You don't need to be a domain admin.

You can add them to builtin\administrators.

thanks. However, our AD team will not allow that for the helpdesk team as it will give them elevated rights across the whole Domain. 

I am not an AD guy so cannot argue.

Hi Robst -

I think you misunderstand the reply above.  The "BUILTIN\ADMINISTRATORS" group is the equivalent of the "Local Admins" group on a Windows server.  It is not a domain-wide setting, it is a setting on an SVM that you want to let them create shares on.

An SVM hosting CIFS shares can be considered to be a Windows server in most operational respects.  This is one of them.  It has a local set of groups and users that can be defined.  Just as on a typical Windows server there must be a group/user with appropriate permissions on the server to be able to create new shares.  That same type of permission is needed on the SVM.

So a question to explore would be how would the help desk create a share through MMC on any other Windows server in your environment and what permissions/security group are they members of (explicitly or implicitly) on those servers?  That's the level of access that will be needed on the SVM as well.

Hope this helps.

Bob Greenwald

Senior Systems Engineer | cStor

NCIE SAN ONTAP, Data Protection

Kudos and accepted solutions are always appreciated.

Hi Rob,

I think the command you are looking for is "cifs superuser show" with the -vserver parameter, not "vserver cifs superuser show". EG

cluster1::> set advanced
cluster1::*> cifs superuser create -vserver vserver1 -domain TESTLAB -accountname User1
cluster1::*> cifs superuser show -vserver vserver1
Vserver        CIFS Server     Domain          Account Name
-------------- --------------- --------------- ------------
vserver1       VSERVER1        TESTLAB         User1

See the following NetApp KB article:

https://kb.netapp.com/support/s/article/faq-using-windows-mmc-in-clustered-data-ontap?language=en_US

Alternately you might consider using WFA (OnCommand Workflow Automation) to provision CIFS shares instead of using MMC.

/Matt

Thanks all.

Bob, thanks for the explanation. Not sure I want them in a group where they have rights to "fully administer the file"?

However, our helpdesk guys were able to create CIFS shares on the same vservers which were on 7-mode:
once migrated to cDOT they can no longer do this and their rights haven't changed. They are still able to create CIFS shares for vservers
still on 7-mode.

Matt, thanks I used that KB to create the cifs superuser for the vserver: cifs superuser create -vserver testvserver -domain LIVE -accountname testuser.
The article states that testuser which is now a superuser should now be able to create CIFS shares. I will explore WFA nest - but would like their published fix to work.

"Can users other than Domain Administrators access an MMC to a Cluster-Mode node?

Yes. To set this up, the user should be added to the vserver as a cifs superuser. This is available in advanced mode."

Example: ::> set advanced
::*> cifs superuser create -vserver vs0 -domain DOMAIN -accountname user

*> cifs superuser show -vserver testvserver
Vserver        CIFS Server     Domain          Account Name
-------------- --------------- --------------- ------------
testvserver    testv           LIVE            testuser

However, the above doesn't solve the problem of the helpdesk not having access to create CIFS shares.
Any ideas?