User Roles Problem (Network Steve Forum)

User Roles Problem

Hello VMM Geeks,

I am using SCVMM 2012 R2 with Update Rollup 4. I have configured User Roles for each service groups (like Exchange-Admins, SCCM-Admins, SCOM-Admins, etc.), assigned the Self-Service user rights for each User Role, and added the respective service accounts for each user Role in the Members tab.

I have not added the User IDs, but the service accounts for each user role.

I installed the VMM Console on the desktops of users. Now, the users are logging-in on the console through Use current Microsoft Windows session identity, it opens a small window of Select User Role (Select the user role you would like to use for this session), which shows the drop-down options for all the configured user roles. When any user chooses the Administrator (VMM default) user role, users are getting connected to VMM with all administrative privileges.

This is a crucial security threat as any user is able to easily login to VMM with all administrative privileges.

Following are the members of Administrator user role:
NT AUTHORITY\SYSTEM
CONTOSO\DomainAdmins
CONTOSO\SCVMM_Admin
CONTOSO\VMM_Node1$
CONTOSO\VMM_Node2$
CONTOSO\VMM_ServiceCluster$
CONTOSO\VMM_CNO$

When the users login using their designated service accounts, it works fine and VMM shows only their assigned VMs. But the thing is that I cannot restrict the users from logging on the VMM console with Administrator user role.

Please help and advise me ASAP.

Regards,
Hasan Bin Hasib

Edited by Hasan Bin Hasib Tuesday, February 10, 2015 10:59 AM

February 10th, 2015 1:43pm

This is addressed in UR5, with this security bulletin: https://technet.microsoft.com/en-us/library/ms15-017

Proposed as answer by Jonobie Ford-MSFT Wednesday, February 11, 2015 12:59 AM
Marked as answer by Hasan Bin Hasib Wednesday, February 11, 2015 4:30 AM

Free Windows Admin Tool Kit Click here and download it now

February 11th, 2015 3:56am

Thanks Madam. I will install the UR 5 today.

I have a confusion and would be thankful if you please help me.

After completing the installation of VMM 2012 R2, I directly installed the UR 4 (skipping the UR 1, UR 2, and UR 3). I though that all the features/fixes of UR1, UR2 and UR3 will also be incorporated in UR4. So I want to ask that do I need to install all the previous Update Rollups (UR1, UR2, and UR3)?

Please advise.

Thank you.

Regards,

Hasan Bin Hasib

Edited by Hasan Bin Hasib Wednesday, February 11, 2015 5:17 AM

February 11th, 2015 7:25am

Your understanding is correct. The latest URs always contain the fixes from the previous ones. When you installed UR4, it included UR1, UR2, UR3 as well as fixes that are new to UR4.

Marked as answer by Hasan Bin Hasib 6 hours 46 minutes ago

Free Windows Admin Tool Kit Click here and download it now

February 11th, 2015 11:40am

Your understanding is correct. The latest URs always contain the fixes from the previous ones. When you installed UR4, it included UR1, UR2, UR3 as well as fixes that are new to UR4.

Marked as answer by Hasan Bin Hasib Thursday, February 12, 2015 4:49 AM

February 11th, 2015 7:36pm

Many thanks to you Madam.

Regards,

Hasan Bin Hasib

Free Windows Admin Tool Kit Click here and download it now

February 11th, 2015 11:53pm

This topic is archived. No further replies will be accepted.