Tuesday, 6 October 2015

Using Data ONTAP APIs (PowerShell) to Set ACLs

We encountered a problem this week with a mixed security style qtree. A UNIX client had changed the permissions to effective style UNIX for a folder within the qtree, and in doing so the NT ACLs had been lost, so no one could set permissions to regain NTFS access to this folder.

API and the Data ONTAP PowerShell Toolkit to the rescue!

## TO SEE THE PERMISSIONS BEFORE ##
Get-NcFileDirectorySecurity -path /VOLNAME/QTREE/FOLDER1/FOLDER2 -VserverContext SVM

## TO VIEW CURRENT SECURITY DESCRIPTORS ##
Get-NcFileDirectorySecurityNtfs -VserverContext SVM

## TO VIEW CURRENT SECURITY POLICY TASKS ##
Get-NcFileDirectorySecurityPolicyTask -VserverContext SVM

## THE SET SECURITY COMMAND ##
New-NcFileDirectorySecurityNtfs -SecurityDescriptor ntfssd1 -VserverContext SVM -Owner BUILTIN\Administrators -Group BUILTIN\Administrators |
Add-NcFileDirectorySecurityNtfsDacl -Account DOMAIN\USER_WHO_CAN_ACCESS -AccessType Allow -Rights Full_Control -PassThru |
Add-NcFileDirectorySecurityPolicyTask -Name policy1 -path /VOLNAME/QTREE/FOLDER1/FOLDER2 -SecurityType ntfs -PassThru |
Set-NcFileDirectorySecurity

## TO SEE THE PERMISSIONS AFTER ##
Get-NcFileDirectorySecurity -path /VOLNAME/QTREE/FOLDER1/FOLDER2 -VserverContext SVM

Note 1: The command is split into lines after | to make it more readable. The full set security command is one line.
Note 2: By setting an owner, that owner already gets Full Control so doesn’t need to be specified.
Note 3: The Security Descriptor and Security Policy Task need to be unique in the command for it not to error, hence the check before.
Note 4: This is for Clustered Data ONTAP.
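As an added example (not code from the original post), the recovery pipeline above wrapped in a re-runnable script: it records the effective security before and after, clears a leftover descriptor and policy task from an earlier run (Note 3), and grants every account in a list in one pass instead of one account per run. It assumes Connect-NcController has already been run, that the SVM, path, account and object names are placeholders, and that the Remove-NcFileDirectorySecurityNtfs / Remove-NcFileDirectorySecurityPolicyTask parameter names match the toolkit version in use (check with Get-Help).

```powershell
# Added example, not from the original post. Assumptions: Connect-NcController has
# already been run; names, path and accounts are placeholders; the Remove-* parameter
# names are assumed and should be confirmed with Get-Help for your toolkit version.
param(
    [string]   $Vserver    = 'SVM',
    [string]   $Path       = '/VOLNAME/QTREE/FOLDER1/FOLDER2',
    [string[]] $Accounts   = @('DOMAIN\USER_WHO_CAN_ACCESS'),
    [string]   $SdName     = 'ntfssd1',
    [string]   $PolicyName = 'policy1'
)

# 1. Snapshot the effective security before touching anything (the post's BEFORE step),
#    so the change is auditable and can be reviewed if the result is not as expected.
$before = Get-NcFileDirectorySecurity -Path $Path -VserverContext $Vserver | Out-String
Write-Host "BEFORE:`n$before"

# 2. Note 3: descriptor and policy task names must be unique. Remove leftovers from an
#    earlier run so a second run does not fail. (Parameter names are an assumption.)
Remove-NcFileDirectorySecurityPolicyTask -Name $PolicyName -Path $Path -VserverContext $Vserver -ErrorAction SilentlyContinue
Remove-NcFileDirectorySecurityNtfs -SecurityDescriptor $SdName -VserverContext $Vserver -ErrorAction SilentlyContinue

# 3. Build the descriptor. The owner gets Full Control implicitly (Note 2); each account
#    in $Accounts gets an explicit Allow ACE, so several users are granted in one pass
#    rather than each run replacing the previous ACL (the question raised in the comments).
$sd = New-NcFileDirectorySecurityNtfs -SecurityDescriptor $SdName -VserverContext $Vserver `
        -Owner 'BUILTIN\Administrators' -Group 'BUILTIN\Administrators'
foreach ($acct in $Accounts) {
    $sd = $sd | Add-NcFileDirectorySecurityNtfsDacl -Account $acct -AccessType Allow -Rights Full_Control -PassThru
}

# 4. Attach the descriptor to the path through a policy task and apply it.
$sd | Add-NcFileDirectorySecurityPolicyTask -Name $PolicyName -Path $Path -SecurityType ntfs -PassThru |
      Set-NcFileDirectorySecurity

# 5. Snapshot again and show only the lines that changed, so the operator can confirm
#    that just the intended ACEs were added before handing the folder back to the admins.
$after = Get-NcFileDirectorySecurity -Path $Path -VserverContext $Vserver | Out-String
Write-Host "AFTER:`n$after"
Compare-Object -ReferenceObject ($before -split "`n") -DifferenceObject ($after -split "`n") |
    Format-Table -AutoSize
```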

3 comments:

  1. You are my hero, solved a tricky problem for me, this is the only place I found on taking ownership of a NetApp share in PowerShell that just works. THANK YOU. :)

  2. When I run the same command again for the volume but for a different user, it wipes out all previous permissions. Is this how it is supposed to work?

    Replies
    1. Hi Chintan. Yes, the above was for recovering a situation where you've lost NTFS permission. There are ways to add permissions with PowerShell. It's probably easier to just give the Wintel Admin (whoever that is) permission, and then let them set their required permissions. Cheers, VC