Hello VMM Geeks,
I am using SCVMM 2012 R2 with Update Rollup 4. I have configured User Roles for each service groups (like Exchange-Admins, SCCM-Admins, SCOM-Admins, etc.), assigned the Self-Service user rights for each User Role, and added the respective service accounts for each user Role in the Members tab.
I have not added the User IDs, but the service accounts for each user role.
I installed the VMM Console on the desktops of users. Now, the users are logging-in on the console through ‘Use current Microsoft Windows session identity’, it opens a small window of Select User Role (Select the user role you would like to use for this session), which shows the drop-down options for all the configured user roles. When any user chooses the Administrator (VMM default) user role, users are getting connected to VMM with all administrative privileges.
This is a crucial security threat as any user is able to easily login to VMM with all administrative privileges.
Following are the members of Administrator user role:
NT AUTHORITY\SYSTEM
CONTOSO\DomainAdmins
CONTOSO\SCVMM_Admin
CONTOSO\VMM_Node1$
CONTOSO\VMM_Node2$
CONTOSO\VMM_ServiceCluster$
CONTOSO\VMM_CNO$
When the users login using their designated service accounts, it works fine and VMM shows only their assigned VMs. But the thing is that I cannot restrict the users from logging on the VMM console with Administrator user role.
Please help and advise me ASAP.
Regards,
Hasan Bin Hasib