Creating File System security GPOs

You can specify GPO File System security settings directly on Data ONTAP file system objects (directories or files).

About this task

GPO File System security settings are propagated down the directory hierarchy; that is, when you set a GPO security setting on a directory, those settings are applied to objects within that directory.

Note: These File System security settings can only be applied in mixed or NTFS volumes or qtrees. They cannot be applied to a file or directory in a UNIX volume or qtree.

File System security ACL propagation is limited to about 280 levels of directory hierarchy.

Steps

On the Windows server, open the Active Directory Users and Computers tree.
Right-click the Organization Unit (OU) that contains the storage system.
Select the Group Policy tab, and select New.
Enter a name for the new GPO.
Highlight the new GPO and select Edit.
The Group Policy Object Editor appears.
Double-click Computer Configuration > Windows Settings > Security Settings.
Right-click File System and select Add File.
The "Add a file or folder" box appears.
Note: Do not select the option to browse the local server’s drives.
In the Folder field, enter the storage system path on which to apply the GPO; then click OK.

The Database Security window opens.
In the Database Security window, set the permissions you want; then click OK.

The Add Object window opens.
In the Add Object window, select the ACL inheritance you want; then click OK.

The Group Policy Editor displays the new object name.
Close the Group Policy Editor and the OU Properties dialog box.
On the storage system, enter the following command to retrieve and apply the new GPO: cifs gpupdate
If you do not explicitly apply the new GPO with the cifs gpupdate command, the storage system applies the new GPO the next time it queries the Active Directory server (that is, within 90 minutes).