Manage local ONTAP SMB groups

Contributors netapp-aherbin

You can change a local group by updating its description or renaming it. You can also view all local groups on the cluster or on a specific storage virtual machine (SVM), and see who belongs to each group. This information can help you troubleshoot file access and user rights issues on the SVM.

If you want to…, use the command…

  • Display all local groups on the cluster:

    vserver cifs users-and-groups local-group show

  • Display all local groups on the SVM:

    vserver cifs users-and-groups local-group show -vserver <SVM_name>

  • Display members of all local groups on the cluster:

    vserver cifs users-and-groups local-group show-members

  • Display members of all local groups on the SVM:

    vserver cifs users-and-groups local-group show-members -vserver <SVM_name>

  • Modify the local group description:

    vserver cifs users-and-groups local-group modify -vserver <SVM_name> -group-name <group_name> -description <text>

    If the description contains a space, then it must be enclosed within double quotation marks.

  • Rename the local group:

    vserver cifs users-and-groups local-group rename -vserver <SVM_name> -group-name <group_name> -new-group-name <new_group_name>

Command Examples

The following example renames the local group “CIFS_SERVER\engineering” to “CIFS_SERVER\engineering_new”:

cluster1::> vserver cifs users-and-groups local-group rename -vserver vs1 -group-name CIFS_SERVER\engineering -new-group-name CIFS_SERVER\engineering_new

The following example modifies the description of the local group “CIFS_SERVER\engineering”:

cluster1::> vserver cifs users-and-groups local-group modify -vserver vs1 -group-name CIFS_SERVER\engineering -description "New Description"

Example

The following example displays information about all local groups on SVM vs1:

cluster1::> vserver cifs users-and-groups local-group show -vserver vs1
Vserver  Group Name                  Description
-------- --------------------------- ----------------------------
vs1      BUILTIN\Administrators      Built-in Administrators group
vs1      BUILTIN\Backup Operators    Backup Operators group
vs1      BUILTIN\Power Users         Restricted administrative privileges
vs1      BUILTIN\Users               All users
vs1      CIFS_SERVER\engineering
vs1      CIFS_SERVER\sales

Example

The following example displays information about members of all local groups on SVM vs1:

cluster1::> vserver cifs users-and-groups local-group show-members -vserver vs1
Vserver   Group Name                   Members
--------- ---------------------------- ------------------------
vs1       BUILTIN\Administrators       CIFS_SERVER\Administrator
                                       AD_DOMAIN\Domain Admins
                                       AD_DOMAIN\dom_grp1
          BUILTIN\Users                AD_DOMAIN\Domain Users
                                       AD_DOMAIN\dom_usr1
          CIFS_SERVER\engineering      CIFS_SERVER\james
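
In the member listing above, continuation rows leave the Vserver and Group Name columns blank, and names such as AD_DOMAIN\Domain Admins contain spaces, so the output cannot be split on whitespace. The following Python is an added example, not NetApp code: it parses that layout by column offset and reports members of reviewed groups that are missing from an approved baseline. The BASELINE contents and the function names are assumptions.

```python
import re

# Constructed sample: the show-members output from the example above.
SAMPLE = r"""Vserver   Group Name                   Members
--------- ---------------------------- ------------------------
vs1       BUILTIN\Administrators       CIFS_SERVER\Administrator
                                       AD_DOMAIN\Domain Admins
                                       AD_DOMAIN\dom_grp1
          BUILTIN\Users                AD_DOMAIN\Domain Users
                                       AD_DOMAIN\dom_usr1
          CIFS_SERVER\engineering      CIFS_SERVER\james
"""

# Hypothetical baseline: who is approved to be in each reviewed group.
BASELINE = {
    r"BUILTIN\Administrators": {r"CIFS_SERVER\Administrator", r"AD_DOMAIN\Domain Admins"},
}

def parse_show_members(text):
    """Return {(vserver, group): [members]} from show-members output."""
    lines = text.splitlines()
    # Names contain spaces, so cut columns at the dashed ruler's offsets.
    ruler = next(i for i, l in enumerate(lines) if re.fullmatch(r"-+( +-+)+\s*", l))
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]
    result, vserver, group = {}, None, None
    for line in lines[ruler + 1:]:
        if not line.strip():
            continue
        cells = [line[a:b].strip() for a, b in zip(starts, starts[1:] + [None])]
        vserver = cells[0] or vserver  # blank cell: value carries down
        group = cells[1] or group
        members = result.setdefault((vserver, group), [])
        if cells[2]:
            members.append(cells[2])
    return result

def unexpected_members(groups, baseline):
    """List (vserver, group, member) for members absent from the baseline."""
    findings = []
    for (vserver, group), members in groups.items():
        if group not in baseline:
            continue  # group is not under review
        approved = {name.lower() for name in baseline[group]}
        findings += [(vserver, group, m) for m in members if m.lower() not in approved]
    return findings

if __name__ == "__main__":
    for finding in unexpected_members(parse_show_members(SAMPLE), BASELINE):
        print("not in baseline:", *finding)
```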

Delete local ONTAP SMB groups

You can delete a local group from the storage virtual machine (SVM) if it is no longer needed for determining access rights to data associated with that SVM or if it is no longer needed for assigning SVM user rights (privileges) to group members.

About this task

Keep the following in mind when deleting local groups:

  • The file system is not altered.

    Windows Security Descriptors on files and directories that refer to this group are not adjusted.

  • If the group does not exist, an error is returned.

  • The special Everyone group cannot be deleted.

  • Built-in groups such as BUILTIN\Administrators and BUILTIN\Users cannot be deleted.

Steps
  1. Determine the name of the local group that you want to delete by displaying the list of local groups on the SVM:

    vserver cifs users-and-groups local-group show -vserver <SVM_name>
  2. Delete the local group:

    vserver cifs users-and-groups local-group delete -vserver <SVM_name> -group-name <group_name>
  3. Verify that the group is deleted:

    vserver cifs users-and-groups local-group show -vserver <SVM_name>

Command Example

The following example deletes the local group “CIFS_SERVER\sales” associated with SVM vs1:

cluster1::> vserver cifs users-and-groups local-group show -vserver vs1
Vserver   Group Name                   Description
--------- ---------------------------- ----------------------------
vs1       BUILTIN\Administrators       Built-in Administrators group
vs1       BUILTIN\Backup Operators     Backup Operators group
vs1       BUILTIN\Power Users          Restricted administrative privileges
vs1       BUILTIN\Users                All users
vs1       CIFS_SERVER\engineering
vs1       CIFS_SERVER\sales

cluster1::> vserver cifs users-and-groups local-group delete -vserver vs1 -group-name CIFS_SERVER\sales

cluster1::> vserver cifs users-and-groups local-group show -vserver vs1
Vserver   Group Name                   Description
--------- ---------------------------- ----------------------------
vs1       BUILTIN\Administrators       Built-in Administrators group
vs1       BUILTIN\Backup Operators     Backup Operators group
vs1       BUILTIN\Power Users          Restricted administrative privileges
vs1       BUILTIN\Users                All users
vs1       CIFS_SERVER\engineering

Add a member to a local ONTAP SMB group

You can manage local group membership by adding local users, domain users, or domain groups. This is useful if you want to control access to data based on access controls placed on the group or if you want users to have privileges associated with that group.

About this task
  • You cannot add users to the special Everyone group.

  • The local group must exist before you can add a user to it.

  • The user must exist before you can add the user to a local group.

  • You cannot add a local group to another local group.

  • To add a domain user or group to a local group, Data ONTAP must be able to resolve the name to a SID.

Step
  1. Add a member to a group:

    vserver cifs users-and-groups local-group add-members -vserver <vserver_name> -group-name <group_name> -member-names name[,...]

You can specify a comma-delimited list of local users, domain users, or domain groups to add to the specified local group.

Command Example

The following example adds a local user “SMB_SERVER\sue” and a domain group “AD_DOMAIN\dom_eng” to the local group “SMB_SERVER\engineering” on SVM vs1:

cluster1::> vserver cifs users-and-groups local-group add-members -vserver vs1 -group-name SMB_SERVER\engineering -member-names SMB_SERVER\sue,AD_DOMAIN\dom_eng

Remove a member from a local ONTAP SMB group

You can manage local group membership by removing local users, domain users, or domain groups. This is useful if you want to control access to data based on access controls placed on the group or if you want users to have privileges associated with that group.

About this task
  • You cannot remove members from the special Everyone group.

  • The group from which you want to remove a member must exist.

  • ONTAP must be able to resolve the names of members that you want to remove from the group to a corresponding SID.

Step
  1. Remove a member from a group:

    vserver cifs users-and-groups local-group remove-members -vserver <vserver_name> -group-name <group_name> -member-names name[,...]

You can specify a comma-delimited list of local users, domain users, or domain groups to remove from the specified local group.

Command Example

The following example removes the local users “SMB_SERVER\sue” and “SMB_SERVER\james” from the local group “SMB_SERVER\engineering” on SVM vs1:

cluster1::> vserver cifs users-and-groups local-group remove-members -vserver vs1 -group-name SMB_SERVER\engineering -member-names SMB_SERVER\sue,SMB_SERVER\james

Update ONTAP SMB domain user and group names in local databases

You can add domain users and groups to a CIFS server's local groups. These domain objects are registered in local databases on the cluster. If a domain object is renamed, the local databases must be manually updated.

About this task

You must specify the name of the storage virtual machine (SVM) on which you want to update domain names.

Steps
  1. Set the privilege level to advanced:

    set -privilege advanced
  2. Update the names of domain users and groups associated with the storage virtual machine:

    vserver cifs users-and-groups update-names -vserver <SVM_name>
  3. Display domain users and groups that successfully updated and that failed to update:

    vserver cifs users-and-groups update-names -vserver <SVM_name> -display-failed-only false|true
  4. If you want to suppress all status information about updates, use the following command:

    vserver cifs users-and-groups update-names -vserver <SVM_name> -suppress-all-output true
  5. Return to the admin privilege level:

    set -privilege admin

Command Example

The following example updates the names of domain users and groups associated with storage virtual machine (SVM, formerly known as Vserver) vs1. For the last update, there is a dependent chain of names that needs to be updated:

cluster1::> set -privilege advanced
Warning: These advanced commands are potentially dangerous; use them
only when directed to do so by technical support personnel.
Do you wish to continue? (y or n): y

cluster1::*> vserver cifs users-and-groups update-names -vserver vs1

   Vserver:           vs1
   SID:               S-1-5-21-123456789-234565432-987654321-12345
   Domain:            EXAMPLE1
   Out-of-date Name:  dom_user1
   Updated Name:      dom_user2
   Status:            Successfully updated

   Vserver:           vs1
   SID:               S-1-5-21-123456789-234565432-987654322-23456
   Domain:            EXAMPLE2
   Out-of-date Name:  dom_user1
   Updated Name:      dom_user2
   Status:            Successfully updated

   Vserver:           vs1
   SID:               S-1-5-21-123456789-234565432-987654321-123456
   Domain:            EXAMPLE1
   Out-of-date Name:  dom_user3
   Updated Name:      dom_user4
   Status:            Successfully updated; also updated SID "S-1-5-21-123456789-234565432-987654321-123457"
                      to name "dom_user5"; also updated SID "S-1-5-21-123456789-234565432-987654321-123458"
                      to name "dom_user6"; also updated SID "S-1-5-21-123456789-234565432-987654321-123459"
                      to name "dom_user7"; also updated SID "S-1-5-21-123456789-234565432-987654321-123460"
                      to name "dom_user8"

The command completed successfully. 7 Active Directory objects have been updated.

cluster1::*> set -privilege admin
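
For change records, the update-names output above can be reduced to SID-to-name pairs and reconciled against the count in its closing summary line. The following Python is an added example, not NetApp code; the sample is constructed by abridging the output above, and the function names are assumptions.

```python
import re

# Constructed sample, abridged from the update-names output shown above.
SAMPLE = """\
   Vserver:           vs1
   SID:               S-1-5-21-123456789-234565432-987654321-12345
   Domain:            EXAMPLE1
   Out-of-date Name:  dom_user1
   Updated Name:      dom_user2
   Status:            Successfully updated

   Vserver:           vs1
   SID:               S-1-5-21-123456789-234565432-987654321-123456
   Domain:            EXAMPLE1
   Out-of-date Name:  dom_user3
   Updated Name:      dom_user4
   Status:            Successfully updated; also updated SID "S-1-5-21-123456789-234565432-987654321-123457"
                      to name "dom_user5"

The command completed successfully. 3 Active Directory objects have been updated.
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*):\s+(.*)$")
CHAINED = re.compile(r'also updated SID "([^"]+)"\s+to name "([^"]+)"')

def parse_update_names(text):
    records, last_key = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and (records or m.group(1) == "Vserver"):
            last_key = m.group(1)
            if last_key == "Vserver":
                records.append({})  # a Vserver field opens each record
            records[-1][last_key] = m.group(2).strip()
        elif line.startswith(" ") and line.strip() and last_key == "Status":
            records[-1]["Status"] += " " + line.strip()  # wrapped Status text
    return records

def sid_renames(records):
    """Flatten to (SID, new name) pairs, including dependent-chain updates."""
    pairs = []
    for rec in records:
        pairs.append((rec["SID"], rec["Updated Name"]))
        pairs += CHAINED.findall(rec["Status"])
    return pairs

def reported_total(text):
    m = re.search(r"(\d+) Active Directory objects have been updated", text)
    return int(m.group(1)) if m else None
```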
Related information

Learn more about vserver cifs in the ONTAP command reference.