https://community.netapp.com/t5/AFF/Granular-permissions-used-by-the-Windows-account-used-to-join-CIFS-to-the-domain/m-p/438736#M1106 <P>Hi there!</P><DIV class=""><P>&nbsp;</P><P>Any user who is authorized to create machine accounts in the AD domain to which you are joining the SMB server can create the SMB server on the SVM. This can include users from other domains.</P></DIV><DIV class=""><P>&nbsp;</P><P>Beginning with ONTAP 9.7, your AD administrator can provide you with a URI to a keytab file as an alternative to providing you with a name and password to a privileged Windows account. When you receive the URI, include it in the<SPAN>&nbsp;</SPAN>-keytab-uri<SPAN>&nbsp;</SPAN>parameter with the<SPAN>&nbsp;</SPAN>vserver cifs<SPAN>&nbsp;</SPAN>commands.</P></DIV><DIV class="">&nbsp;</DIV><DIV class="">We have more information at&nbsp;<A href="https://docs.netapp.com/us-en/ontap/smb-config/create-server-active-directory-domain-task.html" target="_blank" rel="noopener">https://docs.netapp.com/us-en/ontap/smb-config/create-server-active-directory-domain-task.html</A>&nbsp;</DIV><DIV class="">&nbsp;</DIV><DIV class="">From memory, "create machine account" is a permission that can be set in ADUC.</DIV><DIV class="">&nbsp;</DIV><DIV class="">Hope this helps!</DIV> Thu, 29 Sep 2022 03:00:46 GMT AlexDawson 2022-09-29T03:00:46Z https://community.netapp.com/t5/AFF/Granular-permissions-used-by-the-Windows-account-used-to-join-CIFS-to-the-domain/m-p/438719#M1105 <P>Hello,</P><P>&nbsp;</P><P>Does anyone know the granular permissions used by the Windows account used to join CIFS to the domain during the initial filer setup? We are being tasked with removing "Domain Admins" membership from the account we used. I was directed to an article that indicated this should not effect filer operations. But, we'd like to know the permissions required by the Windows account used during CIFS getting joined to the domain. Thanks in advance.</P> Wed, 28 Sep 2022 21:19:45 GMT https://community.netapp.com/t5/AFF/Granular-permissions-used-by-the-Windows-account-used-to-join-CIFS-to-the-domain/m-p/438719#M1105 NetAppPhiler 2022-09-28T21:19:45Z https://community.netapp.com/t5/AFF/Granular-permissions-used-by-the-Windows-account-used-to-join-CIFS-to-the-domain/m-p/438736#M1106 <P>Hi there!</P><DIV class=""><P>&nbsp;</P><P>Any user who is authorized to create machine accounts in the AD domain to which you are joining the SMB server can create the SMB server on the SVM. This can include users from other domains.</P></DIV><DIV class=""><P>&nbsp;</P><P>Beginning with ONTAP 9.7, your AD administrator can provide you with a URI to a keytab file as an alternative to providing you with a name and password to a privileged Windows account. When you receive the URI, include it in the<SPAN>&nbsp;</SPAN>-keytab-uri<SPAN>&nbsp;</SPAN>parameter with the<SPAN>&nbsp;</SPAN>vserver cifs<SPAN>&nbsp;</SPAN>commands.</P></DIV><DIV class="">&nbsp;</DIV><DIV class="">We have more information at&nbsp;<A href="https://docs.netapp.com/us-en/ontap/smb-config/create-server-active-directory-domain-task.html" target="_blank" rel="noopener">https://docs.netapp.com/us-en/ontap/smb-config/create-server-active-directory-domain-task.html</A>&nbsp;</DIV><DIV class="">&nbsp;</DIV><DIV class="">From memory, "create machine account" is a permission that can be set in ADUC.</DIV><DIV class="">&nbsp;</DIV><DIV class="">Hope this helps!</DIV> Thu, 29 Sep 2022 03:00:46 GMT https://community.netapp.com/t5/AFF/Granular-permissions-used-by-the-Windows-account-used-to-join-CIFS-to-the-domain/m-p/438736#M1106 AlexDawson 2022-09-29T03:00:46Z https://community.netapp.com/t5/AFF/Granular-permissions-used-by-the-Windows-account-used-to-join-CIFS-to-the-domain/m-p/438748#M1107 <P>Hi,</P><P>&nbsp;</P><P>Here are the AD permissions required to delegate on the Organizational Unit for your computer Objects to enable the SVM to successfully join the domain.</P><P>&nbsp;</P><P><A href="https://support.microsoft.com/en-au/help/932455/error-message-when-non-administrator-users-who-have-been-delegated-con" target="_blank">https://support.microsoft.com/en-au/help/932455/error-message-when-non-administrator-users-who-have-been-delegated-con</A></P><UL><LI><STRONG>Create Computer Objects</STRONG></LI><LI><STRONG>Reset Password</STRONG></LI><LI><STRONG>Read and write Account Restrictions</STRONG></LI><LI><STRONG>Validated write to DNS host name </STRONG></LI><LI><STRONG>Validated write to service principal name</STRONG></LI></UL><P>Hope that helps</P><P>&nbsp;</P><P>/Matt</P> Thu, 29 Sep 2022 11:22:21 GMT https://community.netapp.com/t5/AFF/Granular-permissions-used-by-the-Windows-account-used-to-join-CIFS-to-the-domain/m-p/438748#M1107 mbeattie 2022-09-29T11:22:21Z