SCVMM 2008 R2: Configuring user access

Windows Server 2008 R2 has a built-in authorization manager console, but SCVMM 2008 R2 has greater flexibility for configuring user access across multiple Hyper-V servers.

Solutions provider takeaway: Using Microsoft's SCVMM 2008 R2 for authorization management has many benefits. It lets you configure user access across multiple Hyper-V servers, set access policies and ensure that the proper permissions remain in place for your customers. Use this tip to find out how SCVMM 2008 R2 can help you assign user access to the right resources and learn how SCVMM 2008 R2 also helps you automate certain tasks.

Today, your customers are thinking more and more about security. The financial costs of data exposure weigh heavily on a company. The possibility of losing customer confidence is a nightmare situation that keeps every business owner up at night. Yet today's IT technologies must walk the tightrope between providing greater access and limiting access to only specified individuals.

Virtualization is not spared from this dilemma. Virtualization and its associated protocols enable desktop and server access from anywhere with a network connection. The hardest part is ensuring that only the right users get access to the right resources.

Microsoft's Hyper-V R2 has the built-in ability to limit user access, thanks to Windows Server 2008 R2's Authorization Manager (AzMan). Using the built-in Authorization Manager console, it is possible for solutions providers to configure granular access control privileges for customers' Hyper-V virtual machines (VMs). The problem is that using Microsoft's console doesn't easily work across multiple machines. As a result, using Microsoft's AzMan can lead to mistakes, inappropriate configurations and substantial headaches when scaling Hyper-V environments.

Unlike Windows Server 2008 R2's AzMan, Microsoft System Center Virtual Machine Manager (SCVMM) 2008 R2 is able to automate many activities. And SCVMM 2008 R2's ability to centrally configure user access across multiple Hyper-V servers is a primary value proposition. Using SCVMM 2008 R2, solutions providers can set access policies for the entire virtual infrastructure and be assured that permissions remain in place as VMs move between Hyper-V hosts. You can also view and verify user access across each of your customers' VMs through one central location.

Configuring user access in SCVMM 2008 R2 starts by creating a user role. When creating a user role, there are two types of profiles to choose from. The first is a "Delegated Administrator" and is used for distributing administrator rights to specified VMs. A Delegated Administrator has the ability to perform all of the functions of a full administrator, but only on specified host groups and library servers.

But not all users need to be administrators. Sometimes your customer's environment needs a standard user to access a VM's desktop. Or you may wish to better define access to particular VM actions as opposed to granting full administrator access. These more-granular access assignments are carried out through SCVMM's second user role profile, "Self-Service User."

The Self-Service User profile grants access to users through SCVMM's built-in Self-Service Portal. This Web-based service creates a limited interface for nonadministrative users to interact with VMs. Using website controls, users can be given access to start, stop, pause, resume, checkpoint, remove, connect and shut down specified VMs. Using the Create User Role wizard in SCVMM 2008 R2, solutions providers can assign permissions for any or all of these actions to specified users and groups.

Through the same wizard, solutions providers can also grant users the ability to create their own VMs. When users are granted the ability to create new VMs, they can also be assigned one or more VM templates, which serve as the starting point for the VM. Solutions providers will obviously need to create those VM templates prior to assignment and according to IT policy.

Considering that users have the ability to create VMs at will, protecting the Hyper-V environment from VM sprawl is important. Using the wizard, solutions providers can assign "Quota Points" to VM templates, as well as quota maximums for each user role member. For example, a low-powered VM template might be configured to consume only one Quota Point, and a high-powered VM template may consume two Quota Points. At the same time, a configured user could be assigned a maximum of four points. In such a configuration, the user could at any point have four low-powered VMs concurrently running, two high-powered VMs or a combination of both. Quota Points bring true self-service capabilities to the Self-Service Portal in SCVMM 2008 R2.
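The Quota Point arithmetic above can be modeled in a few lines. This is an added example, not code from the article or from SCVMM; the template names, member names and inventory are constructed, and the functions are a hypothetical model rather than an SCVMM API. It assumes every template costs at least one point.

```python
from itertools import product

# Constructed values taken from the article's example: template costs and the
# per-member maximum. Names are hypothetical, not SCVMM identifiers.
TEMPLATE_COST = {"low-powered": 1, "high-powered": 2}
MEMBER_QUOTA = 4


def points_used(vms, costs=TEMPLATE_COST):
    """Sum the Quota Points consumed by a member's current VMs."""
    return sum(costs[template] for template in vms)


def can_create(vms, template, quota=MEMBER_QUOTA, costs=TEMPLATE_COST):
    """Admission check: would one more VM from `template` stay within quota?"""
    if template not in costs:
        raise KeyError(f"template not assigned to this role: {template}")
    return points_used(vms, costs) + costs[template] <= quota


def full_allocations(quota=MEMBER_QUOTA, costs=TEMPLATE_COST):
    """Every VM mix that fits the quota and leaves no room for another VM."""
    names = sorted(costs)
    cheapest = min(costs.values())
    ranges = [range(quota // costs[n] + 1) for n in names]
    result = []
    for counts in product(*ranges):
        used = sum(c * costs[n] for c, n in zip(counts, names))
        if used <= quota and quota - used < cheapest:
            result.append(dict(zip(names, counts)))
    return result


def over_quota(inventory, quota=MEMBER_QUOTA, costs=TEMPLATE_COST):
    """Audit: members whose VMs exceed the quota (e.g. after it was lowered)."""
    return {m: points_used(v, costs) for m, v in inventory.items()
            if points_used(v, costs) > quota}


# Constructed inventory: member -> templates of the VMs they currently own.
INVENTORY = {
    "alice": ["low-powered"] * 4,
    "bob": ["high-powered", "low-powered"],
    "carol": ["high-powered", "high-powered", "low-powered"],
}
```

With the article's numbers, `full_allocations()` lists the three mixes that exhaust a four-point quota, and `over_quota(INVENTORY)` flags the one constructed member whose VMs exceed it.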

Solutions providers will also need to store VMs when they're not in use. SCVMM 2008 R2 uses a library to store needed data, such as templates, ISO files and dormant VMs. More than one library server and/or share can be used when data needs are large. Within the Create User Role wizard, solutions providers can assign permissions to use specified library servers and shares to the users who need them.

These settings are easily accessed from the Administration node of the SCVMM 2008 R2 console and are exceptionally easy to use, even for the newest Hyper-V administrator. Still, assisting customers in making the right decisions about access control and user privileges is one area where solutions providers can really demonstrate the value of their services.

About the expert
Greg Shields, MVP, vExpert, is a partner with Concentrated Technology. Get more of Greg's tips and tricks at
