Configuring restricted access under Virtual Server

It is possible (though not well documented / understood) to configure Virtual Server such that a restricted user can interact with / control only a subset of the virtual machines on a given installation of Virtual Server.  The first step is to launch the Virtual Server Administrative page and go to ‘Server Properties’ and then to ‘Virtual Server Security’. Here you will need to add an entry for the user / user group that you want to use the virtual machines; and give them ‘view’ and ‘control’ privileges.

In order to control which virtual machines these restricted users can see when they come to the Virtual Server Master Status page you will need to go to each of the .VMC files associated with the virtual machines through Windows explorer and edit the Security settings as follows:

  1. No rights / deny all

    If you configure a .VMC such that the user in question as no access rights to the .VMC file they will not see the virtual machine at all – or have any indication that it is there.

  2. Read only

    If a user has read permission on a .VMC (but not write) then they will see the virtual machine on the Master Status page.  If the virtual machine is running they will also be able to interact with it.  However – the user will not be able to power on / turn off the virtual machine as these operations require having write access to the .VMC file.

  3. Read / write

    If a user has read and write permissions for the .VMC file they will be able to interact with and control the virtual machine.

In both options 2 & 3 it is also advisable to give the same level of access to the user on the .VHD files and the directory that contains the .VMC file so that they can save changes to the virtual hard disk and create temporary files as appropriate.