How To: Get Started With Hyper-V Permissions

Defining the security model for your first foray with Hyper-V.

Administrators who want to use Hyper-V in any capacity need to define a security model that fits their requirements. With the Hyper-V role, permissions are managed through the Authorization Manager framework for Hyper-V. It can be used in conjunction with System Center Virtual Machine Manager (SCVMM), or independently for smaller implementations that use Hyper-V Manager with the Hyper-V role for servers.

Authorization Manager, or Azman, allows administrators to build permissions around roles. Azman includes 32 configurable operations for Hyper-V Manager. There are Administrator and User built-in roles, and custom roles can be added and assigned to various Windows groups or users.

  1. Run "azman.msc" to open up the base console.
  2. Open the Authorization Store .XML file for Hyper-V. The location for default installations is C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml.

Within the Hyper-V Authorization Store, roles can be created for specific virtual machine (VM)-related tasks. Administrators can create roles from 32 operations available for permission assignment. These include VM console access, start and stop functions, networking configuration and more. Fig. 1 shows a role being created and the list of configurable operations being selected.

Figure 1. Role definitions are created in the Hyper-V authorization store.

Once a role definition is created, permissions are assigned to that role. Again in the Hyper-V Authorization Store, we can now assign a user or group to the newly created role (see Fig. 2).

Figure 2. After role definitions are created, users or groups are associated with that role.

At that point, the users hold the actions configured for their role in the Hyper-V Authorization Store. Plan this configuration carefully; basic guidelines include applying everything through group permissions and never over-granting privileges.
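To check a store against the over-granting guideline, the following added example (not from the original article or from Microsoft) parses an authorization store offline and reports, per role assignment, the operations it effectively grants and its member SIDs. It assumes the AzMan XML store layout uses the elements `AzApplication`, `AzOperation`, `AzTask`, `AzRole`, `OperationLink`, `TaskLink` and `Member`, and it does not cover roles defined inside scopes; the sample store, its operation names and all SIDs except the built-in Administrators group are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real InitialStore.xml: GUIDs, names and account SIDs are made up.
SAMPLE_STORE = """<AzAdminManager MajorVersion="1" MinorVersion="0">
<AzApplication Guid="app" Name="Hyper-V services">
 <AzOperation Guid="op1" Name="Start VM"><OperationID>1</OperationID></AzOperation>
 <AzOperation Guid="op2" Name="Stop VM"><OperationID>2</OperationID></AzOperation>
 <AzOperation Guid="op3" Name="Console access"><OperationID>3</OperationID></AzOperation>
 <AzOperation Guid="op4" Name="Change networking"><OperationID>4</OperationID></AzOperation>
 <AzTask Guid="t1" Name="VM Operator" RoleDefinition="True">
  <OperationLink>op1</OperationLink><OperationLink>op2</OperationLink></AzTask>
 <AzTask Guid="t2" Name="Helpdesk" RoleDefinition="True">
  <TaskLink>t1</TaskLink><OperationLink>op3</OperationLink><OperationLink>op4</OperationLink></AzTask>
 <AzRole Guid="r0" Name="Administrator"><Member>S-1-5-32-544</Member>
  <OperationLink>op1</OperationLink><OperationLink>op2</OperationLink>
  <OperationLink>op3</OperationLink><OperationLink>op4</OperationLink></AzRole>
 <AzRole Guid="r1" Name="VM Operator"><TaskLink>t1</TaskLink>
  <Member>S-1-5-21-1-2-3-1105</Member></AzRole>
 <AzRole Guid="r2" Name="Helpdesk"><TaskLink>t2</TaskLink>
  <Member>S-1-5-21-1-2-3-1106</Member></AzRole>
</AzApplication></AzAdminManager>"""

def effective_operations(app, node, seen=None):
    """Operation names granted by a role or task, following nested TaskLinks."""
    seen = set() if seen is None else seen
    ops = {o.get("Guid"): o.get("Name") for o in app.findall("AzOperation")}
    tasks = {t.get("Guid"): t for t in app.findall("AzTask")}
    links = [(l.text or "").strip() for l in node.findall("OperationLink")]
    granted = {ops[g] for g in links if g in ops}
    for link in node.findall("TaskLink"):
        guid = (link.text or "").strip()
        if guid in tasks and guid not in seen:  # guard against circular task links
            seen.add(guid)
            granted |= effective_operations(app, tasks[guid], seen)
    return granted

def audit_store(xml_text, app_name="Hyper-V services"):
    """Return {role: operations, members, full_control} for one AzMan application."""
    root = ET.fromstring(xml_text)
    app = next(a for a in root.findall("AzApplication") if a.get("Name") == app_name)
    total = len(app.findall("AzOperation"))
    report = {}
    for role in app.findall("AzRole"):
        granted = effective_operations(app, role)
        report[role.get("Name")] = {
            "operations": sorted(granted),
            "members": [(m.text or "").strip() for m in role.findall("Member")],
            "full_control": len(granted) == total,  # same reach as the Administrator role
        }
    return report
```

In the sample, the Helpdesk role looks narrow in its own definition but inherits the operator operations through a nested role definition, so it is reported with `full_control` set.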

This is straightforward stuff for Microsoft folks, but it may not be as intuitive for administrators familiar with assigning roles in VMware.

Send me an e-mail, or post any tricks you’ve done with permissions for Hyper-V below, including some crafty Group Policy Objects.

About the Author

Rick Vanover (Cisco Champion, Microsoft MVP, VMware vExpert) is based in Columbus, Ohio. Vanover's experience includes systems administration and IT management, with virtualization, cloud and storage technologies being the central theme of his career recently. Follow him on Twitter @RickVanover.

