Although not all Group Policy Objects (GPOs) are applicable to your CIFS-enabled storage virtual machines (SVMs), SVMs can recognize and process the relevant set of GPOs.
Object access: Central Access Policy staging
Specifies the type of events to be audited for central access policy (CAP) staging, including the following settings:
Set by using the Audit Central Access Policy Staging setting in the Advanced Audit Policy Configuration/Audit Policies/Object Access GPO.
Set by using the Registry GPO.
Set by using the Registry GPO.
The Hash Publication for BranchCache GPO corresponds to the BranchCache operating mode. The following three operating modes are supported:
Set by using the Registry GPO.
The following three hash version settings are supported:
Set by using the Registry GPO.
Specifies the type of logon events to be audited, including the following settings:
Set by using the Audit logon events setting in the Local Policies/Audit Policy GPO.
Specifies the type of object access to be audited, including the following settings:
Set by using the Audit object access setting in the Local Policies/Audit Policy GPO.
Specifies the audit log retention method, including the following settings:
Set by using the Retention method for security log setting in the Event Log GPO.
Specifies the maximum size of the audit log.
Set by using the Maximum security log size setting in the Event Log GPO.
Specifies a list of files or directories on which file security is applied through a GPO.
Set by using the File System GPO.
Specifies the maximum tolerance, in minutes, for computer clock synchronization.
Set by using the Maximum tolerance for computer clock synchronization setting in the Account Policies/Kerberos Policy GPO.
Specifies the maximum lifetime, in hours, for a user ticket.
Set by using the Maximum lifetime for user ticket setting in the Account Policies/Kerberos Policy GPO.
Specifies the maximum lifetime, in days, for user ticket renewal.
Set by using the Maximum lifetime for user ticket renewal setting in the Account Policies/Kerberos Policy GPO.
Specifies the list of users and groups that have the right to take ownership of any securable object.
Set by using the Take ownership of files or other objects setting in the Local Policies/User Rights Assignment GPO.
Specifies the list of users and groups that can specify auditing options for object access of individual resources, such as files, folders, and Active Directory objects.
Set by using the Manage auditing and security log setting in the Local Policies/User Rights Assignment GPO.
Specifies the list of users and groups that can traverse directory trees even though the users and groups might not have permissions on the traversed directory.
The same privilege is required for users to receive notifications of changes to files and directories.
Set by using the Bypass traverse checking setting in the Local Policies/User Rights Assignment GPO.
Specifies whether required SMB signing is enabled or disabled.
Set by using the Microsoft network server: Digitally sign communications (always) setting in the Security Options GPO.
Specifies the restrictions for anonymous users and includes the following three GPO settings:
This security setting determines what additional permissions are granted for anonymous connections to the computer. This option is displayed as no-enumeration in ONTAP if it is enabled.
Set by using the Network access: Do not allow anonymous enumeration of SAM accounts setting in the Local Policies/Security Options GPO.
This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. This option is displayed as no-enumeration in ONTAP if it is enabled.
Set by using the Network access: Do not allow anonymous enumeration of SAM accounts and shares setting in the Local Policies/Security Options GPO.
This security setting restricts anonymous access to shares and pipes. This option is displayed as no-access in ONTAP if it is enabled.
Set by using the Network access: Restrict anonymous access to Named Pipes and Shares setting in the Local Policies/Security Options GPO.
When you display information about defined and applied group policies, the Resultant restriction for anonymous user output field reports the combined effect of the three restrict-anonymous GPO settings. The possible resultant restrictions are as follows:
The anonymous user is denied access to the specified shares and named pipes, and cannot use enumeration of SAM accounts and shares. This resultant restriction is seen if the Network access: Restrict anonymous access to Named Pipes and Shares GPO is enabled.
The anonymous user has access to the specified shares and named pipes, but cannot use enumeration of SAM accounts and shares. This resultant restriction is seen if both of the following conditions are met:
The anonymous user has full access and can use enumeration. This resultant restriction is seen if both of the following conditions are met:
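The precedence among the three restrict-anonymous settings can be checked with a small resolver. This is an added example, not code from the ONTAP documentation: the combination rule (the most restrictive enabled setting wins) is an assumption inferred from the descriptions above, and the label `no-restriction` for the unrestricted case is likewise assumed, since it does not appear on this page.

```python
from enum import IntEnum
from itertools import product

class Restriction(IntEnum):
    # Ordered from least to most restrictive so max() selects the winner.
    NO_RESTRICTION = 0   # label assumed; not named on this page
    NO_ENUMERATION = 1
    NO_ACCESS = 2

SAM_ONLY = "Network access: Do not allow anonymous enumeration of SAM accounts"
SAM_AND_SHARES = ("Network access: Do not allow anonymous enumeration of "
                  "SAM accounts and shares")
PIPES_AND_SHARES = ("Network access: Restrict anonymous access to "
                    "Named Pipes and Shares")

# What each setting contributes when enabled, per the descriptions above.
GPO_EFFECT = {
    SAM_ONLY: Restriction.NO_ENUMERATION,
    SAM_AND_SHARES: Restriction.NO_ENUMERATION,
    PIPES_AND_SHARES: Restriction.NO_ACCESS,
}

def resultant_restriction(settings):
    """Resolve {setting name: True/False}; a missing key means 'not defined'."""
    unknown = set(settings) - set(GPO_EFFECT)
    if unknown:
        raise ValueError(f"not a restrict-anonymous setting: {sorted(unknown)}")
    level = Restriction.NO_RESTRICTION
    for name, effect in GPO_EFFECT.items():
        if settings.get(name) is True:
            level = max(level, effect)   # assumed rule: strictest setting wins
    return level

def label(level):
    """Render the level in the hyphenated form used in the text above."""
    return level.name.lower().replace("_", "-")

def truth_table():
    """All eight on/off combinations with their resultant restriction."""
    rows = []
    for combo in product((False, True), repeat=len(GPO_EFFECT)):
        settings = dict(zip(GPO_EFFECT, combo))
        rows.append((combo, label(resultant_restriction(settings))))
    return rows

if __name__ == "__main__":
    for combo, result in truth_table():
        print(combo, "->", result)
```

Only one of the eight combinations leaves the anonymous user unrestricted, which makes that combination the one to look for when reviewing applied policies.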
You can configure restricted groups to centrally manage membership of either built-in or user-defined groups. When you apply a restricted group through a group policy, the membership of a CIFS server local group is automatically set to match the membership-list settings defined in the applied group policy.
Set by using the Restricted Groups GPO.
Specifies a list of central access policies. Central access policies and the associated central access policy rules determine access permissions for multiple files on the SVM.