aborzenkov wrote:
There are no changes made on OnTap. This policy grants "Take ownership of files or other objects" privilege to user account. Requested privilege is granted when user logs in and is associated with (inherited by) all processes started within user login session. There are no changes made on file system.
So basically you have two ways. Either explicitly grant rights to take ownership to file system objects; or allow user to ignore file system access rights and take ownership anyway. Fsecurity does the former; GPO does the latter.
I agree with the last paragraph. But re. the first paragraph, changes are certainly made at least somewhere on the filer--maybe they're only cached somewhere. How can group policy settings be pushed/pulled to the filer via the cifs gpupdate OnTap command and yet the filer not change? If the GPO settings resided solely in AD, what would be the point of cifs gpupdate? You might as well skip straight to cifs gpresult.
I had a simlar question. On Windows servers, I use gpedit.msc to make the same changes as group policy, but confining those changes to the local server. If anyone figures out the filer's analog to Window's gpedit.msc, please share. But at this point, I'm guessing no such analogous tool exists.