Figure 5.18 Configuring actions for a specific new user role
A common question related to Hyper-V Manager is whether it gives you the ability to
control management of specific activities by using role-based access control (RBAC).
The original versions of Hyper-V enabled granular control of the actions available to
different groups of users by utilizing the Windows Authorization Manager (AzMan)
component. This authorization management approach was deprecated in Windows
Server 2012 (although it still works) in favor of a new, simple authorization scheme
that utilizes a new local group on each Hyper-V server, Hyper-V Administrators. Any
user who is in the Hyper-V Administrators group on a server has complete access and
management rights for the Hyper-V server and the virtual machines. If you have a
group of people who should be administrators for all Hyper-V servers, the best
practice is to create a group in Active Directory, add the Hyper-V administrators to
that group, and then add the Active Directory group to each server's local Hyper-V
Administrators group. That way, as administrators change, only the single Active
Directory group membership has to be updated. The true RBAC solution for Hyper-V
is through SCVMM, which has full RBAC capabilities with granular options for
assigning different rights through custom user roles that can be created, given
the required configuration, and scoped to specific resources. Figure 5.18 shows
some of the actions that can be granularly assigned within SCVMM to user roles;
users are then made members of those roles.
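The group nesting recommended above, as an added PowerShell example that is not from the original text. The domain, group, host, and account names are constructed placeholders. It assumes the ActiveDirectory module, PowerShell remoting to each host, and the LocalAccounts cmdlets (Windows PowerShell 5.1) on the Hyper-V servers. It also lists any principals that sit directly in the local group, since those bypass the single point of control.

```powershell
#Requires -Modules ActiveDirectory
# Added example: every name below is a constructed placeholder.
$Domain      = 'CONTOSO'          # hypothetical NetBIOS domain name
$AdGroupName = 'HyperV-Admins'    # hypothetical AD group for Hyper-V admins
$Admins      = 'alice', 'bob'     # hypothetical administrator accounts
$HyperVHosts = 'HV01', 'HV02'     # hypothetical Hyper-V servers

# 1. Create the Active Directory group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$AdGroupName'")) {
    New-ADGroup -Name $AdGroupName -GroupScope Global -GroupCategory Security
}

# 2. Add only the accounts that are not already members.
$current = Get-ADGroupMember -Identity $AdGroupName |
    Select-Object -ExpandProperty SamAccountName
$missing = $Admins | Where-Object { $_ -notin $current }
if ($missing) {
    Add-ADGroupMember -Identity $AdGroupName -Members $missing
}

# 3. On each host, nest the AD group in the local Hyper-V Administrators
#    group and return every other member for review.
$drift = Invoke-Command -ComputerName $HyperVHosts -ScriptBlock {
    param($Principal)

    # S-1-5-32-578 is the well-known SID of BUILTIN\Hyper-V Administrators,
    # so the lookup does not depend on the display language of the OS.
    $sid     = 'S-1-5-32-578'
    $members = @(Get-LocalGroupMember -SID $sid)

    if ($members.Name -notcontains $Principal) {
        Add-LocalGroupMember -SID $sid -Member $Principal
    }

    # Anything other than the AD group is a direct grant of full Hyper-V
    # rights on this host that AD group membership changes will not revoke.
    $members | Where-Object Name -ne $Principal |
        Select-Object Name, ObjectClass, PrincipalSource
} -ArgumentList "$Domain\$AdGroupName"

# 4. Report direct members per host (an empty report is the desired state).
$drift | Sort-Object PSComputerName |
    Format-Table PSComputerName, Name, ObjectClass, PrincipalSource -AutoSize
```

The script only reports direct members and does not remove them, so review the table before changing any memberships.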
Core Actions Using PowerShell
The Hyper-V PowerShell module enables complete management of Hyper-V. If an
action is possible in the graphical shell, that action is possible using PowerShell. If the