Tech ONTAP Blogs

Google Cloud NetApp Volumes: Support for built-in default local group management

okrause
NetApp
442 Views

What are built-in default local groups?

Groups are a fundamental concept of user management. They allow you to group users and to apply certain permissions to these groups. In addition to global or domain local groups that a Windows system might inherit from an Active Directory, every Windows system also has local groups that apply only on that specific system.

 

Every Windows system comes with a small number of predefined, built-in default local groups. Besides generic groups like Users or Guests, some groups provide additional privileges to their members. Of special interest for this article are Backup Operators and Administrators.

 

Members of the Administrators group have complete and unrestricted access to the computer.

 

How are Backup Operators and Administrators relevant for NetApp Volumes?

When accessing data on NetApp Volumes using the SMB protocol (more specifically an NTFS security style volume), the service enforces SMB and NTFS security semantics.

 

Every file and folder is protected by an NTFS access control list (ACL). Accessing users are identified by their Windows security identifier (SID). Every access with an SID is checked against the ACL and either granted or denied.

 

To allow management of this data by administrative users, Windows utilizes default groups to bypass such permission checks:

 

Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. They are required by file-based backup software or for data migration. Make the Windows user account running such processes a member of this group. By default, this group has no members.

 

Administrators allow full administrative access to the data within the volume. When joining a Active Directory domain, NetApp Volumes automatically adds the Domain Admin group to the local Administrators group.

 

Please note that membership in these groups only grant access to the volume content within the constraints of the NTFS permission concept. It doesn’t grant any permissions to manage the resources of the service, like storage pools, volumes, snapshots or active directory policies. Management of the service resources is done through Cloud Console, gcloud or APIs and subject to IAM permissions. Think about a volume like an envelope. NetApp Volume administrators manage the envelope, Windows administrators manage the content of the envelope.

 

How to manage Backup Operators and Administrators groups

As with Windows systems, you can connect to NetApp Volumes using Computer Management. Just right-click Computer Management (Local), select Another Computer, and enter the NetBIOS name of your volume.

okrause_0-1725270064830.png

 

okrause_1-1720785889737.png

 

After connecting, you can view the local groups of that volume.

okrause_1-1725270071532.png

okrause_2-1720785910856.png

 

The Administrators group comes pre-populated with the default administrators.

okrause_2-1725270129350.png

okrause_3-1720785934709.png

 

Computer Management can only be used to view group membership or to look up Shared Folders. You cannot do any administrative actions.

 

To add or remove users from Backup Operators or Administrators, you use NetApp Volumes Active Directory policy.

 

How does it work? Every volume is part of a storage pool. Any storage pool that provides SMB volumes has an Active Directory policy attached. In that policy you can manage which users are part of Backup Operators or Administrators.

 

Here’s an example volume.

 

okrause_4-1720785961943.png

 

Update September 2024: The NetApp Volumes UI now allows to edit the Administrators group in Cloud Console:

 

Screenshot 2024-09-02 at 11.43.15.png

 

Currently, the UI only supports updating the Backup Operators group. Until UI support is added for managing the Administrators group, you can use gcloud or Terraform to manage membership.

 

You can also use gcloud or Terraform to manage membership

 

 

# Set membership
$ gcloud netapp active-directories update montreal-ad \
--location northamerica-northeast1 \
--dns=<dns> \
--domain=<domain> \
--net-bios-prefix=<net-bios-prefix> \
--password="******************" \
--username=<username> \
--administrators=bob1 \
--backup-operators=bob2

# View membership
$ gcloud netapp active-directories describe montreal-ad --location northamerica-northeast1 --format="table(name,administrators,backupOperators)"

 

 

You need to specify valid SAM account user or group names. You can specify multiple names separated by commas. The account names are validated when you save. Unfortunately, the gcloud update command requires you to specify the dns, domain, net-bios-prefix, username and password parameters, since they are required parameters. The best approach is to reuse the existing settings. For the password field, you can specify 18 "*" characters, which tells the service to retain the existing password.

 

For the Administrators group, the default entries (Domain Admins and Local Administrator) are not shown and cannot be modified or removed. They are always active.

 

The same applies for Terraform.

 

Learn more about using groups with Google Cloud NetApp Volumes

To learn more about using Active Directory by using the Google Cloud console or Google Cloud CLI, read Create an Active Directory policy.

 

If you have a question about anything covered in this blog, please leave a comment and I’ll be happy to respond.

Public