Then you would be in line with the ongoing roles development story. If you were dead set on rolling your own authorization system you would probably need to build your own RDP/Console client and could leverage the Windows Integrated Auth endpoint in ADFS to get the same information that you are basing your roles on in AzMan. Your post was about client Hyper-V Client has always been meant for developers. For server you are probably using System Center for role assignment and access control. There were probably more users of alternate data streams in NTFS but they deprecated that in ReFS. If you were to build a business around an edge case feature then you have put yourself in a place where the vendor doesn't really get burned for dropping it because the number of users for that thing are always going to be small. Take routers and switches. They do all kinds of stuff that people never turn on. In the end, it has to be widely used and intended to be widely used. See what I mean? Also, a feature being in the box doesn't mean that you should hang your hat on it. Also, the Windows Phone emulators are Hyper-V images. How do I know that? Because they have said that multiple times. Client Hyper-V was intended for developers. If there was something that you were using it was a "nice to have" that they cut. Client Hyper-V has never been intended to have something like that. System Center probably has the functionality for servers. They have never intended for there to be an RBAC system for HYPER-V. We are probably going to be forced to go back to VirtualBox as it allows network access to be restricted. Hyper-V in an environment where you don't want people able to screw up their workstation networking is totally useless. I tried adding a dummy network adapter and binding the switch driver to that which should in theory work, except when you add it to one network interface, it gets added to them all and you are back to square one.
You also can't create new machines as they have a network card by default. We resorted to removing the Hyper-V switch driver from the network card - this looked promising, however if you try to import a VM that has a network card, everything breaks. You can tell HvRemote not to put them in the Hyper-V Administrators group and to be explicit with permissions, but it just gives them permission to WMI and DCOM and won't let them connect to the Hyper-V service locally. If they are not in the group, they cannot even connect to the local console. Users in this group can do anything with Hyper-V including the network switches and there is no way to restrict what they can do that I have found. I've investigated f which seems Windows 8.1 aware, but by default just puts users into the Hyper-V Administrators group. Microsoft's apparently means 'it's there, but it doesn't do anything'. My definition of 'deprecated' and Microsoft's appear to differ as I would consider 'deprecated' to mean 'it works, but it's being pulled in a future release'. In Windows 8.1 Microsoft say AzMan is 'deprecated' and you should use 'alternatives'. You could simply make a new role that simply didn't have the sub-roles to mess with virtual switches and external adapters. Once upon a time you could use AzMan.msc to control what users could and couldn't do with Hyper-V. The default is even the external adapter. A user can completely stuff networking on the host box in three clicks from the management console by making a virtual switch. Also students should not be able to disable the host computer by creating a virtual switch and connecting it to the external adapter. Their VMs should be able to do anything EXCEPT talk on the production network. (This is replacing VirtualBox on Windows 7.) CAVEAT: Users MUST NOT be able to mess with the external network adapter.
I've been tearing my hair out over this issue for the last few weeks. ALL I NEED TO DO: Set up the Hyper-V role on lots of Windows 8.1 Update workstations so that students can play with virtual machines.