We have quite a few Clusters and 7-Mode boxes in our environment. In an effort to reduce work during future changes, we decided to add our NAS Admin domain group (we'll call it Domain\NASAdmins) and our Off Shore Support group (call it Domain\OffShore) to the BUILTIN\Administrators group of our Clusters. Then, when adding security to the top-level volumes we just add \\SVMName\Administrators to the volume with Full Control. That way, everyone in Domain\NASAdmins and Domain\OffShore should have full control over the volumes and the qtrees, and if we ever add/change a support group, we don't have to re-push the new group to all 100K+ shares. But it doesn't work. If we add the domain groups directly to the volume or share, they work as expected. I have tested this on multiple clusters and 7-Mode pairs, all with the same results. I have checked the domain groups and have tried Group Scope types of Universal and Global.
edit: I have also tried adding admin Domain accounts directly to the BUILTIN\Administrators with the same outcome.
All CIFS access and authentication is working for all shares properly and have been for a long time. This is just a new change we are trying to make.
Removing Everyone/Full Control from the share level is required by our corporate security. We have argued this for a long time, but they will not allow this to be changed because IF by chance a share is created and set to Everyone, then that allows a hole so that even non-authenticated users can access it.
This share creation is done through WFA, so no real time lost. I would love to do it differently, but right now we have 70+ clusters and 30+ 7-Mode HA pairs.
The part that "isn't working" is that the Active Directory groups being added to the BUILTIN\Administrators group are not getting FULL control to the NTFS shares when SVMNAME\Administrators is added to the NTFS permissions as having FULL control.
You DEFINITELY want to see the map to root (if you have local admins mapped to root):

UNIX UID: root <> Windows User: DOMAIN\user (Windows Domain User)
GID: daemon
Supplementary GIDs: daemon
Primary Group SID: DOMAIN\Domain Users (Windows Domain group)
Windows Membership:
DOMAIN\Domain Users (Windows Domain group)
DOMAIN\ClusterAdmins (Windows Domain group)
DOMAIN\Domain Admins (Windows Domain group)
DOMAIN\ESX Admins (Windows Domain group)
DOMAIN\Denied RODC Password Replication Group (Windows Alias)
NT AUTHORITY\Claims Valid (Windows Well known group)
Service asserted identity (Windows Well known group)
BUILTIN\Users (Windows Alias)
BUILTIN\Administrators (Windows Alias) <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
User is also a member of Everyone, Authenticated Users, and Network Users
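The credential dump above is the check that settles the original question: if the user's effective token does not list BUILTIN\Administrators, then an ACE for the SVM's Administrators alias can never apply to that user, no matter what group was added to the local group. The script below is an added example (not part of this thread and not NetApp's code) that parses a constructed dump in the same layout, extracts the explicit and implicit Windows group memberships, and reports (a) whether the domain group you added is present, (b) whether BUILTIN\Administrators is present, and (c) which rights a given NTFS ACL would actually grant. The SVMNAME\Administrators name and the ALIASES mapping that equates it with BUILTIN\Administrators are assumptions made for the example; the sample text is constructed, not real cluster output.

```python
import re

# Constructed sample, modelled on the credential dump quoted in the reply above.
# It is NOT real output from any cluster.
SAMPLE_CREDS = """\
UNIX UID: root <> Windows User: DOMAIN\\user (Windows Domain User)

GID: daemon
Supplementary GIDs: daemon

Primary Group SID: DOMAIN\\Domain Users (Windows Domain group)

Windows Membership:
  DOMAIN\\Domain Users (Windows Domain group)
  DOMAIN\\NASAdmins (Windows Domain group)
  BUILTIN\\Users (Windows Alias)
  BUILTIN\\Administrators (Windows Alias)

User is also a member of Everyone, Authenticated Users, and Network Users
"""

# One membership line: "<name> (<kind>)"
MEMBER_RE = re.compile(r"^\s*(?P<name>.+?)\s+\((?P<kind>[^)]+)\)\s*$")
# Trailing line listing the implicit well-known groups
IMPLICIT_RE = re.compile(r"^User is also a member of (?P<groups>.+?)\.?\s*$")
USER_RE = re.compile(r"Windows User:\s*(?P<user>\S+)")

# ASSUMPTION for this example: the SVM-local alias written into the NTFS ACL
# ("SVMNAME\Administrators") is the same group the dump lists as
# "BUILTIN\Administrators". Adjust the map if your environment differs.
ALIASES = {"SVMNAME\\Administrators": "BUILTIN\\Administrators"}


def parse_creds(text):
    """Parse a show-creds style dump into the Windows user name and a dict of
    group name -> kind ("Windows Domain group", "Windows Alias", "Implicit", ...)."""
    user = None
    groups = {}
    in_membership = False
    for line in text.splitlines():
        m = USER_RE.search(line)
        if m:
            user = m.group("user")
        if line.strip() == "Windows Membership:":
            in_membership = True
            continue
        if in_membership:
            m = MEMBER_RE.match(line)
            if m:
                groups[m.group("name")] = m.group("kind")
                continue
            in_membership = False  # blank line or other text ends the block
        m = IMPLICIT_RE.match(line.strip())
        if m:
            for g in re.split(r",\s*(?:and\s+)?|\s+and\s+", m.group("groups")):
                if g.strip():
                    groups[g.strip()] = "Implicit"
    return {"user": user, "groups": groups}


def canonical(name):
    """Normalise a trustee name: resolve known aliases, compare case-insensitively."""
    return ALIASES.get(name, name).lower()


def diagnose(creds, domain_group):
    """Answer the two questions the thread is asking about one user's token."""
    held = {g.lower() for g in creds["groups"]}
    return {
        "domain_group_present": domain_group.lower() in held,
        "builtin_admins_present": "builtin\\administrators" in held,
    }


def effective_rights(acl, creds):
    """Given an NTFS ACL as a list of (trustee, rights) tuples, return the set of
    rights whose trustee the parsed token actually satisfies."""
    held = {canonical(g) for g in creds["groups"]}
    held.add(canonical(creds["user"]))
    return {rights for trustee, rights in acl if canonical(trustee) in held}


if __name__ == "__main__":
    creds = parse_creds(SAMPLE_CREDS)
    print(creds["user"], diagnose(creds, "DOMAIN\\NASAdmins"))
    acl = [("SVMNAME\\Administrators", "Full Control")]
    print("rights granted by the top-level ACL:", effective_rights(acl, creds))
```

Run it against a dump pasted from your own cluster: if domain_group_present is True but builtin_admins_present is False, the local-group membership is not being expanded into the token and the ACE on SVMNAME\Administrators cannot match; if both are True and access is still denied, the problem is elsewhere (for example the share-level ACL, which this script does not evaluate).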
Is there a difference where users are added? For example the discussion here is about BUILTIN\Administrators. However, I have typically seen in root folder NTFS permissions, the "vserver"\Administrators is added with FULL Control. So does the placement of users (either in BUILTIN\Administrators or "vserver"\Administrators) affect the outcome of what can or cannot be done to directories/folders/files?
Aside from the fact that you should logoff/logon after changes.