Q. How do I grant a user or group the ability to manage only specific virtual machines (VMs)?

A. By default, Authorization Manager's configuration has one scope that covers all VMs. You can define additional scopes and then create role definitions and assignments within that scope. We then need to assign the scope to specific VMs.

To create a new scope, simply select New Scope... from the Actions under Hyper-V services. Give the scope a name, such as Client_Virtuals, and a description and click OK.

Once the scope is created, you can create roles and assign them as per the normal Hyper-V services. Note that you can add the role definitions defined at the Hyper-V services level to roles within a scope to save having to duplicate the selection of operations that are related to a role. You can also directly assign roles defined at the Hyper-V services level to people within the scope, but these people will only have permission on virtuals that are part of this scope. In the example below I used the Administrator Role Definition that is part of Hyper-V services and granted it to user Clark within the Client_Virtuals scope.

Finally, link this scope to a VM. There's no way of doing this in the GUI, you must use the Hyper-V WMI interface. Use the script below:

' hvscopeset.vbs John SavillIf Wscript.Arguments.Count < 1 Then  Wscript.Echo "Arguments  [] required. For example:" & vbCrLf _  & "cscript hvscopeset.vbs savdalvs01 Client_Scope"  Wscript.Quit(0)End IfstrVMName = Trim(Wscript.Arguments(0))strComputer = "."Set objWMIService = GetObject("winmgmts:" _& "{impersonationLevel=impersonate}!\" _& strComputer & "rootVirtualization")Set objMsvm_VirtualSystemManagementService = objWMIService.ExecQuery( _ "SELECT * FROM Msvm_VirtualSystemManagementService").ItemIndex(0)Set objVM = (objWMIService.ExecQuery( _ "SELECT * FROM Msvm_ComputerSystem WHERE ElementName='" & strVMName & "'")).ItemIndex(0)Set objMSVM_VirtualSystemGlobalSettingData = (objVM.Associators_("MSVM_ElementSettingData", _ "MSVM_VirtualSystemGlobalSettingData")).ItemIndex(0) If Wscript.Arguments.Count > 1 Then  strScope = Trim(Wscript.Arguments(1))  objMSVM_VirtualSystemGlobalSettingData.ScopeOfResidence=strScope  intResult = objMsvm_VirtualSystemManagementService.ModifyVirtualSystem(objVM.Path_.Path, _   objMSVM_VirtualSystemGlobalSettingData.GetText_(1))  If intResult <> 0 Then   WScript.Echo "Error - " & intResult  End IfEnd If'List out scopesSet objMSVM_VirtualSystemGlobalSettingData = (objVM.Associators_("MSVM_ElementSettingData", _ "MSVM_VirtualSystemGlobalSettingData")).ItemIndex(0) Wscript.Echo strVMName & " in scope " & objMSVM_VirtualSystemGlobalSettingData.ScopeOfResidence

To use the script, just pass the name of the VM and the scope to add to. If you don't pass the name of a scope, it will just list out the scope the VM is currently in. If you pass two double quotes ("") as the scope, it will remove the VM from the scope.

D:Temp>cscript hvscopeset.vbs savtstdc01 Client_VirtualsMicrosoft (R) Windows Script Host Version 5.8Copyright (C) Microsoft Corporation. All rights reserved.savtstdc01 in scope Client_VirtualsD:Temp>cscript hvscopeset.vbs savtstdc01Microsoft (R) Windows Script Host Version 5.8Copyright (C) Microsoft Corporation. All rights reserved.savtstdc01 in scope Client_Virtuals

Be aware that if you set permissions on a VM scope, you still need the user to have the Allow Input to Virtual Machine, Allow Output from Virtual Machine, and Read Service Configuration operations at the Hyper-V services scope level from the Hyper-V MMC snap-in to show information correctly.

In the screenshot shown here, you can see the various scopes I created and assigned so the user named Clark can only manage one of the VMs. As you can see, I have a ViewStatus role, which has only read service and I/O to VMs, and a ControlVM role, which can stop, start, pause, resume VMs. I assign the ViewStatus at the Hyper-V Services scope level then the ControlVM role at the Client_Virtuals scope level, which means Clark can only control the VMs in the Client_Virtuals scope.

Related Reading

Videos:

Audio:

Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.