Did your AD team perchance define a group policy on the OU such that any object 
placed into that OU inherited a specific set of local administrators? That's 
the only way I can think that your NAS ended up with the calling user in the 
local admin group. 

I understand where you're coming from - we do not manage AD ourselves but we do 
not want Domain Admins to have administrator control of our CES nodes. So once 
it was joined to AD (with their help) I simply removed Domain Admins and added 
the storage team DL in its place.

But back to the original question, I'm afraid I do not know how to make CES add 
a specific user to its local administrator group.

Richard

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Engeli Willi (ID 
SD)
Sent: 30 March 2017 15:24
To: [email protected]
Subject: [gpfsug-discuss] Spectrum Scale CES adds only Domain Admin to local 
Administrators group

> Last time I checked simply adding a normal computer object to the domain
> didn't add the account of the adding user to the local administrators group
> and CES is no exception.

We were previously using a competitor product as a NAS system. With that 
system, we were able to define virtual NAS servers, each one joined as an 
independent object to AD. When joined, we found the 'Domain Admin' group and 
the joining user as members of the local administrators group of that virtual server.
Since our AD is quite big, it is structured into many OUs. We as the Storage OU 
have OU admin rights, but we are not members of the "Domain Admin" group.
Looking back, we were able by ourselves to add the required groups as needed to 
the local Administrators group of the NAS server.
Why is this important? Since we have quite a mix of OSes accessing our shares, 
some of them create exclusive access rights at the time they create profiles 
etc. At the end of the lifecycle, one needs to delete those files via the SMB / 
NFSv4 protocol, which is difficult if not having access rights. On the other 
hand, we have seen situations where one OS corrupted the ACL and could not 
access anymore. This also needs to be handled by us, giving us a hard time not 
being members of the administrators group. I.e. the MS tool subinacl does check 
the privileges before trying to modify ACLs, and if not being a member of the 
Administrators group, not all required privileges are granted.

> Is it a political reason why you cannot ask your Domain Admin team to add
> you to the admin group for your CES cluster object? From there you can manage
> it yourself.

Yes and no. We have a clear boundary, where we need to be able to manage the AD 
objects, and for security reasons it seems to make sense not to use Domain Admin 
accounts for this kind of work (statement of our AD group).

So much for the situation; did I miss something?

Willi

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of 
[email protected]
Sent: Thursday, 30 March 2017 16:02
To: [email protected]
Subject: gpfsug-discuss Digest, Vol 62, Issue 77


Today's Topics:

   1. Spectrum Scale CES adds only Domain Admin to local
      Administrators group (Engeli  Willi (ID SD))
   2. Re: Spectrum Scale CES adds only Domain Admin to local
      Administrators group (Sobey, Richard A)
   3. Re: Spectrum Scale CES adds only Domain Admin to local
      Administrators group (Laurence Horrocks-Barlow)


----------------------------------------------------------------------

Message: 1
Date: Thu, 30 Mar 2017 13:29:26 +0000
From: "Engeli  Willi (ID SD)" <[email protected]>
To: "[email protected]"
        <[email protected]>
Subject: [gpfsug-discuss] Spectrum Scale CES adds only Domain Admin to
        local Administrators group
Message-ID:
        <[email protected]>
Content-Type: text/plain; charset="us-ascii"

Hi everybody,

In our organization, the management of AD is strictly separated from management 
of storage. Since we install spectrum scale with protocol SMB and NFS support, 
we need to join the systems to AD, and have at least the joining user added as 
well to the local administrators group.

 

Any idea of how to achieve this? Asking our Domain Admin is not the correct 
method to add other groups, this needs to be in our hands. 

 

Regards Willi

 


------------------------------

Message: 2
Date: Thu, 30 Mar 2017 13:53:15 +0000
From: "Sobey, Richard A" <[email protected]>
To: gpfsug main discussion list <[email protected]>
Subject: Re: [gpfsug-discuss] Spectrum Scale CES adds only Domain
        Admin to local Administrators group
Message-ID: <amspr06mb4057f08111edb6ee5584f3edf...@amspr06mb405.eurprd06.prod.outlook.com>
Content-Type: text/plain; charset="us-ascii"

Last time I checked simply adding a normal computer object to the domain didn't 
add the account of the adding user to the local administrators group and CES is 
no exception.

Is it a political reason why you cannot ask your Domain Admin team to add you 
to the admin group for your CES cluster object? From there you can manage it 
yourself.

Richard

From: [email protected]
[mailto:[email protected]] On Behalf Of Engeli Willi (ID 
SD)
Sent: 30 March 2017 14:29
To: [email protected]
Subject: [gpfsug-discuss] Spectrum Scale CES adds only Domain Admin to local 
Administrators group

Hi everybody,
In our organization, the management of AD is strictly separated from management 
of storage. Since we install spectrum scale with protocol SMB and NFS support, 
we need to join the systems to AD, and have at least the joining user added as 
well to the local administrators group.

Any idea of how to achieve this? Asking our Domain Admin is not the correct 
method to add other groups, this needs to be in our hands.

Regards Willi


------------------------------

Message: 3
Date: Thu, 30 Mar 2017 15:02:19 +0100
From: Laurence Horrocks-Barlow <[email protected]>
To: [email protected]
Subject: Re: [gpfsug-discuss] Spectrum Scale CES adds only Domain
        Admin to local Administrators group
Message-ID: <[email protected]>
Content-Type: text/plain; charset="windows-1252"; Format="flowed"

Hi Willi,

Could you just expand on your issue?

Are you requiring CES to bind to AD to allow authenticated users to access your 
NFS/SMB shares. However you require the ability to add additional groups to 
these users on the CES system?

Or are you trying to use your own account that can join the domain as a local 
admin on a CES node?

-- Lauz

On 30/03/2017 14:53, Sobey, Richard A wrote:
>
> Last time I checked simply adding a normal computer object to the 
> domain didn't add the account of the adding user to the local 
> administrators group and CES is no exception.
>
> Is it a political reason why you cannot ask your Domain Admin team to 
> add you to the admin group for your CES cluster object? From there you 
> can manage it yourself.
>
> Richard
>
> *From:*[email protected]
> [mailto:[email protected]] *On Behalf Of 
> *Engeli Willi (ID SD)
> *Sent:* 30 March 2017 14:29
> *To:* [email protected]
> *Subject:* [gpfsug-discuss] Spectrum Scale CES adds only Domain Admin 
> to local Administrators group
>
> Hi everybody,
>
> In our organization, the management of AD is strictly separated from 
> management of storage. Since we install spectrum scale with protocol 
> SMB and NFS support, we need to join the systems to AD, and have at 
> least the joining user added as well to the local administrators group.
>
> Any idea of how to achieve this? Asking our Domain Admin is not the 
> correct method to add other groups, this needs to be in our hands.
>
> Regards Willi
>
>
>
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss


------------------------------
