Hi cluster fans,
Amongst the list of new features we introduced in Windows Server 2008 R2 Failover Clustering is “read-only cluster access”.
Before Windows Server 2008 R2, you were either given full control on the cluster or no control at all. If you wanted to give anyone access to your cluster, you were giving full control of the cluster to that person. Effectively, they could turn around and offline groups, evict nodes, or even tear down the entire cluster.
In R2, users can now be given read-only access to the cluster. This is helpful if your organization is departmentalized, with separate owners for clustering, networking, storage and resources: the cluster owners can give the other owners read-only access for investigation without allowing them to make any changes to the cluster.
Granting read-only access can be done via the Failover Cluster Manager:
1. Open Failover Cluster Manager
2. Connect to the cluster of interest. If you open the tool on a cluster node, you should be connected to the cluster automatically.
3. Right click on the cluster name
4. Select Properties
5. Add the user account of interest
6. Allow that account to have “Read” access and make sure “Full Control” is unselected
Alternatively, you can grant read-only access to the same user via PowerShell:
1. From Administrative Tools, select Windows PowerShell Modules
2. When all the modules are loaded, run the following command to view users having access to the local cluster, and notice the ClusterRights column:
Get-ClusterAccess
Or, to a remote cluster:
Get-Cluster <cluster name> | Get-ClusterAccess
3. To grant the user read-only access, run the following command:
Grant-ClusterAccess domain\user -ReadOnly
Or, on a remote cluster:
Get-Cluster <cluster name> | Grant-ClusterAccess domain\user -ReadOnly
Now that you’ve granted this user read-only access, the user can connect to the cluster remotely and run queries to get information about the cluster. However, any attempt to make changes to the cluster is refused, including taking resources offline, creating new clustered workloads, changing dependencies between resources, evicting nodes, etc. Note that a read-only user can connect to the cluster via PowerShell only. Attempting to connect with the Failover Cluster Manager will result in an error:
Below are some related cmdlets, first the queries that succeed for a read-only user, then the changes that are refused:
# Set a variable
$ClusterName = "RemoteClusterName"
# Show the cluster
Get-Cluster $ClusterName
# Show the cluster properties
Get-Cluster $ClusterName | fl *
# Get the cluster nodes
Get-ClusterNode -Cluster $ClusterName
# Get the cluster resource groups
Get-ClusterGroup -Cluster $ClusterName
# Get the cluster resources
Get-ClusterResource -Cluster $ClusterName
# Get the cluster shared volumes
Get-ClusterSharedVolume -Cluster $ClusterName
# Get the cluster resource types
Get-ClusterResourceType -Cluster $ClusterName
# Get the cluster networks
Get-ClusterNetwork -Cluster $ClusterName
# Get the cluster network interfaces
Get-ClusterNetworkInterface -Cluster $ClusterName
# Get the resource properties
Get-ClusterResource -Cluster $ClusterName -Name "Cluster Name" | fl *
Get-ClusterResource -Cluster $ClusterName -Name "Cluster Name" | Get-ClusterParameter
# Get the resource dependencies
Get-ClusterResource -Cluster $ClusterName | Get-ClusterResourceDependency
# Get the dependency reports
Get-ClusterGroup -Cluster $ClusterName | Get-ClusterResourceDependencyReport | Copy-Item -Destination .
dir *.mht
# Can’t set the resource properties
Get-ClusterResource -Cluster $ClusterName -Name "Cluster Name" | Set-ClusterParameter HostRecordTTL 600
# Can’t add a group
Get-Cluster $ClusterName | Add-ClusterGroup tempgroup
# Can’t offline cluster resources
Get-ClusterResource -Cluster $ClusterName | Stop-ClusterResource
# Can’t move cluster groups
Get-ClusterGroup -Cluster $ClusterName | Move-ClusterGroup
# Can’t add highly available workloads
Add-ClusterServerRole -Cluster $ClusterName
# Can’t set the resource dependencies
Get-ClusterResource -Cluster $ClusterName -Name "Cluster Name" | Set-ClusterResourceDependency -Dependency ""
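The grant-and-verify procedure above, put together as a script that a cluster owner can keep and rerun: it grants read-only access, audits who still holds full control, and gives the read-only user a quick self-check that reads work and changes are refused. This is an added example, not code from the original post; the cluster name, the account and the group names in $ExpectedFull are placeholders, and the IdentityReference/ClusterRights property names are assumed from the columns Get-ClusterAccess displays.

```powershell
# Added example, not from the original post. Placeholders: cluster CLUSTER01,
# account CONTOSO\clusterauditor, and the group names listed in $ExpectedFull.
Import-Module FailoverClusters

$ClusterName  = 'CLUSTER01'
$Auditor      = 'CONTOSO\clusterauditor'
$ExpectedFull = @('CONTOSO\Domain Admins', 'CONTOSO\ClusterAdmins')

# Run as a cluster administrator: grant read-only (never full) to the auditing
# account, then report every identity holding Full control outside the expected list.
function Grant-ReadOnlyAndAudit {
    Get-Cluster $ClusterName | Grant-ClusterAccess -User $Auditor -ReadOnly

    $acl = Get-Cluster $ClusterName | Get-ClusterAccess
    # IdentityReference / ClusterRights are the columns Get-ClusterAccess shows;
    # the property names are assumed here, confirm with "Get-ClusterAccess | Get-Member".
    $acl | Where-Object { $_.IdentityReference -eq $Auditor } |
        Format-Table IdentityReference, ClusterRights -AutoSize

    $unexpected = $acl | Where-Object {
        $_.ClusterRights -like '*Full*' -and
        $ExpectedFull -notcontains [string]$_.IdentityReference
    }
    foreach ($e in $unexpected) {
        Write-Warning "Unexpected full control: $($e.IdentityReference)"
    }
    return $unexpected
}

# Run in a PowerShell session opened as $Auditor: a read is expected to work and
# a change is expected to be refused, so a change that succeeds means the grant
# is wrong and should be reviewed.
function Assert-ReadOnlyDenied {
    $nodes = @(Get-ClusterNode -Cluster $ClusterName)
    Write-Host "Read OK: $($nodes.Count) node(s) visible"
    try {
        Get-ClusterResource -Cluster $ClusterName -Name 'Cluster Name' |
            Set-ClusterParameter HostRecordTTL 600 -ErrorAction Stop
        Write-Warning "Change succeeded: $Auditor is not read-only, review the grant"
        return $false
    } catch {
        Write-Host "Change denied as expected: $($_.Exception.Message)"
        return $true
    }
}
```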
The following example adds a user to the cluster, gives them full access, then gives them read-only access, and finally blocks access:
Regards,
Ahmed Bisht
Senior Program Manager
Clustering and High Availability
Microsoft
Hi,
I have been trying to use the PS cmdlets and everything is working fine when I run them on a domain R2 machine, however, if I try to create a remote PS session from another computer, I always get the "You do not have administrative privileges on the cluster. Contact your network administrator to request access.
Access is denied" error.
My session script looks something like:
$securePassword = ConvertTo-SecureString -AsPlainText -Force -String $password
$Credential = New-Object System.Management.Automation.PSCredential $Username, $SecurePassword
$s = new-PSSession -ComputerName $hostname -credential $credential
enter-PSSession -Session $s
import-module FailoverClusters
I'd really appreciate some insight. Thanks.