Friday, September 11, 2009

Remote management and managing security permissions in Hyper-V

Now that Microsoft has released a new RSAT for Windows 7, you can use it to manage Hyper-V remotely. Before you can connect to the Hyper-V host, you need to enable the firewall exception for WMI (Windows Management Instrumentation). Go to Control Panel > Windows Firewall, click the Exceptions tab, and tick WMI.


That should do the trick. Now you can manage your Hyper-V host without a remote desktop session to the server. Enjoy!

If you still cannot connect, you need to configure the following.

On the client computer:
1. Click Start, Run, type DCOMCNFG. Click OK.

2. Expand Component Services, expand Computers. Right-click on My Computer and click on Properties.

3. Click on COM Security.

4. In the Access Permission area, click Edit Limits.

5. Select ANONYMOUS LOGON in the Group or User Name area. Then set the Permissions for ANONYMOUS LOGON to Allow for Remote Access.
 


On the Hyper-V server:

1. Go to Computer Management and create an account matching the one on your client computer (it must have the same username and password).

2. Open Component Services by typing “dcomcnfg” in the box on the start menu, and expand the menu so that “My Computer” is selected under Component Services\Computers.

3. Right-click on My Computer, select Properties and select the “COM Security” tab.

In the above dialog, click Edit Limits in the “Launch and Activation Permissions” area.

Click “Add…” and enter the users (or groups, including “Authenticated Users”, as appropriate), e.g. laiys.

In the Allow column, select Remote Launch and Remote Activation, then click OK.

This step grants appropriate WMI permissions to the user(s) who are remotely connecting. You need to grant access to two namespaces.

Open Computer Management under Start/Administrative Tools and expand the tree down through Services and Applications\WMI Control. Select WMI Control.

Right-click on WMI Control and select Properties. Then switch to the Security tab. Select the Root\CIMV2 namespace node.

IMPORTANT: You need to set the security twice. Once for the Root\CIMV2 namespace, and then again for the Root\virtualization namespace.

Click the Security button.

Now select the user and click the Advanced button below the “Permissions for

Again, make sure the user/group is selected and click Edit.

You need to make three changes here:

In the “Apply to:” drop-down, select “This namespace and subnamespaces”

In the Allow column, select Remote Enable

Check “Apply these permissions to objects and/or containers within this container only”

The screen should look like below. If so, click OK through the open dialogs.


Repeat for the Root\virtualization namespace

Click OK as appropriate to confirm all open dialogs and close Computer Management.
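
To confirm the WMI step took effect, the following Windows PowerShell script (an added example, not part of the original post) reads the security descriptor of both namespaces and lists which accounts hold Remote Enable. It assumes Windows PowerShell 2.0 or later, run elevated on the Hyper-V server; `laiys` is the example account from this post, and the function name `Get-WmiRemoteEnableAce` is made up for illustration.

```powershell
# Added example (not from the original post): audit the WMI namespace ACLs
# set in the steps above. Run elevated on the Hyper-V server.
$Account    = 'laiys'                              # example account used in this post
$Namespaces = 'root\cimv2', 'root\virtualization'  # the two namespaces named above

$WBEM_REMOTE_ACCESS    = 0x20  # access-mask bit shown as "Remote Enable"
$CONTAINER_INHERIT_ACE = 0x2   # ACE flag behind "This namespace and subnamespaces"
$ACE_TYPE_ALLOW        = 0     # AceType 0 = Allow, 1 = Deny

# Hypothetical helper: returns one object per Allow ACE that grants Remote Enable.
function Get-WmiRemoteEnableAce {
    param([string]$Namespace)
    $result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
                               -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed on $Namespace (code $($result.ReturnValue))"
    }
    foreach ($ace in $result.Descriptor.DACL) {
        if ($ace.AceType -eq $ACE_TYPE_ALLOW -and
            ($ace.AccessMask -band $WBEM_REMOTE_ACCESS)) {
            New-Object PSObject -Property @{
                Namespace = $Namespace
                Domain    = $ace.Trustee.Domain
                Name      = $ace.Trustee.Name
                Inherits  = [bool]($ace.AceFlags -band $CONTAINER_INHERIT_ACE)
            }
        }
    }
}

foreach ($ns in $Namespaces) {
    $aces = @(Get-WmiRemoteEnableAce -Namespace $ns)
    # Show every trustee holding Remote Enable, so broad grants stand out.
    $aces | Format-Table Namespace, Domain, Name, Inherits -AutoSize | Out-String | Write-Host
    # Direct grants only: access obtained through group membership is not resolved.
    $direct = @($aces | Where-Object { $_.Name -eq $Account -and $_.Inherits })
    if ($direct.Count -eq 0) {
        Write-Warning "$Account has no inheritable Remote Enable ACE on $ns"
    }
}
```

If you granted the permission to a group such as “Authenticated Users” instead of the individual account, the warning will still appear; check the table for the group's entry instead.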

Next, let's configure the Authorization Manager (AzMan) policy for the server running the Hyper-V role.

1. Open Authorization Manager by typing “azman.msc” in the box on the start menu.

2. Right-click on the Authorization Manager and choose Open Authorization Store from the context menu.
 
3. Make sure the “XML file” radio button is selected, and browse to the \ProgramData\Microsoft\Windows\Hyper-V directory on the system drive and select InitialStore.xml, then click OK.
 
4. Expand the tree down through InitialStore.xml\Hyper-V services\Role Assignments\Administrator, and select Administrator.

5. In the area on the right, right-click and select “Assign Users and Groups” then “From Windows and Active Directory…”.
 
6. Add the appropriate users or groups (here you can see the “laiys” account).

Close the Authorization Manager MMC.

IMPORTANT: You must now reboot your server for the above changes to take effect.