Network and Storage Protocols
Network and Storage Protocols
I'm trying to determine if it is possible to assign the "Take Ownership user right" on an appliance that is a member of a Windows domain without using a GPO. Any ideas?
Yes, it is possible – check fsecurity command on NetApp.
Thank you. That helps, but is not exactly what I was looking for. Is that actually how NetApp implements user rights polices? It makes sense that fsecurity is used when applying GPOs to set file and folder permissions, but not user rights.
I'm looking specifically for how to set the system wide user right "Take ownership of files or other objects". I have confirmed that it is supported, and does function, just want to be able to use it without actually applying a GPO to systems.
There seems to be some confusion. In Windows, “user rights” applies to securable object. It specifies, who can do what with this object. It is object (i.e., file) property.
There are also privileges. These are attributes of user accounts. There is indeed “take ownership” privilege which allows “to take ownership of an object without being granted discretionary access.” Privileges are attributes of user account and – buy inheritance – running processes on server; which follows, they do not exist and have no meaning on NetApp.
So you may set file/directory access rights to take ownership on NetApp, but there is no way to change attributes of user account from within NetApp.
Or please explain in more details what you are trying to do. Showing your GPO may be helpful.
Specifically, what I am trying to do is allow a user to take ownership of a file or directory, without having to grant them Administrator/root access on the filer. It does appear to work as desired if I create a GPO, and assign the non-admin user the "Take ownership of files or other objects", that user can then connect via CIFS and take ownership of files or folders without being granted specific access to the folder (even if they cannot even read the current permissions assigned to the file/folder).
The part that is eluding me...is what change is made in OnTap when this policy is assigned.
There are no changes made on OnTap. This policy grants "Take ownership of files or other objects" privilege to user account. Requested privilege is granted when user logs in and is associated with (inherited by) all processes started within user login session. There are no changes made on file system.
So basically you have two ways. Either explicitly grant rights to take ownership to file system objects; or allow user to ignore file system access rights and take ownership anyway. Fsecurity does the former; GPO does the latter.
aborzenkov wrote:
There are no changes made on OnTap. This policy grants "Take ownership of files or other objects" privilege to user account. Requested privilege is granted when user logs in and is associated with (inherited by) all processes started within user login session. There are no changes made on file system.
So basically you have two ways. Either explicitly grant rights to take ownership to file system objects; or allow user to ignore file system access rights and take ownership anyway. Fsecurity does the former; GPO does the latter.
I agree with the last paragraph. But re. the first paragraph, changes are certainly made at least somewhere on the filer--maybe they're only cached somewhere. How can group policy settings be pushed/pulled to the filer via the cifs gpupdate OnTap command and yet the filer not change? If the GPO settings resided solely in AD, what would be the point of cifs gpupdate? You might as well skip straight to cifs gpresult.
I had a simlar question. On Windows servers, I use gpedit.msc to make the same changes as group policy, but confining those changes to the local server. If anyone figures out the filer's analog to Window's gpedit.msc, please share. But at this point, I'm guessing no such analogous tool exists.