
Dung's space

Dung K Hoang

Occupation
I work at HP and am living in the beautiful NorthWest region!
23 July

Delegation Model in Hyper-V – Part 6


In previous posts, I have shown how to create AzMan scopes and roles to delegate administration of Hyper-V virtual machines to domain users. Now that we have an AzMan scope, let's see how you can apply it to a virtual machine or a set of virtual machines.

Note: In Hyper-V, there is no GUI to assign a scope to a VM; you need to use the Hyper-V WMI API.

In my example scenario, I have a set of VMs prefixed with "01_" and I want to delegate administration of those VMs to Student01, so that only this account can view those VMs in the Hyper-V MMC console. In Part 4 and Part 5, I already created a scope called 01_Scope and some role definitions. Let's apply this scope to the 01_ VMs.

 

Script

$VM_Service = get-wmiobject -namespace root\virtualization Msvm_VirtualSystemManagementService

# The host itself is also an Msvm_ComputerSystem, with ElementName equal to Name;
# the filter leaves only virtual machines, then we keep the 01_ ones.
$ListofVMs = get-wmiobject -namespace root\virtualization Msvm_ComputerSystem -filter "ElementName <> Name" | `
    where { $_.ElementName -like "01_*" }

foreach ($VM in $ListofVMs) {
    if ($VM -ne $Null) {
        # Exact match on the VM name: a wildcard match such as "*01_VM1*" would also
        # return 01_VM10, and the assignment below then fails on an array.
        $VMGlobalSetting = get-wmiobject -namespace root\virtualization Msvm_VirtualSystemGlobalSettingData | `
            where { $_.ElementName -eq $VM.ElementName }

        $VMGlobalSetting.ScopeOfResidence = "01_Scope"

        # GetText(1) serialises the modified setting data as the CIM-XML string
        # ModifyVirtualSystem expects. 0 = done, 4096 = job started; anything else is an error.
        $Result = $VM_Service.ModifyVirtualSystem($VM.__PATH, $VMGlobalSetting.psbase.GetText(1))
        if (($Result.ReturnValue -ne 0) -and ($Result.ReturnValue -ne 4096)) {
            write-warning "ModifyVirtualSystem returned $($Result.ReturnValue) for $($VM.ElementName)"
        }
    }
}

Et Voilà!
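Once the scope is applied, it is worth checking the result from both sides: which scope each VM now lives in, and who holds a role in that scope. The script below is an added example, not the author's, and needs PowerShell 2.0 or later on the Hyper-V host; it reuses the store path and WMI classes from this post and also flags a VM whose ScopeOfResidence names a scope that no longer exists in the store (nobody but the default-scope roles can reach such a VM).

```powershell
# Added example (not the author's script): list every VM with its AzMan scope
# and the accounts that hold roles in that scope.
$AZStore = New-Object -ComObject AzRoles.AzAuthorizationStore
$AZStore.Initialize(0, "msxml://C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml")
$App = $AZStore.OpenApplication("Hyper-V Services")

# Role assignments in one container (the application for the default scope,
# an IAzScope object otherwise), one "Role: member, member" string per role.
function Get-RoleMembers($Container) {
    foreach ($Role in $Container.Roles) {
        "$($Role.Name): $($Role.MembersName -join ', ')"
    }
}

# The host's own Msvm_ComputerSystem has ElementName equal to Name; the filter
# leaves only virtual machines.
$VMs = Get-WmiObject -Namespace root\virtualization Msvm_ComputerSystem -Filter "ElementName <> Name"
$Settings = Get-WmiObject -Namespace root\virtualization Msvm_VirtualSystemGlobalSettingData

$Report = foreach ($VM in $VMs) {
    $Setting = $Settings | Where-Object { $_.ElementName -eq $VM.ElementName }
    $ScopeName = $Setting.ScopeOfResidence
    if (-not $ScopeName) {
        $Roles = "(default scope only)"
    } else {
        $Scope = $App.Scopes | Where-Object { $_.Name -eq $ScopeName }
        if ($Scope -eq $null) {
            $Roles = "SCOPE MISSING IN AZMAN STORE"   # stale ScopeOfResidence
        } else {
            $Roles = (Get-RoleMembers $Scope) -join "; "
        }
    }
    New-Object PSObject -Property @{ VM = $VM.ElementName; Scope = $ScopeName; Roles = $Roles }
}
$Report | Sort-Object Scope, VM | Format-Table -AutoSize VM, Scope, Roles

# Assignments at the default scope are not tied to a VM; list them once.
"Default scope:"
Get-RoleMembers $App
```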

/Dung

HyperV WMI PowerShell

Delegation Model in Hyper-V – Part 5

Today, I will show you how to create an AzMan scope and role definition to manage Hyper-V virtual machines.

As discussed in Part 3, the "Virtual Machine Manager Role" includes the following operations:

  1. "Allow Input to Virtual Machine",
  2. "Allow Output from Virtual Machine",
  3. "Start Virtual Machine",
  4. "Stop Virtual Machine",
  5. "Pause and Restart Virtual Machine"

For this role, you create a new scope in AzMan, define the role and assign it to users inside this scope.

Step-by-Step

  1. Open a new MMC console. In the main window, click File –> Add/Remove Snap-in… and add "Authorization Manager" to the console.
  2. Back in the console, right click the node Authorization Manager and select Open Authorization Store…. In the dialog box, ensure that the option "XML file" is selected and click Browse. In the Browse window, in the "File name" text box, type C:\ProgramData\Microsoft\Windows\Hyper-V and select InitialStore.xml. Your MMC should look like this one:
     [screenshot: Authorization Manager with the Hyper-V store opened]
  3. Expand the hierarchy, right click Hyper-V Services and select New Scope. In the dialog box, fill out the name as "01_Scope" and click OK.
  4. Under 01_Scope –> Definitions, right click Role Definitions and select New Role Definition. In the dialog box, fill out the name as "Virtual Machine Manager Role" and click Add….
  5. In the Add Definition dialog box, click the "Operations" tab, then add the operations listed above. Your screen should look like this one:
     [screenshot: Add Definition dialog, Operations tab]
  6. Under 01_Scope, right click Role Assignments and select New Role Assignment. In the Add Role dialog box, select "Virtual Machine Manager Role" and click OK.
  7. Back in the console, right click "Virtual Machine Manager Role" and select Assign Users and Groups –> From Windows and Active Directory, and specify Student01 as in my scenario.

In summary, you have defined 2 roles in AzMan and assigned those roles to a user called Student01:

  • Hyper-V Manager Role, defined at the default scope, i.e. Hyper-V Services
  • Virtual Machine Manager Role, defined inside 01_Scope.
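Both roles in this summary can be created without the MMC, using the same AzRoles COM object as the listing script in Part 3. The script below is an added example, not the author's: it wraps the definition-plus-assignment pattern in one function and applies it at the default scope (Part 4's Hyper-V Manager Role) and inside the new 01_Scope (this post's role). DOMAIN\Student01 is a placeholder for the real account or security group, and the script is meant to run once, elevated, on the Hyper-V host, since CreateScope fails if the scope already exists.

```powershell
# Added example (not the author's script): create both roles from the summary above.
$AZStore = New-Object -ComObject AzRoles.AzAuthorizationStore
$AZStore.Initialize(0, "msxml://C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml")
$App = $AZStore.OpenApplication("Hyper-V Services")

# $Container is the application (default scope) or an IAzScope object.
# In AzMan a role definition is a task flagged IsRoleDefinition; the role
# assignment is a role bound to that task with the account as member.
function New-HyperVRole {
    param($Container, [string]$RoleName, [string[]]$Operations, [string]$Member)

    # Operation names are pre-defined by Hyper-V (see Part 3); catch a typo
    # before anything is written to the store.
    $Known = $App.Operations | ForEach-Object { $_.Name }
    $Missing = $Operations | Where-Object { $Known -notcontains $_ }
    if ($Missing) { throw "Not a Hyper-V operation: $($Missing -join ', ')" }

    $Def = $Container.CreateTask($RoleName)
    $Def.IsRoleDefinition = $true
    foreach ($Op in $Operations) { $Def.AddOperation($Op) }
    $Def.Submit()

    $Role = $Container.CreateRole($RoleName)
    $Role.AddTask($RoleName)
    $Role.AddMemberName($Member)
    $Role.Submit()
}

# Part 4: permission to connect to the host, at the default scope.
New-HyperVRole -Container $App -RoleName "Hyper-V Manager Role" `
    -Operations @("Read Service Configuration", "View Virtual Switch Management") `
    -Member "DOMAIN\Student01"

# Part 5: VM operations, visible only inside 01_Scope.
$Scope = $App.CreateScope("01_Scope")
$Scope.Submit()
New-HyperVRole -Container $Scope -RoleName "Virtual Machine Manager Role" `
    -Operations @("Allow Input to Virtual Machine", "Allow Output from Virtual Machine",
                  "Start Virtual Machine", "Stop Virtual Machine",
                  "Pause and Restart Virtual Machine") `
    -Member "DOMAIN\Student01"
```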

The Hyper-V AzMan configuration should now look like this:

[screenshot: the AzMan console with both roles]

Note: Instead of assigning roles to user accounts, you can assign roles to a Windows security group. For example, in my training environment, I created a security group called AllStudents and assigned the Hyper-V Manager Role to that group.


Enjoy!

/Dung

HyperV WMI PowerShell

12 July

Delegation Model in Hyper-V – Part 4


Now that you have a good understanding of AzMan, let's implement a simple delegation model for Hyper-V. I use the following scenario as an example. In my training labs, I have a group of students (Student01, Student02, …) to whom I assign a set of VMs as follows: Student01 gets, and can only manage, the 01_ VMs; Student02 gets the 02_ VMs; and so on.


Basic AzMan roles

To delegate administration of a selected virtual machine to a user, an administrator needs to:

  1. Create specific AzMan roles and scope
  2. Apply scope to designated VMs

You need to define at least the following roles:

  • "Hyper-V Manager Role". This role includes the operations "Read Service Configuration" and "View Virtual Switch Management". The role is assigned to all users who want to connect to a Hyper-V host from the Hyper-V Manager console. If a user is not assigned this role in AzMan, they get an error message in the Hyper-V MMC stating that the credentials do not have sufficient permissions to connect to the service.
    Finally, as this role is used to define permissions to connect to the Virtual Machine Management Service, you create the role and assign users at the default scope of Hyper-V in AzMan.
    Note: The name of the role is chosen by the administrator. However, the names of the operations are pre-defined, and you must select the right operations when creating the role.
  • "Virtual Machine Manager Role". This role includes the following operations:
    1. "Allow Input to Virtual Machine",
    2. "Allow Output from Virtual Machine",
    3. "Start Virtual Machine",
    4. "Stop Virtual Machine",
    5. "Pause and Restart Virtual Machine"

For this role, you create a new scope in AzMan, define the role and assign it to users inside this scope, not at the default scope level.


Step-by-Step

In this section, I will show you how to create the roles in AzMan.

  1. Open a new MMC console. In the main window, click File –> Add/Remove Snap-in… and add "Authorization Manager" to the console.
  2. Back in the console, right click the node Authorization Manager and select Open Authorization Store…. In the dialog box, ensure that the option "XML file" is selected and click Browse. In the Browse window, in the "File name" text box, type C:\ProgramData\Microsoft\Windows\Hyper-V and select InitialStore.xml. Your MMC should look like this one:
     [screenshot: Authorization Manager with the Hyper-V store opened]
  3. Expand the hierarchy, right click Role Definitions and select New Role Definition. In the dialog box, fill out the name as "Hyper-V Manager Role" and click Add….
  4. In the Add Definition dialog box, click the "Operations" tab, then add the 2 operations specified above. Your screen should look like this one:
     [screenshot: Add Definition dialog, Operations tab]
  5. Now create a domain user named Student01. Use runas to open an MMC console with Student01's credentials. Add the Hyper-V Manager snap-in to this console and try to connect to the local Hyper-V host system. You should see an error like this one:
     [screenshot: Hyper-V Manager "insufficient permissions" error]
  6. Switch back to the AzMan console. You will now assign this role to Student01. Right click Role Assignments and select New Role Assignment. In the Add Role dialog box, select "Hyper-V Manager Role" and click OK.
  7. Back in the console, right click "Hyper-V Manager Role" and select Assign Users and Groups –> From Windows and Active Directory, and specify Student01 as in my scenario.
  8. Switch back to the Hyper-V console running under Student01's profile and hit F5 to refresh; the error message should disappear!

You have successfully created the Hyper-V Manager Role. Bravo!

Enjoy!

/Dung

HyperV WMI PowerShell

08 July

Delegation Model in Hyper-V – Part 3


Today, let's discuss the basic Hyper-V operations defined in AzMan.

Displaying Hyper-V Operations

As explained in previous posts, all pre-defined Hyper-V operations are stored in the InitialStore.xml file located under C:\ProgramData\Microsoft\Windows\Hyper-V. You can view the list of operations from the AzMan console. However, the output is not easy to read, as it is confined to a small dialog box.

Fortunately, you can also use PowerShell to get the same list through the AzMan COM object. Here is a PowerShell snippet that writes the list to a CSV file:

$AppName = "Hyper-V Services"

##
##    Open the Hyper-V AzMan store (flag 0 = open an existing store, do not create one)
##
$AZStore = new-object -COMObject AzRoles.AzAuthorizationStore
$AZStore.Initialize(0, "msxml://C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml")

##
##    Access the default scope (the AzMan application)
##
$HyperVApp = $AZStore.OpenApplication($AppName)

##
##    Get the list of operations. The operations live in the application's
##    Operations collection; selecting from $HyperVApp itself would only
##    return the application's own Name and Description.
##
$HyperVApp.Operations | select Name, Description | export-csv -NoTypeInformation c:\ListOfOperations.csv

You can then import the CSV file into Excel and build tables that group the Hyper-V operations per category.

[tables omitted: Hyper-V operations grouped by category]


Enjoy!

/Dung

HyperV WMI PowerShell

07 July

Delegation Model in Hyper-V – Part 2


In this post, I will show you how to explore the Hyper-V AzMan configuration from the GUI.

AzMan GUI interface

There is no pre-defined AzMan console in Windows Server 2008; you have to create your own. To do this, run mmc.exe from a command window. In the MMC, click File –> Add/Remove Snap-in and add the snap-in named Authorization Manager. Save your MMC console for later use.

In the AzMan MMC console, right click the node Authorization Manager and select Open Authorization Store…. In the Open Authorization Store dialog, select XML file and type in the Store name: C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml, assuming that C: is your system drive.

Note: Be aware that the ProgramData folder is hidden, so you cannot browse to it.

Figure 1 shows the GUI interface of AzMan.

[Figure 1: the AzMan console]

Exploring Hyper-V Operations

To see all pre-defined operations in Hyper-V, right click Task Definitions and select New Task Definition…. Click Add… and ignore the informational message box. In the Add Definition dialog box, click the Operations tab; you will see the list of available Hyper-V operations, as shown in Figure 2 below.

[Figure 2: the Operations tab listing the Hyper-V operations]

Using the same technique, you can create task definitions and role definitions. Once done, you can go to the node Role Assignments to create roles and assign them to users or groups of users.

Creating Scopes

Now, right click Hyper-V Services and select New Scope…. Provide a name for the new scope and you will see that a node is created under Hyper-V Services with the following sub-hierarchy:

    |-- Groups
    |-- Definitions
    |-- Role Assignments

All tasks, role definitions and role assignments created there are valid only at this new scope level. On the other hand, tasks and role definitions created at the default scope level can be seen and used by the "child" scope.

Summary

It is quite easy to use the AzMan console to create tasks, roles and scopes. In the next posts, I will show how to use PowerShell scripts to automate those tasks!

Stay tuned!


Enjoy!

/Dung

HyperV WMI PowerShell