
    July 23

    Delegation Model in Hyper-V – Part 6

     

    In previous posts, I have shown how to create AzMan scopes and roles to delegate administration of Hyper-V virtual machines to domain users. Now that we have an AzMan scope, let’s see how you can apply it to a virtual machine or set of virtual machines.

    Note: In Hyper-V, there is no GUI to assign a scope to a VM; you need to use the Hyper-V WMI API.

    In my example scenario, I have a set of VMs prefixed with “01_” and I want to delegate administration of those VMs to Student01, and only this account can view those VMs in the Hyper-V MMC console. In Part 4 and Part 5, I already created a scope called 01_Scope and some role definitions. Let’s apply this scope to the 01_ VMs.

     

    Script

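    # Management service that exposes ModifyVirtualSystem
    $VM_Service = Get-WmiObject -Namespace root\virtualization Msvm_VirtualSystemManagementService

    # All VMs (the filter excludes the host itself) whose display name starts with "01_"
    $ListofVMs = Get-WmiObject -Namespace root\virtualization Msvm_ComputerSystem -Filter "ElementName <> Name" |
        where { $_.ElementName -like "01_*" }

    foreach ($VM in $ListofVMs) {
        if ($VM -ne $null) {
            # Match the global settings on the VM's GUID (SystemName) rather than on a wildcard
            # of the display name, so that "01_VM1" does not also pick up "01_VM10"
            $VMGlobalSetting = Get-WmiObject -Namespace root\virtualization Msvm_VirtualSystemGlobalSettingData |
                where { $_.SystemName -eq $VM.Name }

            $VMGlobalSetting.ScopeOfResidence = "01_Scope"

            # Pass the modified settings as an embedded instance, serialized to text by GetText(1)
            $VM_Service.ModifyVirtualSystem($VM.__PATH, $VMGlobalSetting.psbase.GetText(1))
        }
    }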

    Et Voilà!

    /Dung
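
The following check is an added example, not part of the original post: it reports VMs with a given name prefix whose ScopeOfResidence is not the expected AzMan scope, which is worth running after the script and again later, since a comment on this post reports the value being reset when a snapshot is applied. The function name Get-VmScopeDrift and the sample objects are constructed for illustration; on a Hyper-V host, pass the output of the Msvm_VirtualSystemGlobalSettingData query instead of the sample.

```powershell
# Added example (hypothetical helper, not from the original post).
# Returns one object per VM whose name starts with $NamePrefix and whose
# ScopeOfResidence differs from $ExpectedScope.
function Get-VmScopeDrift {
    param(
        [Parameter(Mandatory = $true)] [object[]] $GlobalSettings,
        [Parameter(Mandatory = $true)] [string]   $NamePrefix,
        [Parameter(Mandatory = $true)] [string]   $ExpectedScope
    )
    foreach ($setting in $GlobalSettings) {
        # Literal prefix comparison, so wildcard characters in the prefix are not interpreted
        $name = [string]$setting.ElementName
        if (-not $name.StartsWith($NamePrefix, [StringComparison]::OrdinalIgnoreCase)) { continue }

        # An empty, missing or different scope all count as drift
        if ($setting.ScopeOfResidence -ne $ExpectedScope) {
            New-Object PSObject -Property @{
                VMName        = $name
                CurrentScope  = $setting.ScopeOfResidence
                ExpectedScope = $ExpectedScope
            }
        }
    }
}

# Constructed sample data standing in for Msvm_VirtualSystemGlobalSettingData instances.
# On a Hyper-V host, use instead:
#   $settings = Get-WmiObject -Namespace root\virtualization Msvm_VirtualSystemGlobalSettingData
$settings = @(
    New-Object PSObject -Property @{ ElementName = '01_Web'; ScopeOfResidence = '01_Scope' }
    New-Object PSObject -Property @{ ElementName = '01_DB';  ScopeOfResidence = '' }
    New-Object PSObject -Property @{ ElementName = '01_App'; ScopeOfResidence = '02_Scope' }
    New-Object PSObject -Property @{ ElementName = '02_Web'; ScopeOfResidence = '02_Scope' }
)

$drift = @(Get-VmScopeDrift -GlobalSettings $settings -NamePrefix '01_' -ExpectedScope '01_Scope')
$drift | Format-Table VMName, CurrentScope, ExpectedScope -AutoSize

if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) VM(s) with prefix '01_' are not in scope '01_Scope'"
}
```
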

    HyperV WMI PowerShell

    Comments (3)

    Steven Allen wrote:
    How does this work? According to the documentation for the Msvm_VirtualSystemManagementService class, the ModifyVirtualSystem method takes an input parameter of type VirtualSystemSettingData and not VirtualSystemGlobalSettingData (the class with the ScopeOfResidence property). I can't get it to work and receive WBemServiceEx:Invalid method Parameter(s) errors. Am I missing something?
    Aug. 19
    Dung K Hoang wrote:
    Hi
    Thanks for the feedback. As you said, in order to set delegation, you need to have admin privilege on the Hyper-V host system. In my scenario, I use the local administrator account to set the AzMan scope. Please note that domain users who are bound to a scope are absolutely not local admins (Studentxx are simply domain users in my scenario).
    As for setting delegation in Hyper-V, I prefer to use a local admin account, as delegation operations are very security-sensitive operations; I'd not give access to the Hyper-V host to "remote" admins to execute those tasks. As for security settings for DCOM and WMI, in my opinion, it is more related to DCOM and WMI rather than Hyper-V.
    I did not test snapshots with VMs in delegation so must trust your statement. Need to do some further testing!
     
    /Dung
     
     
    Aug. 8
    Sam wrote:
    This is a really good tutorial, however you have missed a few crucial steps at the start. This all assumes that your users are local admins on the host machine. If they are not then they will need to be given permissions in WMI and DCOM in order to connect to the host remotely using the Hyper-V management console.
     
    Also - with regards to the scopes. This works except snapshotting can really mess this up. For example:
    Create a VM, snapshot it a few times, then run the script to assign it to a scope. If you now revert back to any of your snapshots, users of that scope will not be able to manage that VM any more - the ScopeOfResidence value gets reset when a previous snapshot is applied.
     
    Not entirely sure how best to work around it - I suppose you could run the script every few minutes. Is there any way to register a script to be run on snapshotting, or reverting?
    Sam
    Aug. 6
