Using WFA to determine and set cluster CIFS share NTFS permissions via remote script


Hi all,


Slowly getting to grips with WFA, so please forgive me if I'm missing something fundamental, but I've spent some considerable time trying to get a WFA command to remotely set NTFS permissions on a cluster-hosted share. The latest version of my code (also hosted on the Windows WFA server) is here:


$Cluster = "clust1"
Connect-WfaCluster -node $Cluster -vserver "vsm1"

$secpasswd = convertto-securestring "password" -asplaintext -force
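# New-Object needs the type name to build the credential object
$mycreds = new-object System.Management.Automation.PSCredential ("domain\user", $secpasswd)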

$s = new-pssession -computername wfa1 -credential $mycreds
enter-pssession $s
invoke-command -session $s -scriptblock {c:\erunas\mod2.ps1}

remove-pssession $s


Within mod2.ps1 I am simply trying to perform a couple of tests and initially retrieve the current permissions using get-acl:


set-executionpolicy -executionpolicy bypass -scope currentuser

whoami > c:\erunas\who.txt
test-connection -computername wfa1 > c:\erunas\wfa1.txt
$a = get-acl "\\vsm1\AMDEV_App"
$a > c:\erunas\amdev.txt


"whoami" returns the parsed account from the new-pssession, and is an account with full rights to the share.

"test-connection" confirms communication from WFA (web GUI) to effectively itself (i.e. where the script is).

However, I receive Access Denied when attempting to capture and save the get-acl results.


If I run the get-acl command independent of WFA, using the same account, in a "standard" PowerShell session it works fine.


My thinking was that I need to use an alternate account otherwise "NT Authority \ System" account is used and is insufficient.


Any feedback very much appreciated.



Yes, my guess is that you are running the WFA services as your local account. Change that to be a domain account that has the privileges to that share. WFA runs all of its scripts via that user. The services are 'Netapp WFA Server' and 'Netapp WFA Database'. Honestly, you may be able to get away with only changing the 'Netapp WFA Server'.


And welcome to the community!
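
Added example (not part of either post, and not NetApp's code): one way to see which account the two services named in the reply run as, and to move them to a domain account entered at a prompt instead of a password stored in the script. It assumes the service display names are exactly as written in the reply and that it runs in an elevated PowerShell session on the WFA server.

```powershell
# Display names as given in the reply above (assumed to match the installed services).
$displayNames = 'Netapp WFA Server', 'Netapp WFA Database'

# Win32_Service.StartName holds the logon account of each service.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $displayNames -contains $_.DisplayName }

if (-not $services) {
    throw "No WFA services found on $env:COMPUTERNAME"
}

$services | Format-Table Name, DisplayName, StartName, State -AutoSize

# Services still running under a built-in account are the candidates
# for the change the reply recommends.
$builtin  = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
$toChange = $services | Where-Object { $builtin -contains $_.StartName }

if ($toChange) {
    # Prompt for the domain account; nothing is written to disk or to the script.
    $cred = Get-Credential -Message 'Domain account with rights on the share'

    foreach ($svc in $toChange) {
        $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
            StartName     = $cred.UserName
            StartPassword = $cred.GetNetworkCredential().Password
        }

        if ($result.ReturnValue -ne 0) {
            Write-Warning "$($svc.Name): Change returned $($result.ReturnValue)"
        }
        else {
            # The new logon account only takes effect after a restart.
            Restart-Service -Name $svc.Name -Force
        }
    }
}
```

The account must already hold the "Log on as a service" right on the WFA server; changing the logon account this way does not grant it.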
