
VMM Tricks: Manage VMM in restrictive Active Directory environment

So you want to manage your VMM infrastructure while keeping an eye on the security of your Hyper-V hosts. It looks like everyone wants to do that. Have you thought before about using a Restricted Groups Group Policy to limit membership of your local Administrators group?

Let's look at when to use a domain account for the VMM service. In a restrictive Active Directory environment in which a Restricted Groups Group Policy is in effect, we must use a domain account instead of Local System for the VMM service account. The Restricted Groups policy does not allow machine accounts to be a member of the local Administrators group. Under a Restricted Groups Group Policy, the VMM machine account will be removed from the computer, leaving VMM unable to communicate with the host. In that situation, VMM places the host in a Needs Attention state and places the VMM agents on hosts and library servers in Not Responding status in VMM.

There are two ways to fix the Restricted Groups Group Policy issue.

Method one
==========

Add the VMM Server machine account to the Administrators “restricted groups” group policy setting. But if a Restricted Groups policy is defined and Group Policy is refreshed, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators.

Note: To add the VMM Server machine account to the restricted group setting, use the following syntax:

domainname\servername$
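To see what Method one changes before Group Policy refreshes, the following added example (not part of the original post) parses the `[Group Membership]` section of a GPO security template (`GptTmpl.inf`) and reports whether each required account is on the Administrators members list. The `CONTOSO` names, the sample template and the function names are assumptions made up for illustration, and entries are compared by name, so members stored in SID form would need resolving first.

```powershell
# Constructed sample of a GPO security template (GptTmpl.inf); names are made up.
$sampleInf = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = CONTOSO\Domain Admins,CONTOSO\HyperV-Admins
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Hypothetical helper: returns the Members list the policy enforces for a group,
# or $null when the template does not restrict that group at all.
function Get-RestrictedGroupMembers {
    param([string]$InfText, [string]$Group = '*S-1-5-32-544')  # BUILTIN\Administrators
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection) { continue }
        $key, $value = $line -split '=', 2
        if ($key.Trim() -eq "${Group}__Members") {
            # Leading comma keeps an empty list as an array instead of collapsing to $null
            return ,@($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $null
}

# Hypothetical helper: classifies each required account against the enforced list.
function Test-RestrictedGroupRetention {
    param([string]$InfText, [string[]]$RequiredAccounts)
    $members = Get-RestrictedGroupMembers -InfText $InfText
    foreach ($account in $RequiredAccounts) {
        $status = if ($null -eq $members) {
            'NotRestricted'        # policy does not manage this group
        } elseif ($members -contains $account) {
            'Retained'             # on the list, survives a policy refresh
        } else {
            'RemovedOnRefresh'     # not on the list, removed at next refresh
        }
        New-Object PSObject -Property @{ Account = $account; Status = $status }
    }
}

# The VMM server machine account uses the domainname\servername$ form shown above.
Test-RestrictedGroupRetention -InfText $sampleInf -RequiredAccounts 'CONTOSO\VMM01$', 'CONTOSO\Domain Admins'
```

To check a real GPO, pass the text of its `GptTmpl.inf` (for example from `[IO.File]::ReadAllText($path)`) instead of `$sampleInf`.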

Method two
==========

Create a new organizational unit in the domain, move the Virtual Server and Hyper-V Server computer objects to the new OU and then configure the new organizational unit to block policy inheritance.

Some articles that describe Restricted Groups:

Updates to Restricted Groups (“Member of”) behavior of user-defined local groups

http://support.microsoft.com/kb/810076/en-us#appliesto

Restricted Groups

http://technet.microsoft.com/en-us/library/cc785631(WS.10).aspx

Restricted Groups Policy Settings

http://technet.microsoft.com/en-us/library/cc756802(WS.10).aspx

Thanks to Alex for helping with that.
