Delegating Hyper-V Management in Server 2016 with Just Enough Administration (JEA)

A new feature in Server 2016 is the ability to set up role-based access control for Hyper-V, and it is much simpler than the RBAC mechanisms Microsoft has shipped in the past.

Setting it up takes just a few PowerShell commands and some edits to a pre-generated script file to get the permission level you want to provide.

Steps to set up

  • Log in as an administrator on your Hyper-V host.
  • Open a PowerShell session with administrative privileges.
  • Run:
New-PSRoleCapabilityFile -Path C:\RestrictedAdmins.psrc

Once you have created this .psrc file, open it with PowerShell ISE. You will see that the file is a pre-generated template that needs to be customised to your requirements. The main line we are looking for to restrict access is the one under “make visible when applied to a session”. This line can be amended to list only the cmdlets that the role we are creating should be allowed to run. To get a full list of commands, I would recommend running Get-Command and outputting the full list of commands for each module you want to grant access to, then removing the commands you do not want the admin to be able to run. You could create Active Directory groups for each PowerShell module as required. Keep in mind that, once applied, the administrator will only have access to the cmdlets you specify and no others from any other module.

The line to edit is:

VisibleCmdlets = 'Invoke-Cmdlet1', @{ Name = 'Invoke-Cmdlet2'; Parameters = @{ Name = 'Parameter1'; ValidateSet = 'Item1', 'Item2' }, @{ Name = 'Parameter2'; ValidatePattern = 'L*' } }

We can use this to restrict parameters within PowerShell commands too, so this can be made very granular indeed. Let’s say we want this administrator to be able to run Get-VM, Start-VM, Stop-VM and Restart-VM. Our code should look like this:

VisibleCmdlets = 'Get-VM','Start-VM','Stop-VM','Restart-VM'

Remember, this will allow the members of this role to do ONLY what is listed, so once applied, this user will not be able to run Set-VM or any other cmdlet.

Once you have configured your psrc file, it needs to be placed in the following location on the Hyper-V host:

C:\Program Files\WindowsPowerShell\Modules\RestrictedAdmins\RoleCapabilities\RestrictedAdmins.psrc

The folder named “RestrictedAdmins” is newly created here. It will be the name of the new PowerShell module we are creating.

Next we need to create a PSSessionConfigurationFile, which will map an Active Directory user group to the new Role Based Access ‘Capability’ that we just created. To create this file we run:

New-PSSessionConfigurationFile -Path C:\RestrictedAdminsConfiguration.pssc

Open this file with PowerShell ISE. We need to modify the following lines of code:

SessionType = 'RestrictedRemoteServer'
RunAsVirtualAccount = $true
RoleDefinitions = @{ 'CONTOSO\RestrictedAdmins' = @{ RoleCapabilities = 'RestrictedAdmins' };}

Uncomment the ‘SessionType’, ‘RunAsVirtualAccount’ and ‘RoleDefinitions’ lines. Be sure to update the Session Type to RestrictedRemoteServer. The RoleDefinitions line is what maps an Active Directory group to this permission file; CONTOSO\RestrictedAdmins is our AD group here. The second part of that line needs to reference the name of the psrc file we created in step one.

Finally, we need to register this configuration file for it to take effect. To do this we will run:

Register-PSSessionConfiguration -Name RestrictedAdmins -Path C:\RestrictedAdminsConfiguration.pssc

Now that the permissions are set as required, you can test this by opening a remote PowerShell session to the host using the -Credential parameter and logging in with the Restricted Admin’s credentials. The restricted admin will only have access to the cmdlets we specified.
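The whole procedure above, scripted end to end, as an added example that is not part of the original post. Rather than editing the generated template by hand, it passes the allow-list straight to New-PSRoleCapabilityFile and writes the .psrc directly into the RoleCapabilities folder that JEA scans, then validates the .pssc before registering it and checks the resulting endpoint both offline (Get-PSSessionCapability) and by connecting as a restricted user. The group name CONTOSO\RestrictedAdmins comes from the post; the user CONTOSO\jea.tester is a placeholder, and the script is assumed to run elevated on the Hyper-V host.

```powershell
# Added example, not the post's own script. Assumes: run elevated on the Hyper-V host,
# the AD group CONTOSO\RestrictedAdmins exists (from the post), and CONTOSO\jea.tester
# is a placeholder member of that group used for the checks at the end.

$RoleName   = 'RestrictedAdmins'
$ModuleRoot = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$RoleName"
$PsrcPath   = Join-Path $ModuleRoot "RoleCapabilities\$RoleName.psrc"
$PsscPath   = "C:\${RoleName}Configuration.pssc"

# Step 1: role capability file, created in place in the module folder JEA searches
# ($env:PSModulePath), with exactly the four cmdlets from the post.
New-Item -ItemType Directory -Path (Split-Path $PsrcPath) -Force | Out-Null
New-PSRoleCapabilityFile -Path $PsrcPath `
    -ModulesToImport 'Hyper-V' `
    -VisibleCmdlets 'Get-VM', 'Start-VM', 'Stop-VM', 'Restart-VM'

# Step 2: session configuration mapping the AD group to that role.
# RestrictedRemoteServer exposes only a minimal built-in command set plus the role's cmdlets.
New-PSSessionConfigurationFile -Path $PsscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -RoleDefinitions @{ 'CONTOSO\RestrictedAdmins' = @{ RoleCapabilities = $RoleName } }

# Catch a malformed .pssc here rather than at the first user's connection attempt.
if (-not (Test-PSSessionConfigurationFile -Path $PsscPath)) {
    throw "Session configuration file '$PsscPath' is invalid"
}

# Step 3: register the endpoint (-Force suppresses the WinRM restart prompt).
Register-PSSessionConfiguration -Name $RoleName -Path $PsscPath -Force | Out-Null

# Check 1: list what a member of the group will see, without logging in as them.
# This is the authoritative view of the allow-list as JEA resolved it.
Get-PSSessionCapability -ConfigurationName $RoleName -Username 'CONTOSO\jea.tester' |
    Select-Object Name, CommandType

# Check 2: connect as the restricted admin; an allowed cmdlet works...
$cred = Get-Credential -UserName 'CONTOSO\jea.tester' -Message 'Restricted admin credentials'
Invoke-Command -ComputerName $env:COMPUTERNAME -ConfigurationName $RoleName `
    -Credential $cred -ScriptBlock { Get-VM | Select-Object Name, State }

# ...and a cmdlet outside VisibleCmdlets (Set-VM, as the post notes) is rejected.
# The try/catch stays on the client side because the JEA session runs in NoLanguage mode.
try {
    Invoke-Command -ComputerName $env:COMPUTERNAME -ConfigurationName $RoleName `
        -Credential $cred -ErrorAction Stop `
        -ScriptBlock { Set-VM -Name 'PLACEHOLDER-VM' -ProcessorCount 1 }
    Write-Warning 'UNEXPECTED: Set-VM was allowed in the restricted session'
} catch {
    Write-Host "OK: Set-VM denied: $($_.Exception.Message)"
}
```

The two checks at the end are the part worth keeping in your runbook. Because RunAsVirtualAccount gives the session a temporary account that is a local administrator on the host, the VisibleCmdlets allow-list is the only thing standing between the delegated user and full control of Hyper-V, so confirm with Get-PSSessionCapability after every change to the .psrc that nothing beyond the intended four cmdlets is exposed.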
