2010-12-08 08:48 AM
We're starting to branch out and require service accounts to have access to our filer - namely... adding symantec virus scanning. This requires an account that has Backup Operator privileges or above on the NetApp Filer. Since we're planning on using the symantec server for multiple filers, I'd want to use a domain account to run the symantec service.
How can I add a domain account to be a backup operator, or local administrator on the filer. Also how are those settings originally implemented? For example, if I just bought a brand new filer, how would I go about adding domain admins, or individual accounts to the administrator group on the filer? Are there command line ontap options that I could use, or is it just forcing a connection to the filer using filername\administrator or filername\root for the initial connection via computer management?
I ask this because in our infrastructure, one of the filers I actually don't have access to (very old... set up a long time ago) and domain admins don't seem to have access, so I'd like to figure out how to fix that. Also there seems to be inconsistency with how our other filers are set up... for example my domain admin account can access our 3020's but only the shared folders/event viewer. If I try to access local users and groups I get a RPC server is unavailable. This however seems to work on the 2050 but I can't see shared folders/event logs (haven't tried editing the administrator group yet) but I assume I can't because a test server (similar access/errors as 2050) does not let me write to the admin group.
I'd really like to get all of the filers in the same security config so everyone in our group can have the proper access to manage the filers with their own individual accounts rather than using generic ones... and also to be able to give domain\virusscan at least backup operator access.
Where should I start? I can't find anything that really tells me how to set this up properly
2010-12-08 09:12 AM
well, I found how to add members to the local admin group I think that's what I needed.
You can specify nonlocal administrative users to have administrative access to the storage system after authentication by a Windows Domain Controller, rather than by the storage system itself.
By default, the domain administrator account has full access to the system. To access this account, log in as domain\administrator, using the appropriate password.
win_user_name is the Windows domain user whose name or Security ID (SID) you want to assign to a customized or predefined group. This value can be in one of the following formats:
For more information about these formats, see the na_cifs_lookup(1) man page.
custom_group is a customized group with roles assigned through the useradmin group command.
Administrators | "Backup Operators" | Guests | "Power Users" | Users are groups predefined by Data ONTAP with default roles and capabilities.
The following command adds the user userjoe in the MyDomain domain to the Power Users group and effectively grants MyDomain\userjoe all administrator capabilities that are granted to the Power Users group through the roles that have been assigned to it.useradmin domainuser add MyDomain\userjoe -g "Power Users"
The SID of the user in question is among those listed in the output of this command.