Scripting Constrained Delegation Settings

In reference to "Enabling Hyper-V Remote Management - Configuring Constrained Delegation For SMB and Highly Available SMB" and "Enabling Hyper-V Remote Management - Configuring Constrained Delegation For Non-Clustered Live Migration", I've had some people ask me about scripting these settings. In the first post there was the optional step of creating a security group for all of your Hyper-V servers. There's actually another reason that I like to do this: the script below uses that group to find the servers to configure.

Here's the script I use. It takes the name of the security group, the name of the SMB server, and whether or not live migration should be enabled. It requires the Active Directory PowerShell module.

# Requires the Active Directory PowerShell module
Import-Module ActiveDirectory

$HyperVServersGroup = "hv-hosts"
$SMBServer = "HV-W8-BETA-SMB"
$EnableLiveMigration = $true

# SPNs of the SMB server (short name and FQDN) that every host may delegate to
$SMBServerAD = Get-ADComputer $SMBServer
$AllowedToDelegateToSMB = @(
    ("cifs/"+$SMBServerAD.Name),
    ("cifs/"+$SMBServerAD.DNSHostName))

# @() keeps .Count and indexing working when the group has only one member
$HvServersAD = @(Get-ADGroupMember $HyperVServersGroup)

for ($serverCounter = 0; $serverCounter -lt $HvServersAD.Count; $serverCounter++)
{
    $AllowedToDelegateTo = $AllowedToDelegateToSMB

    if ($EnableLiveMigration)
    {
        # Add the migration service SPNs of every other host in the group
        for ($delegateCounter = 0; $delegateCounter -lt $HvServersAD.Count; $delegateCounter++)
        {
            if ($delegateCounter -ne $serverCounter)
            {
                $delegationServer = $HvServersAD[$delegateCounter] | Get-ADComputer
                $AllowedToDelegateTo += @(
                    ("Microsoft Virtual System Migration Service/"+$delegationServer.Name),
                    ("Microsoft Virtual System Migration Service/"+$delegationServer.DNSHostName))
            }
        }
    }
    # -Add appends to whatever values are already on the computer object
    ($HvServersAD[$serverCounter] | Get-ADComputer) | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"=$AllowedToDelegateTo}
}

Taylor Brown
Hyper-V Enterprise Deployment Team
taylorb@microsoft.com
https://blogs.msdn.com/taylorb
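
Because the script above only appends to msDS-AllowedToDelegateTo, older delegation targets stay on the computer objects, so it is worth reading the attribute back and comparing it with the intended set. The following audit is an added example, not part of the original post; the function names Get-ExpectedDelegation and Compare-Delegation, the example.test host names and the sample attribute values are constructed for illustration.

```powershell
# Added example: compare each host's delegation targets with the set the script should produce.
function Get-ExpectedDelegation {
    param($Hosts, $SmbServer, [bool]$EnableLiveMigration)
    $expected = @{}
    foreach ($h in $Hosts) {
        $spns = @("cifs/$($SmbServer.Name)", "cifs/$($SmbServer.DNSHostName)")
        if ($EnableLiveMigration) {
            foreach ($peer in $Hosts) {
                if ($peer.Name -ne $h.Name) {
                    $spns += "Microsoft Virtual System Migration Service/$($peer.Name)"
                    $spns += "Microsoft Virtual System Migration Service/$($peer.DNSHostName)"
                }
            }
        }
        $expected[$h.Name] = $spns
    }
    return $expected
}

function Compare-Delegation {
    param($Hosts, [hashtable]$Expected)
    foreach ($h in $Hosts) {
        # Drop $null so a host with an empty attribute reports nothing unexpected
        $actual = @($h.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $want   = @($Expected[$h.Name])
        New-Object PSObject -Property @{
            Server     = $h.Name
            Missing    = @($want   | Where-Object { $actual -notcontains $_ })
            Unexpected = @($actual | Where-Object { $want -notcontains $_ })
        }
    }
}

# Constructed sample data. In a domain, build $hosts and $smb from AD instead:
#   $hosts = Get-ADGroupMember "hv-hosts" | Get-ADComputer -Properties msDS-AllowedToDelegateTo
#   $smb   = Get-ADComputer "HV-W8-BETA-SMB"
$smb = New-Object PSObject -Property @{ Name = "HV-W8-BETA-SMB"; DNSHostName = "hv-w8-beta-smb.example.test" }
$hosts = @(
    (New-Object PSObject -Property @{ Name = "HV1"; DNSHostName = "hv1.example.test"
        'msDS-AllowedToDelegateTo' = @("cifs/HV-W8-BETA-SMB", "cifs/hv-w8-beta-smb.example.test",
            "Microsoft Virtual System Migration Service/HV2", "ldap/dc1.example.test") }),
    (New-Object PSObject -Property @{ Name = "HV2"; DNSHostName = "hv2.example.test"
        'msDS-AllowedToDelegateTo' = $null })
)

$expected = Get-ExpectedDelegation -Hosts $hosts -SmbServer $smb -EnableLiveMigration $true
Compare-Delegation -Hosts $hosts -Expected $expected | Format-List Server, Missing, Unexpected
```

Any entry under Unexpected is a service the host can delegate to that the script did not ask for and should be reviewed before it is left in place.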
