SCVMM 2008 Beta and non-admin access to remote machines - further information
Following my last blog post regarding SCVMM 2008 Beta and the issues I was seeing with non-admin access to remote machines via Hyper-V manager, I thought it would be beneficial to forward my query to the team concerned via Connect. Here's the answer I got:
"What you are seeing is expected behaviour. When you add a Hyper-V host in SCVMM the Initialstore.xml file is no longer used for Hyper-V security. Instead SCVMM creates a new XML file and modifies it based on the user and admin roles that apply to that host in the SCVMM. That means that the step where you ran Azman and updated the Initialstore.xml file is lost. There is not a good workaround for this issue. The only thing that could be done is to add the user that needs access as a delegated administrator in SCVMM (with the right to administer this specific host). Then SCVMM will update the XML file it uses with the correct info. Note that if you edit that file manually those changes will be lost when SCVMM refreshes it. It is called Hypervauthstore.xml."
This is useful insofar as it does indeed allow me a nice way around the problem I was describing. It does, however, raise another issue, which is that I don't believe that there is enough granularity in the delegated administrator role mentioned. I can only assign a host to a delegated administrator, not an individual guest. While I can limit which virtual machines a delegated administrator can log on to via user accounts, it may well generate a lower administrative overhead if I could limit the machines that a delegated administrator can connect to (say in the same way that TS Gateway works with RAPs and CAPs).
I'll feed this suggestion back to the team via Connect.