Understanding AzMan In Hyper-V

Understanding AzMan in Hyper-V
Lai YoongSeng
MVP : Virtual Machine www.ms4u.info
Technical Consultant, Redynamics

Agenda
Who is AzMan?
How AzMan Works?
Configure AzMan
Why use AzMan?
Auditing
Troubleshooting

Who is AzMan?
Not who but “ What is AzMan ?”
AzMan also known as “Authorization Manager”
Is a GUI interface for configuring security in Hyper-V
Role Based Access and Control (RBAC) is what is used

How AzMan Work?
Access to resources is based on Role Definitions and not Access Control List (ACL)
Roles are based on a list of Tasks that are defined in a Role Definition. The Role Definition is then associated with a Role Assignment
Only one Default Role defined in Hyper-V:- Administrator
Built in Local Administrator Group is automatically added to the Administrator Role Assignment

Access AzMan
To access
Start | Run | Type Azman.msc
Azman.msc is the primary method for defining and managing permissions for Hyper-V
Open Authorization Stores

Configure AzMan
Note: Backup InitialStore.xml before modify
Configure Role Assignment
Add non administrator to full permission on Hyper-V server

Configure AzMan
Create Task. A task is a grouping of operation. Example: Control VM task and assign start, stop, restart vm operation.
1
2

Configure AzMan
Create Role Definition- to limit operation on Hyper-V Server. Example: Operator Role which assign to control VM operation.
1
2

Configure AzMan
Create new roles – to assign user to tasks or operation
1
2

Configure AzMan
demo

Why use Azman?
More secure and limit operation can perform on Hyper-V Hosts
Secure either entire Hyper-V host or based on Virtual Machine
Note:-

Secure by Virtual Machine
Step 1: Create Scope
Step 2: Create Role
Step 3: Assign Role
Step 4: Create New VM
Step 5: Set the scope of the VM by using 4 scripts – Contributed by Tony Super
GUI ? Sorry no GUI.

Script #1:- CreateVMInScope.vbs
Option Explicit
Dim WMIService
Dim VMManagementService
Dim VMName
Dim VMScope
Dim VMSystemGlobalSettingData
Dim Result
Dim inParameters
VMName = InputBox(“Specify the name for the new virtual machine:”)
VMScope = InputBox(“Specify the scope to be used for the new virtual
machine:”)
‘Get an instance of the WMI Service in the virtualization namespace.
Set WMIService = GetObject(“winmgmts:.rootvirtualization”)
‘Get a VMManagementService object
Set VMManagementService = WMIService.ExecQuery(“SELECT * FROM
Msvm_VirtualSystemManagementService”).ItemIndex(0)
‘ Initialize the global settings for the VM
Set VMSystemGlobalSettingData =
WMIService.Get(“Msvm_VirtualSystemGlobalSettingData”).SpawnInstance_()
‘Set the name and scope
VMSystemGlobalSettingData.ElementName = VMName
VMSystemGlobalSettingData.ScopeOfResidence = VMScope
‘ Create the VM
VMManagementService.DefineVirtualSystem(VMSystemGlobalSettingData.GetText_(1
)

Script #2:DisplayVMScopes.vbs
Option Explicit
Dim WMIService
Dim VMList
Dim VM
Dim Message
‘Setup start of message string
Message = “Virtual Machines and their scope of residence” & chr(10) _
& “========================================”
‘Get instance of ‘virtualization’ WMI service on the local computer
‘Get all the MSVM_ComputerSystem object
Set VMList = WMIService.ExecQuery(“SELECT * FROM Msvm_ComputerSystem”)
For Each VM In VMList
if VM.Caption = “Virtual Machine” then
(VM.Associators_(“MSVM_ElementSettingData”,
“Msvm_VirtualSystemGlobalSettingData”)).ItemIndex(0)
Message = Message & chr(10) & “VM: “ & VM.ElementName
Message = Message & chr(10) & “Scope: “ &
VMSystemGlobalSettingData.ScopeOfResidence
Message = Message & chr(10)
end if
Next
wscript.echo Message

Script #3:ClearVMScope.vbs
Option Explicit
Dim WMIService
Dim VMList
Dim VM
Dim Result
‘Get instance of ‘virtualization’ WMI service on the local computer
‘Get all the MSVM_ComputerSystem object
Set VMList = WMIService.ExecQuery(“SELECT * FROM Msvm_ComputerSystem”)
For Each VM In VMList
if VM.Caption = “Virtual Machine” then
(VM.Associators_(“MSVM_ElementSettingData”,
VMSystemGlobalSettingData.ScopeOfResidence = “”
Result = VMManagementService.ModifyVirtualSystem(VM.Path_.Path,
VMSystemGlobalSettingData.GetText_(1))
end if
Next

Script #4:ChangeVMScope.vbs
Dim WMIService
Dim VM
Dim VMName
Dim VMScope
Dim Result
‘Setup variables for the VM we are looking for, and the scope to assign it to
VMName = InputBox(“Specify the virtual machine to change scope on:”)
VMScope = InputBox(“Specify the new scope to be used:”)
‘Get an instance of the WMI Service in the virtualization namespace.
‘Get the VM object that we want to modify
Set VM = (WMIService.ExecQuery(“SELECT * FROM Msvm_ComputerSystem WHERE
ElementName=’” & VMName & “‘“)).ItemIndex(0)
‘Get the VirtualSystemGlobalSettingsData of the VM we want to modify
Set VMSystemGlobalSettingData = (VM.Associators_(“MSVM_ElementSettingData”,
‘Change the ScopeOfResidence property
VMSystemGlobalSettingData.ScopeOfResidence = VMScope
‘Update the VM with ModifyVirtualSystem
Result = VMManagementService.ModifyVirtualSystem(VM.Path_.Path,
VMSystemGlobalSettingData.GetText_(1))

Function of Each Scripts

What Happen When Host Join To Domain?
Domain Admin Group will have full permission to create and manage VM on host servers.
Administrator Role Assignment is set to
domain admin

What Happen When Host Added into VMM?
VMM create a copy and store in ProgramDataMicrosoftVirtual Machine ManagerHyperVAuthStore.xml
By default, VMM will
VMM Administrators are given full access to the VM/Hyper-V, including console access to the VM
VMM Delegated administrators have no access to the VM or Hyper-V
End User Role members are given console access to the VM if their User Roles has this privilege defined
This means that any privileges defined in the old AzManfile will be lost once VMM takes control of the host.
When remove Hyper-V host from management, will revert to InitialStore.xml

Auditing
Must enabled on Authorization Manager
1
2

Auditing
On Local Hosts. Use Local Security Policy | Audit Policy and Enable object access.
On domain, enable on GPO | Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy, and then double-click Audit directory service access.

Troubleshooting AzMan
Refer to Event Viewer.
Open Windows Log | Security
Open Applications and Services Log | Microsoft | Windows
Hyper-V-VMMS
Hyper-V-Workers
More information:- http://technet.microsoft.com/en-us/library/dd581761(WS.10).aspx

Event Viewer

Summary
AzMan is a Role Based Access and Control
Security in Hyper-V

Questions & Answers
Post – MVUG page @ Facebook

Resources
Understand more about AzMan
http://technet.microsoft.com/en-us/library/cc726036(WS.10).aspx
http://blogs.technet.com/b/m2/archive/2009/01/12/azman-permissions-for-vmm-managed-hyper-v-hosts.aspx
http://blogs.technet.com/b/jhoward/archive/2009/08/31/explaining-the-hyper-v-authorization-model-part-one.aspx
http://blogs.technet.com/b/jhoward/archive/2009/09/02/explaining-the-hyper-v-authorization-model-part-two.aspx
http://blogs.technet.com/b/jhoward/archive/2009/09/09/explaining-the-hyper-v-authorization-model-part-three.aspx
http://blogs.technet.com/b/jhoward/archive/2009/09/18/explaining-the-hyper-v-authorization-model-part-four.aspx
MVUG (Malaysia Virtualization User Group) – Join us !
http://www.facebook.com/group.php?gid=216237734803 @ Search “MVUG” in Facebook
Lai’s Blog –Virtualization & System Center related, etc
http://www.ms4u.info

Understanding AzMan In Hyper-V

by Lai Yoong Seng

Accessibility

Categories

Upload Details

Usage Rights

2 Embeds 367

Statistics

Understanding AzMan In Hyper-V Presentation Transcript

http://www.ms4u.info	365
http://webcache.googleusercontent.com	2