So you want to manage your VMM
infrastructure while keeping an eye on the security of your Hyper-V hosts.
It looks like everyone wants to do that. So have you thought about
using a Restricted Groups group policy to limit the membership of the local
Administrators group on those hosts?
Let’s have a look at when to use a domain account for the VMM
service. In a restrictive Active Directory environment in which a
Restricted Groups group policy is in effect, you must use a domain
account instead of Local System for the VMM service account. The
Restricted Groups policy removes every member that is not explicitly
listed in it, including machine accounts, from the local Administrators
group. So unless the VMM server’s machine account is on that list, the
next Group Policy refresh strips it from the Administrators group on each
host, leaving VMM unable to communicate with the host. In that situation,
VMM places the host in a Needs Attention state and shows the VMM agents on
hosts and library servers as Not Responding.
There are two ways to fix this “Restricted Groups group policy” issue.
Method one
==========
Add the VMM server’s machine account to the Administrators entry in the
Restricted Groups group policy setting. Keep in mind that once a
Restricted Groups policy is defined and Group Policy is refreshed, any
current member that is not on the policy’s Members list is removed. This
can include default members such as Domain Admins, and it includes the
domain account you run the VMM service under, so list every account that
must remain in the group, not only the VMM server.
Note: to add the VMM server machine account to the Restricted Groups setting, use the following syntax (the trailing $ is what marks it as a machine account):
domainname\servername$
Method two
=========
Create a new organizational unit in the domain, move the Virtual
Server and Hyper-V host computer objects into the new OU, and then
configure the new OU to block policy inheritance. Two caveats: blocking
inheritance drops every inherited GPO for those hosts, not just the
Restricted Groups one, so link back whatever you still need; and a GPO
linked as Enforced is applied regardless of the block, so an enforced
Restricted Groups policy will still strip the VMM account. After the move,
run gpupdate /force on the hosts (or wait for the next refresh) and
re-add the VMM server machine account to local Administrators if it has
already been removed.
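As an added example (not part of the original post), the following PowerShell first checks each Hyper-V host’s local Administrators group for the VMM server’s machine account and the VMM service account, which is the quickest way to confirm whether a Restricted Groups refresh has already stripped them (the failure mode described above for both methods), and then carries out Method two. The domain, server, account and OU names are assumptions; it is meant to be run from a management machine that has the ActiveDirectory and GroupPolicy RSAT modules and admin rights on the hosts.

```powershell
# Added example (not from the original post). Names are assumptions:
# domain CONTOSO / DC=contoso,DC=com, VMM server VMM01 (machine account
# CONTOSO\VMM01$), VMM service account CONTOSO\svc-vmm, hosts HV01 and HV02.
# Run from a management box with the ActiveDirectory and GroupPolicy RSAT modules.

$Domain         = 'CONTOSO'
$DomainDN       = 'DC=contoso,DC=com'
$VmmServer      = 'VMM01'
$VmmServiceAcct = "$Domain\svc-vmm"
$Hosts          = 'HV01', 'HV02'

# Accounts that must survive a Restricted Groups refresh on every host.
$Required = @("$Domain\$VmmServer`$", $VmmServiceAcct)

# --- Check: are the VMM machine and service accounts still local admins on each host? ---
function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The ADSI WinNT provider also works on hosts that lack Get-LocalGroupMember (pre-PowerShell 5.1).
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://CONTOSO/VMM01$ ; normalise it to CONTOSO\VMM01$
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

foreach ($h in $Hosts) {
    $members = Get-LocalAdminMembers -ComputerName $h
    foreach ($acct in $Required) {
        if ($members -contains $acct) {
            Write-Host "[OK]  $h : $acct is in local Administrators"
        } else {
            # This is the condition that leaves the host in Needs Attention in VMM.
            Write-Warning "$h : $acct is missing from local Administrators (removed by Restricted Groups?)"
        }
    }
}

# --- Method two: dedicated OU for the hosts with policy inheritance blocked ---
Import-Module ActiveDirectory
Import-Module GroupPolicy

$OuName = 'Hyper-V Hosts'
$OuDN   = "OU=$OuName,$DomainDN"

# Create the OU only if it does not exist yet (idempotent re-runs).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# Move each host's computer object into the new OU unless it is already there.
foreach ($h in $Hosts) {
    $computer = Get-ADComputer -Identity $h
    if ($computer.DistinguishedName -notlike "*,$OuDN") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $OuDN
    }
}

# Block inheritance so the domain-level Restricted Groups policy stops applying here.
Set-GPInheritance -Target $OuDN -IsBlocked Yes | Out-Null

# Caveat: a GPO linked as Enforced still applies through the block, so report any.
(Get-GPInheritance -Target $OuDN).InheritedGpoLinks |
    Where-Object { $_.Enforced } |
    ForEach-Object { Write-Warning "Enforced GPO still applies to $OuDN : $($_.DisplayName)" }
```

The membership check is worth keeping as a scheduled job even after the fix: a new or re-linked Restricted Groups GPO will silently undo either method at the next refresh, and this catches it before VMM flags the host.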
Some Microsoft articles on Restricted Groups behaviour:
Updates to Restricted Groups (“Member of”) behavior of user-defined local groups
http://support.microsoft.com/kb/810076/en-us#appliesto
Restricted Groups
http://technet.microsoft.com/en-us/library/cc785631(WS.10).aspx
Restricted Groups Policy Settings
http://technet.microsoft.com/en-us/library/cc756802(WS.10).aspx
Thanks to Alex for his help with this.