SnapDrive needs a local account that belongs to the LOCAL
administrators group for several reasons (acting as a service role, etc.), and
this is for member servers.
It’s a best practice to also assign it to the LOCAL
administrators group of the filer, even if you can assign the right full rights
and permissions to it by managing the share that points to the volume containing
the LUNs (after all, a filer with CIFS is a member server).
Obviously, if you use SD on a domain controller you don’t
have local security and it has to belong to the Domain Admins group.
Why do you “hurt” yourself :) with
making the shares r/o or other things… Make them hidden with a $ and
assign only the users/groups that must see them (SnapDrive user).
From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On behalf of Christopher Mende
Sent: Tuesday, 5 February 2008 16:10
To: toasters@mathworks.com
Subject: SnapDrive User Permission Lockdown
Hi All,
We've all been asked this question before -- does the snapdrive account HAVE to be a
domain admin, and be an administrator on the filer?

I've played with making the shares to the LUN-containing volumes read-only, but most
of that is just a panacea.

Here is an IIS server which is accessible to multiple outside entities.
Specifically, looking to lessen the impact the snapdrive account may have on
the filer, should the IIS server be compromised. I suspect the answer is
"it doesn't matter" because you could wreak the same damage from
Administrator if compromised -- but I just gotta ask.
Thanks!
Christopher