Skip to main content

Supported GPOs

Contributors netapp-thomi

Although not all Group Policy Objects (GPOs) are applicable to your CIFS-enabled storage virtual machines (SVMs), SVMs can recognize and process the relevant set of GPOs.

The following GPOs are currently supported on SVMs:

  • Advanced audit policy configuration settings:

    Object access: Central Access Policy staging

    Specifies the type of events to be audited for central access policy (CAP) staging, including the following settings:

    • Do not audit

    • Audit only success events

    • Audit only failure events

    • Audit both success and failure events

      Note

      If any of the three audit options are set (audit only success events, audit only failure events, audit both success and failure events), ONTAP audits both success and failure events.

      Set by using the Audit Central Access Policy Staging setting in the Advanced Audit Policy Configuration/Audit Policies/Object Access GPO.

      Note

      To use advanced audit policy configuration GPO settings, auditing must be configured on the CIFS-enabled SVM to which you want to apply these setting. If auditing is not configured on the SVM, the GPO settings will not be applied and will be dropped.

  • Registry settings:

    • Group Policy refresh interval for CIFS-enabled SVM

      Set by using the Registry GPO.

    • Group Policy refresh random offset

      Set by using the Registry GPO.

    • Hash publication for BranchCache

      The Hash Publication for BranchCache GPO corresponds to the BranchCache operating mode. The following three supported operating modes are supported:

      • Per-share

      • All-shares

      • Disabled Set by using the Registry GPO.

    • Hash version support for BranchCache

      The following three hash version settings are supported:

      • BranchCache version 1

      • BranchCache version 2

      • BranchCache versions 1 and 2 Set by using the Registry GPO.

    Note

    To use BranchCache GPO settings, BranchCache must be configured on the CIFS-enabled SVM to which you want to apply these setting. If BranchCache is not configured on the SVM, the GPO settings will not be applied and will be dropped.

  • Security settings

    • Audit policy and event log

      • Audit logon events

        Specifies the type of logon events to be audited, including the following settings:

        • Do not audit

        • Audit only success events

        • Audit on failure events

        • Audit both success and failure events Set by using the Audit logon events setting in the Local Policies/Audit Policy GPO.

        Note

        If any of the three audit options are set (audit only success events, audit only failure events, audit both success and failure events), ONTAP audits both success and failure events.

      • Audit object access

        Specifies the type of object access to be audited, including the following settings:

        • Do not audit

        • Audit only success events

        • Audit on failure events

        • Audit both success and failure events Set by using the Audit object access setting in the Local Policies/Audit Policy GPO.

        Note

        If any of the three audit options are set (audit only success events, audit only failure events, audit both success and failure events), ONTAP audits both success and failure events.

      • Log retention method

        Specifies the audit log retention method, including the following settings:

        • Overwrite the event log when size of the log file exceeds the maximum log size

        • Do not overwrite the event log (clear log manually) Set by using the Retention method for security log setting in the Event Log GPO.

      • Maximum log size

        Specifies the maximum size of the audit log.

        Set by using the Maximum security log size setting in the Event Log GPO.

      Note

      To use audit policy and event log GPO settings, auditing must be configured on the CIFS-enabled SVM to which you want to apply these setting. If auditing is not configured on the SVM, the GPO settings will not be applied and will be dropped.

    • File system security

      Specifies a list of files or directories on which file security is applied through a GPO.

      Set by using the File System GPO.

      Note

      The volume path to which the file system security GPO is configured must exist within the SVM.

    • Kerberos policy

      • Maximum clock skew

        Specifies maximum tolerance in minutes for computer clock synchronization.

        Set by using the Maximum tolerance for computer clock synchronization setting in the Account Policies/Kerberos Policy GPO.

      • Maximum ticket age

        Specifies maximum lifetime in hours for user ticket.

        Set by using the Maximum lifetime for user ticket setting in the Account Policies/Kerberos Policy GPO.

      • Maximum ticket renew age

        Specifies maximum lifetime in days for user ticket renewal.

        Set by using the Maximum lifetime for user ticket renewal setting in the Account Policies/Kerberos Policy GPO.

    • User rights assignment (privilege rights)

      • Take ownership

        Specifies the list of users and groups that have the right to take ownership of any securable object.

        Set by using the Take ownership of files or other objects setting in the Local Policies/User Rights Assignment GPO.

      • Security privilege

        Specifies the list of users and groups that can specify auditing options for object access of individual resources, such as files, folders, and Active Directory objects.

        Set by using the Manage auditing and security log setting in the Local Policies/User Rights Assignment GPO.

      • Change notify privilege (bypass traverse checking)

        Specifies the list of users and groups that can traverse directory trees even though the users and groups might not have permissions on the traversed directory.

        The same privilege is required for users to receive notifications of changes to files and directories. Set by using the Bypass traverse checking setting in the Local Policies/User Rights Assignment GPO.

    • Registry values

      • Signing required setting

        Specifies whether required SMB signing is enabled or disabled.

        Set by using the Microsoft network server: Digitally sign communications (always) setting in the Security Options GPO.

    • Restrict anonymous

      Specifies what the restrictions for anonymous users are and includes the following three GPO settings:

      • No enumeration of Security Account Manager (SAM) accounts:

        This security setting determines what additional permissions are granted for anonymous connections to the computer. This option is displayed as no-enumeration in ONTAP if it is enabled.

        Set by using the Network access: Do not allow anonymous enumeration of SAM accounts setting in the Local Policies/Security Options GPO.

      • No enumeration of SAM accounts and shares

        This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. This option is displayed as no-enumeration in ONTAP if it is enabled.

        Set by using the Network access: Do not allow anonymous enumeration of SAM accounts and shares setting in the Local Policies/Security Options GPO.

      • Restrict anonymous access to shares and named pipes

        This security setting restricts anonymous access to shares and pipes. This option is displayed as no-access in ONTAP if it is enabled.

        Set by using the Network access: Restrict anonymous access to Named Pipes and Shares setting in the Local Policies/Security Options GPO.

    When displaying information about defined and applied group policies, the Resultant restriction for anonymous user output field provides information about the resultant restriction of the three restrict anonymous GPO settings. The possible resultant restrictions are as follows:

    • no-access

      The anonymous user is denied access to the specified shares and named pipes, and cannot use enumeration of SAM accounts and shares. This resultant restriction is seen if the Network access: Restrict anonymous access to Named Pipes and Shares GPO is enabled.

    • no-enumeration

      The anonymous user has access to the specified shares and named pipes, but cannot use enumeration of SAM accounts and shares. This resultant restriction is seen if both of the following conditions are met:

      • The Network access: Restrict anonymous access to Named Pipes and Shares GPO is disabled.

      • Either the Network access: Do not allow anonymous enumeration of SAM accounts or the Network access: Do not allow anonymous enumeration of SAM accounts and shares GPOs is enabled.

    • no-restriction

      The anonymous user has full access and can use enumeration. This resultant restriction is seen if both of the following conditions are met:

      • The Network access: Restrict anonymous access to Named Pipes and Shares GPO is disabled.

      • Both the Network access: Do not allow anonymous enumeration of SAM accounts and Network access: Do not allow anonymous enumeration of SAM accounts and shares GPOs are disabled.

        • Restricted Groups

          You can configure restricted groups to centrally manage membership of either built-in or user-defined groups. When you apply a restricted group through a group policy, the membership of a CIFS server local group is automatically set to match the membership-list settings defined in the applied group policy.

          Set by using the Restricted Groups GPO.

  • Central access policy settings

    Specifies a list of central access policies. Central access policies and the associated central access policy rules determine access permissions for multiple files on the SVM.