https://community.netapp.com/t5/ONTAP-Discussions/Quick-start-to-setting-up-Multi-admin-verify-MAV-on-labondemand-netapp-com/m-p/467864#M45418 <P>Hi everyone!</P><P>&nbsp;</P><P>NetApp's Multi-admin-verify (MAV) is a great tool for enforcing dual control on potentially dangerous commands&nbsp; (or any command - it's up to you as an admin to decide!), so having a sandbox to play with in labondemand.netapp.com was something I've long thought would be handy.</P><P>&nbsp;</P><P>However, it's one thing to play in a sandbox, and another thing to make it in the first place, and know what steps to follow to set it up in your production environment. We don't have a pre-defined lab for MAV that I could find, so I wrote the attached powershell script to build one from scratch.</P><P>&nbsp;</P><DIV>The script does the following:</DIV><DIV>&nbsp;</DIV><UL><LI><DIV>Creates AD OUs and groups for StorageAdmins and StorageOperators</DIV></LI><LI><DIV>Provisions 9 accounts into each of them (storageadmX and storageopX), password: Netapp1!</DIV></LI><LI><DIV>Creates an SVM on ONTAP cluster 1 (192.168.0.101)</DIV></LI><LI><DIV>Domain joins SVM to demo.netapp.com</DIV></LI><LI><DIV>Sets up domain tunnel through that SVM</DIV></LI><LI><DIV>Sets up StorageAdmin and StorageOperator roles based on the admin role</DIV></LI><LI><DIV>Assigns groups to roles</DIV></LI><LI><DIV>Sets up MAV with StorageOperator requiring MAV approval, StorageAdmin not requiring approval</DIV></LI><LI><DIV>Restricts vol delete and snap delete commands under MAV for StorageOperator</DIV></LI></UL><DIV>I’ve tested it with 9.16.1 and 9.19.1 labs and it’s done what I expected with regards to setup - I haven’t done deep testing of MAV with it, the aim is to setup an environment where MAV can be tested.&nbsp;</DIV><DIV>&nbsp;</DIV><DIV>To use it:</DIV><UL><LI><DIV>Create a lab against <SPAN><A title="https://labondemand.netapp.com/node/1078" href="https://labondemand.netapp.com/node/1078" target="_blank" rel="noopener">https://labondemand.netapp.com/node/1078</A></SPAN>&nbsp;(9.16.1X) or <SPAN><A title="https://labondemand.netapp.com/node/1561" href="https://labondemand.netapp.com/node/1561" target="_blank" rel="noopener">https://labondemand.netapp.com/node/1561</A></SPAN>&nbsp;(9.19.1X),</DIV></LI><LI><DIV>Drag the script into the lab window once the login is finished,</DIV></LI><LI><DIV>Find it in the “Cloud storage” under “My Computer”,</DIV></LI><LI><DIV>Copy it to the Desktop</DIV></LI><LI><DIV>Open PowerShell, and run the command</DIV></LI></UL><P>I hope people find this helpful!&nbsp;</P><P>&nbsp;</P><P>Please note values are hardcoded for the demo environment on labondemand.netapp.com, but you are welcome to use it as a basis for your own environments too. This script is provided only as community supported - please do not call NetApp support for help with it.</P> Wed, 24 Jun 2026 03:17:51 GMT AlexDawson 2026-06-24T03:17:51Z https://community.netapp.com/t5/ONTAP-Discussions/Quick-start-to-setting-up-Multi-admin-verify-MAV-on-labondemand-netapp-com/m-p/467864#M45418 <P>Hi everyone!</P><P>&nbsp;</P><P>NetApp's Multi-admin-verify (MAV) is a great tool for enforcing dual control on potentially dangerous commands&nbsp; (or any command - it's up to you as an admin to decide!), so having a sandbox to play with in labondemand.netapp.com was something I've long thought would be handy.</P><P>&nbsp;</P><P>However, it's one thing to play in a sandbox, and another thing to make it in the first place, and know what steps to follow to set it up in your production environment. We don't have a pre-defined lab for MAV that I could find, so I wrote the attached powershell script to build one from scratch.</P><P>&nbsp;</P><DIV>The script does the following:</DIV><DIV>&nbsp;</DIV><UL><LI><DIV>Creates AD OUs and groups for StorageAdmins and StorageOperators</DIV></LI><LI><DIV>Provisions 9 accounts into each of them (storageadmX and storageopX), password: Netapp1!</DIV></LI><LI><DIV>Creates an SVM on ONTAP cluster 1 (192.168.0.101)</DIV></LI><LI><DIV>Domain joins SVM to demo.netapp.com</DIV></LI><LI><DIV>Sets up domain tunnel through that SVM</DIV></LI><LI><DIV>Sets up StorageAdmin and StorageOperator roles based on the admin role</DIV></LI><LI><DIV>Assigns groups to roles</DIV></LI><LI><DIV>Sets up MAV with StorageOperator requiring MAV approval, StorageAdmin not requiring approval</DIV></LI><LI><DIV>Restricts vol delete and snap delete commands under MAV for StorageOperator</DIV></LI></UL><DIV>I’ve tested it with 9.16.1 and 9.19.1 labs and it’s done what I expected with regards to setup - I haven’t done deep testing of MAV with it, the aim is to setup an environment where MAV can be tested.&nbsp;</DIV><DIV>&nbsp;</DIV><DIV>To use it:</DIV><UL><LI><DIV>Create a lab against <SPAN><A title="https://labondemand.netapp.com/node/1078" href="https://labondemand.netapp.com/node/1078" target="_blank" rel="noopener">https://labondemand.netapp.com/node/1078</A></SPAN>&nbsp;(9.16.1X) or <SPAN><A title="https://labondemand.netapp.com/node/1561" href="https://labondemand.netapp.com/node/1561" target="_blank" rel="noopener">https://labondemand.netapp.com/node/1561</A></SPAN>&nbsp;(9.19.1X),</DIV></LI><LI><DIV>Drag the script into the lab window once the login is finished,</DIV></LI><LI><DIV>Find it in the “Cloud storage” under “My Computer”,</DIV></LI><LI><DIV>Copy it to the Desktop</DIV></LI><LI><DIV>Open PowerShell, and run the command</DIV></LI></UL><P>I hope people find this helpful!&nbsp;</P><P>&nbsp;</P><P>Please note values are hardcoded for the demo environment on labondemand.netapp.com, but you are welcome to use it as a basis for your own environments too. This script is provided only as community supported - please do not call NetApp support for help with it.</P> Wed, 24 Jun 2026 03:17:51 GMT https://community.netapp.com/t5/ONTAP-Discussions/Quick-start-to-setting-up-Multi-admin-verify-MAV-on-labondemand-netapp-com/m-p/467864#M45418 AlexDawson 2026-06-24T03:17:51Z https://community.netapp.com/t5/ONTAP-Discussions/Quick-start-to-setting-up-Multi-admin-verify-MAV-on-labondemand-netapp-com/m-p/467875#M45424 <DIV class=""><DIV class="">"Previously, we saw that the domain info had to match the creation details exactly, including case sensitivity. Has this been resolved?</DIV><DIV class="">e.g.</DIV><DIV class="">domain01\user01<BR />or<BR />Domain01\user01 (Uppercase&nbsp; D)</DIV><DIV class="">It did not work in 9.16.1x, and I have not tested it in 9.17.1 yet."</DIV></DIV> Wed, 24 Jun 2026 07:55:55 GMT https://community.netapp.com/t5/ONTAP-Discussions/Quick-start-to-setting-up-Multi-admin-verify-MAV-on-labondemand-netapp-com/m-p/467875#M45424 a_lehn 2026-06-24T07:55:55Z https://community.netapp.com/t5/ONTAP-Discussions/Quick-start-to-setting-up-Multi-admin-verify-MAV-on-labondemand-netapp-com/m-p/467877#M45425 <P>Unfortunately I believe I hit that issue when developing this with 9.19 as well, so I don't think that is fixed</P> Wed, 24 Jun 2026 08:07:59 GMT https://community.netapp.com/t5/ONTAP-Discussions/Quick-start-to-setting-up-Multi-admin-verify-MAV-on-labondemand-netapp-com/m-p/467877#M45425 AlexDawson 2026-06-24T08:07:59Z