Comments

# John Howard : Part 2 - Hyper-V Remote Management: You do not have the requested permission to complete this task. Contact the administrator of the authorization policy for the computer ???COMPUTERNAME??? said:

PingBack from http://blogs.technet.com/jhoward/archive/2008/03/28/part-2-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspx

28 March 08 at 11:13 PM

# Virtual PC Guy's WebLog said:

I am feeling lazy today - but thankfully my colleagues have been working hard :-) Mike Kolitz has done

29 March 08 at 3:01 AM

# Alberto said:

This is really tricky John.

What if i have Hyper-v installed on a core based install?

29 March 08 at 3:37 PM

# John Howard said:

More for my own reference, as I keep having to search the Internet for this document and never bookmark

29 March 08 at 6:08 PM

# Sebastien Lambla said:

This cannot work on a core install, because you need to generate the OLE registry key yourself and repalce it, as dcomcnfg is not available.

I've been playing around with this for two days and resorted to creating a new AD forest. Quicker and more reliable.

I wish I found your articles sooner, as they would've confirmed my suspicions much earlier and save me a day of procmon and experimenting with security settings! Thanks for the valiant effort though.

Seb

29 March 08 at 7:13 PM

# jhoward said:

@Sebastien - actually, no that is not correct. This does work on server core with a few variations. Give me a couple of days - I'm documenting the exact steps and will be posting it up soon. (And part 3 really IS a valiant effort. You'll see why when you see it!!!)

Thanks,

John.

29 March 08 at 11:24 PM

# jhoward said:

@Alberto. Just finishing off the write up. Hopefully I'll have the finished post ready tomorrow.

Thanks,

John.

30 March 08 at 5:24 PM

# jhoward said:

Sebastien/Alberto - see the write up, now published here: http://blogs.technet.com/jhoward/archive/2008/03/30/part-3-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspx

Cheers,

John.

30 March 08 at 10:42 PM

# John Howard said:

So far, I’ve covered the following Hyper-V Remote Management scenarios: Workgroup: Vista client to remote

04 April 08 at 10:49 PM

# AramSmith said:

John,

You rock! thanks a lot for this 'patch'

20 April 08 at 9:20 AM

# A. Kevin B. said:

This article saved me several days of work!  Thanks, Thanks, Thanks!!!

23 April 08 at 4:18 PM

# Windows Virtualization Team Blog said:

Apologies for a lack of a new post on the WMI scripts, look for a new double part post Wednesday morning. 

20 May 08 at 11:57 AM

# Rod Trent at myITforum.com said:

Source: Microsoft Virtualization Team Blog Apologies for a lack of a new post on the WMI scripts, look

20 May 08 at 2:03 PM

# Windows Server 2008 blog by Kurt Roggen [BE] said:

Improvements Over Hyper-V RC0 In addition to bug fixes and stability improvements, Microsoft also made

20 May 08 at 2:07 PM

# The World Simplified is a Virtual World said:

This is the one you have been waiting for, get it, install it.  Enjoy :) Windows Server 2008 x64

22 May 08 at 5:12 AM

# Mike Gibbs said:

I followed this as far as step 5 but I don't have a directory

\ProgramData\Microsoft\Windows\Hyper-V on my W2K8 Server

I cannot find a file called InitialStore.xml

31 May 08 at 3:59 PM

# Pieter said:

Step 2B fails on US English W2K8:

"Group cannot be specified along with other identification conditions."

Looking at the firewall rules, there are three inbound rules and one outbound rule, resembling the name, neither an exact match:

"Windows Management Instrumentation (ASync-In)"

"Windows Management Instrumentation (DCOM-In)"

"Windows Management Instrumentation (WMI-In)"

"Windows Management Instrumentation (WMI-Out)"

I really feel spoiled by how simple is is to use VMWare Server, no need for a 5 part series on how to get the remote functionality to work.

Will RTM make automate this manual configuration process to allow "seamless" remote management?

01 June 08 at 3:00 PM

# jhoward said:

Pieter - did you copy or type the command in? If you copied, I believe the quotes are in "word" format and won't be recognised.

Thanks,

John.

03 June 08 at 12:29 AM

# jhoward said:

Mike - that directory is hidden. Navigate to it using the address bar in Windows explorer by typing c:\programdata\..... replacing c: with your system drive.

Thanks,

John.

03 June 08 at 12:31 AM

# jhoward said:

Mike (Brown) - are you using SCVMM or the in-box UI? I'm wondering this due to some of the terminology you are using. Currently SCVMM is incompatible with Hyper-V RC1, so that could be the cause of the issue. If you are using the inbox UI, please let me know and I'll assist you working out what's wrong.

Thanks,

John.

03 June 08 at 12:32 AM

# Ron said:

I'm stuck on step 5.

I navigate to \ProgramData\Microsoft\Windows but there is no Hyper-V folder.

Hyper-V is running on core and I'm trying to access it through VIsta SP1.

05 June 08 at 1:22 PM

# jhoward said:

Ron - are you sure you're navigating to \programdata on the remote box rather than the local Vista client (ie \\<server\programdata\.....)?

Thanks,

John.

05 June 08 at 2:35 PM

# Mindre.net said:

Hyper-V Monitor Gadget for Windows Sidebar

21 June 08 at 6:56 PM

# Mindre.net said:

Hyper-V Monitor Gadget for Windows Sidebar

24 June 08 at 12:44 PM

# Tore Lervik said:

I see PingBack is't a very good feature in most blogs.

Sorry about the spam John, feel free to remove the comments above! :)

25 June 08 at 4:38 AM

# Ask the Core Team said:

With the RTM release of Hyper-V just around the corner, I thought it would be a good idea to re-visit

25 June 08 at 7:43 AM

# John Howard said:

So after even more feedback and questions, part 4 of this series provides the walkthrough steps necessary

25 June 08 at 5:48 PM

# ZenIT Blog said:

Se gestite (o pensate di gestire :) ) diversi server Hyper-V da una macchina Windows Vista SP1, questo

26 June 08 at 8:16 AM

# John Howard - Hyper-V and virtualization blog said:

In the Hyper-V shiproom, we have signed off on Hyper-V RTM (Release To Manufacturing). The build and

26 June 08 at 12:00 PM

# Franck said:

and if I need to delegate one user administer one VM, not the entire Hyper-V machine...

How should I do ?

27 June 08 at 8:10 AM

# jhoward said:

Franck - this is part of our Authorization Manager (AZMan) infrastructure. More information on this will be available in the official documentation very soon. It's also something that my colleague Ben (http://blogs.msdn.com/virtual_pc_guy) was looking to provide some unofficial (ie blog) information on soon.

Thanks,

John.

27 June 08 at 1:57 PM

# John Howard - Hyper-V and virtualization blog said:

Soon, I promise, I will be publishing part 3 which is the workgroup server-core version of &#8220; Hyper-V

29 June 08 at 7:49 PM

# Csabi IT blogja said:

A TechNet Magazin júniusi számában megjelent cikkem teljes változata. Valamivel több képpel. Különös

01 July 08 at 12:11 PM

# Hyper-v said:

Tore Lervik: I&#39;ve created a sidebar gadget so I can see what the Hyper-V server is doing from my

02 July 08 at 3:43 PM

# Hyper-v said:

Tore Lervik: I&#39;ve created a sidebar gadget so I can see what the Hyper-V server is doing from my

04 July 08 at 12:59 AM

# Alfred said:

Thank you for spending the 2+ hours to capture this for us. It really made my life so much easier: I would not have figured this out myself this side of Christmas!

Thank you!!!

10 July 08 at 12:10 PM

# NL said:

Hi,

Great write up! Just one question...do I need to reboot the server everytime I add a new hyper-v user in azman? Or is the reboot required only for initial setup of the remote management?

Thanks!

27 July 08 at 4:39 PM

# jhoward said:

NL - No, that isn't actually necessary.

Thanks,

John.

07 August 08 at 1:58 PM

# Richard's Weblog said:

You may have seen from a recent post that I received a new laptop that was capable of running Hyper-V.

11 August 08 at 6:20 PM

# Amir said:

John, Great detailed information and walk-through! Thank you for your time and sharing it.

However, I have not been able to connect and I am getting the same "WMI:Access Denied" issue as Derek mentioned above with the difference that I am running Vista on my physical laptop.

My laptop is joined to the domain of business coorporation and the Windows Server 2008 is part of a workgroup at my home.  I have followed allthe steps to the letter.  The Remote Server Administration Tools for the Hyper-V Tool is also enabled and the properly allowed through firewall extensions.  I can Remote Desktop to the server just fine and as extra caution I have added the server IP address to my "hosts" file as well.  when i try to connect to the server from Vista Hyper-V Manager, after few seconds, I get "the operation on computer '<the server IP address>' failed.

Any idea, what is missing?

BTW, I initially posted this comment by mistake to Part 3 which is for Core installation.  I have full WIN2K8 installation.

Thanks,

Amir

12 August 08 at 2:22 PM

# Amir said:

John, further to my note above, I learned that possibly the firewall setting on my laptop is blocking the inbound communication. These firewall settings are controlled by the firewall rules in the  Local Security Policy.  I even cannot ping my laptop from the WIN2K8 server and get timed out while on the other hand I can do remote desktop to the server from my laptop.

Do you know what inbound or outbound firewall rules I need to enable in order to get Hyper-V Manager on my Vista laptop (joined to a domain) communicate with my WIN2K8 server (on a local work group)?

Thanks for any tips.

Amir

14 August 08 at 1:37 PM

# Asshen said:

Is it just me, or did Microsoft make this much too complicated ???

14 August 08 at 1:56 PM

# jhoward said:

Amir - see part two for the client firewall settings. Essentially you need to run

netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

netsh firewall add allowedprogram program=%windir%\system32\mmc.exe name="Microsoft Management Console"

Also see part 5 for the domain client to workgroup server configuration.

Thanks,

John.

14 August 08 at 1:59 PM

# jhoward said:

Asshen - yes, point well taken, but similar steps are necessary for any form of remote WMI/DCOM - it's not stricly specific to Hyper-V. We're looking to see how we can get this improved.

Thanks,

John.

14 August 08 at 2:01 PM

# Hiroshi Okunushi's Blog ☆ミ said:

日本語だと&#8595;なエラーが出る件です。 「このタスクを完了するために必要なアクセス許可がありません。このコンピュータ &#8216;xxxxxxx&#8217; の承認ポリシーの管理者に問い合わせてください。」

20 August 08 at 2:42 PM

# Random Musings of Jeremy Jameson said:

As I mentioned in my previous post , last month I built out a new virtual environment using Hyper-V on

28 August 08 at 10:29 AM

# The World Simplified is a Virtual World said:

Well I just want to introduce you to a new writer who is gonna come along and help giving you great content

29 August 08 at 8:26 PM

# Tim Chen said:

Hey John just wanted to say thanks for the help but now I have run into some real problems.

I am not using remote management tool, but am instead going into RDP and have tried KVM to get Hyper V to work.

I have failed miserably and no matter what I try I can't create VMs and cannot do anything except "remove server"

I am hopelessly lost with a "you might not have permission to perform this task error"

Help ! =)

Troubled Tim-

05 September 08 at 4:45 PM

# jhoward said:

Tim - Just so I understand your scenario. You have a box running Hyper-V which is a full install (as opposed to server core). You are using a TS session (mstsc) to log on to the server and/or using a KVM as-if you were sitting in front of the server console to log on to it. From there, you're running Hyper-V Manager and getting the permission error.

Are you an administrator on the machine, or if not, have you granted your account the appropriate permissions in AZMan?

Thanks,

John.

05 September 08 at 7:11 PM

# The World Simplified is a Virtual World said:

Well you might not be as Vista gadget crazy as I am but this is still very cool! I am a firm believer

07 September 08 at 7:13 AM

# jhoward said:

Amir - just to follow up due to other emails I had, I've also seen this problem reported now after 3rd party AV and firewall  application have been installed on the client machine.

Thanks,

John

11 September 08 at 11:57 PM

# zvzvz said:

ow after 3rd party AV and firewall  application have been installed on the client machine.

Thanks,

14 September 08 at 7:25 PM

# Joe said:

You keep posting "You do not have the "requested" permission to complete this task. "

However the error actually reads:

"You do not have the REQUIRED permission to complete this task".

It was difficult to find this page because the correct search string in Google was not found.

28 September 08 at 12:51 AM

# Chandru said:

Hi John,

I have installed Hyper-V on Windows Server 2008 Core. I have installed the Hyper-V Manager in my Windows Vista Client

The Server and Vista are connected in a domain, also I have administrator rights on both boxes.

My  Windows Firewall is turned off in Vista box, I am able to connect to the core server using Hyper-V Manager, but it alwasys says the "The Operation on Computer 'servername'  Failed". I see all the options active but I am unable to create a new Virtual Machine on the server or cofigure VM Switch

I went through all five of your series and followed all the steps and am still getting the same error.

When I tried to approach KB950050 and KB966589 patches, it says it does not apply to the system.

Please point me how to fix this issue and where I am going wrong

thanks,

Chandru

03 October 08 at 5:35 PM

# Hyper-Vangelis said:

&#922;&#945;&#955;&#951;&#963;&#960;έ&#961;&#945; &#963;&#949; ό&#955;&#959;&#965;&#962; &#964;&#959;&#965;&#962;

06 October 08 at 7:39 PM

# Andy Dawson's Blog said:

Yesterday I finally got around to installing SCVMM 2008 beta onto a virtual machine (mainly to help us

14 October 08 at 10:10 AM

# The Blog at the End of the Universe said:

I got home from San Francisco on Friday afternoon.&#160; I had one thing in mind (this is going to be

15 October 08 at 3:47 AM

# Lduval said:

Hi John,

Could you please write a similar guide for "Hyper-V Server 2008" (Baremetal). I can't apply this one to connect with Vista on an Hyper-V in Workgroup BECAUSE there is nothing like DCOMCNFG in  "Hyper-V Server 2008" (which is not a real Core Server).

16 October 08 at 5:42 AM

# jhoward said:

Lduval - I'll add it to a list, but I should be up front and say it may be some time off yet. However, you should still be able to run from the command prompt in Hyper-V server net localgroup "Distrubuted COM Users" <username> /add to solve this.

Thanks,

John.

16 October 08 at 4:50 PM

# Tech Presales and Business News for Austrian Partners said:

Im Zuge meiner Hyper-V Aktivitäten finde ich immer wieder sehr interessante Artikel im Netz, die ich

29 October 08 at 6:28 AM

# Geek Noise said:

Hyper-V Management Console on Vista x64

04 November 08 at 6:34 PM

# NeatCoding said:

[Weekly Issue] Hyper-V Core e controllo remoto

10 November 08 at 8:25 AM

# Mathew said:

Those links to the management tools don't work, and I can't find the tools anywhere. Any ideas?

13 November 08 at 2:27 AM

# jhoward said:

Matthew - yes, I wrote these articles a few months before RTM came out. You want http://support.microsoft.com/kb/952627 for Vista SP1. The RTM links are on the far right of the blog page.

Thanks,

John

13 November 08 at 12:47 PM

# John Howard - Hyper-V and virtualization blog said:

It has been a little quiet on the blog front, but sometimes, at least in this case, I hope I've come

14 November 08 at 8:44 PM

# HyperVoria said:

Announcing &quot;HVRemote&quot;...., a tool to &quot;automagically&quot; configure Hyper-V Remote Management

17 November 08 at 4:34 PM

# Microsoft, su tecnología y yo said:

Hola Una herramienta imprescindible para configurar los servidores con Hyper-V para que se puedan administra

18 November 08 at 3:49 PM

# PaulDe's Blog said:

Hyper-V Serverをドメイン環境で使用するには特別な設定する必要は特にありませんが、ワークグループの場合は、あいにくいろいろな設定をいじることが必要になります。 まず、必要なサーバー側とクライアント側の設定があります。変更の比較的少ないサーバーの設定を先に説明します。

20 November 08 at 11:12 AM

# Igor Shastitko Technical Blog said:

Народ начал активно устанавливать и использовать виртуализацию Hyper-V, особенно бесплатный Microsoft

20 November 08 at 11:40 AM

# jerrold Morris said:

John,

I'm still trying to run hyper-v on Vista to mange server core.

Thanks for the great tool.  I downloaded it and have the debug into attached below.  

My problem is "WMI: Access Denied."  From your reply to Amir above - when I enter the command

'netsh firewall add allowedprogram program=%windir%\system32\mmc.exe name="Microsoft Management Console" '

Thanks,

Jerrold

Client Debug:

Microsoft (R) Windows Script Host Version 5.7

Copyright (C) Microsoft Corporation. All rights reserved.

Hyper-V Remote Management Configuration & Checkup Utility

John Howard, Microsoft Corporation.

http://blogs.technet.com/jhoward

Version 0.3 20th Nov 2008

INFO: Computername is ZEUS

INFO: Computer is in workgroup WORKGROUP

INFO: Current user is zeus\vmcmd

INFO: Assuming /mode:client as the Hyper-V role is not installed

DEBUG:    Client or Server Mode (1=Client)        1

DEBUG:    Show mode?                              False

DEBUG: S: AZMan Update          (1=Yes)           1

DEBUG: S: Add or Remove User    (1=Add)           0

DEBUG: S: Add/Remove User/Group                  

DEBUG: S: Add/Remove Domain                      

DEBUG: S: Doing DCOM update or display?           1

DEBUG: S: Domain AZMan update or display          1

DEBUG: S: Namespaces (1=Cimv2;2=Virtualizaiton)   3

DEBUG: S: Update FW WMI Remote Mgmt (1=Yes)       0

DEBUG: S: Update FW Hyper-V (1=Yes)               0

DEBUG: S: Role Assignment                         Administrator

DEBUG: C: Update FW Hyper-V Rmt Mgmt Clnt (1=yes) 0

DEBUG: C: Update FW MMC Exception (1=yes)         0

DEBUG: C: Update Anon DCOM      (1=Grant)         0

DEBUG: **START HVREMOTE VERSION**

TAG Version=0.3

TAG Date=19th November 2008

TAG URL=http://code.msdn.microsoft.com/HVRemote/url

TAG BlogURL=http://blogs.technet.com/jhoward/blah-blah-something-like-this_blah.aspx

**END HVREMOTE VERSION**

INFO: Are running the latest version

------------------------------------------------------

Server Debug:

Microsoft (R) Windows Script Host Version 5.7

Copyright (C) Microsoft Corporation. All rights reserved.

Hyper-V Remote Management Configuration & Checkup Utility

John Howard, Microsoft Corporation.

http://blogs.technet.com/jhoward

Version 0.3 20th Nov 2008

INFO: Computername is JMSERVER

INFO: Computer is in workgroup WORKGROUP

INFO: Current user is JMSERVER\Administrator

INFO: Assuming /mode:server as the role is installed

DEBUG:    Client or Server Mode (1=Client)        2

DEBUG:    Show mode?                              False

DEBUG: S: AZMan Update          (1=Yes)           1

DEBUG: S: Add or Remove User    (1=Add)           0

DEBUG: S: Add/Remove User/Group                  

DEBUG: S: Add/Remove Domain                      

DEBUG: S: Doing DCOM update or display?           1

DEBUG: S: Domain AZMan update or display          1

DEBUG: S: Namespaces (1=Cimv2;2=Virtualizaiton)   3

DEBUG: S: Update FW WMI Remote Mgmt (1=Yes)       0

DEBUG: S: Update FW Hyper-V (1=Yes)               0

DEBUG: S: Role Assignment                         Administrator

DEBUG: C: Update FW Hyper-V Rmt Mgmt Clnt (1=yes) 0

DEBUG: C: Update FW MMC Exception (1=yes)         0

DEBUG: C: Update Anon DCOM      (1=Grant)         0

INFO: This machine has the Hyper-V (v1) QFE installed (KB950050)

DEBUG: Need to connect to virtualization namespace

DEBUG: ConnectNameSpace Entry: Namespace=root\virtualization

DEBUG: ConnectNameSpace Connected to root\virtualization namespace

DEBUG: ConnectNameSpace Exit: Namespace=root\virtualization, RC=0

DEBUG: Need to get the security desciptor for the CIMv2 namespace

DEBUG: GetWin32SD(): Get __SystemSecurity

DEBUG: Current SecurityDescriptor Details:

instance of __SecurityDescriptor

{

ControlFlags = 32772;

DACL = {

instance of __ACE

{

AccessMask = 393279;

AceFlags = 18;

AceType = 0;

Trustee =

instance of __Trustee

{

Domain = "BUILTIN";

Name = "Administrators";

SID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};

SidLength = 16;

SIDString = "S-1-5-32-544";

};

},

instance of __ACE

{

AccessMask = 19;

AceFlags = 18;

AceType = 0;

Trustee =

instance of __Trustee

{

Domain = "NT AUTHORITY";

Name = "NETWORK SERVICE";

SID = {1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0};

SidLength = 12;

SIDString = "S-1-5-20";

};

},

instance of __ACE

{

AccessMask = 19;

AceFlags = 18;

AceType = 0;

Trustee =

instance of __Trustee

{

Domain = "NT AUTHORITY";

Name = "LOCAL SERVICE";

SID = {1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0};

SidLength = 12;

SIDString = "S-1-5-19";

};

},

instance of __ACE

{

AccessMask = 19;

AceFlags = 18;

AceType = 0;

Trustee =

instance of __Trustee

{

Domain = "NT AUTHORITY";

Name = "Authenticated Users";

SID = {1, 1, 0, 0, 0, 0, 0, 5, 11, 0, 0, 0};

SidLength = 12;

SIDString = "S-1-5-11";

};

}};

Group =

instance of __Trustee

{

Domain = "BUILTIN";

Name = "Administrators";

SID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};

SidLength = 16;

SIDString = "S-1-5-32-544";

};

Owner =

instance of __Trustee

{

Domain = "BUILTIN";

Name = "Administrators";

SID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};

SidLength = 16;

SIDString = "S-1-5-32-544";

};

SACL = NULL;

};

DEBUG: GetWin32SD(): Exit RC=0

DEBUG: Need to get the security desciptor for the virtualization namespace

DEBUG: GetWin32SD(): Get __SystemSecurity

DEBUG: Current SecurityDescriptor Details:

instance of __SecurityDescriptor

{

ControlFlags = 32772;

DACL = {

instance of __ACE

{

AccessMask = 393279;

AceFlags = 18;

AceType = 0;

Trustee =

instance of __Trustee

{

Domain = "BUILTIN";

Name = "Administrators";

SID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};

SidLength = 16;

SIDString = "S-1-5-32-544";

};

},

instance of __ACE

{

AccessMask = 19;

AceFlags = 18;

AceType = 0;

Trustee =

instance of __Trustee

{

Domain = "NT AUTHORITY";

Name = "NETWORK SERVICE";

SID = {1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0};

SidLength = 12;

SIDString = "S-1-5-20";

};

},

instance of __ACE

{

AccessMask = 19;

AceFlags = 18;

AceType = 0;

Trustee =

instance of __Trustee

{

Domain = "NT AUTHORITY";

Name = "LOCAL SERVICE";

SID = {1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0};

SidLength = 12;

SIDString = "S-1-5-19";

};

},

instance of __ACE

{

AccessMask = 19;

AceFlags = 18;

AceType = 0;

Trustee =

instance of __Trustee

{

Domain = "NT AUTHORITY";

Name = "Authenticated Users";

SID = {1, 1, 0, 0, 0, 0, 0, 5, 11, 0, 0, 0};

SidLength = 12;

SIDString = "S-1-5-11";

};

}};

Group =

instance of __Trustee

{

Domain = "BUILTIN";

Name = "Administrators";

SID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};

SidLength = 16;

SIDString = "S-1-5-32-544";

};

Owner =

instance of __Trustee

{

Domain = "BUILTIN";

Name = "Administrators";

SID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};

SidLength = 16;

SIDString = "S-1-5-32-544";

};

SACL = NULL;

};

DEBUG: GetWin32SD(): Exit RC=0

DEBUG: Opening the AZMan policy store

DEBUG: OpenAuthorizationStore: Enter

DEBUG: OpenAuthorizationStore: Instantiate StdRegProv

DEBUG: OpenAuthorizationStore: GetStringValue

DEBUG: OpenAuthorizationStore: GetStringValue

DEBUG: Getting localized group name for Distributed COM Users

DEBUG: GetGroupNameForSID: S-1-5-32-562

DEBUG: GetGroupNameForSID: RC=0 GroupName=Distributed COM Users

DEBUG: Distributed COM Users group name (localized) is 'Distributed COM Users'

DEBUG: Failed to send

22 November 08 at 5:08 PM

# jhoward said:

Hi Jerrold - unfortunately, you missed the bit I needed :)

Can you run hvremote /show on both the server and the client? You shouldn't need to add the /debug - I'll almost certainly get everything I need from just the /show with the v0.3 version you're running.

Can you also confirm you are running from an elevated command prompt?

Thanks,

John.

22 November 08 at 7:08 PM

# Jerrold Morris said:

John,

In the previous message I left out the response I got when I ran on the server :  

'netsh firewall add allowedprogram program=%windir%\system32\mmc.exe name="Microsoft Management Console" '

The response is: "The following command was not found ..."

Below is the client response (ran at elevated prompt) and server response (ran as administrator) to hvremote /show.

Thanks again,

Jerrold

Client response:

Microsoft (R) Windows Script Host Version 5.7

Copyright (C) Microsoft Corporation. All rights reserved.

Hyper-V Remote Management Configuration & Checkup Utility

John Howard, Microsoft Corporation.

http://blogs.technet.com/jhoward

Version 0.3 20th Nov 2008

INFO: Computername is ZEUS

INFO: Computer is in workgroup WORKGROUP

INFO: Current user is zeus\vmcmd

INFO: Assuming /mode:client as the Hyper-V role is not installed

-------------------------------------------------------------------------------

DACL for COM Security Access Permissions

-------------------------------------------------------------------------------

\Everyone    (S-1-1-0)

    Allow: LocalLaunch RemoteLaunch (7)

BUILTIN\Performance Log Users    (S-1-5-32-559)

    Allow: LocalLaunch RemoteLaunch (7)

BUILTIN\Distributed COM Users    (S-1-5-32-562)

    Allow: LocalLaunch RemoteLaunch (7)

NT AUTHORITY\ANONYMOUS LOGON    (S-1-5-7)

    Allow: LocalLaunch RemoteLaunch (7)

-------------------------------------------------------------------------------

ANONYMOUS LOGON Machine DCOM Access

-------------------------------------------------------------------------------

WARN: ANONYMOUS LOGON does have remote access

 This setting should only be enabled if required as security on this

 machine has been lowered. It is needed if you need to manage Hyper-V

 on a remote server which is either in an an untrusted domain from this

 machine, or both machines are in a workgroup.

 Use hvremote /Mode:Client /AnonDCOM:Revoke to turn off

-------------------------------------------------------------------------------

Firewall Settings for Hyper-V Management Clients

-------------------------------------------------------------------------------

Private Firewall Profile is active

  Enabled:  Hyper-V Management Clients - WMI (Async-In)

  Enabled:  Hyper-V Management Clients - WMI (TCP-Out)

  Enabled:  Hyper-V Management Clients - WMI (TCP-In)

  Enabled:  Hyper-V Management Clients - WMI (DCOM-In)

-------------------------------------------------------------------------------

Windows Firewall exception rule(s) for mmc.exe

-------------------------------------------------------------------------------

Private Firewall Profile is active

  Enabled:  Microsoft Management Console (UDP)

  Enabled:  Microsoft Management Console (TCP)

INFO: Are running the latest version

---------------------------------------------------------------

Server response:

Microsoft (R) Windows Script Host Version 5.7

Copyright (C) Microsoft Corporation. All rights reserved.

Hyper-V Remote Management Configuration & Checkup Utility

John Howard, Microsoft Corporation.

http://blogs.technet.com/jhoward

Version 0.3 20th Nov 2008

INFO: Computername is ZEUS

INFO: Computer is in workgroup WORKGROUP

INFO: Current user is zeus\vmcmd

INFO: Assuming /mode:client as the Hyper-V role is not installed

-------------------------------------------------------------------------------

DACL for COM Security Access Permissions

-------------------------------------------------------------------------------

\Everyone    (S-1-1-0)

    Allow: LocalLaunch RemoteLaunch (7)

BUILTIN\Performance Log Users    (S-1-5-32-559)

    Allow: LocalLaunch RemoteLaunch (7)

BUILTIN\Distributed COM Users    (S-1-5-32-562)

    Allow: LocalLaunch RemoteLaunch (7)

NT AUTHORITY\ANONYMOUS LOGON    (S-1-5-7)

    Allow: LocalLaunch RemoteLaunch (7)

-------------------------------------------------------------------------------

ANONYMOUS LOGON Machine DCOM Access

-------------------------------------------------------------------------------

WARN: ANONYMOUS LOGON does have remote access

 This setting should only be enabled if required as security on this

 machine has been lowered. It is needed if you need to manage Hyper-V

 on a remote server which is either in an an untrusted domain from this

 machine, or both machines are in a workgroup.

 Use hvremote /Mode:Client /AnonDCOM:Revoke to turn off

-------------------------------------------------------------------------------

Firewall Settings for Hyper-V Management Clients

-------------------------------------------------------------------------------

Private Firewall Profile is active

  Enabled:  Hyper-V Management Clients - WMI (Async-In)

  Enabled:  Hyper-V Management Clients - WMI (TCP-Out)

  Enabled:  Hyper-V Management Clients - WMI (TCP-In)

  Enabled:  Hyper-V Management Clients - WMI (DCOM-In)

-------------------------------------------------------------------------------

Windows Firewall exception rule(s) for mmc.exe

-------------------------------------------------------------------------------

Private Firewall Profile is active

  Enabled:  Microsoft Management Console (UDP)

  Enabled:  Microsoft Management Console (TCP)

INFO: Are running the latest version

23 November 08 at 3:54 PM

# jhoward said:

Jerrold - unfortunately you've pasted the client bit into the server output....

Thanks,

John.

23 November 08 at 4:37 PM

# Jerrold Morris said:

John,

I'm sorry for the mistake.  Here's the client response:

Microsoft (R) Windows Script Host Version 5.7

Copyright (C) Microsoft Corporation. All rights reserved.

Hyper-V Remote Management Configuration & Checkup Utility

John Howard, Microsoft Corporation.

http://blogs.technet.com/jhoward

Version 0.3 20th Nov 2008

INFO: Computername is JMSERVER

INFO: Computer is in workgroup WORKGROUP

INFO: Current user is JMSERVER\Administrator

INFO: Assuming /mode:server as the role is installed

INFO: This machine has the Hyper-V (v1) QFE installed (KB950050)

-------------------------------------------------------------------------------

DACL for WMI Namespace root\cimv2

Required for Hyper-V remote mangement: Allow, EnabAct, RemEnab, InheritAce

HVRemote also sets NoPropInheritAce and ValidInheritFlags

-------------------------------------------------------------------------------

BUILTIN\Administrators    (S-1-5-32-544)

    Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

NT AUTHORITY\NETWORK SERVICE    (S-1-5-20)

    Allow: Exec ProvWrt EnabAct (19)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

NT AUTHORITY\LOCAL SERVICE    (S-1-5-19)

    Allow: Exec ProvWrt EnabAct (19)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

NT AUTHORITY\Authenticated Users    (S-1-5-11)

    Allow: Exec ProvWrt EnabAct (19)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

-------------------------------------------------------------------------------

DACL for WMI Namespace root\virtualization

Required for Hyper-V remote mangement: Allow, EnabAct, RemEnab, InheritAce

HVRemote also sets NoPropInheritAce and ValidInheritFlags

-------------------------------------------------------------------------------

BUILTIN\Administrators    (S-1-5-32-544)

    Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

NT AUTHORITY\NETWORK SERVICE    (S-1-5-20)

    Allow: Exec ProvWrt EnabAct (19)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

NT AUTHORITY\LOCAL SERVICE    (S-1-5-19)

    Allow: Exec ProvWrt EnabAct (19)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

NT AUTHORITY\Authenticated Users    (S-1-5-11)

    Allow: Exec ProvWrt EnabAct (19)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

-------------------------------------------------------------------------------

Contents of Authorization Store Policy

-------------------------------------------------------------------------------

Hyper-V Registry configuration:

- Store: msxml://C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml

- Service Application: Hyper-V services

Application Name: Hyper-V services

Operation Count: 33

   100 - Read Service Configuration

   105 - Reconfigure Service

   200 - Create Virtual Switch

   205 - Delete Virtual Switch

   210 - Create Virtual Switch Port

   215 - Delete Virtual Switch Port

   220 - Connect Virtual Switch Port

   225 - Disconnect Virtual Switch Port

   230 - Create Internal Ethernet Port

   235 - Delete Internal Ethernet Port

   240 - Bind External Ethernet Port

   245 - Unbind External Ethernet Port

   250 - Change VLAN Configuration on Port

   255 - Modify Switch Settings

   260 - Modify Switch Port Settings

   265 - View Switches

   270 - View Switch Ports

   275 - View External Ethernet Ports

   280 - View Internal Ethernet Ports

   285 - View VLAN Settings

   290 - View LAN Endpoints

   295 - View Virtual Switch Management Service

   300 - Create Virtual Machine

   305 - Delete Virtual Machine

   310 - Change Virtual Machine Authorization Scope

   315 - Start Virtual Machine

   320 - Stop Virtual Machine

   325 - Pause and Restart Virtual Machine

   330 - Reconfigure Virtual Machine

   335 - View Virtual Machine Configuration

   340 - Allow Input to Virtual Machine

   345 - Allow Output from Virtual Machine

   350 - Modify Internal Ethernet Port

1 role assignment(s) were located

Role Assignment 'Administrator' (Targetted Role Assignment)

  - All Hyper-V operations are selected

  - There are 1 member(s) for this role assignment

  - BUILTIN\Administrators (S-1-5-32-544)

-------------------------------------------------------------------------------

Contents of Group Distributed COM Users

-------------------------------------------------------------------------------

2 member(s) are in Distributed COM Users

  - JMSERVER\dev1

  - JMSERVER\vmcmd

-------------------------------------------------------------------------------

DACL for COM Security Launch and Activation Permissions

-------------------------------------------------------------------------------

BUILTIN\Administrators    (S-1-5-32-544)

    Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

\Everyone    (S-1-1-0)

    Allow: LocalLaunch LocalActivation (11)

BUILTIN\Distributed COM Users    (S-1-5-32-562)

    Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

BUILTIN\Performance Log Users    (S-1-5-32-559)

    Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

-------------------------------------------------------------------------------

Firewall Settings for Hyper-V

-------------------------------------------------------------------------------

Public Firewall Profile is active

  Enabled:  Hyper-V (SPL-TCP-In)

  Enabled:  Hyper-V (RPC)

  Enabled:  Hyper-V (RPC-EPMAP)

  Enabled:  Hyper-V - WMI (Async-In)

  Enabled:  Hyper-V - WMI (TCP-Out)

  Enabled:  Hyper-V - WMI (TCP-In)

  Enabled:  Hyper-V - WMI (DCOM-In)

-------------------------------------------------------------------------------

Firewall Settings for Windows Management Instrumentation (WMI)

-------------------------------------------------------------------------------

Public Firewall Profile is active

  Enabled:  Windows Management Instrumentation (ASync-In)

  Enabled:  Windows Management Instrumentation (WMI-Out)

  Enabled:  Windows Management Instrumentation (WMI-In)

  Enabled:  Windows Management Instrumentation (DCOM-In)

Note: Above firewall settings are not required for Hyper-V Remote Management

Thanks,

Jerrold

23 November 08 at 9:27 PM

# jhoward said:

Jerrold

You're logged on to client as zeus\vmcmd, but there's several bits missing from the server side. Client looks good.

You should simply need to run hvremote /add:vmcmd on the server and reboot (possibly) both sides, depending on whether there are active connections outstanding. You also need to make sure the vmcmd user password is the same on both sides as this is a workgroup.

Thanks,

John.

23 November 08 at 10:32 PM

# Exhotic Hadron said:

John,

I am having these problems connecting to vmms (Virtual Machine Management) service on server! I am running the Hyper-V Manager snap-in under the default Administrator account which is as always a member of BUILTIN\Administrators group.

But when I selecct in the Hyper-V Manager, I get the snap-in connecting to the service and then the notorious "You might not have permission to perform this task". (No message to contact administrator or whoever it might be)

This is observed on PDC build of Windows Server 2008 R2 (Windows Server 7). Any clue?

I checked all the permissions for WMI and DCOM and they are all FULL CONTROL for BUILTIN\Administrators.

I installed both the Hyper-V role AND the RSAT-Hyper-V feature. Could it be that I should NOT to install RSAT on the same computer where I am running the Hyper-V role?

Quite interesting, I was unable to install Hyper-V role using the Server Manager snap-in. I was getting errors from UI reported by CLR debugger.

I was lucky to install the role only after I tried ServerManagerCMD.exe -install Hyper-V -allSubFeatures -restart

Any clue how to get this working?

BTW, this is what I get in Event Viewer

Log Name:      Microsoft-Windows-Hyper-V-VMMS-Admin

Source:        Microsoft-Windows-Hyper-V-VMMS

Date:          11/30/2008 7:32:59 AM

Event ID:      14098

Task Category: None

Level:         Error

Keywords:      

User:          SYSTEM

Computer:      Server7

Description:

One or more driver required by the Virtual Machine Management service is not installed or is disabled. Try reinstalling the Hyper-V role.

and right after that I get

Log Name:      Microsoft-Windows-Hyper-V-VMMS-Admin

Source:        Microsoft-Windows-Hyper-V-VMMS

Date:          11/30/2008 7:32:59 AM

Event ID:      14096

Task Category: None

Level:         Error

Keywords:      

User:          SYSTEM

Computer:      Server7

Description:

Virtual Machine Management service failed to start.

30 November 08 at 10:44 AM

# Mike S. said:

Ran through it a couple times and get the error:

The Virtual Machine Management service is not available.

when trying to run the Hyper-V Manager on the client.

i can start the Hyper-V Manager on the server with no problem

workgroup environment, no firewalls, host entries used to ensure name resolution, passwords verified to be the same, user an admin on both server and workstation.

i can use the edit disk option to "view" disks on the server... just not connect to them management service.

very strange. any ideas anyone?

03 December 08 at 10:20 PM

# Jerrold said:

John,

I'm running!!! Thanks so much for the help and the great tool!

If you're free we'd love to have you this year (late Oct.) at Tulsa TechFest where you could present to about 500 people.  Just let us know if you should have the time (another vacation maybe ;<) ) to be here.

Thanks again,

Jerrold

06 December 08 at 5:27 PM

# Hyper-V notes from the field said:

I wanted to allow a colleague access to my Hyper-V. Following the instructions at http://blogs.technet.com/jhoward/archive/2008/03/28/part-1-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.asp

08 December 08 at 11:27 AM

# jhoward said:

Mike - can you check that the VMMS service is actually running on the target server? (sc query vmms). If you find it is stopping, I'd be interested to see if there's something in the event logs.

Thanks,

John.

08 December 08 at 8:07 PM

# jhoward said:

Exhotic Hadron - to the best of my knowledge, there was no issue on M3 builds running both Hyper-V and the Management client together on a single box. Unfortuantely though, I don't have any boxes around any more still running M3 (we've moved way past that) to verify.

Thanks,

John.

08 December 08 at 8:40 PM

# Scott said:

does anyone know about the standalone install of Hyper-V server? I have installed it and read everything i can, but i can not connect. I have the Hyper-V server installed, configured the name and IP (non domain) set the user and on my Vista SP1 computer with Hyper-V server tried to connect (same user name as server). I can not ping the HV server, but the HV server can ping my laptop.  I have tried the commands on these pages by my Hyper-V server does not recognise most of the commands, such as netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

Any help would be muchly appriciated.

Thanks

13 December 08 at 11:52 PM

# Mike said:

This won't work in a Hyper-V server since it has no GUI, so what good is this??????????????????????????????????

14 December 08 at 4:06 AM

# jhoward said:

Mike - I'm not sure I understand your point. Hyper-V server is like Windows Server 2008 server core installation - there is no GUI. You have to manage both remotely if you want to use GUI tools which is what this (and the other 4 posts) are about. I recommend though you use HVRemote (link at top) as that makes the process much simpler.

Thanks,

John.

14 December 08 at 9:04 PM

# jhoward said:

Scott - it would be helpful for diagnosis or ease of configuration (unless you really want to do the steps manually) to use HVRemote instead. The link is at the top of the page. Follow that, take a look at the documentation and if you still have problems, please post back the output of hvremote /show on both the client and the server.

Cheers,

John

14 December 08 at 9:05 PM

# Jörn Sierwald said:

I followed the instructions and I am able to remotely configure Hyper-V from a Vista machine that is in the same domain as the server. I can create, start and stop VMs. However, I cannot connect to one, the server asks me for username and password and rejects everything I try, even admin account. What priviledge is required to _connect_ to a VM?

17 December 08 at 8:29 AM

# jhoward said:

Jörn - are you logging on with a smartcard? What happens if you go into Hyper-V Manager, and uncheck use default credentials under the user credentials node?

Thanks,

John.

17 December 08 at 11:50 AM

# Ask the Core Team said:

Hyper-V Beta released as part Windows Server 2008. The final release of Hyper-V happened shortly after

23 December 08 at 8:42 AM

# Rod Trent at myITforum.com said:

&#160; Top Issues for Microsoft Support for Windows Server 2008 Hyper-V Hyper-V Beta released as part

25 December 08 at 3:08 PM

# pascals.blog said:

Aujourd'hui deux outils pour Hyper-V. Pas tout neufs, mais extrêmement utiles. Le premier vous servira

29 December 08 at 4:50 AM

# Stefan Stranger's Weblog - Manage your IT Infrastructure said:

Source: Mindre.net Tore Lervik has create a very cool Hyper-V Monitor Gadget for Windows Sidebar. The

06 January 09 at 3:09 PM

# Ask the Core Team said:

It is time to update everyone on the types of issues our support engineers have been seeing for Hyper-V.

16 February 09 at 12:17 PM

# I dont understand said:

All other solutions ive tested use the same principal. You install the server then you connect against the server using the current server ip. When asked you enter credentials and voila.

I cant for my life understand how MS can release a free tool like hyper-v and the make it impossible(or just very difficult) to use at home or in a closed testing environment where you most often dont sit on DNS and DOMAIN servers.

20 March 09 at 9:09 AM

# cslim said:

I wonder why we can't create a icon " enable remote acess" or " allow <login name>" to access this hype-v . i agreed this Hype-v are helpful, but when come to " remote administrative" task. nightmare !!!

24 April 09 at 9:24 PM

# Siavash said:

i just wanted to how can i restrict "clipboard sharing" in vmconnect for a standard user

it's not in operations in AZman.msc

please help me

THX

25 April 09 at 2:02 PM

# jhoward said:

Siavash - unfortunately this is not possible in Hyper-V today.

Thanks,

John.

27 April 09 at 12:00 PM

# David said:

Hi John

Just trying out the new Hyper V r2 RC with Windows 7 and the RSAT tols. I get the same error as mentioend originally for the Hyper V (Release 1). The requriement to do enabled and follow all the instructions above shoudlnt be requried should it?

If so using htis product in a DMZ environment will be very very painful, let alone an internal network.

Cheers

24 May 09 at 6:08 PM

# Shiva said:

Hi John,

 We are facing a situation in VM Connect. We have a HyperV Server hosting VM's and this Host Server is available over the internet. Therefore any client machine with RDP Client will be able to connect to a VM via port 2179. The question is if the client machine is behind a firewall, is it require that the firewall has to open port 2179? Also if the server is behind a firewall, is there any specific settings to be taken care? if you have any informaton related to this please  share with us as this will be of great help to us.

Thanks and Regards

Sivakumar

25 May 09 at 10:39 AM

# jhoward said:

David - there is no different in terms of remote management configuration between "v1" and Windows Server 2008 R2/Hyper-V Server R2.

Thanks,

John.

25 May 09 at 9:32 PM

# jhoward said:

Shiva - I would absolutely not recommend deploying a Hyper-V server directly open to the Internet, especially the management interfaces. General RDP clients will not be able to connect over RDP using port 2179 - although VMConnect uses the RDP protocol, the connection establishment is not the quite the same.

If you need to deploy directly to the Internet, I would recommend you look at building out a Terminal Service Web Access/Gateway protected behind an ISA server (I have previously run through configuring exactly this on my blog, last year IIRC). It would be far more secure.

Thanks,

John.

25 May 09 at 9:38 PM

# Ask the Core Team said:

It is time to update everyone on the issues our support engineers have been seeing for Hyper-V for the

27 May 09 at 10:25 AM

# Tap Consulting said:

Hyper-V Server First Impressions

10 June 09 at 1:19 PM

# Rod Trent at myITforum.com said:

&#160; I&#39;ve created a sidebar gadget so I can see what the Hyper-V server is doing from my workstation

20 June 09 at 2:23 PM

Leave a Comment

Comment Policy: No HTML allowed. URIs and line breaks are converted automatically. Your e–mail address will not show up on any public page.

Name (required) 

Your URL (optional)

Comments (required) 

Remember Me?