How to Configure Granular Hyper-V Permissions for Domain Users: Restrict VM Control to Start/Connect Only



When dealing with Hyper-V permissions on domain-joined systems, you're working with two layers of security:

  1. Windows file system ACLs for VM configuration files (*.vmcx, *.vmrs)
  2. Hyper-V's WMI-based role system through the Virtual Machine Manager service

Here's how to implement least-privilege access for UserA:

1. Create Custom Hyper-V Role

Run this PowerShell script on ComputerA (requires Hyper-V Administrator rights):

# Define the role
$roleName = "VM Operator - Start/Connect Only"
$roleDescription = "Allows starting and connecting to specific VMs"

# Create the custom role
New-VMRemoteFxPhysicalVideoAdapter -Name $roleName -Description $roleDescription

# Add specific permissions
Set-VMRemoteFXPhysicalVideoAdapter -Name $roleName -AddPermission @(
    "Microsoft.Virtualization.Client.Management.IVirtualSystemManagementService",
    "Microsoft.Virtualization.Client.Management.IVirtualSystemManagementService.GetVirtualSystemOperationalStatus",
    "Microsoft.Virtualization.Client.Management.IVirtualSystemManagementService.RequestStateChange"
)

2. Assign Role to UserA

Apply the role to ComputerA-VM specifically:

$vm = Get-VM -Name "ComputerA-VM"
$user = "domain.com\UserA"

# Grant the custom role
Grant-VMRemoteFXPhysicalVideoAdapter -VMName $vm.Name -UserName $user -RoleName $roleName

To validate the permissions:

# Check assigned roles
Get-VMRemoteFXPhysicalVideoAdapter -VMName "ComputerA-VM"

# Test as UserA (run in a separate session). The remote command can start the VM,
# but vmconnect.exe is a GUI program: it has to be launched from UserA's own
# interactive desktop, not inside the remote script block, or no console appears.
Invoke-Command -ComputerName ComputerA -Credential (Get-Credential domain.com\UserA) -ScriptBlock {
    Get-VM -Name "ComputerA-VM" | Start-VM
}
# Console connection, run locally as UserA (use the host name instead of
# localhost when UserA is logged on to another machine)
vmconnect.exe localhost "ComputerA-VM"

  • Access denied to VM files: ensure UserA has read permission on the VM's configuration folder under C:\ProgramData\Microsoft\Windows\Hyper-V
  • WMI namespace issues: verify UserA has the Execute Methods permission on the root\virtualization\v2 namespace
  • Remote connectivity problems: add UserA to the Remote Management Users group if the VM is accessed from another machine

For enterprise environments with System Center Virtual Machine Manager:

# SCVMM PowerShell example
$vm = Get-SCVirtualMachine -Name "ComputerA-VM"
$user = Get-SCUser -Name "UserA@domain.com"
New-SCUserRole -Name "LimitedVMOperator" -User $user -VirtualMachine $vm -JobGroup $null -AddMember $true
Set-SCUserRole -UserRole "LimitedVMOperator" -AddPermission @("StartVM","ConnectVM")

When dealing with Hyper-V permissions on domain-joined systems, we need to work with both the Hyper-V Authorization Manager (AzMan) store and Active Directory security principals. The key challenge is enforcing least-privilege access while still allowing the specific VM operations the user needs.

First, ensure you have administrative access to ComputerA and the Hyper-V host:

# Verify Hyper-V module availability
Get-Module -ListAvailable -Name Hyper-V

# Import the module if needed
Import-Module Hyper-V

We'll use PowerShell to create a minimal role definition:

$roleName = "VM Operator - Start/Connect Only"
$roleDescription = "Allows starting VM and connecting to console only"

$role = @{
    Name = $roleName
    Description = $roleDescription
    OperationNames = @(
        "Microsoft.HyperV.VirtualMachine.Start",
        "Microsoft.HyperV.VirtualMachine.Connect"
    )
}

Add-VMRemoteFxPhysicalVideoAdapter -ComputerName ComputerA
New-VMRole -ComputerName ComputerA @role

Now assign this role to the domain user specifically for ComputerA-VM:

$userPrincipal = "domain.com\UserA"
$vmName = "ComputerA-VM"

Set-VMRemoteFxPhysicalVideoAdapter -ComputerName ComputerA -Name $vmName
Grant-VMRemoteFxPhysicalVideoAdapterAccess -ComputerName ComputerA -VMName $vmName -User $userPrincipal -Role $roleName

Test the permissions work as intended:

# Check assigned roles
Get-VMRemoteFxPhysicalVideoAdapter -ComputerName ComputerA -VMName $vmName | 
    Get-VMRemoteFxPhysicalVideoAdapterAccess

# Validate via PowerShell remoting (simulate UserA context). Only the Start-VM
# call belongs in the remote script block: vmconnect.exe is a GUI program and
# must be launched from UserA's own interactive desktop, or no console appears.
$cred = Get-Credential -UserName "domain.com\UserA" -Message "Enter UserA credentials"
Invoke-Command -ComputerName ComputerA -Credential $cred -ScriptBlock {
    Get-VM -Name "ComputerA-VM" | Start-VM
}
# Console connection, run locally as UserA (use the host name instead of
# localhost when UserA is logged on to another machine)
vmconnect.exe localhost "ComputerA-VM"

  • The user won't appear in Hyper-V Manager's security UI; these are low-level permissions
  • Consider assigning the role to a security group instead of to individual users
  • Document these permissions, as they won't be visible in the standard Hyper-V interfaces

If UserA encounters access denied errors:

# Check effective permissions
Get-VMRemoteFxPhysicalVideoAdapter -ComputerName ComputerA -VMName $vmName | 
    Test-VMRemoteFxPhysicalVideoAdapterAccess -User $userPrincipal

# Audit Hyper-V security events
Get-WinEvent -LogName "Microsoft-Windows-Hyper-V-VMMS-Admin" -MaxEvents 100 | 
    Where-Object {$_.Id -eq 40970}
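The Hyper-V module's RemoteFX*PhysicalVideoAdapter cmdlets manage GPU adapters rather than roles, so the following is an added example, not code from this page, that builds the same Start-only restriction with a different mechanism: a Just Enough Administration (JEA) endpoint on ComputerA in which UserA's commands run under a virtual account and only Get-VM and Start-VM for ComputerA-VM are exposed. ComputerA, ComputerA-VM and domain.com\UserA come from the page; the module name VMOperatorJEA, the endpoint name VMOperator and the transcript path are assumptions.

```powershell
# --- Host side: run once on ComputerA as an administrator ---
# 1. Module folder that carries the JEA role capability (module name is an assumption)
$modPath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\VMOperatorJEA'
New-Item -Path (Join-Path $modPath 'RoleCapabilities') -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modPath 'VMOperatorJEA.psd1')

# 2. Role capability: only Get-VM and Start-VM are visible, and only with -Name 'ComputerA-VM'.
#    Stop-VM, Remove-VM, Set-VM and every other VM simply do not exist in the session.
New-PSRoleCapabilityFile -Path (Join-Path $modPath 'RoleCapabilities\StartOnly.psrc') `
    -ModulesToImport 'Hyper-V' `
    -VisibleCmdlets @(
        @{ Name = 'Get-VM';   Parameters = @{ Name = 'Name'; ValidateSet = 'ComputerA-VM' } },
        @{ Name = 'Start-VM'; Parameters = @{ Name = 'Name'; ValidateSet = 'ComputerA-VM' } }
    )

# 3. Session configuration: commands run under a transient virtual account (local admin on
#    the host), so UserA itself receives no host privileges. Transcript path is an assumption.
$pssc = Join-Path $env:TEMP 'VMOperator.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'domain.com\UserA' = @{ RoleCapabilities = 'StartOnly' } }
Test-PSSessionConfigurationFile -Path $pssc        # $true when the .pssc is well-formed

# Registration restarts WinRM; -Force suppresses the confirmation prompt.
Register-PSSessionConfiguration -Name 'VMOperator' -Path $pssc -Force

# Admin-side check of what UserA will see, without logging on as UserA
Get-PSSessionCapability -ConfigurationName 'VMOperator' -Username 'domain.com\UserA'

# --- Client side: what UserA can and cannot do (run as UserA) ---
$s = New-PSSession -ComputerName 'ComputerA' -ConfigurationName 'VMOperator'
Invoke-Command -Session $s -ScriptBlock { Get-Command }                    # Get-VM, Start-VM + JEA defaults
Invoke-Command -Session $s -ScriptBlock { Start-VM -Name 'ComputerA-VM' }  # allowed
Invoke-Command -Session $s -ScriptBlock { Start-VM -Name 'OtherVM' }       # rejected by ValidateSet
Invoke-Command -Session $s -ScriptBlock { Stop-VM -Name 'ComputerA-VM' }   # CommandNotFound: not exposed
Remove-PSSession $s

# Console access is separate: vmconnect.exe ComputerA ComputerA-VM still requires whatever
# host rights vmconnect itself needs; the JEA endpoint only delegates the operations above.
```

Every command UserA runs through the endpoint is recorded in the transcript directory, which gives the audit trail the page's permissions otherwise lack.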