Your company has an Active Directory Domain Services (AD DS) domain that includes an
AD security group named Development. You have a member server that runs Windows
Server 2008 R2 with the Hyper-V role installed. You need to ensure that Development group
members can only manage virtual machines (VMs). Development group members must not
have administrative privileges on the host server. What should you use?
A. Authorization Manager
B. the net localgroup command
C. Local Users and Groups
D. Active Directory Administrative Center
Explanation:
Hyper-V security is based on the Authorization Manager API (known as AZMan). Similarly to
VMM’s delegated administration model, an administrator can configure a set of role objects
and assign Active Directory user and group accounts to those roles. Each role can be
granted a set of permissions for virtual machine access and management, and securable
objects can be assigned to scopes, which determine the objects against which access
checks are performed. When a Hyper-V host is added to VMM, VMM applies its own
authorization layer, defined by the VMM user roles, to determine the actions that VMM
administrators and self-service users can perform on the Hyper-V virtual machines while
working in VMM. To do this, VMM creates its own AZMan authorization store on the host
computer. In VMM 2008 R2, the method for implementing user roles in AZMan was changed
to preserve role definitions and role memberships in the root scope of the Hyper-V
authorization store while VMM is managing a Hyper-V host. In VMM 2008, the Hyper-V roles
are not used while a host is managed by VMM.