SQL Server 2008 Hyper-V Unleashed - p 35 doc

11 Using Virtual Machine Manager 2008 for Provisioning
IN THIS CHAPTER
• Understanding Roles-Based Access and Delegation to Provision Virtual Machines
• Managing User Roles
• Deploying Virtual Machines
• Migrating a VM
This chapter covers the administrative provisioning and
the delegated provisioning capabilities of Virtual Machine
Manager (VMM) for the creation of guest images. This
includes building new images from a template and building
images from other image files.
Understanding Roles-Based Access and Delegation to Provision Virtual Machines
System Center Virtual Machine Manager 2008 provides a
granular roles-based access control (RBAC) model for
managing administrative permissions. Each user role has an
administrative profile that determines which actions the
user can perform. User roles are scoped to determine which
VM objects the user can manage.
There are three user roles in VMM 2008: the Administrator
role, the Delegated Administrator role, and the Self-Service
User role.
Administrator Role in VMM 2008
Users in the Administrator role have full rights to the VMM
infrastructure and can perform all actions in the VMM
Administrator console. Administrators can create new
Delegated Administrator and Self-Service User roles. Only
members of this role can add additional members to the
Administrator role.
The Administrator role is created when VMM is installed for the first time in the domain.
The user who installs VMM is automatically added to the Administrator user role during
installation. There is only one Administrator user role in each domain.
NOTE
Because the Administrator role encompasses the entire VMM infrastructure, this role
cannot be scoped.
Delegated Administrator Within VMM 2008
Users who are members of the Delegated Administrator role can perform all actions in the
VMM Administrator console that apply, or are scoped, to them. The scope of objects is
defined during the creation of the role.
The Delegated Administrator user role does not exist by default. There can be zero or more
Delegated Administrator roles in each domain. Delegated Administrator roles are created
by users who are members of the Administrator user role.
Members of this user role can create new Delegated Administrator and Self-Service User
roles, but only within the scope of objects that applies to them.
Self-Service User as a Role in VMM 2008
Members of the Self-Service User role can use the VMM self-service portal to perform
actions on their VMs. This role is scoped by a member of the Administrator or Delegated
Administrator role to pertain to a specific set of VM objects.
Members of this role cannot manage their role or any other role in VMM. They also
cannot create new user roles.
NOTE
Members of the Administrator or Delegated Administrator roles cannot access the self-
service portal unless they are members of one or more Self-Service User roles.
Managing User Roles
User roles are managed by users in the Administrator or Delegated Administrator role
using the VMM Administrator console. User roles are granted access to manage objects in a
defined scope.
Managing the Administrator User Role
The administrator role can be used to manage user roles. To manage the user roles, do the
following:
1. Open the VMM Administrator console using the shortcut on the Windows desktop
or via the Start menu under Microsoft System Center, VMM 2008, VMM
Administrator console.
A Connect to Server window may open, prompting for the VMM server to connect
to. Enter the server name and connection port (the default is port 8100) using the
format VMMserver:port.
NOTE
You may choose to always open a connection to this server by selecting the Make This
Server My Default check box. Doing so prevents this connection window from displaying
when the Administrator console is run.
2. Go to the Administration view by clicking the Administration button. Then select
User Roles from the view area.
3. Select the Administrator user role in the Results pane. The current members of the
Administrator user role are displayed in the Results pane below.
4. Click Properties in the Actions pane to display the properties of the role.
5. The General tab displays the description for the Administrators role. Modify it if
desired.
6. Click the Members tab. The current members are listed, as shown in Figure 11.1.
FIGURE 11.1 Managing members of the Administrator user role.
7. To remove members from the Administrator user role, select the user to remove and
click the Remove button.
NOTE
There must be at least one member in the Administrator user role at all times. VMM
will not allow you to remove all members of the Administrator user role.
8. To add members to the Administrator user role, click the Add button and enter the
name or names of the users or security groups to add. Click the Check Names button
to resolve the users or groups. Members must be users or security groups in the
Active Directory where the VMM server is a member or in a domain where a full
two-way trust exists.
9. Click OK to close the Administrator Properties window.
Creating a Delegated Administrator User Role
The delegated administrator role can be used to manage user roles. To manage the user
roles, do the following:
1. Open the VMM Administrator console using the shortcut on the Windows desktop
or via the Start menu under Microsoft System Center, VMM 2008, VMM
Administrator console.
A Connect to Server window may open, prompting for the VMM server to connect
to. Enter the server name and connection port (the default is port 8100) using the
format VMMserver:port.
NOTE
You may choose to always open a connection to this server by selecting the Make This
Server My Default check box. Doing so prevents this connection window from displaying
when the Administrator console is run.
2. Go to the Administration view by clicking the Administration button. Then select
User Roles from the view area.
3. Click New User Role in the Actions pane.
4. On the General page, enter the following information:
a. User Role Name—Type a name for the Delegated Administrator role.
b. Description—Type a useful description for the Delegated Administrator role.
c. Profile—Select Delegated Administrator from the Profile drop-down list. Click
Next to continue.
5. On the Add Members page, click Add to add new members to the role. Enter the
name or names of the users or security groups to add. Click the Check Names button
to resolve the users or groups.
Members must be users or security groups in the Active Directory where the VMM
server is a member or in a domain where a full two-way trust exists.
NOTE
The administrator may choose to not populate the members of the Delegated
Administrator user role at this time. Members may be populated after the role is created.
Click Next to continue.
6. On the Object Scope page, select the objects that members of this group can monitor.
The delegated administrator will not be able to view or monitor objects from the
Administrator console that are not selected in this page. Click Next to continue (see
Figure 11.2).

7. On the Summary page, carefully review the settings and click Create to proceed with
the creation of the Delegated Administrator role or click Previous to go back and
change the configuration.
FIGURE 11.2 Scoping the objects for the Delegated Administrator user role.
The Create User Role Wizard offers a View Script button. This option allows the administrator
to view, modify, and save the PowerShell commands that the wizard will execute to
create the Delegated Administrator role, as shown in the following example:
# User or security group to add to the role
$AddMember = "companyabc\amy"
# Objects in scope: one host group and one library server
$hostGroup1 = Get-VMHostGroup -VMMServer vmm2008 | where {$_.Path -eq "All Hosts\Domain Hosts\SF Core Hosts"}
$libServer2 = Get-LibraryServer -VMMServer vmm2008 | where {$_.Name -eq "VMM2008.companyabc.com"}
$AddScope = $hostGroup1, $libServer2
# Queue the member and scope settings under the job group
Set-VMMUserRole -AddMember $AddMember -AddScope $AddScope -VMMServer vmm2008 -JobGroup 06fb48f5-96c7-4133-acc4-cbf58f5fb2e4
# Create the role; the queued settings with the same job group run as part of this command
New-VMMUserRole -Name "SF Core Server Delegated Administrators" -Description "" -UserRoleProfile DelegatedAdmin -JobGroup 06fb48f5-96c7-4133-acc4-cbf58f5fb2e4
This code can be saved and edited to facilitate creating other Delegated Administrator
groups from the VMM command shell.
Creating a Self-Service User Role
The Self-Service User role grants users permissions to operate, create, manage, store, create
checkpoints for, and connect to virtual machines (VMs) in their scope using the VMM
self-service portal.
1. Open the VMM Administrator console using the shortcut on the Windows desktop
or via the Start menu under Microsoft System Center, VMM 2008, VMM
Administrator console.
A Connect to Server window may open, prompting for the VMM server to connect
to. Enter the server name and connection port (the default is port 8100) using the
format VMMserver:port.
NOTE
You may choose to always open a connection to this server by selecting the Make This
Server My Default check box. Doing so prevents this connection window from displaying
when the Administrator console is run.
2. Go to the Administration view by clicking the Administration button. Then select
User Roles from the view area.
3. Click New User Role in the Actions pane.
4. On the General page, enter the following information:
a. User Role Name—Type a name for the Delegated Administrator role.
b. Description—Type a useful description for the Delegated Administrator role.
c. Profile—Select Self-Service User from the Profile drop-down list, as shown in
Figure 11.3. Click Next to continue.
FIGURE 11.3 Creating the Self-Service User role.
5. On the Add Members page, click Add to add new members to the Self-Service User
role. Enter the name or names of the users or security groups to add. Click the
Check Names button to resolve the users or groups.
Members must be users or security groups in the Active Directory where the VMM
server is a member or in a domain where a full two-way trust exists.
Click Next to continue.
NOTE
The administrator may choose to not populate the members of the Delegated
Administrator user role at this time. Members may be populated after the role is
created.
6. On the Object Scope page, select the objects that members of this Self-Service User
role can monitor. Click Next to continue.
7. On the Virtual Machine Tasks page, configure one of the following:
a. Select All Tasks to permit this Self-Service User role to perform all VMM tasks,
as shown in Figure 11.4.
b. Select Only Tasks Explicitly Checked in the “Approved Tasks” Grid. Table 11.1
lists all the tasks available for the Self-Service User to run.
TABLE 11.1 Self-Service User Virtual Machine Tasks
Task                 Description
Start                Allows the user to start processing of a VM.
Stop                 Allows the user to stop processing of a VM.
Pause & Resume       Allows the user to pause processing of a VM and resume processing after
                     the VM has been paused.
Checkpoint           Allows the user to manage checkpoints on a VM.
Remove               Allows the user to delete and discontinue management of a VM from VMM.
Local Administrator  Grants the user local administrator permission on VMs they create.
Remote Control       Allows the user to connect to and control a VM remotely. This is also
                     known as Virtual Machine Remote Control (VMRC) access.
8. The VM Creation Settings page provides the option to allow users to create their own
VMs. If this right will not be granted, click Next; otherwise, configure the following:
FIGURE 11.4 Configuring the tasks the Self-Service User role can run.
a. Check the Allow Users to Create New Virtual Machines check box to allow self-
service users to do so.
b. In the Templates pane, click Add to add a new template that the self-service
user can deploy.
NOTE
To search for a template, type the complete filename or the first few letters of the template
name in the Look For box. In the Library group list, select the library group where
the VM files are stored. To filter the files by group, click a group type in the Group By
list.
c. Optionally, the administrator can set a quota for deploying VMs. Quotas are
used to limit the number of VMs the users can deploy at one time.
9. On the Library Settings page, the administrator can grant members of this self-
service user group access to a library share to store their own VMs. To configure this
setting:
a. Check the Allow Users to Store Virtual Machines in a Library check box.
b. Select the VMM Library server to allow users to access. If a large number of
library servers are listed, the administrator can type the first few characters of
the library server name in the Look For box to limit the results.
NOTE
Stored VMs do not count against the VM quota that may have been set when allowing
self-service users to create a VM.

c. To specify the Library Path, click Browse and select the share path that the
self-service user is allowed to access.
NOTE
The library path entered can exist at any point under the MSSCVMMLibrary share. For
example, if the Library Path is specified as \\VMM2008.companyabc.com\MSSCVMMLibrary\VHDs,
the self-service user can access that folder and any subfolders, but cannot access the
higher-level \\VMM2008.companyabc.com\MSSCVMMLibrary folder itself.
d. Click Next to continue.
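The Library Path rule from the note above (the granted folder and its subfolders are reachable, the higher-level share is not), written as an added PowerShell example that is not part of the book and does not call VMM. The function names are hypothetical and every sample path other than the book's \\VMM2008.companyabc.com\MSSCVMMLibrary\VHDs is constructed.

```powershell
# Added example: string-only model of the Library Path rule; it does not call VMM.
# Function names and every sample path except the book's ...\VHDs are constructed.

function Test-LibraryPathInScope {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,    # path a user asks to reach
        [Parameter(Mandatory = $true)] [string] $Granted  # Library Path set on the role
    )
    # Reject relative segments so "VHDs\..\ISOs" cannot climb out of the grant.
    $segments = $Path -split '\\'
    if (($segments -contains '..') -or ($segments -contains '.')) { return $false }

    # Trailing separators do not change which folder is meant.
    $p = $Path.TrimEnd('\')
    $g = $Granted.TrimEnd('\')
    $cmp = [System.StringComparison]::OrdinalIgnoreCase   # Windows paths ignore case

    # The granted folder itself is in scope.
    if ($p.Equals($g, $cmp)) { return $true }
    # Anything below it must continue with a separator, so "VHDs2" is not under "VHDs".
    return $p.StartsWith($g + '\', $cmp)
}

function Get-OutOfScopePath {
    param([string] $Granted, [string[]] $Requested)
    # Emit only the requests that fall outside the granted Library Path.
    $Requested | Where-Object { -not (Test-LibraryPathInScope -Path $_ -Granted $Granted) }
}

$granted = '\\VMM2008.companyabc.com\MSSCVMMLibrary\VHDs'
$requested = @(
    '\\VMM2008.companyabc.com\MSSCVMMLibrary\VHDs',             # the granted folder
    '\\vmm2008.companyabc.com\msscvmmlibrary\vhds\TeamA\',      # subfolder, other case
    '\\VMM2008.companyabc.com\MSSCVMMLibrary',                  # higher-level share
    '\\VMM2008.companyabc.com\MSSCVMMLibrary\VHDs2',            # sibling, shared prefix
    '\\VMM2008.companyabc.com\MSSCVMMLibrary\VHDs\..\ISOs'      # traversal segment
)
Get-OutOfScopePath -Granted $granted -Requested $requested
```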