I typically make the domain account for the administrators a local administrator on the NAS.
On Tue, Sep 15, 2015 at 3:49 AM, Borzenkov, Andrei < andrei.borzenkov@ts.fujitsu.com> wrote:
Good question.
You could try setting inheritable ACE on top-level directory. As long as users did not add explicit Deny entries or did not block inheritance it should suffice. Note that explicit denials always override explicit grants, so just *adding* ACE may not be sufficient anyway.
I could not find explicit statement, but fsecurity appears to replace existing DACL. I suppose one possibility would be
Dump existing DACLs using somesing like “icacl /save”Convert result into valid fsecurity job definitionAdd necessary ACEsApplyBut it may not work if access to folders/files is blocked. In this case it is possible to create task that runs as e.g. SYSTEM to do it.
C-Mode looks better as it allows editing individual ACEs.
With best regards
*Andre**i** Borzenkov*
Senior system engineer
FTS WEMEAI RUC RU SC TMS FOS
[image: cid:image001.gif@01CBF835.B3FEDA90]
*FUJITSU*
Zemlyanoy Val Street, 9, 105 064 Moscow, Russian Federation
Tel.: +7 495 730 62 20 ( reception)
Mob.: +7 916 678 7208
Fax: +7 495 730 62 14
E-mail: Andrei.Borzenkov@ts.fujitsu.com
Web: ru.fujitsu.com http://ts.fujitsu.com/
Company details: ts.fujitsu.com/imprint http://ts.fujitsu.com/imprint.html
This communication contains information that is confidential, proprietary in nature and/or privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) or the person responsible for delivering it to the intended recipient(s), please note that any form of dissemination, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender and delete the original communication. Thank you for your cooperation.
Please be advised that neither Fujitsu, its affiliates, its employees or agents accept liability for any errors, omissions or damages caused by delays of receipt or by any virus infection in this message or its attachments, or which may otherwise arise as a result of this e-mail transmission.
*From:* toasters-bounces@teaparty.net [mailto: toasters-bounces@teaparty.net] *On Behalf Of *Jeff Cleverley *Sent:* Tuesday, September 15, 2015 2:10 AM *To:* Toasters@teaparty.net *Subject:* Cifs administrative access push to the entire qtree
Greetings,
I inherited a group of filer that are heavily cifs. There are multiple clusters of different hardware and different OS levels. All are 7-mode.
What the managers found is that people have changed directory permissions and excluded administrators or people with full control. When a problem pops up they have to find one of the directory owners to get added in order to fix an issue.
We don't really want to push the permissions to all sub-directories in an overwrite mode because we could break tool access, or grant access people may not have had before, etc.
Is there a way to add administrators to a tree from the NetApp or a way to do this that doesn't remove previous access control? The managers already have full control at the share level.
Thanks,
Jeff
--
Jeff Cleverley IT Engineer
4380 Ziegler Road
Building 1, Dock 1 Fort Collins, Colorado 80525 970-288-4611
Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters
