Granular permissions used by the Windows account used to join CIFS to the domain
2022-09-28
02:19 PM
Hello,
Does anyone know the granular permissions used by the Windows account used to join CIFS to the domain during the initial filer setup? We are being tasked with removing "Domain Admins" membership from the account we used. I was directed to an article that indicated this should not affect filer operations. But we'd like to know the permissions required by the Windows account used during CIFS getting joined to the domain. Thanks in advance.
2 REPLIES
Hi there!
Any user who is authorized to create machine accounts in the AD domain to which you are joining the SMB server can create the SMB server on the SVM. This can include users from other domains.
Beginning with ONTAP 9.7, your AD administrator can provide you with a URI to a keytab file as an alternative to providing you with a name and password to a privileged Windows account. When you receive the URI, include it in the -keytab-uri parameter with the vserver cifs commands.
We have more information at https://docs.netapp.com/us-en/ontap/smb-config/create-server-active-directory-domain-task.html
From memory, "create machine account" is a permission that can be set in ADUC.
Hope this helps!
Hi,
Here are the AD permissions required to delegate on the Organizational Unit for your computer Objects to enable the SVM to successfully join the domain.
- Create Computer Objects
- Reset Password
- Read and write Account Restrictions
- Validated write to DNS host name
- Validated write to service principal name
Hope that helps
/Matt
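The delegation described in the reply above, as an added PowerShell example (not from the original post, and not NetApp's own tooling): it grants the five listed rights to a dedicated join account on the OU that holds the SVM computer objects with the built-in dsacls tool, then confirms the account is not a Domain Admins member. The OU distinguished name (OU=Filers,DC=corp,DC=example,DC=com) and the account name (CORP\svc-ontap-join) are assumptions; substitute your own.

```powershell
# Added example, not from the original post. Assumed OU path and join account
# name; replace both with your own values. Run from a session that is allowed
# to modify the OU's security descriptor.

$ou      = 'OU=Filers,DC=corp,DC=example,DC=com'   # assumed OU holding SVM computer objects
$account = 'CORP\svc-ontap-join'                    # assumed dedicated join account

# Create Computer Objects: a child-creation right on the OU itself.
# /I:T = this object and all sub-objects; CC = create child; "computer" = child class.
dsacls $ou /I:T /G "${account}:CC;computer"

# The remaining rights live on the computer objects under the OU, so apply them
# with /I:S (sub-objects only), scoped to the computer object class.
# CA = control access (extended right), RP/WP = read/write property (property set),
# WS = validated write.
dsacls $ou /I:S /G "${account}:CA;Reset Password;computer"
dsacls $ou /I:S /G "${account}:RPWP;Account Restrictions;computer"
dsacls $ou /I:S /G "${account}:WS;Validated write to DNS host name;computer"
dsacls $ou /I:S /G "${account}:WS;Validated write to service principal name;computer"

# Verify: show only the ACEs on the OU that mention the join account.
dsacls $ou | Select-String -SimpleMatch $account

# Check that the join account is not (or is no longer) a Domain Admins member,
# including via nested groups.
Import-Module ActiveDirectory
$sam  = $account.Split('\')[-1]
$isDA = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.SamAccountName -eq $sam }
if ($isDA) { Write-Warning "$sam is still a member of Domain Admins" }
else       { Write-Output  "$sam is not a member of Domain Admins" }
```

One caveat worth checking: rights granted with /I:S reach an existing SVM computer object (one created earlier by a Domain Admin) only if that object still inherits permissions from the OU; if inheritance was blocked on it, grant the same four object-level rights directly on that computer object.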