Compartir a través de


Scripting Constrained Delegation Settings

In reference to Enabling Hyper-V Remote Management - Configuring Constrained Delegation For SMB and Highly Available SMB and Enabling Hyper-V Remote Management - Configuring Constrained Delegation For Non-Clustered Live Migration I’ve had some people ask me about scripting these settings… Well in the first post there was the optional step of creating a security group for all of your Hyper-V servers – there’s actually another reason that I like to do this.

Here’s the script I use… It takes the name of the security group, the name of the SMB server and wither or not live migration should be enabled.  This does require that you have the Active Directory PowerShell module.

$HyperVServersGroup = "hv-hosts"
$SMBServer = "HV-W8-BETA-SMB"
$EnableLiveMigration = $true

$SMBServerAD = Get-ADComputer $SMBServer
$AllowedToDelegateToSMB = @(
("cifs/"+$SMBServerAD.Name),
("cifs/"+$SMBServerAD.DNSHostName))

$HvServersAD = Get-ADGroupMember $HyperVServersGroup

for ($serverCounter = 0; $serverCounter -lt $HvServersAD.Count; $serverCounter++)
{
$AllowedToDelegateTo = $AllowedToDelegateToSMB

    if ($EnableLiveMigration)
{
for ($deligateCounter = 0; $deligateCounter -lt $HvServersAD.Count; $deligateCounter++)
{
if ($deligateCounter -ne $serverCounter)
{
$deligationServer = $HvServersAD[$deligateCounter] | Get-ADComputer
$AllowedToDelegateTo += @(
("Microsoft Virtual System Migration Service/"+$deligationServer.Name),
("Microsoft Virtual System Migration Service/"+$deligationServer.DNSHostName))
}
}
}
($HvServersAD[$serverCounter] | Get-ADComputer) | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"=$AllowedToDelegateTo}
}

Taylor Brown
Hyper-V Enterprise Deployment Team
taylorb@microsoft.com
https://blogs.msdn.com/taylorb

WS08R2-HyperV_v_rgb

Comments

  • Anonymous
    November 06, 2012
    See my new post blogs.msdn.com/.../remote-administration-without-constrained-delegation-using-principalsallowedtodelegatetoaccount.aspx

  • Anonymous
    August 06, 2014
    Taylor, love the script in its simplicity as compared to  the 'Set-KCD.ps1' script written by Matthijs ten Seldam of MS (http://tinyurl.com/mt8w7nh).  I love your approach of looking to a group to drive the delegates, however note that this attribute is a cumulative on the target computer account and thus accumulates delegates on the target. What is needed is the ability to iterate through the security group cleaning out previous delegates from the target computer account and applying the security group members as delegates.  Also, MS premier has advised that both the short name and the FQDN need both the CIFS and the MVSMS ("Microsoft Virtual System Migration Service") delegation (a total of four delegations per target).  Your script adds the CIFS once for the named target and MVSMS for each member of the group.