Problem with granting remote access to Hyper-V Manager
Hi,
I'm in the following situation: I have a domain environment with a couple of Hyper-V servers (Windows Sever 2012 R2 Datacenter) and some workstations (Windows 8.1 Enterprise). On these workstations I need to run Hyper-V Virtual Machines and I need to delegate
remote access to the Hyper-V Manager to non-administrator users. With the servers this works by just adding the users to the local Hyper-V Administrators group, but it doesn't work with the workstations. The users are only able to connect to the Hyper-V manager
on the workstations if they are also in the local Administrators group. I get this lovely error message: "You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer COMPUTERNAME"
Is this behavior by design or am I missing something here?
vargabes7
February 15th, 2015 1:14am
Hi bargabes7,
The hyper-v administrators group is used to allow non-administrative users to control hyper-v.
Here is a link for reference :
Allowing non-Administrators to control Hyper-VUpdated
http://blogs.msdn.com/b/virtual_pc_guy/archive/2014/06/11/allowing-non-administrators-to-control-hyper-v-updated.aspx
Will all the windows 8.1 workstations have this issue ?
If only the specific machines has this issue ,we may need to refer to the following link to recreate the group to have a check.
Creating a Hyper-V Administrators local group through PowerShell
http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/09/28/creating-a-hyper-v-administrators-local-group-through-powershell.aspx
Please also turn off the firewall temporarily to have a check .
Considering this is related to the remote access ,we can try this setting to have a check :
Run "dcomcnfg" ,"component services","My computer","com security","access permissions"."edit limits","Anonymous logon","remote access".
Best regards
February 16th, 2015 3:30am
Hi MeipoXu,
First of all thank you for you time and effort for trying to help!
1. I'm aware of the Hyper-V Administrators group, that's what I'm successfully using on the server version.
2. Every Windows 8.1 has this issue. I even tested this with a clean install (nothing else but this role installed and PC joined to the domain) and it's still not working.
3. The firewall is not an issue here for sure. I tried disabling it before and I even did a packet capture and saw that there was communication but the Hyper-V host denied access. (I see this in the capture: Expert Info (Note/Response): Fault: nca_s_fault_access_denied)
4.I added the "remote access" under the "Anonymous logon", but it's still not working. (I even rebooted the machine.)
I'm still getting the "You do not have the required permission..." error.
Is there any log that I can check? The other frustrating part is that I can't seem to find anything in the event logs..
best regards,
vargabes7
February 17th, 2015 7:35am
Hi Vargabes,
We can check the logs in this path "Applications and Services Logs", "Microsoft", "Windows":
Navigate to the options related to Hyper-v.
Best regards
-
Edited by
MeipoXu
10 hours 2 minutes ago
February 17th, 2015 8:48pm
Hi Vargabes,
We can check the logs in this path "Applications and Services Logs", "Microsoft", "Windows":
Navigate to the options related to Hyper-v.
Best regards
-
Edited by
MeipoXuMicrosoft contingent staff, Moderator
Wednesday, February 18, 2015 1:42 AM
February 18th, 2015 1:41am
Hi Vargabes,
We can check the logs in this path "Applications and Services Logs", "Microsoft", "Windows":
Navigate to the options related to Hyper-v.
Best regards
-
Edited by
MeipoXuMicrosoft contingent staff, Moderator
Wednesday, February 18, 2015 1:42 AM
February 18th, 2015 1:41am
Hi MeipoXu,
There's absolutely nothing under any of the Hyper-V entries regarding this (from Hyper-V-Config to Hyper-V-Worker). I just did a quick failed connection attempt again (using VMConnect) and no new logs were generated (yes, I did a refresh before I checked).
The newest of any of the logs were from yesterday afternoon.
February 18th, 2015 3:18am
Hi Vargabes,
We can check the logs in this path "Applications and Services Logs", "Microsoft", "Windows":
Navigate to the options related to Hyper-v.
Best regards
-
Edited by
MeipoXu
Wednesday, February 18, 2015 1:42 AM
February 18th, 2015 4:41am
Hi Vargabes,
We can check the logs in this path "Applications and Services Logs", "Microsoft", "Windows":
Navigate to the options related to Hyper-v.
Best regards
-
Edited by
MeipoXu
Wednesday, February 18, 2015 1:42 AM
February 18th, 2015 4:41am
Hi vargabes,
"Expert Info (Note/Response): Fault: nca_s_fault_access_denied"
This seems to be related to the remote access.
The hyper-v administrators group is used to allow non-administrative users to control hyper-v but we should get the remote access privilages before we can operate the remote resources because we want to remote access .I think this is the key point of
this issue .
We can try to add the accounts to both the "hyper-v administrators" group and the "remote desktop users"group to have a check.
Best regards
-
Edited by
MeipoXu
10 hours 6 minutes ago
February 18th, 2015 8:43pm
Hi vargabes,
"Expert Info (Note/Response): Fault: nca_s_fault_access_denied"
This seems to be related to the remote access.
The hyper-v administrators group is used to allow non-administrative users to control hyper-v but we should get the remote access privilages before we can operate the remote resources because we want to remote access .I think this is the key point of
this issue .
We can try to add the accounts to both the "hyper-v administrators" group and the "remote desktop users"group to have a check.
Best regards
-
Edited by
MeipoXuMicrosoft contingent staff, Moderator
Thursday, February 19, 2015 1:38 AM
February 19th, 2015 1:37am
Hi vargabes,
"Expert Info (Note/Response): Fault: nca_s_fault_access_denied"
This seems to be related to the remote access.
The hyper-v administrators group is used to allow non-administrative users to control hyper-v but we should get the remote access privilages before we can operate the remote resources because we want to remote access .I think this is the key point of
this issue .
We can try to add the accounts to both the "hyper-v administrators" group and the "remote desktop users"group to have a check.
Best regards
-
Edited by
MeipoXuMicrosoft contingent staff, Moderator
Thursday, February 19, 2015 1:38 AM
February 19th, 2015 1:37am
Hi vargabes,
"Expert Info (Note/Response): Fault: nca_s_fault_access_denied"
This seems to be related to the remote access.
The hyper-v administrators group is used to allow non-administrative users to control hyper-v but we should get the remote access privilages before we can operate the remote resources because we want to remote access .I think this is the key point of
this issue .
We can try to add the accounts to both the "hyper-v administrators" group and the "remote desktop users"group to have a check.
Best regards
-
Edited by
MeipoXu
Thursday, February 19, 2015 1:38 AM
February 19th, 2015 4:37am
Hi vargabes,
"Expert Info (Note/Response): Fault: nca_s_fault_access_denied"
This seems to be related to the remote access.
The hyper-v administrators group is used to allow non-administrative users to control hyper-v but we should get the remote access privilages before we can operate the remote resources because we want to remote access .I think this is the key point of
this issue .
We can try to add the accounts to both the "hyper-v administrators" group and the "remote desktop users"group to have a check.
Best regards
-
Edited by
MeipoXu
Thursday, February 19, 2015 1:38 AM
February 19th, 2015 4:37am
Hi MeipoXu,
I have already done that before and it's still not working.
best regards
-
Edited by
vargabes7
23 hours 20 minutes ago
February 19th, 2015 7:31am
Hey,
I built this in a lab to test, my machine is not on the domain but this should not make a massive difference.
On the local machine if you open computer manager --> local users and groups --> groups
There is a Hyper-V Administrators group there. If you add the user here this allows that user to log in and access the local Hyper-V installation.
You could use group policy to add the user or an AD group that the user is a part of to this Builtin group automatically.
Hope this helps :D
February 19th, 2015 10:24am
Hi,
Thanks for your reply!
If you add a non-domain user to that group how will that user authenticate itself on the Hyper-V host from a remote machine?
February 19th, 2015 11:02am
Hi MeipoXu,
I have already done that before and it's still not working.
best regards
-
Edited by
vargabes7
Thursday, February 19, 2015 12:24 PM
February 19th, 2015 12:24pm
Hi MeipoXu,
I have already done that before and it's still not working.
best regards
-
Edited by
vargabes7
Thursday, February 19, 2015 12:24 PM
February 19th, 2015 3:24pm
Try this article, it
describes the organization of remote access to Hyper-V 2012
server from Win 8 (http://woshub.com/remote-hyper-v-2012-management-from-windows-8/)
February 20th, 2015 5:04am
Hi MeipoXu,
I tried your suggestion and used Process Monitor but unfortunately I didn't get any further. The only events related to the connection attempts were from "svchost.exe" and they were all "TCP Accept, TCP Receive, TCP Send and TCP Disconnect".
No access denied and no registry read events.
The only way a user can remotely connect to the workstation's Hyper-V manager is if he is a member of the local Administrators group on that Hyper-V enabled workstation. On the servers (2012 R2) it's enough to be a member of the Hyper-V Administrators local
group and nothing else is needed.
best regards,
vargabes7
February 20th, 2015 5:27am
Hi,
Thanks for the reply, but this article is not related to my problem.
February 20th, 2015 5:28am
Hi vargabes,
From the discussion between you and Random TechGuy,I am a little confused .Have you added the standard user to the local Hyper-V Administrators of the Windows 8.1 machines ?
From the link Maxbak offered, we can try to add them to the "remote Management User" and "WinRMRemoteWMIUsers" groups to have a check .
If it still can not be accessed ,I am afraid that getting into the Hyper-v manager of Windows 8.1 remotely ,the local administrator privilages is necessary.
Best regards
February 21st, 2015 11:31am
Vargabes,
The user who wants to access the Hyper-V are doing this remotely is that correct or are they logged onto the machine?
Is the user connecting to the PC with a domain account or a local account?
Assuming they are connecting using a domain then add the domain user account to the Hyper-V group. Then from the remote machine install the RSAT tools. Try opening the Hyper-V manager and connecting to the Remote windows 8.1 Machine using as the user. You
could always have the user RDP by adding them to the remote users group too. Then they could run the Hyper-V tools from there.
February 23rd, 2015 6:16am
Hello everyone,
I'm just updating this post to let everyone know who bumped into this problem that it can't/won't be solved. I opened up a support ticket with Microsoft regarding this issue and after a long consultation they confirmed my issue and told me that it won't
be fixed (it would require too much effort). This problem has something to do with the way security access control is implemented in the desktop version versus the server version and that's why it works in the servers.
The only way you can remotely connect to the console of a Client Hyper-V virtual machine (running under a Windows 8.1 PC) is if your user is a member of the local administrators group on that PC.
best regards,
vargabes7
-
Marked as answer by
vargabes7
22 hours 39 minutes ago
May 8th, 2015 4:43am
Hello everyone,
I'm just updating this post to let everyone know who bumped into this problem that it can't/won't be solved. I opened up a support ticket with Microsoft regarding this issue and after a long consultation they confirmed my issue and told me that it won't
be fixed (it would require too much effort). This problem has something to do with the way security access control is implemented in the desktop version versus the server version and that's why it works in the servers.
The only way you can remotely connect to the console of a Client Hyper-V virtual machine (running under a Windows 8.1 PC) is if your user is a member of the local administrators group on that PC.
best regards,
vargabes7
-
Marked as answer by
vargabes7
Friday, May 08, 2015 8:42 AM
May 8th, 2015 8:42am