Can a local user group contain a domain group as a member?
Situation is this: Server 2012 has Hyper-V role installed, logon as non-Admin cannot access Virtual Machine Manager because of error:
you do not have the required permission
I can solve this by adding the user to the local 'Hyper-V Administrators' group which works fine but I would prefer to do this at the domain level.
So for example can I have a Domain\Hyper-V Administrators group which is a member of the local\Hyper-V Administrators group. Or perhaps I can somehow give appropriate permissions to run VMM to the Domain\Hyper-V Administrators group?
Best Answer
Local groups on domain member computers can have groups (Global, Domain Local, or Universal) from the domain nested within them. Creating your "DOMAIN\Hyper-V Administrators" group is certainly a viable idea.
You should look into using "Restricted Groups", which can allow you to perform this group nesting automatically on your domain-joined Hyper-V hosts. This HOWTO is nice, though it doesn't drive home the point hard enoguh that you'll really want to use the "This group is a member of" functionality more often than not.