Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2009-06-16) Fixing Hyper-V ACLs

Posted by Jorge on 2009-06-16

Are you having issues with Hyper-V VMs similar to those explained here? The solution is to fix the permissions on the Hyper-V VM files, but do you know exactly which permissions are needed or what’s missing? Stop thinking!

Use the script attached to this post or as shown below. How does it work?

The script is used as a drop-target. A what? A drop-target! Select all the corresponding Hyper-V VM folders and files and drop them on the icon of the script. The script then figures out the correct permissions that are needed to use the VM in Hyper-V.

Let’s talk credits. Credits should go to me for posting this stuff while being watched! :-)

Credits for the script go to a person that:

  • Is British
  • Used to be an MVP for Directory Services
  • Loves scripting, especially "batch" (he wanted to create a spell checker in batch)
  • Now loves PowerShell
  • Would like to sell that to the world as "PoSH"
  • Now walks the grounds of the "Dark Side" managing DS Stuff
  • Appeared in some cool video a few months back wearing weird stuff

I think you now know who he is. If you don’t, you’ll figure it out some way! :-) Trust me!

:: fix HyperV ACLs.CMD / Dean Wells (DeanWe), Microsoft / October 2008
:: Script adds a suitable ACE (NT Virtual Machine\Virtual Machines or VM-specific) to any number of files supplied as arguments
:: (drag and drop works best) permitting them to be used by the Windows HyperVisor without rendering permissions errors. Special
:: case logic is included to handle symlinks and the permissioning differences required between VHDs and XML configuration files.

@echo off

set issuingAUTHORITY=NT Virtual Machine
set groupPRINCIPAL=Virtual Machines
set EXITcommand=pause
set FAILED=0
set FAILEDfile="%TEMP%\%~n0.$$$"
del %FAILEDfile% 1>nul 2>&1

title Hyper-V ACL fixerupper ...

if "%~1"=="" (
  echo/
  echo #ERROR - nothing to do!
  goto :END
)

echo/

:LOOP

:: Restore default environment for each iteration
set icaclsSUFFIX=
set SECURITYprincipal=%groupPRINCIPAL%
set shortSECURITYprincipal=Group ACE
set PERMISSION=RW
set FILEtype=%~x1

:: Assume the absence of an extension indicates a folder [it's not pretty but it'll do in this context]
if "%FILEtype%"=="" (
  set FILEtype=folder
  set icaclsSUFFIX=/t
)

:: Determine file type [VHDs require "RW" while the XML configuration files and their symlinks require "F"]
:: For VHDs, we assume many VMs _may_ require access to the file so we add the "NT Virtual Machine\Virtual Machines" ACE
:: For XML configuration files and their symlinks, we treat those as private and add the VM-specific ACE
echo "%~a1" | find /i "l" 1>nul 2>&1
if not errorlevel 1 (
  set icaclsSUFFIX=/l
  set FILEtype=symlink
  set SECURITYprincipal=%~n1
  set shortSECURITYprincipal=VM ACE
  set PERMISSION=F
) else (
  if /i "%FILEtype%"==".xml" (
    set PERMISSION=F
    set SECURITYprincipal=%~n1
    set shortSECURITYprincipal=VM ACE
  )
)

:: Build a fixed-width progress line for the current item
set HYPERVfile=%~n1 [%FILEtype% / %shortSECURITYprincipal%:%PERMISSION%] .............................................. 
set HYPERVfile=%HYPERVfile:~0,67%
set /p=+ %HYPERVfile% <nul

:: Grant the selected ACE; if that fails, fall back to the group ACE with the same permission
icacls "%~1" /grant "%issuingAUTHORITY%\%securityPRINCIPAL%":%PERMISSION% %icaclsSUFFIX% 1>nul 2>&1
if errorlevel 1 (
  icacls "%~1" /grant "%issuingAUTHORITY%\%groupPRINCIPAL%":%PERMISSION% %icaclsSUFFIX% 1>nul 2>&1
  if errorlevel 1 (
    set FAILED=1
    echo #FAILED!
    echo %~n1 [%FILEtype% / %shortSECURITYprincipal%:%PERMISSION%] >>%FAILEDfile%
  ) else (
    echo SUCCESS!
  )
) else (
  echo SUCCESS!
)

shift
if not "%~1"=="" goto :LOOP

echo/
if not "%FAILED%"=="1" (
  color 2E
  echo The command completed successfully.
  set EXITcommand=ping -n 6 localhost
) else (
  color 4E
  echo #ERROR - the following Hyper-V file[s] was/were not permissioned correctly:
  echo/
  type %FAILEDfile%
)

:END
%EXITcommand% 1>nul 2>&1
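A read-only check of the result, as an added PowerShell example that is not part of the original post or of Dean Wells' script: it applies the script's own rule (symlinks and .xml files get the VM-specific ACE with F, everything else the group ACE with RW) and reports whether a matching allow ACE is present. A `GroupFallback` state means the script's second icacls call was the one that succeeded, so the whole Virtual Machines group holds F on that configuration file. The function name, the state labels and the folder in the usage comment are made up for this example.

```powershell
# Added example: read-only audit, changes no ACLs. Run on the Hyper-V host.
$Authority = 'NT VIRTUAL MACHINE'
$Group     = "$Authority\Virtual Machines"

function Test-HyperVAce {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Path)
    process {
        foreach ($p in $Path) {
            $item   = Get-Item -LiteralPath $p -Force
            $isLink = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
            # Script's rule: symlinks and .xml files are private to one VM (F);
            # VHDs and folders are shared through the group ACE (RW).
            $private = $isLink -or ($item.Extension -ieq '.xml')
            $need    = [Security.AccessControl.FileSystemRights]'Read, Write'
            if ($private) { $need = [Security.AccessControl.FileSystemRights]::FullControl }
            $vmAce   = "$Authority\$($item.BaseName)"   # VM-specific principal, as %~n1

            # Principals holding an Allow ACE that covers the needed rights.
            $hits = @((Get-Acl -LiteralPath $item.FullName).Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    ([int]$_.FileSystemRights -band [int]$need) -eq [int]$need
                } | ForEach-Object { $_.IdentityReference.Value })

            $state = 'Missing'
            if ($private -and $hits -contains $Group)      { $state = 'GroupFallback' }
            if ($private -and $hits -contains $vmAce)      { $state = 'OK' }
            if (-not $private -and $hits -contains $Group) { $state = 'OK' }
            # Assumption: Get-Acl may read the link target's ACL, so confirm
            # symlinks with "icacls <path> /l", the switch the script uses.
            if ($isLink) { $state = "$state (confirm with icacls /l)" }

            [pscustomobject]@{
                Path  = $item.FullName
                Needs = $need
                State = $state
            }
        }
    }
}

# Usage (hypothetical folder; substitute the location of your own VM files):
#   Get-ChildItem -LiteralPath 'D:\Hyper-V' -Recurse -Force |
#       ForEach-Object { $_.FullName } | Test-HyperVAce | Format-Table -AutoSize
```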




* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!






One Response to “(2009-06-16) Fixing Hyper-V ACLs”

  1. bluezone said

    Do you know if this will fix Server Backup unable to create snapshots for the appropriate vm’s?
