
Granting access to Windows domain users

You can specify nonlocal administrative users to have administrative access to the storage system after authentication by a Windows Domain Controller, rather than by the storage system itself.

About this task

By default, the domain administrator account has full access to the system. You can log in to this account by using the domain\administrator format with the appropriate password.

Data ONTAP also supports SSH key-based authentication for domain users.

Steps

  1. To assign a Windows domain user to a custom or predefined group, enter the following command:
     useradmin domainuser add win_user_name -g {custom_group|Administrators|"Backup Operators"|Guests|"Power Users"|Users}[,...]
    win_user_name is the Windows domain user whose name or Security ID (SID) you want to assign to a customized or predefined group. This value can be in one of the following formats:
    • name
      Note: If you do not specify the domain name, the domain is the storage system, and the user is considered distinct from any user in the Windows domain with the same user name.
    • domain\name
    • textual_sid_S-x-y-z

    For more information about these formats, see the na_cifs_lookup(1) man page.

    custom_group is a customized group with roles assigned through the useradmin group command.

    Administrators | "Backup Operators" | Guests | "Power Users" | Users are groups predefined by Data ONTAP with default roles and capabilities.

    Example
    The following command adds the user userjoe in the MyDomain domain to the Power Users group and effectively grants MyDomain\userjoe all administrator capabilities that are granted to the Power Users group through the roles that have been assigned to it.
    useradmin domainuser add MyDomain\userjoe -g "Power Users"
  2. To verify the success of your operation, enter the following command:
     useradmin domainuser list -g {custom_group|Administrators|"Backup Operators"|Guests|"Power Users"|Users}
    The SID of the user in question is among those listed in the output of this command.
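The following helper is an added example, not part of the Data ONTAP documentation or the useradmin command itself. It validates the three win_user_name formats described above (name, domain\name, textual SID), flags the case where an unqualified name will resolve against the storage system rather than the Windows domain, builds the add and list commands with the quoting the predefined group names need, and checks whether a SID appears in list output. The sample list output and the SID values are constructed for illustration; the real command output format is not specified on this page, so the check only looks for the SID as a token.

```python
import re

# Groups predefined by Data ONTAP, as listed on the page.
PREDEFINED_GROUPS = {"Administrators", "Backup Operators", "Guests", "Power Users", "Users"}

# Windows textual SID: S-<revision>-<authority>-<subauthority>[-<subauthority>...]
_SID_RE = re.compile(r"^S-\d+-\d+(?:-\d+)+$")
_SID_TOKEN_RE = re.compile(r"S-\d+-\d+(?:-\d+)+")
# domain\name: both halves must be non-empty and contain no backslash or whitespace.
_DOMAIN_NAME_RE = re.compile(r"^([^\\\s]+)\\([^\\\s]+)$")
_NAME_RE = re.compile(r"^[^\\\s]+$")

# Constructed sample output (not real useradmin output) used for the membership check.
SAMPLE_LIST_OUTPUT = """S-1-5-21-1111111111-2222222222-3333333333-1001
S-1-5-21-1111111111-2222222222-3333333333-1002
"""


def classify_win_user(win_user_name):
    """Return (kind, warning); kind is 'sid', 'domain_name' or 'local_name'.

    An unqualified name is valid syntax, but the page notes it is treated as a
    storage-system user, distinct from a domain user with the same name, so it
    is returned with a warning rather than rejected.
    """
    if _SID_RE.match(win_user_name):
        return "sid", None
    if _DOMAIN_NAME_RE.match(win_user_name):
        return "domain_name", None
    if _NAME_RE.match(win_user_name):
        return ("local_name",
                "no domain given: the name resolves against the storage system, "
                "not the Windows domain")
    raise ValueError(f"unrecognized win_user_name format: {win_user_name!r}")


def quote_group(group):
    """Quote group names containing spaces, e.g. "Power Users", as the CLI requires."""
    return f'"{group}"' if " " in group else group


def _check_groups(groups, custom_groups):
    allowed = PREDEFINED_GROUPS | set(custom_groups)
    unknown = [g for g in groups if g not in allowed]
    if unknown:
        raise ValueError(f"unknown group(s): {unknown}")


def build_add_command(win_user_name, groups, custom_groups=()):
    """Build 'useradmin domainuser add ...' and return (command, warning_or_None)."""
    _, warning = classify_win_user(win_user_name)
    _check_groups(groups, custom_groups)
    cmd = "useradmin domainuser add %s -g %s" % (
        win_user_name, ",".join(quote_group(g) for g in groups))
    return cmd, warning


def build_list_command(group, custom_groups=()):
    """Build the verification command from step 2 for a single group."""
    _check_groups([group], custom_groups)
    return f"useradmin domainuser list -g {quote_group(group)}"


def sid_in_list_output(list_output, sid):
    """True if the exact SID appears as a token in the list output (no prefix matches)."""
    if not _SID_RE.match(sid):
        raise ValueError(f"not a textual SID: {sid!r}")
    for line in list_output.splitlines():
        if sid in _SID_TOKEN_RE.findall(line):
            return True
    return False


if __name__ == "__main__":
    cmd, warning = build_add_command("MyDomain\\userjoe", ["Power Users"])
    print(cmd)                     # matches the page's example command
    print(build_list_command("Power Users"))
    print(build_add_command("userjoe", ["Users"])[1])  # warning about local resolution
    print(sid_in_list_output(SAMPLE_LIST_OUTPUT,
                             "S-1-5-21-1111111111-2222222222-3333333333-1001"))
```

The warning path is the one worth keeping in a provisioning script: a missing domain prefix silently creates a local storage-system mapping instead of granting the intended domain account, and the SID check avoids matching a longer SID that merely starts with the one being verified.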