John Howard - Senior Program Manager in the Hyper-V team at Microsoft

Senior Program Manager, Hyper-V team, Windows Core Operating System Division.

Part 1 - Hyper-V Remote Management: You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer ‘COMPUTERNAME’


Update 14th Nov 2008. I've just released a script which does all this configuration in one or two command lines: HVRemote 

Quick links to all parts in the series: 1, 2, 3, 4 and 5

After the many emails I’ve had about this, it seemed only appropriate to write up a detailed post (or two actually) about how to resolve this.

You will hit this problem when using the Hyper-V Vista management tools connecting to a remote Windows Server 2008 machine with the Hyper-V role enabled, and where both machines are in a workgroup (or in a domain environment where you genuinely don’t have access - but that's another blog entry).

There are several additional configuration steps you need to complete to make remote management work in a workgroup environment.


Step 1 (On Client and Server)

Make sure you are using a username and password that match between the client and the server. For this walkthrough, I created an account with the username “john” with the same password on both machines. The “john” account is not an administrator on the server machine, but is an administrator on the client machine (for convenience).

Step 2A (On Server core installations)

See part 3 of this series.

Step 2B (On Server full installations)

Enable the firewall rules on the server for WMI (Windows Management Instrumentation). From an elevated command prompt, enter the following:

netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes


Make sure the command is successful and responds with “Updated 4 rule(s). Ok.”

Note: The string in quotes must match the group name defined in the Windows firewall itself. So if you are running a non-English language server, you will need to verify what group name this is. If you copy and paste the command rather than typing it, check that the quotes are plain straight quotes; “word”-style curly quotes are not recognised.

If you now open “Windows Firewall with Advanced Security” from Administrative Tools on the start menu, you will notice that four rules (three inbound and one outbound) have been enabled. (It helps to sort by Group.)


Step 3 (On Server)

This step grants appropriate DCOM (Distributed COM) permissions to the user(s) who are remotely connecting. Depending on your circumstances, you can add the individual users (they must obviously have an account already on the server), a group, or you can allow all users by selecting the “Authenticated Users” group.

Open Component Services by typing “dcomcnfg” in the box on the start menu, and expand the menu so that “My Computer” is selected under Component Services\Computers.


Right-click on My Computer, select Properties and select the “COM Security” tab.

On that tab, click Edit Limits in the “Launch and Activation Permissions” area (not to be confused with the Edit Limits in the “Access Permissions” area).

Click “Add…” and enter the users (or groups, including “Authenticated Users”, as appropriate).

Click OK, then select the added user or group.

In the Allow column, select Remote Launch and Remote Activation, then click OK.

Close Component Services.

Step 4 (On Server)


This step grants appropriate WMI permissions to the user(s) who are remotely connecting. You need to grant access to two namespaces, and, as in step 3, you can add individual users, group(s) or the “Authenticated Users” group.

Open Computer Management under Start/Administrative Tools, expanding the tree down through Services and Applications\WMI Control. Select WMI Control.

Right-click on WMI Control and select Properties. Then switch to the Security tab. Select the Root\CIMV2 namespace node.

IMPORTANT: You need to set the security twice. Once for the Root\CIMV2 namespace, and then again for the Root\virtualization namespace.

Click the Security button. If the appropriate user or group does not already appear, use “Add…” as you did in Step 3 above to add them.


Now select the user and click the Advanced button below the “Permissions for <user>” area.

Again, make sure the user/group is selected and click Edit.

You need to make three changes here:

  • In the “Apply to:” drop-down, select “This namespace and subnamespaces”
  • In the Allow column, select Remote Enable
  • Check “Apply these permissions to objects and/or containers within this container only”


Once all three settings are in place, click OK through the open dialogs.

Repeat for the Root\virtualization namespace.

Click OK as appropriate to confirm all open dialogs and close Computer Management.

Step 5 (On Server)

This step configures the Authorization Manager (AZMan) policy for the server running the Hyper-V role. In this walkthrough, I am assuming you are using the in-box default policy and have not reconfigured anything at this stage.

Open Authorization Manager by typing “azman.msc” in the box on the start menu.


Right-click on the Authorization Manager and choose Open Authorization Store from the context menu.


Make sure the “XML file” radio button is selected, and browse to the \ProgramData\Microsoft\Windows\Hyper-V directory on the system drive and select InitialStore.xml, then click OK.

I’m going to keep this walkthrough as simple (!) as possible and make my “john” account an Administrator in the context of Hyper-V authorization policy. Expand the tree down through InitialStore.xml\Hyper-V services\Role Assignments\Administrator, and select Administrator.

In the area on the right, right-click and select “Assign Users and Groups” then “From Windows and Active Directory…”.

Add the appropriate users or groups (in this walkthrough, the “john” account).

Close the Authorization Manager MMC.

IMPORTANT. You must now reboot your server for the above changes to take effect.
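
To confirm what Steps 3 and 4 actually granted, the following added example (not from the original post and not part of HVRemote) lists every account that holds Remote Enable on the two WMI namespaces and Remote Launch or Remote Activation in the DCOM launch limits, and flags any grant to Authenticated Users. It assumes an elevated Windows PowerShell session on the server; the function names are the example's own.

```powershell
# Added audit example (function names are this example's own); run elevated on the server.
$WbemRemoteAccess  = 0x20   # WMI "Remote Enable" (WBEM_REMOTE_ACCESS)
$ComRemoteLaunch   = 0x4    # DCOM "Remote Launch"
$ComRemoteActivate = 0x10   # DCOM "Remote Activation"

function New-Finding($Check, $Sid, $Rights) {
    New-Object PSObject -Property @{ Check = $Check; Sid = $Sid; Rights = $Rights }
}

# Step 4: which trustees hold an allow ACE with Remote Enable on each namespace?
function Get-WmiRemoteEnableTrustee {
    param([string[]]$Namespace = @('root\cimv2', 'root\virtualization'))
    foreach ($ns in $Namespace) {
        $r = Invoke-WmiMethod -Namespace $ns -Path '__SystemSecurity=@' `
                 -Name GetSecurityDescriptor -ErrorAction SilentlyContinue
        if ($null -eq $r -or $r.ReturnValue -ne 0) {
            Write-Warning "Could not read the security descriptor of $ns"
            continue
        }
        foreach ($ace in $r.Descriptor.DACL) {
            # AceType 0 is an allow ACE; AceFlags 0x2 means sub-namespaces inherit it.
            if ($ace.AceType -eq 0 -and ($ace.AccessMask -band $WbemRemoteAccess)) {
                $scope = if ($ace.AceFlags -band 0x2) { 'namespace and subnamespaces' } else { 'namespace only' }
                New-Finding "WMI $ns" $ace.Trustee.SIDString "Remote Enable ($scope)"
            }
        }
    }
}

# Step 3: which trustees may launch or activate COM servers remotely (Edit Limits)?
function Get-DcomRemoteLaunchTrustee {
    $bytes = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole').MachineLaunchRestriction
    if ($null -eq $bytes) { Write-Warning 'MachineLaunchRestriction is not set'; return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        $rights = @()
        if ($ace.AccessMask -band $ComRemoteLaunch)   { $rights += 'Remote Launch' }
        if ($ace.AccessMask -band $ComRemoteActivate) { $rights += 'Remote Activation' }
        if ($ace.AceType -eq 'AccessAllowed' -and $rights) {
            New-Finding 'DCOM launch limits' $ace.SecurityIdentifier.Value ($rights -join ', ')
        }
    }
}

$findings = @(Get-WmiRemoteEnableTrustee) + @(Get-DcomRemoteLaunchTrustee)
$findings | Sort-Object Check, Sid | Format-Table Check, Sid, Rights -AutoSize
# S-1-5-11 is Authenticated Users: every account that can log on gets the right.
$findings | Where-Object { $_.Sid -eq 'S-1-5-11' } |
    ForEach-Object { Write-Warning "$($_.Check): granted to Authenticated Users" }
```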

In part 2, I'll walk through the client configuration steps.



Cheers,
John.

Comments
  • I followed this as far as step 5 but I don't have a directory

    \ProgramData\Microsoft\Windows\Hyper-V on my W2K8 Server

    I cannot find a file called InitialStore.xml

  • Step 2B fails on US English W2K8:

    "Group cannot be specified along with other identification conditions."

    Looking at the firewall rules, there are three inbound rules and one outbound rule, resembling the name, neither an exact match:

    "Windows Management Instrumentation (ASync-In)"

    "Windows Management Instrumentation (DCOM-In)"

    "Windows Management Instrumentation (WMI-In)"

    "Windows Management Instrumentation (WMI-Out)"

    I really feel spoiled by how simple it is to use VMWare Server, no need for a 5 part series on how to get the remote functionality to work.

    Will RTM automate this manual configuration process to allow "seamless" remote management?

  • Pieter - did you copy or type the command in? If you copied, I believe the quotes are in "word" format and won't be recognised.

    Thanks,

    John.

  • Mike - that directory is hidden. Navigate to it using the address bar in Windows explorer by typing c:\programdata\..... replacing c: with your system drive.

    Thanks,

    John.

  • Mike (Brown) - are you using SCVMM or the in-box UI? I'm wondering this due to some of the terminology you are using. Currently SCVMM is incompatible with Hyper-V RC1, so that could be the cause of the issue. If you are using the inbox UI, please let me know and I'll assist you working out what's wrong.

    Thanks,

    John.

  • I'm stuck on step 5.

    I navigate to \ProgramData\Microsoft\Windows but there is no Hyper-V folder.

    Hyper-V is running on core and I'm trying to access it through Vista SP1.

  • Ron - are you sure you're navigating to \programdata on the remote box rather than the local Vista client (ie \\<server>\programdata\.....)?

    Thanks,

    John.

  • Hyper-V Monitor Gadget for Windows Sidebar

  • Hyper-V Monitor Gadget for Windows Sidebar

  • I see PingBack isn't a very good feature in most blogs.

    Sorry about the spam John, feel free to remove the comments above! :)

  • With the RTM release of Hyper-V just around the corner, I thought it would be a good idea to re-visit

  • So after even more feedback and questions, part 4 of this series provides the walkthrough steps necessary

  • If you manage (or are thinking of managing :) ) several Hyper-V servers from a Windows Vista SP1 machine, this

  • In the Hyper-V shiproom, we have signed off on Hyper-V RTM (Release To Manufacturing). The build and

  • And if I need to delegate one user to administer one VM, not the entire Hyper-V machine...

    How should I do it?
