In reference to “Enabling Hyper-V Remote Management - Configuring Constrained Delegation For SMB and Highly Available SMB” and “Enabling Hyper-V Remote Management - Configuring Constrained Delegation For Non-Clustered Live Migration”, I’ve had some people ask me about scripting these settings… Well, in the first post there was the optional step of creating a security group for all of your Hyper-V servers – there’s actually another reason that I like to do this.
Here’s the script I use… It takes the name of the security group, the name of the SMB server and whether or not live migration should be enabled. This does require that you have the Active Directory PowerShell module.
# Requires the Active Directory PowerShell module.
Import-Module ActiveDirectory

$HyperVServersGroup = "hv-hosts"
$SMBServer = "HV-W8-BETA-SMB"
$EnableLiveMigration = $true

# SPNs for the SMB server (short name and DNS host name).
$SMBServerAD = Get-ADComputer $SMBServer
$AllowedToDelegateToSMB = @(
    ("cifs/" + $SMBServerAD.Name),
    ("cifs/" + $SMBServerAD.DNSHostName))

# Wrap in @() so .Count and indexing also work when the group has a single member.
$HvServersAD = @(Get-ADGroupMember $HyperVServersGroup)

for ($serverCounter = 0; $serverCounter -lt $HvServersAD.Count; $serverCounter++)
{
    # Every host starts with the SMB server's cifs SPNs.
    $AllowedToDelegateTo = $AllowedToDelegateToSMB

    if ($EnableLiveMigration)
    {
        # Add the migration service SPNs of every other host in the group.
        for ($delegateCounter = 0; $delegateCounter -lt $HvServersAD.Count; $delegateCounter++)
        {
            if ($delegateCounter -ne $serverCounter)
            {
                $delegationServer = $HvServersAD[$delegateCounter] | Get-ADComputer
                $AllowedToDelegateTo += @(
                    ("Microsoft Virtual System Migration Service/" + $delegationServer.Name),
                    ("Microsoft Virtual System Migration Service/" + $delegationServer.DNSHostName))
            }
        }
    }

    # -Add appends to msDS-AllowedToDelegateTo; values already on the account are kept.
    ($HvServersAD[$serverCounter] | Get-ADComputer) | Set-ADObject -Add @{"msDS-AllowedToDelegateTo" = $AllowedToDelegateTo}
}
Taylor Brown
Hyper-V Enterprise Deployment Team
taylorb@microsoft.com
https://blogs.msdn.com/taylorb
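
Because the script uses Set-ADObject -Add, it only ever appends to msDS-AllowedToDelegateTo, so a read-only comparison of each host's current values against the set the script would produce shows missing and left-over entries. The following is an added example, not part of the original post; the function names, host names and sample attribute values are constructed for illustration.

```powershell
# Added example (not from the original post): read-only audit, changes nothing in AD.
function Get-ExpectedDelegation {
    param($HvHost, $AllHosts, $SmbServer, [bool] $EnableLiveMigration = $true)
    # Same SPN set the script above builds for one Hyper-V host.
    $spns = @("cifs/$($SmbServer.Name)", "cifs/$($SmbServer.DNSHostName)")
    if ($EnableLiveMigration) {
        foreach ($peer in $AllHosts) {
            if ($peer.Name -ne $HvHost.Name) {
                $spns += "Microsoft Virtual System Migration Service/$($peer.Name)"
                $spns += "Microsoft Virtual System Migration Service/$($peer.DNSHostName)"
            }
        }
    }
    $spns
}

function Compare-Delegation {
    param($HvHost, [string[]] $Expected)
    # Drop $null so an empty attribute yields an empty list; -contains ignores case.
    $current = @($HvHost.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    [pscustomobject]@{
        Computer   = $HvHost.Name
        Missing    = @($Expected | Where-Object { $current -notcontains $_ })
        Unexpected = @($current | Where-Object { $Expected -notcontains $_ })
    }
}

# Constructed sample data so the example runs without a domain. Against a real domain:
#   $smb   = Get-ADComputer "HV-W8-BETA-SMB"
#   $hosts = @(Get-ADGroupMember "hv-hosts" | Get-ADComputer -Properties msDS-AllowedToDelegateTo)
$smb   = [pscustomobject]@{ Name = 'SMB01'; DNSHostName = 'smb01.example.test' }
$hosts = @(
    [pscustomobject]@{ Name = 'HV01'; DNSHostName = 'hv01.example.test'
        'msDS-AllowedToDelegateTo' = @('cifs/SMB01', 'cifs/OLDSMB') },
    [pscustomobject]@{ Name = 'HV02'; DNSHostName = 'hv02.example.test'
        'msDS-AllowedToDelegateTo' = $null }
)

$report = foreach ($h in $hosts) {
    $expected = Get-ExpectedDelegation -HvHost $h -AllHosts $hosts -SmbServer $smb
    Compare-Delegation -HvHost $h -Expected $expected
}
$report | Format-List
```

Entries under Unexpected are delegation targets the group no longer implies, such as a retired SMB server or a host removed from the group, and are worth reviewing before anything is removed.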

Comments
- Anonymous 
 November 06, 2012
 See my new post blogs.msdn.com/.../remote-administration-without-constrained-delegation-using-principalsallowedtodelegatetoaccount.aspx
- Anonymous 
 August 06, 2014
 Taylor, love the script in its simplicity as compared to the 'Set-KCD.ps1' script written by Matthijs ten Seldam of MS (http://tinyurl.com/mt8w7nh). I love your approach of looking to a group to drive the delegates, however note that this attribute is cumulative on the target computer account and thus accumulates delegates on the target. What is needed is the ability to iterate through the security group cleaning out previous delegates from the target computer account and applying the security group members as delegates. Also, MS premier has advised that both the short name and the FQDN need both the CIFS and the MVSMS ("Microsoft Virtual System Migration Service") delegation (a total of four delegations per target). Your script adds the CIFS once for the named target and MVSMS for each member of the group.