Creating a service user account
The service account Turbonomic uses to connect to a Hyper-V host must be an Active Directory domain account. The account must have full access to the cluster. To grant the account this access, execute the following command at a PowerShell prompt:
Grant-ClusterAccess <domain>\<service_account> -Full
Additionally, the service account must have specific local access rights on each host. The easiest way to grant Turbonomic the access it requires is to add the domain account to the Local Administrators group on each Hyper-V server.
Some enterprises require that the service account not have full administrator rights. In that case, you can create a restricted service account on every Hyper-V host.
Turbonomic does not support Restricted User Accounts on Windows 2012 Hyper-V nodes.
To create a restricted service account on your Hyper-V hosts:
Add the service account to each of the following local groups:
- WinRMRemoteWMIUsers__ or Remote Management Users
- Hyper-V Administrators
- Performance Monitor Users
Note: These groups are examples only. If your version of Windows Server does not include these groups, contact Technical Support for assistance.
Grant permissions to the service account.
In the WMI Management console, grant the following permissions to the service account:
- Enable Account
- Remote Enable
- Act as Operating System (for Windows 2016)
Configure the WinRM security descriptor to allow access by the service account:
At a PowerShell prompt, run the command:
winrm configSDDL default
In the Permissions for Default dialog box, grant the service account Read and Execute access.
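The group-membership step of the restricted-account procedure above can be scripted across all cluster nodes. The following is an added example, not part of the Turbonomic documentation; it assumes PowerShell remoting to each host, the FailoverClusters module on the machine where it runs, the LocalAccounts cmdlets (Windows PowerShell 5.1) on the hosts, and uses CONTOSO\svc-turbo as a placeholder account name. It also reports whether the account is still a member of the local Administrators group, which a restricted account should not be.

```powershell
# Added example (not Turbonomic's own script).
# CONTOSO\svc-turbo is a placeholder; the host list defaults to the cluster nodes.
param(
    [string]$ServiceAccount = 'CONTOSO\svc-turbo',
    [string[]]$HyperVHosts  = (Get-ClusterNode).Name
)

$result = Invoke-Command -ComputerName $HyperVHosts -ArgumentList $ServiceAccount -ScriptBlock {
    param($Account)

    # Groups named in the procedure; '|' separates alternatives for the same role.
    $required = 'WinRMRemoteWMIUsers__|Remote Management Users',
                'Hyper-V Administrators',
                'Performance Monitor Users'

    foreach ($entry in $required) {
        # Use the first alternative that exists on this host.
        $group = $entry.Split('|') |
            Where-Object { Get-LocalGroup -Name $_ -ErrorAction SilentlyContinue } |
            Select-Object -First 1

        if (-not $group) {
            # The page says to contact Technical Support when a group is absent.
            [pscustomobject]@{ Group = $entry; Status = 'GroupMissing' }
            continue
        }

        $isMember = Get-LocalGroupMember -Group $group -Member $Account -ErrorAction SilentlyContinue
        if ($isMember) {
            $status = 'AlreadyMember'
        } else {
            Add-LocalGroupMember -Group $group -Member $Account
            $status = 'Added'
        }
        [pscustomobject]@{ Group = $group; Status = $status }
    }

    # Least-privilege check: a restricted account should not also be a local administrator.
    $admin = Get-LocalGroupMember -Group 'Administrators' -Member $Account -ErrorAction SilentlyContinue
    $adminStatus = if ($admin) { 'UNEXPECTED: still a member' } else { 'NotMember' }
    [pscustomobject]@{ Group = 'Administrators'; Status = $adminStatus }
}

# One row per host and group, suitable for keeping as a change record.
$result | Sort-Object PSComputerName, Group |
    Format-Table PSComputerName, Group, Status -AutoSize
```

The WMI permissions and the WinRM security descriptor are not changed by this script and still have to be set on each host as described in the steps above.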