#AD Account with full access to all CIFS shares


lyric leaf
#

How to provide my AD account full access to all the shares within a vserver

errant halo
#

you would have to have permissions on each share to allow full control to that specific account
Such as domain admins
But you can't grant it directly across all of them, it has to be done per share

#

would be easy to do via powershell/etc

lyric leaf
#

Can I at least grant read permission to all the shares? My goal is to check if there are any files in those shares. Is there any other way to accomplish the same thing?

errant halo
#

when the share is created it is usually created with a basic set of permissions.
You can do a list of permissions via the CLI for all the shares at once

#

something like cifs share show -vserver VSERVER -fields share-properties

#

I think, been a while, but you can do it via CLI

#

-fields acl, not share-properties

#

cifs share show -fields acl
vserver share-name acl
nas02   c$         "BUILTIN\Administrators / Full Control"
nas02   Products   "Everyone / Full Control"

errant halo
#

does that push across all shares though, or is that something that would have to be accessed by \\server\c$

alpine edge
#

basically, one just adds oneself to the BUILTIN\Administrators account, then you can see whatever you want and do whatever you want with all of the advantages and disadvantages that entails

#

cifs users-and-groups local-group add-members -vserver <my_vserver> -group-name BUILTIN\Administrators DOMAIN\user_or_group
cifs users-and-groups privilege add-privilege -vserver <my_vserver> -user-or-group-name BUILTIN\Administrators -privilege Se* (or something more specific as mentioned previously)

pliant bramble
#

If all else fails, you can do this all from CLI. It might be a PIA if you have a lot of shares, but...

cifs share show <share_name> -fiel volume
vol show <vol_name> -fiel node
set d
run <node_name> ls /vol/<vol_name>
set adm

noble totem
#

adding yourself to administrators doesn't work if someone puts administrators on a deny ACL. "ls" in nodeshell doesn't help if you have thousands of subdirs. SeTcbPrivilege is basically the only way to get unrestricted access to everything

#

in older ONTAP versions it was called "cifs superuser" and the commands to configure it were different