
Allowing Non-Administrators To Control Hyper-V

The document discusses allowing non-administrative users to control Hyper-V virtual machines. It explains that Hyper-V uses an authorization management framework to configure user permissions. It provides definitions for key terms like operations, tasks, roles, scopes, and default scope. It then gives steps to edit the local XML authorization store to assign the Administrator role to a non-admin user, allowing that user to control Hyper-V.

Uploaded by

Giovanni Pizza
Copyright
© All Rights Reserved

Allowing non-Administrators to control Hyper-V

By default Hyper-V is configured such that only members of the administrators group can create and control
virtual machines. Today I am going to show you how to allow a non-administrative user to create and control
virtual machines.
Hyper-V uses the new authorization management framework in Windows to allow you to configure what
users can and cannot do with virtual machines. This is very powerful and allows for some useful and
interesting configuration options – but I will explore those on another day. To set the stage I need to explain
some terms from the authorization management framework world:

• Operation

This is the basic building block of authorization manager – and represents some action that the user can
perform. Some operations that exist in our authorization store include op_Create_VM (the act of
creating a new virtual machine) or op_Start_VM (the act of starting a virtual machine).

• Task

A task is a grouping of operations. We do not create any tasks by default – but you could create a task
that was labeled ‘control_VM’ and then add the operations for starting, stopping, pausing and restarting
a virtual machine to that task.

• Role

A role defines a job / position / responsibility that is held by a user. For instance, you might have a role
called ‘Virtual_Network_Admin’. This role would have all the tasks and operations that relate to virtual
networks. Users are then assigned to roles as needed.

• Scope

A scope allows you to define which objects are owned by which roles. If you had a system where you
wanted to grant administrative access to a subset of the virtual machines to a specific user – you would
create a scope for those virtual machines and apply your configuration change to only that scope.

• Default Scope

The default scope is where virtual machines are stored by default. It is the equivalent of having no
scope defined.

Hyper-V can be configured to store its authorization configuration in Active Directory or in a local XML file.
After initial installation it will always be configured to use a local XML file located at
\programdata\Microsoft\Windows\Hyper-V\InitialStore.xml on the system partition. To edit this file you will need
to:

1. Open the Run dialog (launch it from the Start menu or press Windows Key + R).
2. Start mmc.exe.
3. Open the File menu and select Add/Remove Snap-in…
4. From the Available snap-ins list select Authorization Manager.
5. Click Add > and then click OK.
6. Click on the new Authorization Manager node in the left panel.
7. Open the Action menu and select Open Authorization Store…
8. Choose XML file for the Select the authorization store type: option and then use the Browse… button to open
c:\programdata\Microsoft\Windows\Hyper-V\InitialStore.xml on the system partition (programdata is
a hidden directory so you will need to type it in first).
9. Click OK.
10. Expand InitialStore.xml then Microsoft Hyper-V services then Role Assignments and finally select
Administrator.
11. Open the Action menu and select Assign Users and Groups then From Windows and Active Directory…
12. Enter the name of the user that you want to be able to control Hyper-V and click OK.
13. Close the MMC window (you can save or discard your changes to Console 1 – this does not affect the
authorization manager changes that you just made).

And now you are done. The user that you added will be able to completely control Hyper-V even if they are
not an administrator on the physical computer.
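
Because this role assignment grants full control of Hyper-V outside the local Administrators group, it is worth being able to review it later. The following is an added example, not code from the original post: a read-only audit that lists every role member in a store file other than the built-in Administrators group. The element names (AzApplication, AzScope, AzRole, Member) and the storage of members as SIDs are assumptions about the XML store layout, and the sample store is constructed.

```python
import xml.etree.ElementTree as ET

# Well-known SID of the local Administrators group, the default role member.
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"

# Constructed sample store, not a real InitialStore.xml. Element names are the
# assumed AzMan XML layout; GUIDs, account SIDs and the scope name are made up.
SAMPLE_STORE = """
<AzAdminManager MajorVersion="1" MinorVersion="0">
  <AzApplication Guid="00000000-0000-0000-0000-000000000001" Name="Microsoft Hyper-V services">
    <AzOperation Guid="00000000-0000-0000-0000-000000000002" Name="op_Start_VM">
      <OperationID>1</OperationID>
    </AzOperation>
    <AzRole Guid="00000000-0000-0000-0000-000000000003" Name="Administrator">
      <Member>S-1-5-32-544</Member>
      <Member>S-1-5-21-1111111111-2222222222-3333333333-1105</Member>
    </AzRole>
    <AzScope Guid="00000000-0000-0000-0000-000000000004" Name="LabVMs">
      <AzRole Guid="00000000-0000-0000-0000-000000000005" Name="Administrator">
        <Member>S-1-5-21-1111111111-2222222222-3333333333-1106</Member>
      </AzRole>
    </AzScope>
  </AzApplication>
</AzAdminManager>
"""


def role_assignments(store_xml):
    """Return (application, scope, role, member SID) for every role member."""
    rows = []
    for app in ET.fromstring(store_xml).iter("AzApplication"):
        # Roles directly under the application belong to the default scope.
        containers = [("(default scope)", app)]
        containers += [(s.get("Name"), s) for s in app.findall("AzScope")]
        for scope_name, node in containers:
            for role in node.findall("AzRole"):
                for member in role.findall("Member"):
                    sid = (member.text or "").strip()
                    rows.append((app.get("Name"), scope_name, role.get("Name"), sid))
    return rows


def unexpected_members(store_xml, allowed=(BUILTIN_ADMINISTRATORS,)):
    """Assignments whose member is not on the allow-list of expected SIDs."""
    return [row for row in role_assignments(store_xml) if row[3] not in allowed]


if __name__ == "__main__":
    for app, scope, role, sid in unexpected_members(SAMPLE_STORE):
        print(f"{app} / {scope} / {role}: {sid}")
```

To review a real host, pass in the text of a copy of InitialStore.xml and extend `allowed` with the SIDs of accounts that were deliberately granted the role.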
