What’s wrong with my permissions?!?

SCVMM depends on a number of permissions being available to operate correctly. Some are user and computer account related, others are group policies. Both are outlined below. Keep in mind that although you may have set up permissions correctly at some point during the install, things may have changed. It is not uncommon for an organization to create GPOs that strip computer objects from groups on local machines. It is also not uncommon for the SCVMM installation process to be unable to add objects to the required groups due to unforeseen permission issues. Take the time to double-check the settings below on all of your SCVMM systems and you may find that the strange issues you are experiencing are resolved.

 

Group Memberships

Local security groups on the SCVMM Server

· Group ‘Administrators’ should have as members the SCVMM Server 'Computer Object' and the Domain Account that is specified during operations in the SCVMM Admin Console

· Group ‘Virtual Machine Manager Servers’ should have the SCVMM Server 'Computer Object' as a member

Note: If you need to add a machine account, make sure you go to ‘Object types’ and check ‘Computers’. Then add it as <domain>\<machinename>$

 

Local security groups on an SCVMM Host

· Group ‘Administrators’ should have the SCVMM Server 'Computer Object' as a member 

· Group ‘Virtual Machine Manager Servers’ should have the SCVMM Server 'Computer Object' as a member

 

Local security groups on the Source P2V machine

· Group ‘Administrators’ should have the same User Account as the credentials specified in the SCVMM Admin Console during the P2V process
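The memberships listed above can be checked across all machines in one pass. The script below is an added example, not part of the original post; the computer names, the account names and the helper Get-DirectGroupMembers are placeholders chosen for illustration.

```powershell
# Added example. Every computer and account name here is a placeholder.
$VmmServer = 'CONTOSO\VMM01$'    # SCVMM server computer object: <domain>\<machinename>$
$RunAs     = 'CONTOSO\svc-vmm'   # domain account specified in the SCVMM Admin Console

# One entry per requirement from the lists above.
$Checks = @(
    @{ Computer = 'VMM01';    Group = 'Administrators';                  Account = $VmmServer },
    @{ Computer = 'VMM01';    Group = 'Administrators';                  Account = $RunAs },
    @{ Computer = 'VMM01';    Group = 'Virtual Machine Manager Servers'; Account = $VmmServer },
    @{ Computer = 'HOST01';   Group = 'Administrators';                  Account = $VmmServer },
    @{ Computer = 'HOST01';   Group = 'Virtual Machine Manager Servers'; Account = $VmmServer },
    @{ Computer = 'P2VSRC01'; Group = 'Administrators';                  Account = $RunAs }
)

# Hypothetical helper: returns the direct members of a local group as DOMAIN\name.
# Members that arrive through a nested domain group are not expanded.
function Get-DirectGroupMembers {
    param([string]$Computer, [string]$Group)
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in $g.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # "WinNT://CONTOSO/VMM01$" becomes "CONTOSO\VMM01$"
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$results = foreach ($c in $Checks) {
    try {
        $members = @(Get-DirectGroupMembers -Computer $c.Computer -Group $c.Group)
        # -contains is case-insensitive, which matches how account names compare
        $status = if ($members -contains $c.Account) { 'OK' } else { 'MISSING' }
    } catch {
        # Group does not exist, machine unreachable, or access denied
        $status = 'ERROR: ' + $_.Exception.Message
    }
    New-Object PSObject -Property @{
        Computer = $c.Computer; Group = $c.Group; Account = $c.Account; Status = $status
    }
}
$results | Select-Object Computer, Group, Account, Status | Format-Table -AutoSize
```

A MISSING row that was OK after installation is a sign that a GPO is rewriting local group membership on that machine.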

 

Group Policy Rights

There is not a compiled list of rights that are required, due to the complexity of rights specified in group policies and the ability to lock down individual registry keys and file system directories. Instead, I have provided a method for comparing current machine group policy rights to those that are applied by default during Windows installation. If you find that a number of items are more restrictive on your server than in the default policy, consider moving this machine to an OU of its own and blocking inheritance of group policies. This may correct the issue. If rights have been stamped onto the machine, it may be necessary to re-apply the default group policy settings created during Windows installation. Even if this is not an acceptable resolution, at least you will know with confidence that it is restricted rights that are breaking SCVMM. You can then start adding back the restrictions that you find important until you find that you have broken SCVMM again. Once you have found the restriction responsible, you'll have to live without enabling it. If you have a development environment, it is strongly suggested that you perform testing there instead of in production.

 

Steps to Analyze and Configure (Apply) Security Templates

This first section will collect data for review. No changes will be made to the server. Make sure you are logged into the domain, not locally. This may take a few minutes to run.

1 - Start> Run> mmc.exe

2 - File> Add/Remove Snap-in...

3 - Add...> Security Configuration and Analysis> Add...> Close> OK

4 - Right click 'Security Configuration and Analysis' and select 'Open Database'.

A - Create a new temporary database named 'test.sdb' and click 'Open' (do not re-use one of your earlier temporary databases; name the next ones test1.sdb and so on)

Windows 2003

B - When prompted for 'Import Template' select 'C:\Windows\Security\Templates\setup security.inf' and click 'Open'

C - If you were not prompted for 'Import Template', right click 'Security Configuration and Analysis' and select 'C:\Windows\Security\Templates\setup security.inf'

                - If this is a Domain Controller, use ‘securedc.inf’ instead

Windows 2008

B - When prompted for 'Import Template' select 'C:\Windows\inf\setup security.inf' and click 'Open'

C - If you were not prompted for 'Import Template', right click 'Security Configuration and Analysis' and select 'C:\Windows\inf\deftsv.inf'

                - If this is a Domain Controller, use ‘deftdc.inf’ instead

5 - Right click 'Security Configuration and Analysis' and select 'Analyze computer now'

6 - Browse to a location to save the Error Log so you can find it later, give it a descriptive name if you like, and click 'OK'

7 - This log file will show the differences between the default security template applied during Windows setup, and what is currently in place. Note that there will be two sources of rights settings: local and domain. It may be necessary to review domain policies that are making security changes that are incompatible with SCVMM.
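The same analysis can be run from an elevated prompt with secedit and the log reduced to the settings that differ. This is an added example that goes beyond the GUI steps in the post; the file locations are placeholders, and the log-line patterns it matches are an assumption about the secedit log layout, so check them against your own log.

```powershell
# Added example, not from the original post. Run elevated, logged into the domain.
# Template path is the Windows 2003 one from step 4B; substitute the path
# given above for your OS version and role.
$Template = 'C:\Windows\Security\Templates\setup security.inf'
$Db       = Join-Path $env:TEMP 'test1.sdb'           # fresh temporary database
$Log      = Join-Path $env:TEMP 'scvmm-analysis.log'  # placeholder log location

# Start from a clean database and log, as step 4A advises.
Remove-Item $Db, $Log -ErrorAction SilentlyContinue

# Analysis only: /analyze compares the machine to the template and changes nothing.
& secedit.exe /analyze /db $Db /cfg $Template /log $Log /quiet
if (-not (Test-Path $Log)) { throw "secedit did not write $Log" }

# Assumption: each area of the log starts with a line of leading dashes, and
# each setting that differs from the template is flagged with "Mismatch".
$area = '(unknown)'
$findings = foreach ($line in Get-Content -Path $Log) {
    if ($line -match '^\s*-{2,}\s*(\S.*?)[\s.]*$') {
        $area = $Matches[1]       # remember which area we are in
        continue
    }
    if ($line -match '^\s*Mismatch\s*-\s*(\S.*?)\.?\s*$') {
        New-Object PSObject -Property @{ Area = $area; Setting = $Matches[1] }
    }
}

# Summary by area first, then the individual settings to review.
$findings | Group-Object Area | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
$findings | Select-Object Area, Setting | Format-Table -AutoSize
```

Saving the findings from a working SCVMM machine and a failing one and comparing the two lists narrows the search to the restrictions that only the failing machine carries.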

 

 

For further reading and information

Analyze and configure security

https://technet.microsoft.com/en-us/library/cc759251.aspx

 

Configure local computer security

https://technet.microsoft.com/en-us/library/cc737638.aspx

 

Your Guide to Group Policy Troubleshooting

https://technet.microsoft.com/en-us/magazine/2007.02.troubleshooting.aspx