Thursday, 24 November 2016

How to Enable Hyper-V Manager for Non-Administrators from Windows 10

After adding a user or group to the Hyper-V Administrators local group on a host, you are still unable to connect to the host with Windows 10 Hyper-V Manager.

The error is as follows:
"You do not have the required permission to complete this task. Contact the Administrator of the authorization policy for the computer 'SERVERNAME'."

This is due to a change in the way Hyper-V Manager connects to the server in Windows 10 / Server 2016.

To re-enable the functionality, the user or group needs to be added to the "WinRMRemoteWMIUsers__" and "Hyper-V Administrators" groups. It also needs to be given the "Enable Account" and "Remote Enable" permissions on the root\interop WMI namespace.

To do this in the GUI, open Computer Management and add the user or group to the "WinRMRemoteWMIUsers__" group. On 2016 this group doesn't exist; I added the user/group to the "Remote Management Users" group on my 2016 hosts.

Also, open the "Services and Applications -> WMI Control" properties. Click the Security tab, select Root\interop and click the Security button. Add your user or group and check Remote Enable.



To do this with PowerShell, execute the following script (it must be run with Administrator privileges):

Param(
    [Parameter(Mandatory=$true)]$Domain,
    [Parameter(Mandatory=$true)]$User,
    [Parameter(Mandatory=$true)]$computerName
)
# Look up the account so its SID can be used in the WMI permission entry
$WindowsAccount = Get-WmiObject -Class Win32_Account -Filter "Domain='$($domain)' and Name='$($user)'"
if ($WindowsAccount) {
    #### Add user/group into the local group
    $Group = "WinRMRemoteWMIUsers__" # This group only seems to be on 2012 R2 (not on 2016) - change to "Remote Management Users" for 2016
    $LocalGroup = [ADSI]"WinNT://$computerName/$Group,group"
    $LocalGroup.psbase.Invoke("Add",([ADSI]"WinNT://$domain/$user").path)
    #### Add user/group into the local Hyper-V Admins group
    $Group2 = "Hyper-V Administrators"
    $LocalGroup2 = [ADSI]"WinNT://$computerName/$Group2,group"
    $LocalGroup2.psbase.Invoke("Add",([ADSI]"WinNT://$domain/$user").path)
    #### Add user/group to required WMI namespace
    # Get the existing security descriptor from the namespace
    $namespace = "root/InterOp"
    $securityDescriptor = (Invoke-WmiMethod -Namespace $namespace `
        -Path "__systemsecurity=@" -ComputerName $computerName -Name GetSecurityDescriptor).Descriptor
    # Create a new permission entry (ACE) with magic numbers
    $newDacl = (New-Object System.Management.ManagementClass("win32_Ace")).CreateInstance()
    $newDacl.AccessMask = 33 # Enable Account (0x1) + Remote Enable (0x20)
    $newDacl.AceType = 0x0 # Allow
    $newDacl.AceFlags = 0 # No inheritance flags
    # Add AD user/group to the permission
    $trustee = (New-Object System.Management.ManagementClass("win32_Trustee")).CreateInstance()
    $trustee.SidString = $WindowsAccount.Sid
    $newDacl.Trustee = $trustee
    # Append the permission to the descriptor's DACL (existing entries are kept)
    $securityDescriptor.DACL += $newDacl.psobject.immediateBaseObject
    # Set the descriptor back on the namespace
    $Result = Invoke-WmiMethod -Namespace $namespace `
        -Path "__systemsecurity=@" -ComputerName $computerName -Name SetSecurityDescriptor `
        -ArgumentList $securityDescriptor.psobject.immediateBaseObject
    # SetSecurityDescriptor returns 0 on success
    if ($Result.ReturnValue -ne 0) {
        Write-Warning "SetSecurityDescriptor failed with return value $($Result.ReturnValue)"
    }
} else {
    Write-Warning "Can't find AD account specified"
}

For Windows Server 2016 Hyper-V Servers you will need to change the group "WinRMRemoteWMIUsers__" to "Remote Management Users" in the above script.

For more information on the permissions code, please see the post below. I have used only the specific lines required for enabling the specific permissions I require; the following post has a more generic script for WMI permissions:

http://vniklas.djungeln.se/2012/08/22/set-up-non-admin-account-to-access-wmi-and-performance-data-remotely-with-powershell/
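
To review what has been granted on root/InterOp after running the script, the following added example (not part of the original post) reads the namespace DACL back and decodes each entry's access mask. The function names, the CONTOSO trustees and the sample entries are constructed for illustration; the script above appends an entry on every run without checking for an existing one, so the example also lists repeated entries.

```powershell
# Added example: read-only audit of a WMI namespace DACL (not the post's code).
# Access-right bits for WMI namespaces (WBEM constants).
$WmiRights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}

function ConvertFrom-WmiAce {   # hypothetical helper name
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)]$Ace)
    process {
        $mask   = [long]$Ace.AccessMask
        $rights = $WmiRights.Keys | Where-Object { $mask -band $WmiRights[$_] }
        $who    = $Ace.Trustee.SidString   # fall back to the SID if no name resolved
        if ($Ace.Trustee.Name) { $who = "$($Ace.Trustee.Domain)\$($Ace.Trustee.Name)" }
        [pscustomobject]@{
            Trustee = $who
            Mask    = '0x{0:X}' -f $mask
            Rights  = $rights -join ', '
            # True when an Allow ACE (type 0) carries the Remote Enable bit
            RemoteAllowed = ($Ace.AceType -eq 0) -and [bool]($mask -band 0x20)
        }
    }
}

function Get-WmiNamespaceAce {  # hypothetical helper name; same WMI call as the script above
    param([string]$ComputerName = '.', [string]$Namespace = 'root/InterOp')
    $sd = (Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' `
        -ComputerName $ComputerName -Name GetSecurityDescriptor).Descriptor
    $sd.DACL | ConvertFrom-WmiAce
}

# Constructed sample ACEs (not real output): the 33 grant present twice,
# plus a broader grant that includes Edit Security.
function New-SampleAce($name, $mask) {
    [pscustomobject]@{ AccessMask = $mask; AceType = 0
        Trustee = [pscustomobject]@{ Domain = 'CONTOSO'; Name = $name; SidString = $null } }
}
$sample = (New-SampleAce 'HvOperators' 33), (New-SampleAce 'HvOperators' 33), (New-SampleAce 'Helpdesk' 0x60033)
$rows = $sample | ConvertFrom-WmiAce
$rows | Format-Table -AutoSize
# Entries that appear more than once for the same trustee and mask
$rows | Group-Object Trustee, Mask | Where-Object Count -gt 1 | Format-Table Count, Name
# Live use: Get-WmiNamespaceAce -ComputerName 'SERVERNAME' | Where-Object RemoteAllowed
```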


3 comments:

  1. Can this script be modified to support workgroup Hyper-V server?
  2. Excellent!!! Thank you very much.
  3. I'm going to try
