AFF

Granular permissions used by the Windows account used to join CIFS to the domain

NetAppPhiler
1,623 Views

Hello,

 

Does anyone know the granular permissions used by the Windows account used to join CIFS to the domain during the initial filer setup? We are being tasked with removing "Domain Admins" membership from the account we used. I was directed to an article that indicated this should not effect filer operations. But, we'd like to know the permissions required by the Windows account used during CIFS getting joined to the domain. Thanks in advance.

2 REPLIES 2

AlexDawson
1,579 Views

Hi there!

 

Any user who is authorized to create machine accounts in the AD domain to which you are joining the SMB server can create the SMB server on the SVM. This can include users from other domains.

 

Beginning with ONTAP 9.7, your AD administrator can provide you with a URI to a keytab file as an alternative to providing you with a name and password to a privileged Windows account. When you receive the URI, include it in the -keytab-uri parameter with the vserver cifs commands.

 
 
From memory, "create machine account" is a permission that can be set in ADUC.
 
Hope this helps!

mbeattie
1,566 Views

Hi,

 

Here are the AD permissions required to delegate on the Organizational Unit for your computer Objects to enable the SVM to successfully join the domain.

 

https://support.microsoft.com/en-au/help/932455/error-message-when-non-administrator-users-who-have-been-delegated-con

  • Create Computer Objects
  • Reset Password
  • Read and write Account Restrictions
  • Validated write to DNS host name
  • Validated write to service principal name

Hope that helps

 

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
Public