共用方式為


Allowing non-Administrators to control Hyper-V

By default Hyper-V is configured such that only members of the administrators group can create and control virtual machines.  Today I am going to show you how to allow a non-administrative user to create and control virtual machines.

Hyper-V uses the new authorization management framework in Windows to allow you to configure what users can and cannot do with virtual machines.  This is very powerful and allows for some useful and interesting configuration options - but I will explore those on another day.  To set the stage I need to explain some terms from the authorization management framework world:

  • Operation
    This is the basic building block of authorization manager - and represents some action that the user can perform.  Some operations that exist in our authorization store include op_Create_VM (the act of creating a new virtual machine) or op_Start_VM (the act of starting a virtual machine).

  • Task

    A task is a grouping of operations.  We do not create any tasks by default - but you could create a task that was labeled 'control_VM' and then add the operations for starting, stopping, pausing and restarting a virtual machine to that task.

  • Role

    A role defines a job / position / responsibility that is held by a user.  For instance, you might have a role called 'Virtual_Network_Admin'.  This role would have all the tasks and operations that relate to virtual networks.  Users are then assigned to roles as needed.

  • Scope

    A scope allows you to define which objects are owned by which roles.  If you had a system where you wanted to grant administrative access to a subset of the virtual machines to a specific user - you would create a scope for those virtual machines and apply your configuration change to only that scope.

  • Default Scope

    The default scope is where virtual machines are stored by default.  It is the equivalent of having no scope defined.

Hyper-V can be configured to store it's authorization configuration in Active Directory or in a local XML file.  After initial installation it will always be configured to use a local XML file located at programdataMicrosoftWindowsHyper-VInitialStore.xml on the system partition.  To edit this file you will need to:

  1. Open the Run dialog (launch it from the Start menu or press Windows Key + R).
  2. Start mmc.exe
  3. Open the File menu and select Add/Remove Snap-in...
  4. From the Available snap-ins list select Authorization Manager.
  5. Click Add > and then click OK.
  6. Click on the new Authorization Manager node in the left panel.
  7. Open the Action menu and select Open Authorization Store...
  8. Choose XML file for the Select the authorization store type: option and then use the Browse... to open programdataMicrosoftWindowsHyper-VInitialStore.xml on the system partition (programdata is a hidden directory so you will need to type it in first).
  9. Click OK.
  10. Expand InitialStore.xml then Microsoft Hyper-V services then Role Assignments and finally select Administrator.
  11. Open the Action menu and select Assign Users and Groups then From Windows and Active Directory...
  12. Enter the name of the user that you want to be able to control Hyper-V and click OK.
  13. Close the MMC window (you can save or discard your changes to Console 1 - this does not affect the authorization manager changes that you just made).

And now you are done.  The user that you added will be able to completely control Hyper-V even if they are not an administrator on the physical computer.

Cheers,
Ben

Comments

  • Anonymous
    January 17, 2008
    Ben, Thanks for this great post! It was great to find that in AzMan you can also edit / define roles; e.g. I edited the "user" role so that users could pause VMs very easily. And I like that changes in AzMan seem to be reflected immediately in Hyper-V admin, so it must be checking permissions before every operation. I don't suppose you could show us how to restrict control of specific VMs to specific users/groups? cheers, Aitor

  • Anonymous
    January 18, 2008
    follow up on restricting users to particular VMs: I can see how to create new scopes, and give users rights in the scope, but not how to associate VMs with particular scopes. Is this what the Authorization Rules are for? If so, as they are scripts, looks like it could be very flexible (e.g. it might be possible to write a rule that allowed users in a particular role access to all VMs with names containing "Sales"). But to be honest, I think most users would find it easier if, having defined the scope in AzMan, scope membership of a VM could be set as part of the VM settings in the Hyper-V manager.

  • Anonymous
    January 18, 2008
    Ben, I hope that you are writing all of this in a way that leads to future publication. How about sections on using legacy software in Hyper-V with sections on optimizing DOS networks, evaluating physical video adapters for use with VMs, etc. I was at my doctors office last week and he had a portable PC with a VM and some old database he continues to use that his var can not port.

  • Anonymous
    February 14, 2008
    The comment has been removed

  • Anonymous
    December 15, 2010
    The comment has been removed

  • Anonymous
    December 16, 2010
    The comment has been removed

  • Anonymous
    June 26, 2012
    Hi Ben, I'm setting up an environment on Server 2008 R2 to host a training envrionment. The server is in a domain, but the users (for training) are local. I've followed the process in your blog to assign my local STUDENT account to the Administrator role, and I made sure this account also has full control on the folder that contains the virtual machine files. I still get the "You do not have the required permission to complete this task..." error when I open Hyper-V manager on the local computer logged on as the local STUDENT account. What other permissions does this user require? Dave

  • Anonymous
    September 23, 2012
    Thank you very much this is really helpful.

  • Anonymous
    February 14, 2013
    Hi Ben, this works very well, thanks for the good post!

  • Anonymous
    May 19, 2013
    I can't find Hyper v in windows file

  • Anonymous
    October 22, 2013
    For those like me who struggled to make it work though I followed exactly these instructions: if you have installed SCVMM, the file to edit is different. Ben has more details here: blogs.msdn.com/.../hyper-v-management-delegated-administration-scvmm.aspx Rabb

  • Anonymous
    January 21, 2014
    Hi, I've tried to do this for hyperv on win8.1 but it doesn't seem to work. Can you please verify if there is a method of doing this for hyperv on 8.1? Thanks!

  • Anonymous
    January 21, 2014
    Hi Ben, the procedure don't work on windows 8.1. Every time I open hyper-v manager, the following message shows. You do not have the required permission to complete this task. contact the administrator of the authorization policy for the computer 'localhost

  • Anonymous
    January 22, 2014
    I confirming not functional status on Win8.1 :-(

  • Anonymous
    March 15, 2014
    on win 8.1 just add user to "HyperV administrators" group (this pc -> manage -> local users -> groups), no need to open XML file  :)

  • Anonymous
    May 03, 2014
    > malvism 16 Mar 2014 7:16 AM >on win 8.1 just add user to "HyperV administrators" group (this pc -> manage -> local users -> groups), no need to open XML file  :) This worked for me, after I eventually figured out what malvism was talking about.  For the folks like me that aren't very familiar with Win 8.1 here's the same instructions with more detail:

  • open up "This PC", or what used to by file explorer

  • Right click "This PC" and select "Manage", entering your admin password if necessary

  • On the left, select "Local Users and Groups" then "Groups"

  • On "Hyper-V Administrators" right click "Properties"

  • "Add..." the account you want to give access

  • Anonymous
    May 15, 2014
    Can anyone confirm this works on w8.1?  I dont want to add users to Hyper-V Administrators group, but creating and setting users hyper-V group doesnt seem to work. I just want to give user on his local computer limited right to his hyper-V machines (for example: user is unable to create and change virtual switches). Thank you in advance

  • Anonymous
    May 18, 2014
    Ben,  i tried  to find the file programdataMicrosoftWindowsHyper-VInitialStore.xml but i wasnt able to do so.. rather i found this @ C:WindowsWinSxSamd64_microsoft-hyper-v-v..uthorization-policy_31bf3856ad364e35_6.3.9600.16384_none_cacbef604c43f40b/InitialStore.xml  but when i made a selection  for authorization store type: an error was raised that the file is incorrect format. Do you have any idea about my problem??/ Thanks in advance, -Sirin sirinibin2006@gmail.com skype:sirin_ibin

  • Anonymous
    May 25, 2014
    Just perfect..MS says AzMan is deprecated feature in w8 and there is two option..HyperV administrator or another virtualization.

  • Anonymous
    August 12, 2014
    Win 2008 R2 Std + Hyper-V role, joined to AD I followed the instructions in "Allowing non-Administrators to control Hyper-V" , but than when tried to connect to Hyper-V server I received "You don't have permissins.." Than followed the instructions here: blogs.technet.com/.../part-1-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspx and the problem was solved  

  • Anonymous
    October 20, 2014
    I was hoping to give users on windows 8.1 the right to start vms not allow the full control of Hyper-V. There is really no alternate for us either as we need them to run the emulators from visual studio. Anyone find a solution to give non-admin limited control?

  • Anonymous
    November 05, 2014
    Thank you, I've been fighting with it for two weeks.

  • Anonymous
    August 28, 2015
    On Windows 8.1 once I added the non-admin user to the "HyperV administrators" group (this pc -> manage -> local users -> groups) the account was able to manage the local Hyper-V service/Machine Excellent!!!!

  • Anonymous
    October 27, 2015
    Is there no work around for this in Windows 8.1 yet? I want to allow users the permissions to start/restart VMs, however adding them to the Hyper-V Administrators group grants them full control of Hyper-V!

  • Anonymous
    January 24, 2016
    hello every body my windows is windows 10 pro, and it is activated am using Visual studio 2015 and Xamarin android I installed the VS emulator but when I open a solution and run it I get the error message you do not have permission to modify internal Hyper-v network adapter settings, which are required to run the emulator anyone would help me in this issue please?? best regards

  • Anonymous
    January 26, 2016
    This functionality was removed after Windows 2008 R2.  For updated information - refer to this post: blogs.msdn.com/.../allowing-non-administrators-to-control-hyper-v-updated.aspx

  • Anonymous
    May 21, 2016
    Thanks for the guide

  • Anonymous
    November 15, 2016
    There is no InitialStore.xml file on Windows 10 Pro with the Hyper-V role installed. Now what?