or graceful reboot? In either case, is there anything in the event logs? If a blue-screen, do you have a memory dump file we could analyse? Have you seen the server exhibit similar behaviour at any other time, or is only when using VMConnect? Hardware specs would be useful too. Thanks, John.

  • Anonymous
    March 29, 2008
    This is really tricky John. What if i have Hyper-v installed on a core based install?

  • Anonymous
    March 29, 2008
    This cannot work on a core install, because you need to generate the OLE registry key yourself and repalce it, as dcomcnfg is not available. I've been playing around with this for two days and resorted to creating a new AD forest. Quicker and more reliable. I wish I found your articles sooner, as they would've confirmed my suspicions much earlier and save me a day of procmon and experimenting with security settings! Thanks for the valiant effort though. Seb

  • Anonymous
    April 23, 2008
    This article saved me several days of work!  Thanks, Thanks, Thanks!!!

  • Anonymous
    May 31, 2008
    I followed this as far as step 5 but I don't have a directory ProgramDataMicrosoftWindowsHyper-V on my W2K8 Server I cannot find a file called InitialStore.xml

  • Anonymous
    June 01, 2008
    Step 2B fails on US English W2K8: "Group cannot be specified along with other identification conditions." Looking at the firewall rules, there are three inbound rules and one outbound rule, resembling the name, neither an exact match: "Windows Management Instrumentation (ASync-In)" "Windows Management Instrumentation (DCOM-In)" "Windows Management Instrumentation (WMI-In)" "Windows Management Instrumentation (WMI-Out)" I really feel spoiled by how simple is is to use VMWare Server, no need for a 5 part series on how to get the remote functionality to work. Will RTM make automate this manual configuration process to allow "seamless" remote management?

  • Anonymous
    June 05, 2008
    I'm stuck on step 5. I navigate to ProgramDataMicrosoftWindows but there is no Hyper-V folder. Hyper-V is running on core and I'm trying to access it through VIsta SP1.

  • Anonymous
    June 25, 2008
    I see PingBack is't a very good feature in most blogs. Sorry about the spam John, feel free to remove the comments above! :)

  • Anonymous
    June 27, 2008
    and if I need to delegate one user administer one VM, not the entire Hyper-V machine... How should I do ?

  • Anonymous
    July 10, 2008
    Thank you for spending the 2+ hours to capture this for us. It really made my life so much easier: I would not have figured this out myself this side of Christmas! Thank you!!!

  • Anonymous
    July 27, 2008
    Hi, Great write up! Just one question...do I need to reboot the server everytime I add a new hyper-v user in azman? Or is the reboot required only for initial setup of the remote management? Thanks!

  • Anonymous
    August 12, 2008
    John, Great detailed information and walk-through! Thank you for your time and sharing it. However, I have not been able to connect and I am getting the same "WMI:Access Denied" issue as Derek mentioned above with the difference that I am running Vista on my physical laptop. My laptop is joined to the domain of business coorporation and the Windows Server 2008 is part of a workgroup at my home.  I have followed allthe steps to the letter.  The Remote Server Administration Tools for the Hyper-V Tool is also enabled and the properly allowed through firewall extensions.  I can Remote Desktop to the server just fine and as extra caution I have added the server IP address to my "hosts" file as well.  when i try to connect to the server from Vista Hyper-V Manager, after few seconds, I get "the operation on computer '<the server IP address>' failed. Any idea, what is missing? BTW, I initially posted this comment by mistake to Part 3 which is for Core installation.  I have full WIN2K8 installation. Thanks, Amir

  • Anonymous
    August 14, 2008
    John, further to my note above, I learned that possibly the firewall setting on my laptop is blocking the inbound communication. These firewall settings are controlled by the firewall rules in the  Local Security Policy.  I even cannot ping my laptop from the WIN2K8 server and get timed out while on the other hand I can do remote desktop to the server from my laptop. Do you know what inbound or outbound firewall rules I need to enable in order to get Hyper-V Manager on my Vista laptop (joined to a domain) communicate with my WIN2K8 server (on a local work group)? Thanks for any tips. Amir

  • Anonymous
    August 14, 2008
    Is it just me, or did Microsoft make this much too complicated ???

  • Anonymous
    September 05, 2008
    Hey John just wanted to say thanks for the help but now I have run into some real problems. I am not using remote management tool, but am instead going into RDP and have tried KVM to get Hyper V to work. I have failed miserably and no matter what I try I can't create VMs and cannot do anything except "remove server" I am hopelessly lost with a "you might not have permission to perform this task error" Help ! =) Troubled Tim-

  • Anonymous
    September 14, 2008
    ow after 3rd party AV and firewall  application have been installed on the client machine. Thanks,

  • Anonymous
    September 28, 2008
    You keep posting "You do not have the "requested" permission to complete this task. " However the error actually reads: "You do not have the REQUIRED permission to complete this task". It was difficult to find this page because the correct search string in Google was not found.

  • Anonymous
    October 03, 2008
    The comment has been removed

  • Anonymous
    October 16, 2008
    Hi John, Could you please write a similar guide for "Hyper-V Server 2008" (Baremetal). I can't apply this one to connect with Vista on an Hyper-V in Workgroup BECAUSE there is nothing like DCOMCNFG in  "Hyper-V Server 2008" (which is not a real Core Server).

  • Anonymous
    November 13, 2008
    Those links to the management tools don't work, and I can't find the tools anywhere. Any ideas?

  • Anonymous
    November 22, 2008
    The comment has been removed

  • Anonymous
    November 23, 2008
    John, In the previous message I left out the response I got when I ran on the server :   'netsh firewall add allowedprogram program=%windir%system32mmc.exe name="Microsoft Management Console" ' The response is: "The following command was not found ..." Below is the client response (ran at elevated prompt) and server response (ran as administrator) to hvremote /show. Thanks again, Jerrold Client response: Microsoft (R) Windows Script Host Version 5.7 Copyright (C) Microsoft Corporation. All rights reserved. Hyper-V Remote Management Configuration & Checkup Utility John Howard, Microsoft Corporation. http://blogs.technet.com/jhoward Version 0.3 20th Nov 2008 INFO: Computername is ZEUS INFO: Computer is in workgroup WORKGROUP INFO: Current user is zeusvmcmd INFO: Assuming /mode:client as the Hyper-V role is not installed


DACL for COM Security Access Permissions

Everyone    (S-1-1-0)     Allow: LocalLaunch RemoteLaunch (7) BUILTINPerformance Log Users    (S-1-5-32-559)     Allow: LocalLaunch RemoteLaunch (7) BUILTINDistributed COM Users    (S-1-5-32-562)     Allow: LocalLaunch RemoteLaunch (7) NT AUTHORITYANONYMOUS LOGON    (S-1-5-7)     Allow: LocalLaunch RemoteLaunch (7)

ANONYMOUS LOGON Machine DCOM Access

WARN: ANONYMOUS LOGON does have remote access  This setting should only be enabled if required as security on this  machine has been lowered. It is needed if you need to manage Hyper-V  on a remote server which is either in an an untrusted domain from this  machine, or both machines are in a workgroup.  Use hvremote /Mode:Client /AnonDCOM:Revoke to turn off

Firewall Settings for Hyper-V Management Clients

Private Firewall Profile is active   Enabled:  Hyper-V Management Clients - WMI (Async-In)   Enabled:  Hyper-V Management Clients - WMI (TCP-Out)   Enabled:  Hyper-V Management Clients - WMI (TCP-In)   Enabled:  Hyper-V Management Clients - WMI (DCOM-In)

Windows Firewall exception rule(s) for mmc.exe

Private Firewall Profile is active   Enabled:  Microsoft Management Console (UDP)   Enabled:  Microsoft Management Console (TCP) INFO: Are running the latest version

Server response: Microsoft (R) Windows Script Host Version 5.7 Copyright (C) Microsoft Corporation. All rights reserved. Hyper-V Remote Management Configuration & Checkup Utility John Howard, Microsoft Corporation. http://blogs.technet.com/jhoward Version 0.3 20th Nov 2008 INFO: Computername is ZEUS INFO: Computer is in workgroup WORKGROUP INFO: Current user is zeusvmcmd INFO: Assuming /mode:client as the Hyper-V role is not installed

DACL for COM Security Access Permissions

Everyone    (S-1-1-0)     Allow: LocalLaunch RemoteLaunch (7) BUILTINPerformance Log Users    (S-1-5-32-559)     Allow: LocalLaunch RemoteLaunch (7) BUILTINDistributed COM Users    (S-1-5-32-562)     Allow: LocalLaunch RemoteLaunch (7) NT AUTHORITYANONYMOUS LOGON    (S-1-5-7)     Allow: LocalLaunch RemoteLaunch (7)

ANONYMOUS LOGON Machine DCOM Access

WARN: ANONYMOUS LOGON does have remote access  This setting should only be enabled if required as security on this  machine has been lowered. It is needed if you need to manage Hyper-V  on a remote server which is either in an an untrusted domain from this  machine, or both machines are in a workgroup.  Use hvremote /Mode:Client /AnonDCOM:Revoke to turn off

Firewall Settings for Hyper-V Management Clients

Private Firewall Profile is active   Enabled:  Hyper-V Management Clients - WMI (Async-In)   Enabled:  Hyper-V Management Clients - WMI (TCP-Out)   Enabled:  Hyper-V Management Clients - WMI (TCP-In)   Enabled:  Hyper-V Management Clients - WMI (DCOM-In)

Windows Firewall exception rule(s) for mmc.exe

Private Firewall Profile is active   Enabled:  Microsoft Management Console (UDP)   Enabled:  Microsoft Management Console (TCP) INFO: Are running the latest version

  • Anonymous
    November 23, 2008
    The comment has been removed

  • Anonymous
    November 30, 2008
    John, I am having these problems connecting to vmms (Virtual Machine Management) service on server! I am running the Hyper-V Manager snap-in under the default Administrator account which is as always a member of BUILTINAdministrators group. But when I selecct in the Hyper-V Manager, I get the snap-in connecting to the service and then the notorious "You might not have permission to perform this task". (No message to contact administrator or whoever it might be) This is observed on PDC build of Windows Server 2008 R2 (Windows Server 7). Any clue? I checked all the permissions for WMI and DCOM and they are all FULL CONTROL for BUILTINAdministrators. I installed both the Hyper-V role AND the RSAT-Hyper-V feature. Could it be that I should NOT to install RSAT on the same computer where I am running the Hyper-V role? Quite interesting, I was unable to install Hyper-V role using the Server Manager snap-in. I was getting errors from UI reported by CLR debugger. I was lucky to install the role only after I tried ServerManagerCMD.exe -install Hyper-V -allSubFeatures -restart Any clue how to get this working? BTW, this is what I get in Event Viewer Log Name:      Microsoft-Windows-Hyper-V-VMMS-Admin Source:        Microsoft-Windows-Hyper-V-VMMS Date:          11/30/2008 7:32:59 AM Event ID:      14098 Task Category: None Level:         Error Keywords:       User:          SYSTEM Computer:      Server7 Description: One or more driver required by the Virtual Machine Management service is not installed or is disabled. Try reinstalling the Hyper-V role. and right after that I get Log Name:      Microsoft-Windows-Hyper-V-VMMS-Admin Source:        Microsoft-Windows-Hyper-V-VMMS Date:          11/30/2008 7:32:59 AM Event ID:      14096 Task Category: None Level:         Error Keywords:       User:          SYSTEM Computer:      Server7 Description: Virtual Machine Management service failed to start.

  • Anonymous
    December 03, 2008
    Ran through it a couple times and get the error: The Virtual Machine Management service is not available. when trying to run the Hyper-V Manager on the client. i can start the Hyper-V Manager on the server with no problem workgroup environment, no firewalls, host entries used to ensure name resolution, passwords verified to be the same, user an admin on both server and workstation. i can use the edit disk option to "view" disks on the server... just not connect to them management service. very strange. any ideas anyone?

  • Anonymous
    December 06, 2008
    John, I'm running!!! Thanks so much for the help and the great tool! If you're free we'd love to have you this year (late Oct.) at Tulsa TechFest where you could present to about 500 people.  Just let us know if you should have the time (another vacation maybe ;<) ) to be here. Thanks again, Jerrold

  • Anonymous
    December 13, 2008
    does anyone know about the standalone install of Hyper-V server? I have installed it and read everything i can, but i can not connect. I have the Hyper-V server installed, configured the name and IP (non domain) set the user and on my Vista SP1 computer with Hyper-V server tried to connect (same user name as server). I can not ping the HV server, but the HV server can ping my laptop.  I have tried the commands on these pages by my Hyper-V server does not recognise most of the commands, such as netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes Any help would be muchly appriciated. Thanks

  • Anonymous
    December 14, 2008
    This won't work in a Hyper-V server since it has no GUI, so what good is this??????????????????????????????????

  • Anonymous
    December 17, 2008
    I followed the instructions and I am able to remotely configure Hyper-V from a Vista machine that is in the same domain as the server. I can create, start and stop VMs. However, I cannot connect to one, the server asks me for username and password and rejects everything I try, even admin account. What priviledge is required to connect to a VM?

  • Anonymous
    March 20, 2009
    The comment has been removed

  • Anonymous
    April 24, 2009
    I wonder why we can't create a icon " enable remote acess" or " allow <login name>" to access this hype-v . i agreed this Hype-v are helpful, but when come to " remote administrative" task. nightmare !!!

  • Anonymous
    April 25, 2009
    i just wanted to how can i restrict "clipboard sharing" in vmconnect for a standard user it's not in operations in AZman.msc please help me THX

  • Anonymous
    May 24, 2009
    The comment has been removed

  • Anonymous
    May 25, 2009
    Hi John,  We are facing a situation in VM Connect. We have a HyperV Server hosting VM's and this Host Server is available over the internet. Therefore any client machine with RDP Client will be able to connect to a VM via port 2179. The question is if the client machine is behind a firewall, is it require that the firewall has to open port 2179? Also if the server is behind a firewall, is there any specific settings to be taken care? if you have any informaton related to this please  share with us as this will be of great help to us. Thanks and Regards Sivakumar

  • Anonymous
    July 17, 2009
    The comment has been removed

  • Anonymous
    July 20, 2009
    Hi, John, to Shive you wrote: "I would absolutely not recommend deploying a Hyper-V server directly open to the Internet, especially the management interfaces." Er, this is exactly what I want to do with Hyper-V... Use it as the core of my three (virtual) web servers. I thought it was a common scenario to maintain them all using SCVMM/SCOM?

  • Anonymous
    July 27, 2009
    Hi John, In our environment we are using a work group server and domain connected clients.  We hacve 2 people who use a vista client to remotely manage a server core.  Everything was working.  we now both get "You do not have the required permission to complete this task. " The passwords are kept up to date from our laptops to our server.  We can not only not manage hyper-v but we cannot use any remote management mmc's.  This was originally setup using your guide and i have since tried to confirm settings using your hvremote.wsf routine on server and workstion.  I have not gotten a chance to restart the server to see if this solves the issue as there are production vm's on the system.  Any suggestions?  

  • Anonymous
    August 21, 2009
    All this is great if you have a gui.  In standalone there is no gui.  I have followed and followed again the steps for HVRemote in a workgroup with no success.   I get the dreaded "You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer ‘COMPUTERNAME’ Everything I find seems to point back to GUI. Please help. Kent

  • Anonymous
    August 21, 2009
    The comment has been removed

  • Anonymous
    August 21, 2009
    The clients hvremote show has an error: Failed to connect to rootcimv2 Error: -2147024891 So I tried the first step on the server to add user. When I try and run hvremote /add:kmorstain I get access denied on the server. I did add it as a net user and that worked.  I guess they are not the same. Suggestions Kent

  • Anonymous
    August 21, 2009
    The comment has been removed

  • Anonymous
    August 21, 2009
    The comment has been removed

  • Anonymous
    September 25, 2009
    Hi John, In VMRC connections to Virtual server based VM's, multiple connections to the same virtual machine is possible. Is there a similiar feature in RDP Connectivity to Hyper-V based VM's? Please let me know if you have any information on the same. Thanks Shiva

  • Anonymous
    October 29, 2009
    Hi,  We are trying to Export Virtual machines in a saved state from Windows Server 2008 Enterprise Edition Service Pack 1-Hyper-V Manager Version: 6.0.6001.18016 to Windows Server 2008 R2 Hyper-V Manager Version: 6.1.7600.16385. We are facing a problem while trying to start the imported machine. (Error: Saved State file version is incompatible). Is this  expected? Is there a solution to this problem? Thanks Shiva

  • Anonymous
    November 11, 2009
    I've constantly recieved error at step - 5: - Simple query to rootcimv2 WMI namespace - prior I've enabled "File and Printer Sharing (Echo Request - ICMPv4-In)" firewall rule on server side (Workgroup member, Microsoft Hyper-V Server 2008 R2)

  • Anonymous
    December 03, 2009
    Re Saved State incompatibility issues of 2008 and 2008 R2, Fabien Duchene's (MSFT) comment elsewhere on the nets helped me: Just apply your snapshot. Then right-click the VM and "delete saved state". And then you are now able to start the VM.

  • Anonymous
    January 12, 2010
    The comment has been removed

  • Anonymous
    February 23, 2010
    The comment has been removed

  • Anonymous
    February 24, 2010
    Never Mind Solved it... wow, i had completely forgotten about enableling the firewall on my "CLIENT" side (Vista). fyi, the documentation everywhere shares about enabling the firewall on the server (Hyper-V) but little and small if any is there mention of enabling the firewall on the "CLIENT" side. i enabled: Start --> All Programs --> Administrative Tools --> Windows Firewall with Advanced Security --> Inbound Rules --> Remote Service Managment (RPC) Note: i enabled Remote Service Managment (RPC) for "Domain" only thx John..... Hector

  • Anonymous
    March 17, 2010
    I got the 'WMI access denied' error, and then followed all the steps as described in this wonderful article, however I never managed to fixed the problem with everything given in this article/comments... The error I got when running: netsh firewall add allowedprogram program=%windir%system32mmc.exe name="Micros oft Management Console" Was: IMPORTANT: "netsh firewall" is deprecated A simple fix for this was: netsh advfirewall firewall add rule program=%windir%system32mmc.exe action=allow dir=in name="Microsoft Management Console" That single firewall rule solved all my problems! Chris

  • Anonymous
    September 18, 2010
    I followed everything in multiple iterations, but couldn't make remot managemtn of HyperV server work from another Windows 2008 R2 with HyperV role. The only way it can work is if I disable the firewall on HyperV Server completely. I set the WMI permissions, firewall rules and what not.

  • Anonymous
    October 02, 2010
    The comment has been removed

  • Anonymous
    January 20, 2011
    this is a very detailed and great article. is it going to be removed after some time or is it staying? because if it's going to be removed, then I'll need to copy the information to a word document for future use if that's ok with you.

  • Anonymous
    April 08, 2011
    The comment has been removed

  • Anonymous
    January 26, 2012
    The comment has been removed

  • Anonymous
    March 19, 2012
    Chris:  I first used the manual approach, then went back and used hvremote, but I can't get it to work. My client is Win 7 Ultimate x64 which is a domain member.  My domain is SBS 2011-based running as a hyper-V guest on a Server 2008 R2 host, in a workgroup. I fear the problem is that my Win7 client uses Norton Internet Security, which disables the MS firewall.

  • Anonymous
    November 13, 2012
    Hi, very helpfull! It works also for Windows 7 SP1 Hyper-V Client for Windows Server 2012. After the settings the VMs are in "Saved" mode and did not starts. More details see here: support.microsoft.com/.../2249906

  • Anonymous
    January 04, 2013
    Thank you so much. I was struggling with this for 4 hours. I was thinking my powershell script was bugged with problem with WMI, or that my DCOM security was wrong. i was in ignorance of hyperv autorizatuon. It worked like a charm!

  • Anonymous
    January 23, 2013
    Hi John, Thanks for the blog. It is really helpful. But I have one more question: Does it still work with Clients behind the NAT? Both Hyper-V Server and Client are located in the workgroup. Looking forward to your reply. Thanks in advance. Regards, Joy

  • Anonymous
    January 21, 2014
    This is a whole lot of struggling and tweaking even before this thing has been installed. With VMware, all we did was install and go - no hassles and no problems out of the gate like this product.

  • Anonymous
    May 04, 2014
    The comment has been removed