Export (0) Print
Expand All

Configuring Virtual Server security settings

Configuring Virtual Server security settings

On the Virtual Server Security Properties page, you can configure permissions for managing Virtual Server. You can add a permission entry for a user account or group and configure permissions for it, you can modify the permissions specified for an existing permission entry, or you can remove a permission entry.

By configuring the settings on this page, you can give users control over some features of Virtual Server, but not others. For example, by default all members of the Administrators group have full control of Virtual Server. You might, however, want to allow a member of the Administrators group to view and modify configuration settings, but not to add or remove permissions entries. You could do this by adding a permission entry for that person's user account and then denying Change permissions to it. The user account would retain all of the permissions allowed to the Administrators group, except for the permission to Change permissions.

noteNote
You can allow users to manage specific virtual machines and virtual networks without giving them more global permissions to manage Virtual Server. For more information, see Configuring virtual machine security and Configuring virtual disk security. For general information about configuring security for Virtual Server, see Securing Virtual Server.

For each permission entry, you can configure the permissions described in the following table.

 

Item Description

Full

Select the check box for this permission to automatically select all of the other permissions.

Modify

Add virtual machines and virtual networks to Virtual Server, and make changes to the following pages:

  • Virtual Machine Remote Control (VMRC) Server Properties
  • Virtual Server Script Settings
  • Virtual Server Search Paths

For more information about viewing and modifying Virtual Server configuration settings, see Configuring Virtual Server.

View

Read Virtual Server configuration information and the Virtual Server event log, as well as configuration information for virtual machines for which the user has Read permissions. This also allows the user to manage virtual machines for which they have the appropriate permissions by using VMRC.

Remove

Remove virtual machine and virtual network configurations from Virtual Server.

Change permissions

Change permissions on the Virtual Server Security Properties page.

Control

Access the Component Object Model (COM) interfaces. This allows the user to manage Virtual Server by using the COM interface or the Administration Website. This permission is required for a user account or group to have any administrative control over Virtual Server. Without it, the Administration Website and COM interface are not available. If the user account or group has been granted permissions on the virtual machine configuration (.vmc) file, but denied this permission, the user account or group can manage the virtual machine by using the VMRC client, but not by using the Administration Website.

Special permissions

Indicates whether special permissions have been configured on the Virtual Server folder. You cannot select or clear this check box.

The permissions that you configure on this page modify the discretionary access control list (DACL) on the Virtual Server folder, located by default in C:\Documents and Settings\All Users\Application Data\Microsoft. Although you could configure these permissions by changing the DACL directly in the file system, we recommend that you use this page instead. This is because if you configure the DACL directly, you must restart the Virtual Server service for the settings to take effect. This is not the case, however, for configuring permissions on virtual machine, virtual network, and virtual disk files. You can configure DACLs for those files directly in the file system.

The permissions that you configure on this page apply to the Virtual Server folder and the subfolders and files that it contains. In addition, even if it is not contained in the Virtual Server folder, these permissions also apply to the default virtual machine configuration folder, which is specified on the Virtual Server Search Paths page of the Administration Website. For more information about specifying this folder, see Configuring Virtual Server search paths.

This page displays permissions for user accounts and groups only. It does not display permissions for system accounts, such as the Local System account. This is so that users of this page do not inadvertently delete or change permissions for system accounts that are critical to the functioning of Virtual Server. Under most circumstances, you should not need to modify the default permissions for system accounts. In the event that this is necessary, however, you should modify them by configuring the DACL in the file system, which is described next.

ImportantImportant
Do not change the DACL on the Virtual Machine Helper service folder. This folder is located by default in C:\Documents and Settings\All Users\Application Data\Microsoft. The files in this folder store account name and password information for use with virtual machines. If you do change the DACL on this folder, virtual machines that you have configured to run under a specific user account may not be able to turn on, and encrypted password information contained in this file could become accessible to unauthorized users.

The following table describes the DACL on the Virtual Server folder.

 

Permission Use to allow or deny this ability

List Folder/Read Data

  • View Virtual Server configuration information.
  • View the VMRC display.

Traverse Folder/Execute File

Use the Administration Website or manage Virtual Server by using the COM interface. This permission is required for a user account or group to have any administrative control over Virtual Server. Without it, the Administration Website and COM interface are not available. If the user account or group has been granted permissions on the virtual machine configuration (.vmc) file but denied this permission, the user account or group can manage the virtual machine by using VMRC, but not by using the Administration Website.

Create Files/Write Data

  • Modify Virtual Server configuration.
  • Add virtual machines and virtual networks.

Delete

Remove virtual machines and virtual networks.

Change Permissions

Change permissions on the Virtual Server folder.

For more information about the default file system security settings of Virtual Server, see File system security settings for Virtual Server.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft