Hyper-V VHD file permissions lost when moving folders

I recently found that I broke my home lab environment when I needed to free up/juggle some disk space on one of my SSDs. I carefully used robocopy to preserve the permissions on the backups of the VHDs, but on restoring them, I forgot and used the GUI to copy and paste them back to their restored location.
When I tried to start the VM up, the Hyper-V Manager greeted me with the following error:

Synthetic SCSI Controller Failed to Power on with Error 'General access denied error'.

'YourVirtualMachine' failed to start.

Synthetic SCSI Controller (Instance ID XXXXX-XXXX-XXXX-XXXX-XXXX): Failed to Power on with Error 'General access denied error'.

Hyper-V Virtual Machine Management service Account does not have permission to open attachment 'C:\HYPER-V\VHD\YourVirtualMachine.vhdx'. Error: 'General access denied error'

So the error is fairly self-explanatory: I broke the permissions. Each VM on the Hyper-V host will have a group named after the VM's own unique ID (NT VIRTUAL MACHINE\ followed by the VM ID). This group needs NTFS read and write permissions on the VHD or VHDX (note my VM host is not domain joined).

So now I have 20 or so VHDX files I need to go through and assign a custom group name to each one.
Then I thought, if I need to do this again in a large production environment, I'd prefer to do this with PowerShell and automate it.

After an hour or so of fiddling and some googling, I butchered (engineered) this script.



 # Author: Andrew James Robinson
 # Date: 22/10/2017
 # Purpose: This script repairs permissions on VHDs that have been moved around and lost their machine ID ACL
 # Revision: 1.00
 # Changes: 1.00 Initial Release

 cls

 # Folder holding the VHDX files; each file is expected to be named <VM name>.vhdx
 $VHDRoot = "c:\hyper-v\vhd\"
 $GetVM = Get-VM -ComputerName localhost

 Foreach ($vm in $GetVM)
 {
   $AJRname = $vm.Name
   $AJRid = $vm.VMId
   $vhdPath = (Join-Path $VHDRoot ($AJRname + '.vhdx'))
   # Skip VMs that have no matching VHDX in $VHDRoot, otherwise Get-Item fails
   if (-not (Test-Path $vhdPath)) { Write-Warning "No VHDX found for $AJRname at $vhdPath"; continue }
   # Read only the access rules (DACL) of the file
   $acl = (Get-Item $vhdPath).GetAccessControl("Access")
   # AJR is full control required? Hopefully not, just grant read/write.
   #$permission = "NT VIRTUAL MACHINE\$AJRid","FullControl","Allow"
   $permission = "NT VIRTUAL MACHINE\$AJRid","Read, Write","Allow"
   $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
   # Add (or replace) the rule for this VM's identity and write the ACL back
   $acl.SetAccessRule($accessRule)
   $acl | Set-Acl $vhdPath
 }

And now the permissions are correctly set for the VM to start up.
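
The script above expects every disk to sit in one folder and be named after its VM. The following added example (not the original author's script) generalizes it: it asks Hyper-V for each VM's attached disk paths, reports whether the VM's identity already has read/write access, and only adds the rule where it is missing. The function name Repair-VMDiskAcl is hypothetical, and it assumes Windows PowerShell 5.1 running elevated on the Hyper-V host.

```powershell
# Added example: audit and repair the per-VM ACL on every attached virtual disk.
# Assumptions: Windows PowerShell 5.1, elevated session, run locally on the Hyper-V host.
# Only the files currently attached to a VM are checked; parents of differencing
# disks are not followed.
function Repair-VMDiskAcl {                      # hypothetical name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Least privilege: same rights the original script grants, not FullControl
    $rights = [System.Security.AccessControl.FileSystemRights]'Read, Write'
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow

    foreach ($disk in (Get-VM | Get-VMHardDiskDrive)) {
        $path     = $disk.Path
        $identity = "NT VIRTUAL MACHINE\$($disk.VMId)"

        # Pass-through disks and missing files have no file ACL to repair
        if (-not $path -or -not (Test-Path -LiteralPath $path -PathType Leaf)) {
            Write-Warning "$($disk.VMName): disk '$path' not found, skipping"
            continue
        }

        # Read only the DACL, as the original script does
        $acl = (Get-Item -LiteralPath $path).GetAccessControl('Access')

        # Is there already an Allow rule for this VM covering Read and Write?
        $existing = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $identity -and
            $_.AccessControlType -eq $allow -and
            ($_.FileSystemRights -band $rights) -eq $rights
        }
        $needsFix = -not $existing

        if ($needsFix -and $PSCmdlet.ShouldProcess($path, "Grant Read, Write to $identity")) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $rights, $allow)
            $acl.AddAccessRule($rule)
            Set-Acl -LiteralPath $path -AclObject $acl
        }

        # One report row per disk, so the result can be reviewed or exported
        [pscustomobject]@{
            VMName = $disk.VMName; Path = $path; Identity = $identity; HadAccess = -not $needsFix
        }
    }
}

# Dry run first: lists what would change without touching any ACL
Repair-VMDiskAcl -WhatIf | Format-Table -AutoSize
```

Running it without -WhatIf applies the missing rules; rows with HadAccess set to False are the disks that lost their VM entry.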

