Scripting Constrained Delegation Settings
In reference to Enabling Hyper-V Remote Management - Configuring Constrained Delegation For SMB and Highly Available SMB and Enabling Hyper-V Remote Management - Configuring Constrained Delegation For Non-Clustered Live Migration I’ve had some people ask me about scripting these settings… Well in the first post there was the optional step of creating a security group for all of your Hyper-V servers – there’s actually another reason that I like to do this.
Here’s the script I use… It takes the name of the security group, the name of the SMB server and wither or not live migration should be enabled. This does require that you have the Active Directory PowerShell module.
$HyperVServersGroup = "hv-hosts"
$SMBServer = "HV-W8-BETA-SMB"
$EnableLiveMigration = $true
$SMBServerAD = Get-ADComputer $SMBServer
$AllowedToDelegateToSMB = @(
("cifs/"+$SMBServerAD.Name),
("cifs/"+$SMBServerAD.DNSHostName))
$HvServersAD = Get-ADGroupMember $HyperVServersGroup
for ($serverCounter = 0; $serverCounter -lt $HvServersAD.Count; $serverCounter++)
{
$AllowedToDelegateTo = $AllowedToDelegateToSMB
if ($EnableLiveMigration)
{
for ($deligateCounter = 0; $deligateCounter -lt $HvServersAD.Count; $deligateCounter++)
{
if ($deligateCounter -ne $serverCounter)
{
$deligationServer = $HvServersAD[$deligateCounter] | Get-ADComputer
$AllowedToDelegateTo += @(
("Microsoft Virtual System Migration Service/"+$deligationServer.Name),
("Microsoft Virtual System Migration Service/"+$deligationServer.DNSHostName))
}
}
}
($HvServersAD[$serverCounter] | Get-ADComputer) | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"=$AllowedToDelegateTo}
}
Taylor Brown
Hyper-V Enterprise Deployment Team
taylorb@microsoft.com
https://blogs.msdn.com/taylorb
Comments
Anonymous
November 06, 2012
See my new post blogs.msdn.com/.../remote-administration-without-constrained-delegation-using-principalsallowedtodelegatetoaccount.aspxAnonymous
August 06, 2014
Taylor, love the script in its simplicity as compared to the 'Set-KCD.ps1' script written by Matthijs ten Seldam of MS (http://tinyurl.com/mt8w7nh). I love your approach of looking to a group to drive the delegates, however note that this attribute is a cumulative on the target computer account and thus accumulates delegates on the target. What is needed is the ability to iterate through the security group cleaning out previous delegates from the target computer account and applying the security group members as delegates. Also, MS premier has advised that both the short name and the FQDN need both the CIFS and the MVSMS ("Microsoft Virtual System Migration Service") delegation (a total of four delegations per target). Your script adds the CIFS once for the named target and MVSMS for each member of the group.