Required User Privileges
This topic describes the user privileges that are required for running Virtual Machine Manager (VMM) jobs successfully. VMM uses three security groups to grant privileges to perform various VMM jobs:
Virtual Machine Manager Administrators |
Members in this group have administrative privileges on all resources that VMM manages. By default, all local administrators on the VMM server are also VMM administrators. You can add new VMM administrators by adding accounts as members of either group. |
Virtual Machine Manager Self-Service Portals |
Members in this group have privileges to delegate actions on behalf of self-service users. When you add a self-service Web server, VMM adds the machine account of that computer to this group on the VMM server. This enables the VMM server to communicate with the computer hosting the VMM Self-Service Portal. |
Virtual Machine Manager Servers |
Members in this group have privileges to administer virtualization resources on the computer using the VMM agent. When you add a host or library server, VMM adds this security group to that managed computer and adds the machine account of the VMM server. Note In addition, VMM also adds the machine account of the VMM server to the local Administrator group on the managed computer. These accounts enable the VMM server to communicate with and perform actions on the managed computers by using the VMM agent. |
Before you begin a VMM deployment, verify that appropriate users have been granted required privileges for performing the various VMM jobs. The following table shows the user privileges that are required to perform the major jobs associated with VMM.
| Job | Required Privileges |
|---|---|
Installing the VMM server or VMM Administrator Console |
Administrator account on the local computer. To install the VMM server also requires a domain account. |
Installing the VMM Self-Service Portal |
Administrator account on the local computer, and a domain account that is a member of the Virtual Machine Manager Administrators security group. |
Installing a VMM agent locally on a virtual machine host |
Administrator account on the virtual machine host computer. |
Setting up and remote instance of SQL Server for the VMM database |
Domain account that is a member of the sysadmin server role on the remote instance of SQL Server. |
Adding a virtual machine host |
Domain account that is a member of the Virtual Machine Manager Administrators security group and a member of the local administrators group on the host. |
Adding a VMM library server |
Domain account that is a member of the Virtual Machine Manager Administrators security group and a member of the local administrators group on the library server. |
Adding files to a VMM library share |
Need Write permission on the library share folder. Note This is a Windows access control permission set outside of VMM. |
Converting a physical server to a virtual machine (P2V) |
Administrator account on the source computer. |
Opening and viewing reports in VMM |
Domain account that is included in the Report Operator role in System Center Operations Manager. |
Creating custom reports for use in VMM |
Domain account that is included in the Report Operator role in System Center Operations Manager. |
See Also
Concepts
Security Considerations
General Security Considerations
About Assigning Ports in VMM