Creating a “Hyper-V Administrators” local group through PowerShell

After writing my script to allow a non-administrative user to control Hyper-V – I started thinking about how it would be nice if I could easily add and remove users from being Hyper-V administrators – without having to run a script each time. Which led to this:

 $myWindowsID=[System.Security.Principal.WindowsIdentity]::GetCurrent()
 $myWindowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($myWindowsID)
  
 # Get the security principal for the Administrator role
 $adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator
  
 # Check to see if we are currently running "as Administrator"
 if ($myWindowsPrincipal.IsInRole($adminRole))
    {
    # We are running "as Administrator" - so change the title and background color to indicate this
    $Host.UI.RawUI.WindowTitle = $myInvocation.MyCommand.Definition + "(Elevated)"
    $Host.UI.RawUI.BackgroundColor = "DarkBlue"
    clear-host
    }
 else
    {
    # We are not running "as Administrator" - so relaunch as administrator
    
    # Create a new process object that starts PowerShell
    $newProcess = new-object System.Diagnostics.ProcessStartInfo "PowerShell";
    
    # Specify the current script path and name as a parameter
    $newProcess.Arguments = $myInvocation.MyCommand.Definition;
    
    # Indicate that the process should be elevated
    $newProcess.Verb = "runas";
    
    # Start the new process
    [System.Diagnostics.Process]::Start($newProcess);
    
    # Exit from the current, unelevated, process
    exit
    }
  
 # Create "Hyper-V Administrators" group
 $LocalComputer = [ADSI] "WinNT://$env:computername"
 $HvAdminGroup = $LocalComputer.create("Group", "Hyper-V Administrators")
 $HvAdminGroup.setinfo()
  
 # Get the SID for the newly created group
 $HvAdminGroupSID = (Get-WmiObject Win32_Group -Filter "LocalAccount=True AND Name='Hyper-V Administrators'").SID
  
 # Add current user to Hyper-V Administrators group
 $fixedUserName = $myWindowsID.Name -replace "\\","/"
 $HvAdminGroup.add("WinNT://$env:computername/$fixedUserName")
  
 # Get the current AzMan store location from the registry
 $AzManStoreLocation = (Get-ItemProperty -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization").StoreLocation
  
 # Open the AzMan store
 $AzManStore = new-object -ComObject "AzRoles.AzAuthorizationStore"
 $AzManStore.Initialize(2, $AzManStoreLocation)
  
 # Handle the default Hyper-V AzMan store and the SCVMM AzMan store
 if (@($AzManStore.Applications | ? {$_.Name -eq "Hyper-V services"}).count -eq 1)
    {
    $HyperVAzManStore = $AzManStore.OpenApplication("Hyper-V services")
    }
 elseif (@($AzManStore.Applications | ? {$_.Name -eq "Virtual Machine Manager"}).count -eq 1)
    {
    $HyperVAzManStore = $AzManStore.OpenApplication("Virtual Machine Manager")
    }
 else
    {
    Write-Host "Unable to find AzMan application group."
    Write-Host -NoNewLine "Press any key to continue..."
    $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
    exit
    }
  
 # Get the administrator role from the Hyper-V service in the AzMan store
 $HyperVAdministratorsRole = $HyperVAzManStore.OpenRoleAssignment("Administrator")
  
 # Add the Hyper-V Admin group to the AzMan store
 $HyperVAdministratorsRole.AddMember($HvAdminGroupSID)
 $HyperVAdministratorsRole.Submit()

This script creates a local user group – called “Hyper-V Administrators” – and then configures that group to have full access to Hyper-V (it also adds the current user as a member of the “Hyper-V Administrators” group). After running this script you can make other users Hyper-V administrators just by adding them to the group (with no need to run the script again). Note that the same caveats apply to this script as to yesterday's script:

  • It must run as administrator – and will elevate itself if you run it without administrative privilege.
  • This script talks to AzMan COM objects – which means that it cannot be run remotely, and must be run directly on the Hyper-V server.
  • This script will handle the default Hyper-V and SCVMM authorization configurations – but if you run the script on a standalone Hyper-V server, which you later use SCVMM to manage – you will need to run the script again.
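As an added audit example (not code from the original post), the following read-only PowerShell reports who can administer Hyper-V on the host under both models: the AzMan "Administrator" role assignment that the script above populates, and the built-in "Hyper-V Administrators" group (well-known SID S-1-5-32-578) that replaces AzMan on Windows 8 / Server 2012 and later, which the comments below discuss. It goes beyond the script by covering both models; the function name Get-HyperVAdminReport is my own.

```powershell
# Added audit example, not part of the original post: report who can administer Hyper-V on this host.
# Covers the built-in "Hyper-V Administrators" group (Windows 8 / Server 2012 and later, well-known
# SID S-1-5-32-578) and the AzMan "Administrator" role assignment the script above populates. Read-only.
function Get-HyperVAdminReport {
    $report = @{}
    # 1. Built-in group: look it up by its well-known SID, not by name. A plain local group that merely
    #    shares the name (such as the one the script above creates) does not carry this SID.
    $builtin = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-578'"
    if ($builtin) {
        $report.BuiltinGroup = $builtin.Name
        $group = [ADSI] "WinNT://$env:COMPUTERNAME/$($builtin.Name),group"
        # Each member is an IADs COM object; read its ADsPath through late binding
        $report.BuiltinMembers = @($group.Invoke("Members") | ForEach-Object {
            $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null) })
    } else {
        $report.BuiltinGroup = "missing (no local group with SID S-1-5-32-578)"
        $report.BuiltinMembers = @()
    }
    # 2. AzMan model (Hyper-V on Windows Server 2008 / 2008 R2). The StoreLocation value is absent on
    #    systems that no longer use AzMan, which is what the Windows 10 commenters below ran into when
    #    the script above called Initialize with an empty store path.
    $regPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization"
    $storeLocation = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).StoreLocation
    if (-not $storeLocation) {
        $report.AzManStore = "not configured"
        $report.AzManAdminMembers = @()
        return New-Object PSObject -Property $report
    }
    $store = New-Object -ComObject "AzRoles.AzAuthorizationStore"
    $store.Initialize(2, $storeLocation)   # same open flag the script above uses
    $report.AzManStore = $storeLocation
    $app = $store.Applications | Where-Object {
        @("Hyper-V services", "Virtual Machine Manager") -contains $_.Name } | Select-Object -First 1
    if ($app) {
        $role = $app.OpenRoleAssignment("Administrator")
        # Members are SID strings; resolve each to an account name, keeping the raw SID if unmappable
        $report.AzManAdminMembers = @($role.Members | ForEach-Object {
            $sid = $_
            try { (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value }
            catch { "$sid (unresolved)" }
        })
    } else {
        $report.AzManAdminMembers = @("no Hyper-V AzMan application found")
    }
    New-Object PSObject -Property $report
}
Get-HyperVAdminReport | Format-List
```

Like the script above, it must run directly on the Hyper-V host because the AzMan COM objects cannot be used remotely.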

Cheers,

Ben

AzManGroup.zip

Comments

  • Anonymous
    September 29, 2010
    The comment has been removed
  • Anonymous
    September 29, 2010
    I have to agree with Stephen. I'm getting an error that I'll copy below. Sadly I've not gotten into PS yet, so don't know enough to make a guess at how to correct the script.

    Unexpected token 'WinNT://$env:computername/$fixedUserName")HKLM:SOFTWAREMicr osoftWindows NTCurrentVersionVirtualization"' in expression or statement. At C:smagHVadmingroup.ps1:45 char:161
    $fixedUserName = $myWindowsID.Name -replace "","/"WinNT://$env:computername /$fixedUserName")HKLM:SOFTWAREMicrosoftWindows NTCurrentVersionVirtualizat ion" <<<< ).StoreLocationAzRoles.AzAuthorizationStore"Hyper-V services"}).count -eq 1)Hyper-V services")Virtual Machine Manager"}).count -eq 1)Virtual Machine Manager")Unable to find AzMan application group."Press any key to continue..." NoEcho,IncludeKeyDown")Administrator")
    + CategoryInfo : ParserError: (WinNT://$env:co...Virtualization": String) [], ParseException
    + FullyQualifiedErrorId : UnexpectedToken
  • Anonymous
    October 06, 2010
    Yikes! I do not know how the sample code got that badly mangled. It should be fixed now. Either way - if you grab the .ZIP file attached to the post it should have the correct code. Cheers, Ben

  • Anonymous
    October 07, 2014
    It runs itself in administrator mode and then it closes itself unexpectedly.

  • Anonymous
    January 11, 2016
    I'm running Windows 10 Pro. I'm trying to properly create the "Hyper-V Administrators" group with full access to Hyper-V and include me in that group. I'm doing Windows Phone development, running an emulator in Hyper-V. Error from "./AzManGroup.ps1":

    Value does not fall within the expected range. At C:usersjeffaDevelopmentAzManGroup.ps1:52 char:1
    $AzManStore.Initialize(2, $AzManStoreLocation)
    + CategoryInfo : OperationStopped: (:) [], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException
    Unable to find AzMan application group. Press any key to continue...

  • Anonymous
    January 14, 2016
    Same problem as jhalbrecht. Please advise.

  • Anonymous
    January 19, 2016
    Hi, I've encountered the same problem as jhalbrecht and jacob. I need to delegate Hyper-V management to power users and can't accomplish it on Windows 10 Enterprise LTSB 2015. There is no Hyper-V Administrators group, nor can it be created by running this script. Well, technically it does create the group, but it doesn't do anything. Since there is no capability in Authorization Manager either, how on earth do I delegate the Hyper-V management rights, please? :-D

  • Anonymous
    January 26, 2016
    Hi All, two-part answer for the people with problems on Windows 10:

  1. As of Windows 8 and later - you do not need to do any of what is discussed in this post. It all magically works (which is discussed here: blogs.msdn.com/.../allowing-non-administrators-to-control-hyper-v-updated.aspx)

  2. Except, when it does not work :-( - We have tracked down an issue that can cause the group to be missing when you upgrade from one Windows edition to another. We are working on a fix right now; unfortunately there are no workarounds at this point in time.

    • Anonymous
      March 02, 2016
      Hi Ben, is there any update on a fix for the LTSB build?
    • Anonymous
      March 14, 2016
      Any updates on a fix?
    • Anonymous
      March 18, 2016
      We are also desperately waiting this fix to one of our class rooms. Any idea how long we should wait?
      • Anonymous
        March 20, 2016
        I will update my blog when a fix is available - but I cannot comment on it at this point in time. Cheers, Ben
        • Anonymous
          April 12, 2016
          I have a PC that has had Windows 10 Pro installed and there was no upgrade performed. Still, the Hyper-V Administrators group is missing. I do hope the fix you are working on will fix the situation for me as well. Hopefully you can share some news soon, need to get the Android Emulators working.
    • Anonymous
      March 27, 2016
      "We have tracked down an issue that can cause the group to be missing when you upgrade from one Windows edition to another." I have this problem also. Please inform us.
      • Anonymous
        April 08, 2016
        I have the same issue. I have upgraded Windows from 8.1 Pro to 10 Home and then to 10 Pro.
    • Anonymous
      March 27, 2016
      My issue is that I can't start the "Visual Studio Emulator for Android".
      • Anonymous
        April 08, 2016
        I am having the same issue as well. Patiently waiting for an update on a fix.
        • Anonymous
          May 30, 2016
          I have just encountered this issue too after upgrading from Windows 10 home to Windows 10 Pro. Is there any update on the fix???
    • Anonymous
      August 01, 2016
      Any update on this?
  • Anonymous
    April 15, 2016
    I encountered this as well, after installing the latest build of Xamarin in VS2015 and trying to start up an Android emulator...on a system that was upgraded from Win10 Home to Pro. Notably, the BUILTIN\Hyper-V Administrators group is missing, and the above PS script only creates a non-BUILTIN user group which doesn't work for the Android emulator startup. (Note the WinPhone emulator prompts during startup, but works FINE...) Looking at a Win10 Pro virtual machine, I've discerned that the missing group is a "well-known SID" of S-1-5-32-578 (aka "HYPER_V_ADMIN" as listed in https://msdn.microsoft.com/en-us/library/cc980032.aspx). Thus, what we need is a tool (script or app) to create this well-known-SID-based group. A Win32 NetLocalGroupAdd method call ignores any attempt to set a SID, as well as NetLocalGroupSetInfo. So there must be another way... Does anyone have any clue how to set SIDs during creation of a BUILTIN user group? Can this be done with a Group Policy somehow? Or only programmatically? (Hint: The StackOverflow answer at http://stackoverflow.com/questions/34751196/creating-hyper-v-administrators-group-in-windows-10 is uninspiring... Certainly, BUILTIN user groups are created SOMEHOW. It's just that the Home-to-Pro upgrade package is MISSING this important task item.) Ben: Any possibility that you can chase down a security/AD/LSA/SAM expert that can advise you on how BUILTINs get created (or better yet, supply you with a script/app to create such)? And please, don't reply with "wait for the Win10 Anniversary Update"... We can't wait that long. My thrill over Microsoft buying Xamarin has been severely diminished over the discovery of this BUG. (And from what I've seen on forum searches, this BUG has been outstanding or recurring for several years now, ever since moving away from AzMan...with silly pithy so-called answers of "try using the right version of Windows" or "check your BIOS settings", etc. When the WinPhone emulator works fine, as well as several other virtual machines, those "answers" don't cut it. Waiting 2-3 years to formally fix this is long enough!)
    • Anonymous
      August 01, 2016
      +1
  • Anonymous
    August 03, 2016
    I was having this problem with the MS store upgrade from Windows 10 Pro to Home recently, and it looks like this is fixed by the Anniversary Upgrade that was released yesterday. The regular update on the front page of the website appears to have worked fine for me, and I have the group now. For reference: Machine came with 10 Home, upgraded through MS store to Pro, reinstalled from USB, no dice. Anniversary Upgrade, bingo!
    • Anonymous
      October 11, 2016
      Bought laptop with Windows Home, upgraded to Windows Pro through the store, applied all updates including Anniversary Update, still do not have Admin Group for Hyper-V. When upgrading to Pro through the store, you do not get a product key, so you do not have the option to do a clean install of Windows Pro (not that that would be desirable). Instead, the upgrade capability is added to the machine, and the upgrade is initiated directly from the Store (this process is as ridiculous as Microsoft not fixing this HV admin problem after many months of knowing about it). This is an unacceptable situation.
  • Anonymous
    August 12, 2016
    Hi, we ran the script and realized that there is a missing registry key (StoreLocation) and file (InitialStore.xml). We created the key and copied the file from another PC, ran the script again, and checked the definitions in AzMan; they seem to be OK, but it still does not work. Any solution? Thanks, excuse my English.