Creating a service user account

The service account Turbonomic uses to connect to a Hyper-V host must be an Active Directory domain account. The account must have full access to the cluster. To create such an account, execute the following command at a PowerShell prompt:

Grant-ClusterAccess <domain>\<service_account> -Full 

Additionally, the service account must have specific local access rights on each host. The easiest way to grant Turbonomic the access it requires is to add the domain account to the Local Administrators group on each Hyper-V server.

Some enterprises require that the service account does not grant full administrator rights. In that case, you can create a restricted service account on every Hyper-V host.

Note:

Turbonomic does not support Restricted User Accounts on Windows 2012 Hyper-V nodes.

To create a restricted service account on your Hyper-V hosts:

  1. Add the service account to each of the following local groups:

    • WinRMRemoteWMIUsers__ or Remote Management Users

    • Hyper-V Administrators

    • Performance Monitor Users

      Note:

      These groups are examples only. If your version of Windows Server does not include these groups, contact Technical Support for assistance.

  2. Grant permissions to the service account.

    In the WMI Management console, grant the following permissions to the service account:

    • Enable Account

    • Remote Enable

    • Act as Operating System (for Windows 2016)

  3. Configure the WinRM security descriptor to allow access by the service account:

    • At a PowerShell prompt, run the command:

      winrm configSDDL default
    • In the Permissions for Default dialog box, grant the service account Read and Execute access.