July 23
Delegation Model in Hyper-V – Part 5
Today, I will show you how to create an AzMan scope and role definition to manage Hyper-V virtual machines.
As discussed in part 3, the "Virtual Machine Manager Role" includes the following operations:
- "Allow Input to Virtual Machine",
- "Allow Output from Virtual Machine",
- "Start Virtual Machine",
- "Stop Virtual Machine",
- "Pause and Restart Virtual Machine"
For this role, you create a new scope in AzMan, define the role and assign it to users inside this scope.
Step-by-Step
- Open a new MMC console. In the main window, click File –> Add/Remove Snap-in…, then add "Authorization Manager" to the console.
- Back in the console, right-click the Authorization Manager node and select "Open Authorization Store…". In the dialog box, ensure that the "XML file" option is selected, and click Browse. In the browse window, type C:\ProgramData\Microsoft\Windows\Hyper-V in the "File name" text box and select InitialStore.xml. Your MMC should look like this one:
- Expand the hierarchy, right-click Hyper-V Services and select New Scope. In the dialog box, enter "01_scope" as the name and click OK.
- Under 01_Scope –> Definitions, right-click Role Definitions and select New Role Definition. In the dialog box, enter "Virtual Machine Manager Role" as the name and click Add…
- In the Add Definition dialog box, click the "Operations" tab, then add the 2 operations specified above. Your screen should look like this one.
- Under 01_Scope, right-click Role Assignments and select New Role Assignment. In the Add Role dialog box, select "Virtual Machine Manager Role". Click OK.
- Back in the console, right-click "Virtual Machine Manager Role", select Assign Users and Groups –> From Windows and Active Directory, and specify Student01, as in my scenario.
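The same scope, role definition and role assignment can be created from PowerShell through the AzMan COM object, which makes the delegation repeatable and reviewable. This is an added example, not part of the original post; it adds the five operations listed for the role, and the `$env:USERDOMAIN` prefix on Student01 and the `.bak` backup file name are assumptions.

```powershell
# Added example: scripted equivalent of the MMC steps (run elevated on the Hyper-V host).
param(
    [string]$StorePath = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml',
    [string]$Member    = "$env:USERDOMAIN\Student01"   # assumption: account is in the current domain
)

$scopeName  = '01_scope'
$roleName   = 'Virtual Machine Manager Role'
$operations = @(
    'Allow Input to Virtual Machine',
    'Allow Output from Virtual Machine',
    'Start Virtual Machine',
    'Stop Virtual Machine',
    'Pause and Restart Virtual Machine'
)

# Keep a copy of the store so the change can be rolled back (assumed backup name).
Copy-Item -Path $StorePath -Destination "$StorePath.bak" -ErrorAction Stop

# Open the XML authorization store for update (flag 0) and the Hyper-V application in it.
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$StorePath", $null)
$app = $store.OpenApplication('Hyper-V services', $null)

# New scope under the application.
$scope = $app.CreateScope($scopeName, $null)
$scope.Submit(0, $null)

# A role definition is an AzMan task flagged as a role definition;
# it references operations already defined at the application level.
$definition = $scope.CreateTask($roleName, $null)
$definition.IsRoleDefinition = $true
foreach ($op in $operations) { $definition.AddOperation($op, $null) }
$definition.Submit(0, $null)

# Role assignment inside the scope, linked to the definition, with one member.
$role = $scope.CreateRole($roleName, $null)
$role.AddTask($roleName, $null)
$role.AddMemberName($Member, $null)
$role.Submit(0, $null)

# Read back what was written so the granted rights can be reviewed.
'Scope      : {0}' -f $scope.Name
'Role       : {0}' -f $role.Name
'Members    : {0}' -f ($role.MembersName -join ', ')
'Operations : {0}' -f ($definition.Operations -join ', ')
```

The read-back at the end is worth keeping in any variant of this script: it shows exactly which operations and accounts the scope now grants, so the result can be compared against the intended least-privilege role.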
In summary, you have defined 2 roles in AzMan and assigned those roles to a user called Student01:
- Hyper-V Manager Role, defined at the default scope, i.e. Hyper-V Services
- Virtual Machine Manager Role, defined inside the 01_scope.
The Hyper-V Azman configuration should look like this one:
Note: Instead of assigning roles to user accounts, you can assign roles to a Windows Security group. For example, in my training environment, I create a SG called AllStudents and assign the Hyper-V Manager role to this SG.
Enjoy!
/Dung