Josh,
Great tool.
I've been playing around with Hyper-V Server 2008 in a workgroup configuration for over a week now, and I can not figure out, for the life of me, how to configure 'Local Security Policies', including User Rights!!! When I launch a Group Policy Object Editor MMC remotely, it provides access to the Administrative Templates, etc, but not no local policies.
Now, the reason I need access to local policies in the first place is that I'm trying to figure out how to configure Hyper-V to run under a different user-account (...other than local system). The reason being is that I have several NAS devices on my network setup with SMB shares, hosting all of the necessary ISOs for use with Hyper-V. Rather than having to copy them all locally over to the Hyper-V Server, I want to be able to mount ISOs from the SMB shares on the NAS devices from all of my VMs. I figure by creating an identical user account on the NAS devices to the one which the Hyper-V service(s) run as, this should provide an nice solution to my problem.
As of now, I've created a user called 'HyperVService', and added the user to the Administrators, and Remote Com Users security groups; however, when I attempt to start Hyper-V Machine Management service using this account, it errors out, claiming that the account lacks privileges. ha.... Unfortunately, I can't being assigning rights to the account using security policy until I can somehow gain access to it. As a side note, I've already granted the 'HyperVService' user all authorization rights / privileges in Authorization Manager (as specified in your article).
I apologize for the extent of this comment, but if you can help in any way, it would be much appreciated.
Josh,
Great tool.
I've been playing around with Hyper-V Server 2008 in a workgroup configuration for over a week now, and I can not figure out, for the life of me, how to configure 'Local Security Policies', including User Rights!!! When I launch a Group Policy Object Editor MMC remotely, it provides access to the Administrative Templates, etc, but not no local policies.
Now, the reason I need access to local policies in the first place is that I'm trying to figure out how to configure Hyper-V to run under a different user-account (...other than local system). The reason being is that I have several NAS devices on my network setup with SMB shares, hosting all of the necessary ISOs for use with Hyper-V. Rather than having to copy them all locally over to the Hyper-V Server, I want to be able to mount ISOs from the SMB shares on the NAS devices from all of my VMs. I figure by creating an identical user account on the NAS devices to the one which the Hyper-V service(s) run as, this should provide an nice solution to my problem.
As of now, I've created a user called 'HyperVService', and added the user to the Administrators, and Remote Com Users security groups; however, when I attempt to start Hyper-V Machine Management service using this account, it errors out, claiming that the account lacks privileges. ha.... Unfortunately, I can't being assigning rights to the account using security policy until I can somehow gain access to it. As a side note, I've already granted the 'HyperVService' user all authorization rights / privileges in Authorization Manager (as specified in your article).
I apologize for the extent of this comment, but if you can help in any way, it would be much appreciated.
Paul, thanks.
Kudos for your experimentation, but I think it is futile. Sorry to say! :) You're heading in a direction which is well into the realms of unsupported and untested. Changing the account under which the service runs may cause all sorts of side effects (I can think of at least one).
In a domain environment, to access a network ISO, you need to add the machine account to the share for read permissions (ie domain\machinename$). On top of that, if you are remotely administering the Hyper-V server, you need to setup constrained delegation. However, I'm 99.8% sure that you will not be able to get ISOs on a network share to work in a workgroup setting, and to the best of my knowledge, there isn't a workaround for this apart from copying the ISO locally. Sorry!
Cheers,
John.
Hyper-V How to: Configure Hyper-V Remote Management in seconds John's blog post describes his HVRemote
I appreciate such a quick response. I searched TechNet forums, and someone was able to get it to work... ...unfortunately they did not leave enough detail in the post. Also, their installation was a full-install of 2K8, not Core, so they had direct access to local security policy for assigning account rights. Either way, until Microsoft officially addresses this issue in a supported manner, I'm not going to attempt an unsupported work-around in any sort of production environment, so I guess there is no point looking into this further.
On that note, what about local user rights... ...as in editing local policy on Server Core or Hyper-V Server in a workgroup environment? Does Microsoft provide a supported method for editing these policies?
Thanks again.
Paul
Secedit and generating the policy from another machine are your answer. Take a look at these two posts:
Thanks,
John.
Hi John,
You mentioned that your tool should not be used if Virtual Machine Manager 2008 is used for managing Hyper-V hosts. It does not explain why. Can you elaborate on that?
Thankx,
Hans Vredevoort
Hi Hans - sure. Apart from the "I haven't done any testing with SCVMM in the picture" answer, there is at least one very good reason. SCVMM replaces the default authorization store with one which they maintain. Any changes made by this tool made to their store would (as I understand it, but I'm not on the SCVMM team) be overridden regardless by their agent (or a combination of the SCVMM server pushing policy down through their agent). For this reason on my list for v0.3 is a hard block if it is detected that the server is being managed by SCVMM.
Thanks,
John.
Thanks John,
That's the explanation I was looking for. As a VMM2008 user, I would appreciate a check on this as azman stores might get mixed up. I appreciate your work as I have tried all the steps in your blog and know how easy it was to forget one step, make a spelling error or some other mistake. So now you have a nice and clean solution for remote Hyper-V management from Vista an Windows Server 2008 computers.
Dear John,
Firstly - you should have more vacation time!
I basically gave up on HyperV some months back - as try as I may, I could not get the remote mgmt working - on a core install. Also, for the life of me, could not see why you would run Hyper V on a "Full" install - may as well use VS 2007/VMW's free server product!
This is a tremedous tool~ it seems to address all the "overlooked/missing" functionality in the Core/HyperV scenario.
I lost track of the hours I wasted on this previously - and as a small shop, time is never in any real abundance...
Many thanks for a great piece of work
Rob
Hey John,
I had already seen both of those links. Unfortunately, neither work. Enabling PnP interface is great for enabling Remote Disk Management, but I'm not sure what it has to do with being able to edit local policy. I think another user points that out on the response to the post.
As for secedit, it doesn't work... ...at least not for me. Another user on the forum had the same experience as I did... ...secedit command seems to function as expected, but no real result / policy change. Plus, this is so inconvenient, especially when you need to enable / disable a policy one at a time while testing something until you get it to work. Using this method, I would have to export / import a policy again and again if attempting to troubleshoot some form of security issue or rights management issue. True, I could set up another machine using a full version of Windows 2008, but editing local policy shouldn't be as complicated as requiring multiple 2K8 servers. What about small businesses, or other users that either cannot afford a second license, or do not have a second server / machine available to install Win2K8 Full? lol... Does Microsoft even think of these things when releasing their products?
Anyway, as always, I sincerely appreciated the quick responses, feedback, and solutions.
I know this is a little bit off topic, but I wanted to address one other issue that no TechNet forum and / or deployment guide has seemed to address... ...best practices for storage on the host hypervisor server. I currently have set my host server to store VHD files of the VMs on separate physical RAID arrays, snapshots on another dedicated physical RAID array (snapshots for all machines stored on a single dedicated array), and VM configuration files on the system / OS array. However, I've noticed that the system / OS array gets hammered, and impacts the VM system performance. Originally, I was under the assumption that once the XML files were loaded into memory, the configuration file was no longer needed / used by the system. Obviously, my assumption was ignorant and now I'm paying for it. Basically, my question is: Where should VM configuration files / data be stored in relation to VHD files? Should they be stored together? Should I create a separate dedicated RAID10 array for configuration files (for all machines), or does each VM require a dedicated disk per VM configuration file? There doesn't seem to be any "best practices" guide that addresses any of these questions (other than the recommendation to stored VHDs on separate disks).
Thanks in advance.
Hi John,
Execellent post, tool, etc. your orginal post helped me a great deal connecting to a server core install I'd setup earlier in the year from a WS2008 laptop... remote mgmt worked a treat until I rebuilt the server with Hyper-V Server (same name, same IP) and now for the love of christ I can't connect... 'You do not have permission....' same network, same creds, same name.. (different SID & GUID's of course..), slowely loosing the will to live and went on a VMware seminar only last week... Vi3 looks good ;-)
ReubenC - If it's still not working, can you post
- the output of hvremote /show from both the server and the client machine,
- the output of ipconfig /all on both machines
- username you are using.
- contents of /windows/system32/drivers/etc/hosts on both machines
I'm assuming the usernames and passwords are the same on both machines.....
I assume also you're in a workgroup(?) rather than domain and have run hvremote /add:user on the server, plus the hvremote /mmc:enable and hvremote /anondcom:grant on the client machine?
Any other info about your setup would be useful. With the tool, should be pretty easy to diagnose :)
Thansk,
John.
Note for anyone experiencing the 'RPC server unavailable' error. If you've disabled the Windows Firewall service, this will give this error!
Not sure why, but enabling it, startng, and running the script to add the firewall rule fixed the problem.