Access Denied Error Attempting to Manage a Remote Hyper-V Server in a Workgroup Environment
When you attempt to use the Hyper-V management tools on a Windows Vista or Windows 7 computer, and connect to a remote Windows Server 2008 R2 machine running the Hyper-V role enabled, if both machines are in a workgroup, you will get a nasty error:
You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer `IP address`
Here is what it looks like in the UI:
I will not go into details on why this happens. The reasons for this were well documented on the official Microsoft documentation:
In addition, John Howard, a Senior Program Manager in the Hyper-V team at Microsoft Corporation, has done a wonderful job in documenting all the manual steps that were needed to be taken in order to allow for such a remote management scenario (it is strange that Microsoft themselves did not offer an easier way to do this). His blog posts can be found in the following links:
So if you really want the nasty bits, make sure you read the above posts.
How to enable remote management of Hyper-V
John Howard has drafted, in great detail, all the steps that need to be taken in order to make it work. The process is long, it has many steps that need to be done (part on the server side, part on the client side, and part on both ends). Because of that and all the complication involved, it’s quite easy to make errors that will prevent you from successfully completing the necessary steps.
However, and here is the nice part, John Howard also has a solution for us: A tool he wrote, called HVRemote, which was developed in order to avoid the manual steps required for remote configuration.
Hyper-V Remote Management Configuration Utility – Release: HVRemote Version 0.7
By using this command line tool and running a bunch of simple commands, you will be able to easily enable remote management of Hyper-V. Let’s see what needs to be done:
Note: If your server is being managed by System Center Virtual Machine Manager 2008, you should not use this script.
After downloading the tool, copy HVRemote.wsf to a location on both target machine – the server and the client. It is recommended to create a new sub-directly such as C:\HVRemote in which to store the script.
- Open a command prompt window and point it to that folder. It’s recommended that you open it as an administrator (right-click and choose “Run As Administrator”).
- On the Hyper-V server: Add a user rights to remotely access Hyper-V.
- cscript hvremote.wsf /add:domain\user (if machine is in a domain)
cscript hvremote.wsf /add:user (if machine is in a workgroup)
- On the client if using Vista or Windows 7 client (not needed on Windows Server 2008 or Windows Server 2008 R2): Add a firewall exception for the Microsoft Management Console.
- cscript hvremote.wsf /mmc:enable
- On the client (if the client and server are both in workgroups, or on the client and server are in untrusted domains): Allow anonymous DCOM access
- cscript hvremote.wsf /anondcom:grant
- Reboot both Hyper-V server and client.
- Optional – On the client: Display current configuration and verify common configuration problems.
- cscript hvremote.wsf /show /target:servercomputername
- Optional – On the server: Display current configuration and verify common configuration problems.
- cscript hvremote.wsf /show /target:clientcomputername
Now, you can add the remote Hyper-V server to the Windows 7 Hyper-V management console:
So there you have it! By default, connecting to Windows Server 2008 R2 from a Vista or Windows 7 machine while using Hyper-V management tools leads to an annoying denial error. Fortunately the workaround for this is pretty straight forward. Hopefully this article has helped you through the required steps to make it work!