Active IQ Unified Manager Discussions

Using WFA to determine and set cluster CIFS share NTFS permissions via remote script

negusa
2,501 Views

Hi all,

 

Slowly getting to grips with WFA, so please forgive me if I'm missing something fundamental but I've spent some considerable time trying to get a WFA command to remotely set NTFS permissions on a cluster hosted share.  The latest version of my code (also hosted on the windows wfa server)  is here:

 

$Cluster = "clust1"
Connect-WfaCluster -node $Cluster -vserver "vsm1"

$secpasswd = convertto-securestring "password" -asplaintext -force
$mycreds = new-object system.management.automation.pscredential ("domain\user", $secpasswd)

$s = new-pssession -computername wfa1 -credential $mycreds
enter-pssession $s
invoke-command -session $s -scriptblock {c:\erunas\mod2.ps1}

remove-pssession $s

 

within the mod2.ps1 i am simply trying to perform a couple of tests and initially retrieve the current permissions using get-acl:

 

set-executionpolicy -executionpolicy bypass -scope currentuser

whoami > c:\erunas\who.txt
test-connection -computername wfa1 > c:\erunas\wfa1.txt
$a = get-acl "\\vsm1\AMDEV_App"
$a > c:\erunas\amdev.txt

 

"whoami" returns the parsed account from the new-pssession, and is an account with full rights to the share

"test-connection" confirms communication from wfa (web gui) to effectively itself (i.e. where the script is)

Although receive Access Denied when attempting to capture and save get-acl results

 

If I run the get-acl command independant of wfa, using the same account, in a "standard" powershell session it works fine. 

 

My thinking was that I need to use an alternate account otherwise "NT Authority \ System" account is used and is insufficient.

 

Any feedback very much appreciated.

1 REPLY 1

coreywanless
2,462 Views

Yes, my guess is that you are running the WFA services as your local account. Change that to be a domain account that has the privileges to that share. WFA runs all of its scripts via that user.  The services are 'Netapp WFA Server' and 'Netapp WFA Database' honestly, you may be able to get away with only change the 'Netapp WFA Server'. 

 

And welcome to the community!

Public