Here’s a new Knowledge Base article we published. This one talks about an issue where attempting to change the ownership of a VM in VMM 2012 to a user who is a member of the Self-Service User role created by the VMM Administrator fails.
When the VMM delegated administrator tries to change the ownership of a VM in System Center 2012 Virtual Machine Manager (VMM) to a user who is a member of the Self-Service User role created by the VMM Administrator, the following error is displayed:
The selected user is not a member of any user roles that has this object in its scope. Please select another user.
This happens even when the cloud to which the VM is assigned, and to which the Self-Service User role has access, is in the scope of the VMM delegated administrator.
This is by design, because VMM Delegated Administrators cannot view, modify, or remove user roles created by members of the Administrator user role or by other VMM Delegated Administrator user roles. As a result, a Self-Service User role created by the VMM Administrator is not accessible to the VMM Delegated Administrator.
To allow a delegated administrator in VMM to change the membership of a Self-Service User role, that role must be created by the delegated administrator. Below are two methods of creating a Self-Service User role that can be managed by a delegated administrator.
1. Log in to VMM as a Delegated Administrator.
2. Create a new Self-Service User Role (for example SSU_HelpDesk) and assign a user (for example contoso\Vladimir) as the member of this Self-Service User role.
Now the VMM delegated administrator should be able to change the ownership of the virtual machine to contoso\Vladimir as contoso\Vladimir is a member of the Self-Service User role (SSU_HelpDesk) created by the currently logged in VMM Delegated Administrator (assuming that the virtual machine is in the cloud which both the newly created Self-Service User role and the VMM delegated administrator role have in their scope).
NOTE If you log in as a member of a different VMM Delegated Administrator role and try to change the ownership of the virtual machine to contoso\Vladimir, you will get the error "The selected user is not a member of any user roles that has this object in its scope. Please select another user" since the Self-Service User role SSU_HelpDesk was created by a different VMM Delegated Administrator role.
The second option is to use the VMM PowerShell. In this example we are going to create a new Self-Service User role called ‘ContosoSSU’ and assign ‘DelAdmin’ VMM delegated administrator user role as an owner of the ContosoSSU which will enable members of the ‘DelAdmin’ role to change the ownership of a VM to a user who is a member of the ‘ContosoSSU’.
1. Log in as a VMM Administrator.
2. Launch the VMM PowerShell.
3. Type: $UserRole=Get-SCUserRole -name "DelAdmin"
4. Press enter
5. Type: New-SCUserRole -Name "ContosoSSU" -UserRoleProfile "SelfServiceUser" -ParentUserRole $UserRole
6. Press Enter
7. Now the new Self-Service User role "ContosoSSU" is created, and a member of the DelAdmin user role should be able to change ownership of a VM to a user who is a member of "ContosoSSU". Note that both DelAdmin and ContosoSSU need to have the same cloud in their scopes.
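The PowerShell method above, carried through to the ownership change, as an added example that is not part of the original article. The cloud name 'ContosoCloud' and VM name 'VM01' are assumed placeholders; the role and user names are the article's own examples.

```powershell
# Added example. Run steps 1-3 as a VMM Administrator in the VMM PowerShell.
$ErrorActionPreference = 'Stop'

$parentName = 'DelAdmin'          # delegated administrator role (from the article)
$ssuName    = 'ContosoSSU'        # Self-Service User role (from the article)
$member     = 'contoso\Vladimir'  # example user (from the article)
$cloudName  = 'ContosoCloud'      # assumed placeholder: a cloud already in DelAdmin's scope
$vmName     = 'VM01'              # assumed placeholder: a VM assigned to that cloud

# 1. Resolve the delegated administrator role that will own the new role.
$parent = Get-SCUserRole -Name $parentName
if (-not $parent) { throw "User role '$parentName' was not found." }

# 2. Create the Self-Service User role under that parent, unless it already exists.
$ssu = Get-SCUserRole -Name $ssuName
if (-not $ssu) {
    $ssu = New-SCUserRole -Name $ssuName -UserRoleProfile 'SelfServiceUser' `
                          -ParentUserRole $parent
}

# 3. Add the member and put the shared cloud in the new role's scope.
#    The same cloud must also be in the scope of the DelAdmin role.
$cloud = Get-SCCloud -Name $cloudName
if (-not $cloud) { throw "Cloud '$cloudName' was not found." }
Set-SCUserRole -UserRole $ssu -AddMember $member -AddScope $cloud | Out-Null

# 4. Run as a member of DelAdmin: assign the VM to the user under the new role.
$vm = Get-SCVirtualMachine -Name $vmName
if (-not $vm) { throw "Virtual machine '$vmName' was not found." }
Set-SCVirtualMachine -VM $vm -Owner $member -UserRole $ssu | Out-Null
```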
For the most current version of this article please see the following:
J.C. Hornbeck | System Center & Security Knowledge Engineer