Managing Virtual Machines without Domain Administrator Credentials

I received another really good question, so I want to share it.

My servers will be running Windows Enterprise running Hyper-V with 4 VMs each. The third server will run Windows Standard 2008 with Microsoft SCVMM. Is there a way for SCVMM to be installed and manage the Windows Enterprise Hyper-V hosts and VMs without being a domain admin? These are being installed on a large secured network and getting Domain Admin privileges to Active Directory will not be possible.

I didn’t know the answer to this one so I was going to do some research. As I was contemplating how I wanted to tackle this one, Ken Lince, one of my peers, spoke up with the right way to handle this scenario, so here it is:

There are user roles that you can define in SCVMM to delegate administrative access across server groups or libraries - and the same with Hyper-V Manager - you can delegate access to specific VMs without giving 'domain admin' type privileges at the server level. So, the admins can use the MMC consoles and effectively do not need or require administrative access to the server itself.

That said, an Admin will need to install it and add the Hyper-V Servers (requires domain admin type access to do this because you have to supply credentials to add hosts), but past that they should be able to devise an administrator policy so that VMM managers don't require that level of access.

Of course, the other management tools like SCOM have similar capabilities.

Quick blurb on Delegated Admin:

Delegated administration. The delegated administrator is a new role available to manage hosts and VMs in SCVMM 2008. A delegated administrator can perform all the functions of a full administrator but only on a subset of objects. This kind of job is useful for people who need to perform administrative functions on some but not all hosts managed by SCVMM. This role has broader administrative rights than the self-service user role. You can control the self-service user role according to what types of functions are allowed on a per-VM basis, whereas the delegated administrator has full rights on a predefined scope of host servers and libraries. For example, you could delegate administration rights to manage hosts and libraries for a particular region.

Thanks again Ken!

This article does a good job of spelling out the requirements:

Until next time,

