Bob, thanks for the explanation. Not sure I want them in a group where they have rights to "fully administer the file"?
However, our helpdesk guys were able to create CIFS shares on the same vservers which were on 7-mode: once migrated to cDOT they can no longer do this and their rights haven't changed. They are still able to create CIFS shares for vservers still on 7-mode.
Matt, thanks I used that KB to create the cifs superuser for the vserver: cifs superuser create -vserver testvserver -domain LIVE -accountname testuser. The article states that testuser which is now a superuser should now be able to create CIFS shares. I will explore WFA nest - but would like their published fix to work.
"Can users other than Domain Administrators access an MMC to a Cluster-Mode node?
Yes. To set this up, the user should be added to the vserver as a cifs superuser. This is available in advanced mode."
Example: ::> set advanced ::*> cifs superuser create -vserver vs0 -domain DOMAIN -accountname user
*> cifs superuser show -vserver testvserver Vserver CIFS Server Domain Account Name -------------- --------------- --------------- ------------ testvserver testv LIVE testuser
However, the above doesn't solve the problem of the helpdesk not having access to create CIFS shares. Any ideas?
I think you misunderstand the reply above. The "BUILTIN\ADMINISTRATORS" group is the equivalent of the "Local Admins" group on a Windows server. It is not a domain-wide setting, it is a setting on an SVM that you want to let them create shares on.
An SVM hosting CIFS shares can be considered to be a Windows server in most operational respects. This is one of them. It has a local set of groups and users that can be defined. Just as on a typical Windows server there must be a group/user with appropriate permissions on the server to be able to create new shares. That same type of permission is needed on the SVM.
So a question to explore would be how would the help desk create a share through MMC on any other Windows server in your environment and what permissions/security group are they members of (explicitly or implicitly) on those servers? That's the level of access that will be needed on the SVM as well.