Supported GPOs

12/09/2021 Contributors

Although not all Group Policy Objects (GPOs) are applicable to your CIFS-enabled storage virtual machines (SVMs), SVMs can recognize and process the relevant set of GPOs.

The following GPOs are currently supported on SVMs:

Advanced audit policy configuration settings:

Object access: Central Access Policy staging

Specifies the type of events to be audited for central access policy (CAP) staging, including the following settings:

Do not audit
Audit only success events
Audit only failure events

Audit both success and failure events

If any of the three audit options are set (audit only success events, audit only failure events, audit both success and failure events), ONTAP audits both success and failure events.

Set by using the Audit Central Access Policy Staging setting in the Advanced Audit Policy Configuration/Audit Policies/Object Access GPO.

To use advanced audit policy configuration GPO settings, auditing must be configured on the CIFS-enabled SVM to which you want to apply these setting. If auditing is not configured on the SVM, the GPO settings will not be applied and will be dropped.

Registry settings:

Group Policy refresh interval for CIFS-enabled SVM

Set by using the Registry GPO.
Group Policy refresh random offset

Set by using the Registry GPO.
Hash publication for BranchCache

The Hash Publication for BranchCache GPO corresponds to the BranchCache operating mode. The following three supported operating modes are supported:
- Per-share
- All-shares
- Disabled Set by using the Registry GPO.
Hash version support for BranchCache

The following three hash version settings are supported:
- BranchCache version 1
- BranchCache version 2
- BranchCache versions 1 and 2 Set by using the Registry GPO.

To use BranchCache GPO settings, BranchCache must be configured on the CIFS-enabled SVM to which you want to apply these setting. If BranchCache is not configured on the SVM, the GPO settings will not be applied and will be dropped.

Security settings

Audit policy and event log

Audit logon events

Specifies the type of logon events to be audited, including the following settings:
- Do not audit
- Audit only success events
- Audit on failure events
- Audit both success and failure events Set by using the Audit logon events setting in the Local Policies/Audit Policy GPO.
If any of the three audit options are set (audit only success events, audit only failure events, audit both success and failure events), ONTAP audits both success and failure events.
Audit object access

Specifies the type of object access to be audited, including the following settings:
- Do not audit
- Audit only success events
- Audit on failure events
- Audit both success and failure events Set by using the Audit object access setting in the Local Policies/Audit Policy GPO.
If any of the three audit options are set (audit only success events, audit only failure events, audit both success and failure events), ONTAP audits both success and failure events.
Log retention method

Specifies the audit log retention method, including the following settings:
- Overwrite the event log when size of the log file exceeds the maximum log size
- Do not overwrite the event log (clear log manually) Set by using the Retention method for security log setting in the Event Log GPO.
Maximum log size

Specifies the maximum size of the audit log.

Set by using the Maximum security log size setting in the Event Log GPO.

To use audit policy and event log GPO settings, auditing must be configured on the CIFS-enabled SVM to which you want to apply these setting. If auditing is not configured on the SVM, the GPO settings will not be applied and will be dropped.

File system security

Specifies a list of files or directories on which file security is applied through a GPO.

Set by using the File System GPO.

The volume path to which the file system security GPO is configured must exist within the SVM.
Kerberos policy
- Maximum clock skew
  
  Specifies maximum tolerance in minutes for computer clock synchronization.
  
  Set by using the Maximum tolerance for computer clock synchronization setting in the Account Policies/Kerberos Policy GPO.
- Maximum ticket age
  
  Specifies maximum lifetime in hours for user ticket.
  
  Set by using the Maximum lifetime for user ticket setting in the Account Policies/Kerberos Policy GPO.
- Maximum ticket renew age
  
  Specifies maximum lifetime in days for user ticket renewal.
  
  Set by using the Maximum lifetime for user ticket renewal setting in the Account Policies/Kerberos Policy GPO.
User rights assignment (privilege rights)
- Take ownership
  
  Specifies the list of users and groups that have the right to take ownership of any securable object.
  
  Set by using the Take ownership of files or other objects setting in the Local Policies/User Rights Assignment GPO.
- Security privilege
  
  Specifies the list of users and groups that can specify auditing options for object access of individual resources, such as files, folders, and Active Directory objects.
  
  Set by using the Manage auditing and security log setting in the Local Policies/User Rights Assignment GPO.
- Change notify privilege (bypass traverse checking)
  
  Specifies the list of users and groups that can traverse directory trees even though the users and groups might not have permissions on the traversed directory.
  
  The same privilege is required for users to receive notifications of changes to files and directories. Set by using the Bypass traverse checking setting in the Local Policies/User Rights Assignment GPO.
Registry values
- Signing required setting
  
  Specifies whether required SMB signing is enabled or disabled.
  
  Set by using the Microsoft network server: Digitally sign communications (always) setting in the Security Options GPO.
Restrict anonymous

Specifies what the restrictions for anonymous users are and includes the following three GPO settings:
- No enumeration of Security Account Manager (SAM) accounts:
  
  This security setting determines what additional permissions are granted for anonymous connections to the computer. This option is displayed as no-enumeration in ONTAP if it is enabled.
  
  Set by using the Network access: Do not allow anonymous enumeration of SAM accounts setting in the Local Policies/Security Options GPO.
- No enumeration of SAM accounts and shares
  
  This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. This option is displayed as no-enumeration in ONTAP if it is enabled.
  
  Set by using the Network access: Do not allow anonymous enumeration of SAM accounts and shares setting in the Local Policies/Security Options GPO.
- Restrict anonymous access to shares and named pipes
  
  This security setting restricts anonymous access to shares and pipes. This option is displayed as no-access in ONTAP if it is enabled.
  
  Set by using the Network access: Restrict anonymous access to Named Pipes and Shares setting in the Local Policies/Security Options GPO.

When displaying information about defined and applied group policies, the Resultant restriction for anonymous user output field provides information about the resultant restriction of the three restrict anonymous GPO settings. The possible resultant restrictions are as follows:

no-access

The anonymous user is denied access to the specified shares and named pipes, and cannot use enumeration of SAM accounts and shares. This resultant restriction is seen if the Network access: Restrict anonymous access to Named Pipes and Shares GPO is enabled.
no-enumeration

The anonymous user has access to the specified shares and named pipes, but cannot use enumeration of SAM accounts and shares. This resultant restriction is seen if both of the following conditions are met:
- The Network access: Restrict anonymous access to Named Pipes and Shares GPO is disabled.
- Either the Network access: Do not allow anonymous enumeration of SAM accounts or the Network access: Do not allow anonymous enumeration of SAM accounts and shares GPOs is enabled.
no-restriction

The anonymous user has full access and can use enumeration. This resultant restriction is seen if both of the following conditions are met:
- The Network access: Restrict anonymous access to Named Pipes and Shares GPO is disabled.
- Both the Network access: Do not allow anonymous enumeration of SAM accounts and Network access: Do not allow anonymous enumeration of SAM accounts and shares GPOs are disabled.
  - Restricted Groups
    
    You can configure restricted groups to centrally manage membership of either built-in or user-defined groups. When you apply a restricted group through a group policy, the membership of a CIFS server local group is automatically set to match the membership-list settings defined in the applied group policy.
    
    Set by using the Restricted Groups GPO.

Central access policy settings

Specifies a list of central access policies. Central access policies and the associated central access policy rules determine access permissions for multiple files on the SVM.

Related information

Enabling or disabling GPO support on a CIFS server

Securing file access by using Dynamic Access Control (DAC)

SMB and NFS auditing and security tracing

Modifying the CIFS server Kerberos security settings

Using BranchCache to cache SMB share content at a branch office

Using SMB signing to enhance network security

Configuring bypass traverse checking

Configuring access restrictions for anonymous users

Supported GPOs

Creating your file...