Fix Hyper-V ‘Account does not have permission’ error

Today, I woke up to a nasty error in the FoxDeploy Hyper-V lab.  All of my VMs were stopped, and wouldn’t start!  When I tried to start one, I’d see this error:


An error occurred while attempting to start the selected virtual machines: General Access Denied Error…

VMName: Account does not have permission to open attachment <PathToVHD>

In my case, this happened because I have a Raid of SSDs for maximum IOPs for my VMs (can’t stand something being slow!) and I lost a drive.  Somehow in rebuilding the volume, permissions were lost for some items on the drive, in addition to corrupting my Recycle Bin.


Can’t start any pre-existing VMs but are able to make a new one.


Something is wrong with permissions (namely, the VM doesn’t have Full Control rights to it’s VHD anymore. In this image below, you can see a new and working VM on the left, and a broken VM on the right.  Note the missing VMid entry.



You could fix this by hand by getting the VMId of the VM and adding it with Full Control permissions manually.  I didn’t like this approach because some of my VMs have more than one VHD (like my SCOM VM, six VHDs!), and I’ve got 8 VMs anyway.  Way too much work!

All we need to do is get a list of our VMs, then iterate through each disk and apply the right Full Control perms.  This depends on the NTFS Security Module being installed.  If you’re running PowerShell v4 or higher, it will attempt to install the module for you.  If not, download and install it first.


#Import the NTFSSecurity Module, if not available, prompt to download it
If ((Get-Module).Name -notcontains 'NTFSSecurity'){
    Write-Warning "This script depends on the NTFSSecurity Module, by MSFT"
        if ($PSVersionTable.PSVersion.Major -ge 4){
            Write-Output "This script can attempt to download this module for you..."
            $DownloadMod = Read-host "Continue (y/n)?"

            if ($DownloadMod.ToUpper() -like "Y*"){
                find-module NTFSSecurity | Install-Module
                #User responded No, end
                Write-Warning "Please download the NTFSSecurity module and continue"

        else {
            #Not running PowerShell v4 or higher
            Write-Warning "Please download the NTFSSecurity module and continue"
    #Import the module, as it exists
    Import-Module NTFSSecurity


$VMs = Get-VM
ForEach ($VM in $VMs){
    $disks = Get-VMHardDiskDrive -VMName $VM.Name
    Write-Output "This VM $($VM.Name), contains $($disks.Count) disks, checking permissions..."

        ForEach ($disk in $disks){
            $permissions = Get-NTFSAccess -Path $disk.Path
            If ($permissions.Account -notcontains "NT Virtual Mach*"){
                Write-host "This VHD has improper permissions, fixing..." -NoNewline
                 try {
                      Add-NTFSAccess -Path $disk.Path -Account "NT VIRTUAL MACHINE\$($VM.VMId)" -AccessRights FullControl -ErrorAction STOP
                       Write-Host -ForegroundColor red "[ERROR]"
                       Write-Warning "Try rerunning as Administrator, or validate your user ID has FullControl on the above path"

                Write-Host -ForegroundColor Green "[OK]"



And here it is in action.


After working, I’m now able to launch my VMs again!


Note: if you’ve got a lot of differencing or template disks in your environment, you’ll also need to resolve the parentpath for each disk, if it exists.  I’d recommend using this fine code by Sam Boutrous, Get-ParentPath.

One thought on “Fix Hyper-V ‘Account does not have permission’ error

  1. Daniel Scott-Raynsford April 6, 2016 / 7:37 pm

    I ran into this problem on one VM on a while back. I though this sounded like a job for a script and made a reminder to write one, but never got round to it. Looks like I can cross that task off! Good stuff! 🙂


Have a code issue? Share your code by going to and pasting your code there, then post the link here!

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.