Home > Tintri VMstoreā„¢ > Knowledge Base > Service Account Permissions for Hyper-V

Service Account Permissions for Hyper-V

Applies To

 

Product(s)

Version(s)

TxOS

4.3 and later

Description

Discusses the permissions needed for the service account used with Tintri and Hyper-V.

 

Q & A

Question :
We have a service account used to access the hypervisor and this was used to join the VMstore to domain as well for AD user/group authentication.
 
What privileges/permissions does this service account need? Hyper-V requires what kind of access on the server?
 
Answer:
For Hyper-V, you don't need to specify a specific account in the Tintri UI for the VMstore to access the hypervisor. We instead use the Tintri VMstore's own Active Directory computer trust account to access the Hyper-V hosts. 

 

For us to access the WMI namespaces that we need to use to do our VM awareness magic with Hyper-V, our machine account needs to be made a local administrator on the Hyper-V hosts themselves. Access to the SCVMM servers isn't required and we don't need any special access to things like domain controllers. 

 

We generally suggest putting your Tintri VMstore computer accounts in an Active Directory group and making that a member of the local administrators group on the hosts. This makes it easier to add/remove compute or storage nodes as needed. 

 

The credentials specified when you perform the domain join only need to have rights to perform the join. Often people use a domain admin account, but you should be able to join using an unprivileged domain account if your AD administrators have delegated control over a particular OU or computer account object.

 

We never persist the credentials specified to perform the domain join. We use those to create the computer account and set a few attributes and then forget them. 
 

 

References

For more information on accounts, groups and permissions, please see Tintri SCVMM and Hyper-V Setup Guide .

Viewing 2 of 2 comments: view all
Tech Approved - RD - 10/08/2017
Posted 01:58, 10 Aug 2017
Final Approval - JR - 8/15/2017
Posted 20:56, 15 Aug 2017
Viewing 2 of 2 comments: view all
You must to post a comment.
Last modified
20:09, 31 Jul 2017

Tags

Classifications

This page has no classifications.