Manage SCVMM in restrictive Active Directory environment

So you want to manage your VMM infrastructure while keeping an eye on your Hyper-V hosts' security. It looks like everyone wants to do that. So have you considered using the Restricted Groups group policy to limit the membership of your local Administrators group?

Let's have a look at when to use a domain account for the VMM service. In a restrictive Active Directory environment in which the Restricted Groups group policy is in effect, you must use a domain account instead of Local System for the VMM service account. The Restricted Groups policy does not allow machine accounts to be members of the local Administrators group: once the policy is applied, the VMM machine account is removed from the host's local Administrators group, leaving VMM unable to communicate with the host. When that happens, VMM places the host in a Needs Attention state and shows the VMM agents on hosts and library servers as Not Responding.

There are two ways to fix this "Restricted Groups group policy" issue.

Method one
==========

Add the VMM server machine account to the Administrators entry in the Restricted Groups group policy setting. Be aware that once a Restricted Groups policy is defined and Group Policy is refreshed, any current member that is not on the policy's members list is removed. This can include default members, such as administrators.

Note: To add the VMM server machine account to the Restricted Groups setting, use the following syntax:

domainname\servername$
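Before and after changing the policy, it helps to know which hosts have actually lost the VMM server's machine account. The following PowerShell script is an added example, not part of the original post: it queries the local Administrators group on each Hyper-V host through the WinNT ADSI provider (so it also works against older hosts) and reports whether the account in domainname\servername$ form is still a member. The domain CONTOSO, the VMM server VMMSRV and the hosts HV01/HV02 are assumed names.

```powershell
# Added example (not from the original post). Reports whether the VMM server
# machine account is still a member of local Administrators on each host.
# Assumed names: domain CONTOSO, VMM server VMMSRV, hosts HV01 and HV02.
$Domain    = 'CONTOSO'
$VmmServer = 'VMMSRV'
$Hosts     = @('HV01', 'HV02')

# Same form as the Restricted Groups entry: domainname\servername$
$VmmAccount = "$Domain\$VmmServer`$"

function Get-LocalAdminMembers {
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    # Each member exposes an ADsPath such as WinNT://CONTOSO/VMMSRV$
    $group.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # Turn WinNT://CONTOSO/VMMSRV$ into CONTOSO\VMMSRV$
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

foreach ($h in $Hosts) {
    try {
        $members = Get-LocalAdminMembers -ComputerName $h
        $present = $members -contains $VmmAccount
        # A host missing the account is the one VMM will flag as Needs Attention
        $note = if ($present) { 'OK' } else { 'Machine account removed - check Restricted Groups policy' }
        [pscustomobject]@{
            Host         = $h
            VmmAccount   = $VmmAccount
            IsLocalAdmin = $present
            Note         = $note
        }
    } catch {
        [pscustomobject]@{
            Host         = $h
            VmmAccount   = $VmmAccount
            IsLocalAdmin = $null
            Note         = "Query failed: $($_.Exception.Message)"
        }
    }
}
```

Run it from an account that is a local administrator on the hosts. A host that reports IsLocalAdmin = False is the one to check first in the VMM console; after you add the machine account to the Restricted Groups entry and refresh Group Policy on the host, re-run the script to confirm the account is back.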

Method two
==========

Create a new organizational unit in the domain, move the Virtual Server and Hyper-V server computer objects into the new OU, and then configure the new organizational unit to block policy inheritance.
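Method two in PowerShell, as an added example that is not part of the original post: it creates the OU, moves the host computer objects into it, blocks GPO inheritance on the OU and then verifies the result. The domain contoso.com, the OU name "Hyper-V Hosts" and the hosts HV01/HV02 are assumed names; the script needs the ActiveDirectory and GroupPolicy modules from RSAT and rights to create OUs and edit GPO links.

```powershell
# Added example (not from the original post): OU with blocked inheritance.
# Assumed names: domain contoso.com, OU "Hyper-V Hosts", hosts HV01 and HV02.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = 'DC=contoso,DC=com'
$OuName   = 'Hyper-V Hosts'
$OuDN     = "OU=$OuName,$DomainDN"
$Hosts    = @('HV01', 'HV02')

# 1. Create the OU if it does not exist yet
$existing = Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$OuDN'" -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Move the host computer objects into the new OU
foreach ($h in $Hosts) {
    $computer = Get-ADComputer -Identity $h
    if ($computer.DistinguishedName -notlike "*,$OuDN") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $OuDN
    }
}

# 3. Block policy inheritance on the OU
Set-GPInheritance -Target $OuDN -IsBlocked Yes | Out-Null

# 4. Verify: inheritance is blocked, and list what still applies to the OU
$inh = Get-GPInheritance -Target $OuDN
[pscustomobject]@{
    OU                 = $OuDN
    InheritanceBlocked = $inh.GpoInheritanceBlocked
    # GPOs linked higher up with Enforced set still reach the OU despite the block
    StillAppliedGpos   = ($inh.InheritedGpoLinks | ForEach-Object { $_.DisplayName }) -join ', '
}
```

Two things to keep in mind: blocking inheritance stops every non-enforced GPO from parent containers, not just the one carrying Restricted Groups, so review the StillAppliedGpos output and link back any baseline policy the hosts should keep; and the hosts only pick up the new OU on their next policy refresh, so run gpupdate /force on each of them (or wait for the refresh interval) before checking the host state in VMM again.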

Some articles that cover Restricted Groups:

Updates to Restricted Groups (“Member of”) behavior of user-defined local groups

http://support.microsoft.com/kb/810076/en-us#appliesto

Restricted Groups

http://technet.microsoft.com/en-us/library/cc785631(WS.10).aspx

Restricted Groups Policy Settings

http://technet.microsoft.com/en-us/library/cc756802(WS.10).aspx