Basically, we are migrating file servers to CIFS shares on our filer. There is a group of file server admins in an AD group. This AD group is a member of the local Administrators group on the file server, which is given so they can manage all the files on the server.
My question is, when I move the files over to a CIFS share on a filer, in order to maintain the ability for the group to manage the files, I need to make them members of the local Administrators group on the filer itself. But I don't want them to have the ability to manage the filer itself... either through CLI, FilerView, System Manager, etc.
Is it possible to do this? If not, I would have to use xcacls or some similar utility to modify the ACL on all files/folders to give that group admin access, but I would rather not have to do that.
"My question is, when I move the files over to a CIFS share on a filer, in order to maintain the ability for the group to manage the files, I need to make them members of the local Administrators group on the filer itself"
I'd suggest to you that the storage admins should not have to do CIFS permissioning. In most big environments I have been to it's not seen as secure nor scalable to have the storage admins doing CIFS permissioning.
The way I have seen this done in the past is that the storage guys create a CIFS share wide open, then it's grabbed by the Windows team that will set permissions and deal with any issues. After all, the Windows guys will have access to AD admin accounts and thus will be in a good position to fix any issues. They will also have the knowledge about how permissions should be fixed to fit current security requirements etc.
My two pennies' worth, which would avoid having to deal with your current issue.
User capabilities are defined by roles. By default group Administrators is given the "admin" role that has the following privileges:
Info: Members can fully administer the filer
Allowed Capabilities: login-*,cli-*,api-*,security-*
So you could create another role and assign it to group Administrators instead of default role “admin”; if you will not include login-* in this group, users in this group will not be able to log into filer using any available protocol. Actually, it is quite possible that for your purpose you can remove all capabilities from this group, because it sounds like you only need it as placeholder for file ACLs.
Please check TR-3358 for more in-depth description of role based access control.
This is not tested. One thing I miss – how RBAC plays together with Windows management API.
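The role swap this answer describes, written out as an added example (not the poster's, and equally untested): it assumes a 7-Mode filer with the `useradmin` command syntax from the 7-Mode System Administration Guide, and the role name, comment and the illustrative `cli-cifs*` capability are placeholders chosen here.

```console
# 1. Record what the Administrators group currently carries (default "admin" role).
filer> useradmin group list Administrators
filer> useradmin role list admin

# 2. Create a role with no login-* capability. Without login-* its members cannot
#    reach the filer over any management protocol (console, telnet/SSH, RSH,
#    HTTP/FilerView, the ONTAP API), so the remaining capabilities are inert.
#    cli-cifs* is only an illustrative placeholder (assumption); drop it if the
#    role exists purely as a holder for file ACL membership.
filer> useradmin role add cifs-file-admins -c "File ACL admins, no filer management" -a cli-cifs*

# 3. Point the Administrators group at the new role instead of "admin".
filer> useradmin group modify Administrators -r cifs-file-admins

# 4. Verify: the group now lists only the new role, and that role shows no login-*.
filer> useradmin group list Administrators
filer> useradmin role list cifs-file-admins

# Caveat: before step 3, make sure some other account or group (e.g. a dedicated
# storage-admin domain group) still holds the "admin" role, otherwise removing
# login-* from Administrators can lock everyone out of filer management.
```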