Solved: How Add new administrator account

Ahmed-Khudhair · ‎2020-05-26

Hi All,

I appreciate your help and advice on the below question.

we have two domains before for example domain A and B, we cut the two way trust for A & B and NetApp currently on domain A so after cut the two way trust Administrator account was show on all folders and subfolders disappeared and they created for us new account to manger folders/subfolders but this account cant access the folders with disabled inherits. we added the account in NetApp OnCommand System Manager under administrator but not take effect.

is there any command to apply the account on all folder/subfolders even if disabled inherit.

thank you very much in advance.

Best Regards
AK

GidonMarcus · ‎2020-05-27

Hi,

the NTFS permissions are the ones taking place, hence the default and best practice is to have the local administrators group set on all folder - and not a domain based group. There's a few ways to workaround this.

1) use the backup operator functionality to take files out with tools that know tu utilize it (such robocopy).

2) user-mapping, from your existing user to pretend to be another.

3) take ownership on the files, and add the required security group (painful, there's some scripts that can help - but they far from perfect).

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

Ahmed-Khudhair · ‎2020-05-29

Dear Gidon,

TQVM for your reply. how to make the local administrator reflect all folders & subfolders ? because I tried to add a user in NetApp OnCommand System Manager and it's not reflected for all folders & subfolders. for example, if i add username "ahmed" in NetApp OnCommand System Manager when i go to my computer and check the share folder security permission not found "ahmed" in my folders & subfolders.

GidonMarcus · ‎2020-06-01

Hi,

The added permission in system manager is for the share level, the file system permission (NTFS) is separate, and need to be changed from a windows client. There's some messy ways to change it via a GPO or scripts and let the filer propagate it down - but I'd not recommend going to that route.

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

tahmad · ‎2020-06-01

Hello Ahmed,

Please follow this kb for instructions:

How to modify permissions on files and folders in clustered Data ONTAP when there is no permission to take ownership

Note: This process is not the recommended method for NTFS ACL management. It is recommended to use the Windows 'Security' tab whenever possible. This process should be used when NTFS ACL management is not available via Windows.

Mjizzini · ‎2020-06-01

System Manager can only control the share security. The NTFS permissions are controlled from the client side.

That being said, If you like to modify the NTFS permissions from the filer command line, you can use the "vserver security file-directory apply" command.

you will have to create a policy first.

vserver security file-directory commands

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-930/TOC__vserver__security__file-directory.html

Regarding the inheritance workaround, you may be able to use the apply to subfolder option when creating the file-directory ntfs dacl add

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-930/vserver__security__file-directory__ntfs__dacl__add.html

View solution in original post