
Managing user roles in SCVMM

How to Create a Delegated Administrator User Role
    To create a Delegated Administrator user role
Managing User Roles
Backing Up and Restoring the VMM Database
    To back up the VMM database
    To restore the VMM database on the same computer
    To restore the VMM database on a different computer
How to Create a Self-Service User Role
    To create a self-service user role
How to Modify a User Role
How to Remove a User Role


How to Create a Delegated Administrator User Role

The delegated administrator user role grants users administrator permissions within a defined scope.

To create a Delegated Administrator user role


1. In the VMM Administrator Console, in User Roles view, click New User Role in the Actions
pane.
2. Complete the New User Role Wizard.

Wizard Page       Action

General           Type a User role name and Description, and then select Delegated
                  Administrator in the User Role Profile list.

Add Members       Click Add and then type the names of the Active Directory users or
                  groups you want to add to this role.

Select Scope      Select the host groups and library servers that you want to enable
                  members of the user role to manage.

Summary           Review the user role settings. To change settings, click Previous.
                  To create the User Role, click Create.

                  Note: Use the View Script button to display the Windows PowerShell -
                  Virtual Machine Manager cmdlets that will perform the operation. All
                  administrative tasks in Virtual Machine Manager can be performed at
                  the command line or scripted.
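
A scripted equivalent of the wizard pages above, of the kind the View Script button displays (added example, not View Script output and not code from the original document). The server, role, Active Directory group and host group names are constructed placeholders, and the cmdlet names assume the VMM 2008 R2 PowerShell snap-in.

```powershell
# Added example: create a Delegated Administrator role limited to one host group.
# All four values below are constructed placeholders, not values from the document.
$vmmServer     = 'vmm01.example.test'              # assumed VMM server name
$roleName      = 'Branch Office Delegated Admins'  # assumed user role name
$adGroup       = 'EXAMPLE\VMM-Branch-Admins'       # assumed Active Directory group
$hostGroupName = 'Branch Office'                   # assumed host group name

# Load the VMM snap-in and connect to the VMM server; stop on any failure.
Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager -ErrorAction Stop
Get-VMMServer -ComputerName $vmmServer -ErrorAction Stop | Out-Null

# Resolve the scope before creating anything. Exactly one host group must match,
# so a typo or a duplicate name cannot produce a role with the wrong scope.
$scope = @(Get-VMHostGroup | Where-Object { $_.Name -eq $hostGroupName })
if ($scope.Count -ne 1) {
    throw "Expected exactly one host group named '$hostGroupName', found $($scope.Count)."
}

# Do not touch a role that already exists under this name.
if (Get-VMMUserRole | Where-Object { $_.Name -eq $roleName }) {
    throw "User role '$roleName' already exists; review it in User Roles view."
}

# General page: name, description and profile.
$role = New-VMMUserRole -Name $roleName `
    -Description 'Delegated administration of the Branch Office host group only' `
    -UserRoleProfile DelegatedAdmin

# Add Members and Select Scope pages: one AD group, one host group.
Set-VMMUserRole -UserRole $role -AddMember $adGroup -AddScope $scope[0]
```

Adding an Active Directory group rather than individual accounts keeps membership changes reviewable in one place, and the script created by View Script remains the reference for the exact parameters your console generates.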


Managing User Roles


With System Center Virtual Machine Manager (VMM) 2008 and VMM 2008 R2, you manage the
administrative permissions your users have by creating user roles. The profile of the user role
determines what actions a user can perform. The scope of the user role determines which objects
the users are able to manage. There are three user roles:

User Role                 Permissions

Administrator             Able to perform all actions in the VMM Administrator Console.
                          Members of this user role can create new Delegated Administrator
                          and Self-Service user roles. Only members of the Administrator
                          user role can add additional members.

                          Note: The Administrator user role is created when you install
                          VMM. By default, the user who performs the VMM installation is
                          added to the Administrator user role and all accounts in the
                          local Administrators security group are also automatically added.

Delegated Administrator   Able to perform most actions in the VMM Administrator Console,
                          but only within the scope defined in the role. Members of this
                          user role can create new Delegated Administrator and Self-Service
                          user roles but cannot modify VMM settings.

Self-Service User         Able to use the VMM Self-Service Portal to perform tasks on their
                          virtual machines as defined in the user role. Members of this
                          user role cannot create new user roles.

Important

In VMM 2008 R2, VMM preserves changes made to role definitions or role memberships in the
root scope of the Hyper-V authorization store. All changes to any other scope are overwritten
every half hour by the VMM user role refresher. This differs from user role processing in
VMM 2008. In VMM 2008, VMM determines access to virtual machines, hosts, and resources
based solely on the rights and permissions associated with VMM user roles. VMM 2008 does not
make any changes to Hyper-V role definitions and role memberships; it simply ignores the Hyper-V
authorization store while the hosts and virtual machines are under its management.

For more information about user roles and scopes, see Role-Based Security in VMM
(http://go.microsoft.com/fwlink/?LinkId=119337).


Backing Up and Restoring the VMM Database


The Virtual Machine Manager (VMM) database is a SQL Server database that contains all VMM
configuration information.
It is important to back up the VMM database regularly as part of a comprehensive backup plan for
protecting all VMM data, including data on hosts, virtual machines, and library servers. Besides using
the tools provided in VMM, you can also use SQL Server Management Studio to back up and restore
the VMM database.

To back up the VMM database


1. In Administration view, click General, and then, in the Actions pane, click Back up Virtual
Machine Manager.
2. In the Virtual Machine Manager Backup dialog box, type the path for a destination folder for
the backup file. The folder must not be a root directory and must be accessible to the SQL
Server.
Note

You can follow the status of the backup in Jobs view.


Use the following procedures to perform data recovery and reassociate managed computers in your
VMM environment. Which procedure you use depends on whether you are restoring to the same
physical computer or to a different computer.

To restore the VMM database on the same computer


1. To restore the VMM database, on the computer you are restoring the VMM database to, run
the SCVMMrecover.exe tool from the command line. The scvmmrecover.exe tool is located
on the system drive on the following path: \Program Files\Microsoft System Center Virtual
Machine Manager 2008 R2\bin\scvmmrecover.exe.
2. On the VMM database computer, open a command-prompt window with elevated privileges,
and then run the SCVMMrecover.exe tool using the following syntax, SCVMMRecover [-Path
<location>] [-Confirm].
3. If the physical computer that you are restoring the VMM database on has the same System
Identification Number (SID) as the computer it was on before, you must perform the
following steps:
   a. In the VMM Administrator Console, in Hosts view, do the following:
      • Remove any hosts that were removed from VMM since the last backup was
        created. For more information, see How to Remove a Host
        (http://go.microsoft.com/fwlink/?LinkID=121827).

        If a host has been removed from VMM after the last backup was created, it
        will have a status of Needs Attention in Hosts view, and any virtual machines
        on that host will have a status of Host Not Responding in Virtual Machines
        view.
      • Add back any hosts that were added since the last update. For more
        information, see Adding Hosts.
   b. In the VMM Administrator Console, in Virtual Machines view, remove any virtual
      machines that were removed from VMM since the last backup was created. For more
      information, see How to Remove a Virtual Machine
      (http://go.microsoft.com/fwlink/?LinkID=121825).

      If a host is present but has a virtual machine that was removed since the last backup,
      the virtual machine will have a status of Missing in Virtual Machines view.

To restore the VMM database on a different computer


1. To restore the VMM database, on the computer you are restoring the VMM database to, run
the scvmmrecover.exe tool from the command line. The scvmmrecover.exe tool is located on the
system drive on the following path: \Program Files\Microsoft System Center Virtual Machine
Manager 2008 R2\bin\scvmmrecover.exe.
2. On the VMM database computer, open a Command Prompt window with elevated privileges,
and then run the scvmmrecover.exe tool using the following syntax, SCVMMRecover [-Path
<location>] [-Confirm].
3. If the physical computer that you are restoring the VMM database on is different from the
original computer and has a different System Identification Number (SID), you must perform
the following steps:
   a. In the VMM Administrator Console, in Administration view, do the following:
      i. Click Managed Computers, and, in the results pane, identify any managed
         computers with a status of Access Denied.
      ii. Click a managed computer with a status of Access Denied, and then, in the
         Actions pane, click Reassociate.
   b. In the VMM Administrator Console, in Hosts view, do the following:
      • Remove any hosts that were removed from VMM since the last backup was
        created. For more information, see How to Remove a Host
        (http://go.microsoft.com/fwlink/?LinkID=121827).

        If a host has been removed from VMM after the last backup was created, it
        will have a status of Needs Attention in Hosts view and Access Denied in
        Managed Computers, and any virtual machines on that host will have a
        status of Host Not Responding in Virtual Machines view.
      • Add back any hosts that were added since the last update. For more
        information, see Adding Hosts.
   c. In the VMM Administrator Console, in Virtual Machines view, remove any virtual
      machines that were removed from VMM since the last backup was created. For more
      information, see How to Remove a Virtual Machine
      (http://go.microsoft.com/fwlink/?LinkID=121825).

      If a host is present but has a virtual machine that was removed since the last backup,
      the virtual machine will have a status of Missing in Virtual Machines view.


How to Create a Self-Service User Role


The self-service user role grants users permissions to create, operate, manage, store, create
checkpoints for, and connect to their own virtual machines through the Virtual Machine Manager
Self-Service Portal.

Note

For more information about creating and managing self-service user roles, see Role-Based
Security in VMM (http://go.microsoft.com/fwlink/?LinkID=145061).


To create a self-service user role


1. In the VMM Administrator Console, in User Roles view, click New User Role in the Actions
pane.
2. Complete the New User Role Wizard.

Wizard Page         Action

General             Type a User role name and Description, then select Self Service User
                    in the Profile list.

Add Members         Click Add and then type the names of the users or groups you want to
                    add to this role.

Select Scope        Select the host groups on which users will deploy their virtual
                    machines.

Virtual Machine     Select the actions that you want to allow the members of this group
Permissions         to perform on virtual machines. You can select All actions, or grant
                    a set of actions by selecting one or more of the following:
                    • Start
                    • Stop
                    • Pause and resume
                    • Checkpoint—Allows the user to create and remove checkpoints, and
                      to restore their virtual machines to a previous checkpoint. For
                      more information, see About Checkpoints
                      (http://go.microsoft.com/fwlink/?LinkID=162783).
                    • Remove—Allows the user to remove virtual machines, deleting the
                      configuration files.
                    • Local Administrator—Allows the user to set the local administrator
                      password when creating a virtual machine so that the user has
                      administrator rights and permissions on the virtual machine.
                    • Remote connection—Allows the user to remotely control the virtual
                      machine.
                    • Shut down

Virtual Machine     You can allow the members of the self-service user group to create
Creation Settings   virtual machines, assign virtual machine templates for the
                    self-service users to use, and optionally set a virtual machine
                    quota to limit the number of virtual machines the users can deploy
                    at one time.

                    If you select Allow users to create new virtual machines, you must
                    specify a template that users will use to create their virtual
                    machines. To add templates:
                    1. Click Add.
                       The Select a Template dialog box displays the templates that are
                       available in the Virtual Machine Manager library.
                    2. To add a template, select the template and click OK.
                       For information about creating templates, see Working with
                       Virtual Machine Templates
                       (http://go.microsoft.com/fwlink/?LinkID=163002).

                    To set a virtual machine quota:
                    1. Select Set quota for deployed virtual machines.
                    2. In Maximum quota points allowed for this user role, specify how
                       many quota points the users in this role will be allowed. This
                       will allow each user in this user role to create virtual machines
                       until they have reached this quota. To limit the user role as a
                       group to the maximum quota points, select the Share quota across
                       user role members check box. This will allow the group to create
                       virtual machines until the group has reached the quota,
                       regardless of how many points each individual has deployed.
                       The virtual machine template determines the number of quota
                       points assigned to each virtual machine that is created from it.

Library Settings    You can grant members of the self-service user group access to a
                    library share. If you allow the self-service users to store their
                    virtual machines on a library share, the stored virtual machines do
                    not count against any virtual machine quota that you set when
                    allowing self-service users to create a virtual machine.

                    The virtual machines are stored on the path that you specify on an
                    existing library share. The self-service users do not know the
                    physical location of their stored virtual machines. For information
                    about adding library servers and shares, see Adding File-Based
                    Resources to the Library
                    (http://go.microsoft.com/fwlink/?LinkId=162788).

                    If you select Allow users to store virtual machines in a library,
                    you need to specify where to store the virtual machines.
                    Additionally, you can allow users to attach ISO images to their
                    virtual machines by selecting a Library path that contains ISO
                    images.
                    1. Select the library server and share from the Select the library
                       server and library share that will store users’ virtual machines
                       and available ISOs list.
                    2. To specify a path for the virtual machines on the selected
                       library server, click Browse by the Library path field, and then
                       navigate to the folder where you want to store the virtual
                       machines. To allow users to attach ISO images to their virtual
                       machines, select the folder containing the ISO images the users
                       should have access to.
                       The Select Destination Folder dialog box shows only folders
                       within designated library shares. For information about adding
                       shares to a library server, see How to Add Library Shares
                       (http://go.microsoft.com/fwlink/?LinkId=162801).

Summary             Review the User Role settings. To change settings, click Previous.
                    To create the User Role, click Create.

                    Note: Use the View Script button to display the Windows PowerShell -
                    Virtual Machine Manager cmdlets that will perform the operation. All
                    administrative tasks in Virtual Machine Manager can be performed at
                    the command line or scripted.


How to Modify a User Role


1. From the User Roles view in the VMM Administrator Console, select the user role you want
to modify.
2. In the Actions pane, click Properties.
The User Role Properties open. Modify the settings as needed.
3. On the General tab, you can modify the user role name and description.
4. On the Members tab, you can add members to or remove members from the user group.
5. On the Scope tab, select which host groups or library servers the members of the user role
can manage. For more information, see How to Set the Scope for a User Role.
6. For self-service user roles, you can modify the following properties:
• On the VM Permissions tab, determine which actions users can take on their virtual
machines. For more information, see How to Grant Virtual Machine Permissions for
Self-Service Users.
• On the Create VM tab, optionally enable the self-service users to create their own
virtual machines. For more information, see How to Enable Self-Service Users to
Create Virtual Machines.
• On the Store VM tab, optionally allow users to store their virtual machines when
they are not in use. You can allow users to attach ISO images to their virtual
machines by specifying a library path that contains ISO images. For more
information, see How to Enable Self-Service Users to Store Virtual Machines.

How to Remove a User Role


To delete a user role, remove the role from its group.

1. From the User Roles view in the VMM Administrator Console, select the user role you want
to remove.

Note

The Administrator user role cannot be removed.

2. In the Actions pane, click Remove.


3. Verify that you want to remove the user role.
