PowerShell for Failover Clustering: Read-Only Cluster Access

Hi cluster fans,

Amongst the list of new features we introduced in Windows Server 2008 R2 Failover Clustering is “read-only cluster access”.

Before Windows Server 2008 R2, you were either given full control of the cluster or no control at all. If you wanted to give anyone access to your cluster, you were giving that person full control of it: effectively, they could turn around and take groups offline, evict nodes, or even tear down the entire cluster.

In R2, users can now be given read-only access to the cluster. This helps if your organization is departmentalized, with separate owners for clustering, networking, storage and resources: the cluster owners can give the other owners read-only access for investigation without allowing them to actually make any changes to the cluster.

Granting read-only access can be done via the Failover Cluster Manager:

1. Open Failover Cluster Manager.
2. Connect to the cluster of interest. If you open the tool on a cluster node, you should be connected to the cluster automatically.
3. Right-click on the cluster name.
4. Select Properties.
5. Add the user account of interest.
6. Allow that account to have “Read” access and make sure “Full Control” is unselected.

[Image: Configuring Permissions in the UI]

Alternatively, you can grant read-only access to the same user via PowerShell:

1. From Administrative Tools, select Windows PowerShell Modules.
2. When all the modules are loaded, run the following command to view the users having access to the local cluster, and notice the ClusterRights column:

Get-ClusterAccess

Or, for a remote cluster:

Get-Cluster <cluster name> | Get-ClusterAccess

3. To grant the user read-only access, run the following command:

Grant-ClusterAccess domain\user -ReadOnly

Or, on a remote cluster:

Get-Cluster <cluster name> | Grant-ClusterAccess domain\user -ReadOnly

Now that you’ve granted this user read-only access, the user can connect to the cluster remotely and run queries to get information about it. Any attempt to change the cluster is refused, including taking resources offline, creating new clustered workloads, changing dependencies between resources, evicting nodes, and so on. Note that a read-only user can connect to the cluster via PowerShell only. Attempting to connect with Failover Cluster Manager results in an error:

[Image: Access denied with UI]

Below are some related cmdlets:

# Set a variable
$ClusterName = "RemoteClusterName"

# Show the cluster
Get-Cluster $ClusterName

# Show the cluster properties
Get-Cluster $ClusterName | fl *

# Get the cluster nodes
Get-ClusterNode -Cluster $ClusterName

# Get the cluster resource groups
Get-ClusterGroup -Cluster $ClusterName

# Get the cluster resources
Get-ClusterResource -Cluster $ClusterName

# Get the cluster shared volumes
Get-ClusterSharedVolume -Cluster $ClusterName

# Get the cluster resource types
Get-ClusterResourceType -Cluster $ClusterName

# Get the cluster networks
Get-ClusterNetwork -Cluster $ClusterName

# Get the cluster network interfaces
Get-ClusterNetworkInterface -Cluster $ClusterName

# Get the resource properties
Get-ClusterResource -Cluster $ClusterName -Name "Cluster Name" | fl *
Get-ClusterResource -Cluster $ClusterName -Name "Cluster Name" | Get-ClusterParameter

# Get the resource dependencies
Get-ClusterResource -Cluster $ClusterName | Get-ClusterResourceDependency

# Get the dependency reports
Get-ClusterGroup -Cluster $ClusterName | Get-ClusterResourceDependencyReport | Copy-Item -Destination .
dir *.mht

# Can't set the resource properties
Get-ClusterResource -Cluster $ClusterName -Name "Cluster Name" | Set-ClusterParameter HostRecordTTL 600

# Can't add a group
Get-Cluster $ClusterName | Add-ClusterGroup tempgroup

# Can't offline cluster resources
Get-ClusterResource -Cluster $ClusterName | Stop-ClusterResource

# Can't move cluster groups
Get-ClusterGroup -Cluster $ClusterName | Move-ClusterGroup

# Can't add highly available workloads
Add-ClusterServerRole -Cluster $ClusterName

# Can't set the resource dependencies
Get-ClusterResource -Cluster $ClusterName -Name "Cluster Name" | Set-ClusterResourceDependency -Dependency ""

The following example adds a user to the cluster, gives them full access, then gives them read-only access, and finally blocks access:

[Image: Sample PowerShell output]

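The PowerShell steps above and the full-access, read-only, blocked sequence just described, put together as one script. This is an added example, not the post's own code or output. It assumes the FailoverClusters module is loaded and that the caller holds full control on the cluster; $ClusterName and the account CONTOSO\auditor are placeholders to replace; and the IdentityReference and AccessControlType property names on Get-ClusterAccess output are assumed alongside the ClusterRights column the post mentions. It goes one step beyond the post by reading the access list back after each change, so a grant that leaves Full control in place is caught rather than trusted, and by listing which accounts still hold Full control.

```powershell
# Added example (not from the original post). Assumes the FailoverClusters module is
# loaded and the caller has full control on the cluster.
# Assumed property names on Get-ClusterAccess output: IdentityReference, AccessControlType.
$ClusterName = "RemoteClusterName"    # placeholder, replace with your cluster
$Account     = "CONTOSO\auditor"      # constructed placeholder account

function Get-ClusterAccessEntry {
    param(
        [Parameter(Mandatory)] [string] $Cluster,
        [Parameter(Mandatory)] [string] $User
    )
    # Filter the cluster access list down to one identity (-eq is case-insensitive).
    Get-Cluster -Name $Cluster | Get-ClusterAccess |
        Where-Object { $_.IdentityReference.ToString() -eq $User }
}

function Set-ClusterReadOnlyAccess {
    param(
        [Parameter(Mandatory)] [string] $Cluster,
        [Parameter(Mandatory)] [string] $User
    )
    # Grant read-only, then read the access list back and verify the result:
    # an entry that still says Full would defeat the purpose of the change.
    Grant-ClusterAccess -Cluster $Cluster -User $User -ReadOnly
    $entry = Get-ClusterAccessEntry -Cluster $Cluster -User $User
    if (-not $entry) {
        throw "No access entry found for $User after Grant-ClusterAccess"
    }
    if ($entry.AccessControlType -ne 'Allow' -or $entry.ClusterRights -ne 'ReadOnly') {
        throw "Unexpected rights for ${User}: $($entry.AccessControlType) $($entry.ClusterRights)"
    }
    $entry
}

function Get-ClusterFullControlHolders {
    param([Parameter(Mandatory)] [string] $Cluster)
    # Least-privilege review: every Allow entry with Full rights can take groups
    # offline, evict nodes or destroy the cluster, so this list should stay short.
    Get-Cluster -Name $Cluster | Get-ClusterAccess |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ClusterRights -eq 'Full' } |
        Select-Object IdentityReference, ClusterRights
}

# Lifecycle from the post: full access, then read-only, then blocked.
Grant-ClusterAccess -Cluster $ClusterName -User $Account -Full
Get-ClusterAccessEntry -Cluster $ClusterName -User $Account | Format-Table -AutoSize

Set-ClusterReadOnlyAccess -Cluster $ClusterName -User $Account | Format-Table -AutoSize

Block-ClusterAccess -Cluster $ClusterName -User $Account
Get-ClusterAccessEntry -Cluster $ClusterName -User $Account | Format-Table -AutoSize

# Remove the entry entirely once the account no longer needs to be listed at all.
Remove-ClusterAccess -Cluster $ClusterName -User $Account

"Accounts holding Full control on ${ClusterName}:"
Get-ClusterFullControlHolders -Cluster $ClusterName | Format-Table -AutoSize
```

Run it from a session that already has full control; a read-only session can run the Get-* parts but, as the post shows, the Grant-, Block- and Remove- calls are refused. The verification in Set-ClusterReadOnlyAccess is the part worth keeping in any automation: it turns "we granted read-only" into "we confirmed the account's ClusterRights is ReadOnly".
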
Regards,

Ahmed Bisht
Senior Program Manager
Clustering and High Availability
Microsoft