ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Start a New Post

How Add new administrator account

Ahmed-Khudhair
‎2020-05-26 07:01 AM
2,979 Views

Hi All,

   I appreciate your help and advice on the below question. 

we have two domains before for example domain A and B, we cut the two way trust for A & B and NetApp currently on domain A so after cut the two way trust Administrator account was show on all folders and subfolders disappeared and they created for us new account to manger folders/subfolders but this account cant access the folders with disabled inherits. we added the account in NetApp OnCommand System Manager  under administrator but not take effect.

is there any command to apply the account on all folder/subfolders even if disabled inherit.

 

thank you very much in advance.

 

Best Regards
AK

Preview file
15 KB
0 Kudos
1 ACCEPTED SOLUTION

Mjizzini
Community Manager
‎2020-06-01 09:14 PM
2,799 Views

System Manager can only control the share security. The NTFS permissions are controlled from the client side.

 

That being said, If you like to modify the NTFS permissions from the filer command line,  you can use the "vserver security file-directory apply" command.

you will have to create a policy first. 

 

vserver security file-directory commands

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-930/TOC__vserver__security__file-directory.html 

 

Regarding the inheritance workaround, you may be able to use the apply to subfolder option  when creating the  file-directory ntfs dacl add

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-930/vserver__security__file-directory__ntfs__dacl__add.html

 

 

 

View solution in original post

0 Kudos
5 REPLIES 5

GidonMarcus
‎2020-05-27 07:48 AM
2,895 Views

Hi,

 

the NTFS permissions are the ones taking place, hence the default and best practice is to have the local administrators group set on all folder - and not a domain based group. There's a few ways to workaround this.

1) use the backup operator functionality to take files out with tools that know tu utilize it (such robocopy).

2) user-mapping, from your existing user to pretend to be another.

3) take ownership on the files, and add the required security group (painful, there's some scripts that can help - but they far from perfect).

 

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
0 Kudos
Tags (1)

Ahmed-Khudhair
‎2020-05-29 11:35 PM
In response to GidonMarcus
2,865 Views

Dear Gidon,

  TQVM for your reply. how to make the local administrator reflect all folders & subfolders ? because I tried to add a user in NetApp OnCommand System Manager and it's not reflected for all folders & subfolders. for example, if i add username "ahmed" in NetApp OnCommand System Manager when i go to my computer and check the share folder security permission not found "ahmed" in my folders & subfolders.

0 Kudos

GidonMarcus
‎2020-06-01 01:23 AM
In response to Ahmed-Khudhair
2,824 Views

Hi,

 

The added permission in system manager is for the share level, the file system permission (NTFS) is separate, and need to be changed from a windows client. There's some messy ways to change it via a GPO or scripts and let the filer propagate it down - but I'd not recommend going to that route.

 

 

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
0 Kudos

tahmad
NetApp
‎2020-06-01 08:41 PM
2,804 Views

Hello Ahmed,

 

Please follow this kb for instructions:

How to modify permissions on files and folders in clustered Data ONTAP when there is no permission to take ownership 

 

Note: This process is not the recommended method for NTFS ACL management. It is recommended to use the Windows 'Security' tab whenever possible. This process should be used when NTFS ACL management is not available via Windows.

0 Kudos

Mjizzini
Community Manager
‎2020-06-01 09:14 PM
2,800 Views

System Manager can only control the share security. The NTFS permissions are controlled from the client side.

 

That being said, If you like to modify the NTFS permissions from the filer command line,  you can use the "vserver security file-directory apply" command.

you will have to create a policy first. 

 

vserver security file-directory commands

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-930/TOC__vserver__security__file-directory.html 

 

Regarding the inheritance workaround, you may be able to use the apply to subfolder option  when creating the  file-directory ntfs dacl add

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-930/vserver__security__file-directory__ntfs__dacl__add.html

 

 

 

0 Kudos
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2022 NetApp Cookies settings
Let us know
Public