Network and Storage Protocols

Take Ownership user right - can it be set without using GPO

loudymanschwab
6,101 Views

I'm trying to determine if it is possible to assign the "Take Ownership user right" on an appliance that is a member of a Windows domain without using a GPO.  Any ideas?

6 REPLIES 6

aborzenkov
6,101 Views

Yes, it is possible – check fsecurity command on NetApp.

loudymanschwab
6,101 Views

Thank you.  That helps, but is not exactly what I was looking for.  Is that actually how NetApp implements user rights polices?  It makes sense that fsecurity is used when applying GPOs to set file and folder permissions, but not user rights.

I'm looking specifically for how to set the system wide user right "Take ownership of files or other objects".  I have confirmed that it is supported, and does function, just want to be able to use it without actually applying a GPO to systems.

aborzenkov
6,101 Views

There seems to be some confusion. In Windows, “user rights” applies to securable object. It specifies, who can do what with this object. It is object (i.e., file) property.

There are also privileges. These are attributes of user accounts. There is indeed “take ownership” privilege which allows “to take ownership of an object without being granted discretionary access.” Privileges are attributes of user account and – buy inheritance – running processes on server; which follows, they do not exist and have no meaning on NetApp.

So you may set file/directory access rights to take ownership on NetApp, but there is no way to change attributes of user account from within NetApp.

Or please explain in more details what you are trying to do. Showing your GPO may be helpful.

loudymanschwab
6,101 Views

Specifically, what I am trying to do is allow a user to take ownership of a file or directory, without having to grant them Administrator/root access on the filer.  It does appear to work as desired if I create a GPO, and assign the non-admin user the "Take ownership of files or other objects", that user can then connect via CIFS and take ownership of files or folders without being granted specific access to the folder (even if they cannot even read the current permissions assigned to the file/folder).

The part that is eluding me...is what change is made in OnTap when this policy is assigned.

aborzenkov
6,101 Views

There are no changes made on OnTap. This policy grants "Take ownership of files or other objects" privilege to user account. Requested privilege is granted when user logs in and is associated with (inherited by) all processes started within user login session. There are no changes made on file system.

So basically you have two ways. Either explicitly grant rights to take ownership to file system objects; or allow user to ignore file system access rights and take ownership anyway. Fsecurity does the former; GPO does the latter.

DSAUDER
6,101 Views

aborzenkov wrote:

There are no changes made on OnTap. This policy grants "Take ownership of files or other objects" privilege to user account. Requested privilege is granted when user logs in and is associated with (inherited by) all processes started within user login session. There are no changes made on file system.

So basically you have two ways. Either explicitly grant rights to take ownership to file system objects; or allow user to ignore file system access rights and take ownership anyway. Fsecurity does the former; GPO does the latter.

I agree with the last paragraph. But re. the first paragraph, changes are certainly made at least somewhere on the filer--maybe they're only cached somewhere. How can group policy settings be pushed/pulled to the filer via the cifs gpupdate OnTap command and yet the filer not change? If the GPO settings resided solely in AD, what would be the point of cifs gpupdate? You might as well skip straight to cifs gpresult.

I had a simlar question. On Windows servers, I use gpedit.msc to make the same changes as group policy, but confining those changes to the local server. If anyone figures out the filer's analog to Window's gpedit.msc, please share. But at this point, I'm guessing no such analogous tool exists.

Public