What’s wrong with my permissions?!?


SCVMM depends on a number of permissions being available to operate correctly. Some are user and computer account related, others are group policies. Both are outlined below. Keep in mind that although you may have set up permissions correctly at some point during the install, things may have changed. It is not uncommon for an organization to create GPOs that strip computer objects from groups on local machines. It is also not uncommon that the SCVMM installation process is unable to add objects to the required groups on install due to unforeseen permission issues. Take the time to double check the settings below on all of your SCVMM systems and you may find that strange issues you are experiencing are resolved.


 


Group Memberships


Local security groups on the SCVMM Server


·         Group ‘Administrators’ should have the SCVMM Server ‘Computer Object’ as a member, and the Domain Account that is specified during operations in the SCVMM Admin Console


·         Group ‘Virtual Machine Manager Servers’ the SCVMM Server ‘Computer Object’ as a member


Note:  If you need to add a machine accounts, make sure you go to ’Object types’ and check ‘Computers’.  Then add it as <domain>\<machinename>$


 


Local security groups on an SCVMM Host


·         Group ‘Administrators’ should have the SCVMM Server ‘Computer Object’ as a member 


·         Group ‘Virtual Machine Manager Servers’ should have the SCVMM Server ‘Computer Object’ as a member


 


Local security groups on the Source P2V machine


·         Group ‘Administrators’ should have the same User Account as the credentials specified in the SCVMM Admin Console during the P2V process


 


Group Policy Rights


There is not a complied list of rights that are required due to the complexity of rights specified in group policies and the ability to lock down individual registry keys and file system directories. Instead, I have provided a method for comparing current machine group policy rights to those that are applied by default during Windows installation. If you find that there are a number of items more restrictive on your server than in the default policy, consider moving this machine to an OU of its own and blocking inheritance of group policies. This may correct the issue. If rights have been stamped onto the machine, it may be necessary to re-apply the default group policy settings created during Windows installation. Even if this is not an acceptable resolution, at least you will know with confidence that it is restricted rights that are breaking SCVMM. You can then start adding the rights that you find important back until you find that you have broken SCVMM again. You’ll have to live without enabling this restriction once found. If you have a development environment it is strongly suggested that you perform testing there instead of in production.


 


Steps to Analyze and Configure (Apply) Security Templates


This first section will collect data for review. No changes will be made to the server. Make sure you are logged into the domain, not locally. This may take a few minutes to run.


1 – Start> Run> mmc.exe


2 – File> Add/Remove Snap-in…


3 – Add…> Security Configuration and Analysis> Add…> Close> OK


4 – Right click ‘Security Configuration and Analysis’ and select ‘Open Database’.


A – Create a new temporary database named ‘test.sdb’ and click ‘Open’ (do not re-use one of your temporary databases. Make test1.sdb and so on)


Windows 2003


B – When prompted for ‘Import Template’ select ‘C:\Windows\Security\Templates\setup security.inf’ and click ‘Open’


C – If you were not prompted for ‘Import Template’, right click ‘Security Configuration and Analysis’ and select C:\Windows\Security\Templates\setup security.inf’


                – If this is a Domain Controller, use ‘securedc.inf’ instead


Windows 2008


B – When prompted for ‘Import Template’ select ‘C:\Windows\inf\setup security.inf’ and click ‘Open’


C – If you were not prompted for ‘Import Template’, right click ‘Security Configuration and Analysis’ and select C:\Windows\inf\deftsv.inf’


                – If this is a Domain Controller, use ‘deftdc.inf’ instead


5 – Right click ‘Security Configuration and Analysis’ and select ‘Analyze computer now’


6 – Browse to a location to save the Error Log so you can find it later, give it a descriptive name if you like, and click ‘OK’


7 – This log file will show the differences between the default security template applied during Windows setup, and what is currently in place. Note that there will be two sources of rights settings: local and domain. It may be necessary to review domain policies that are making security changes that are incompatible with SCVMM.


 


 


For further reading and information


Analyze and configure security


http://technet.microsoft.com/en-us/library/cc759251.aspx


 


Configure local computer security


http://technet.microsoft.com/en-us/library/cc737638.aspx


 


Your Guide to Group Policy Troubleshooting


http://technet.microsoft.com/en-us/magazine/2007.02.troubleshooting.aspx

Comments (3)

  1. Anonymous says:

    That&#39;s a question we seem to get a lot, and not just for SCVMM but for just about every product we

  2. Anonymous says:

    That’s a question we seem to get a lot, and not just for SCVMM but for just about every product we support.&#160;