Windows Acls - Overland Storage SnapServer Administrator's Manual

SnapServer 7.0 Administrator's Guide

Windows ACLs

GuardianOS fully supports Windows NTFS-style filesystem ACLs, including configuration,
enforcement, and inheritance models. Inside Windows/Mixed root directories, files created
and managed by Windows clients have the Windows security personality and behave just as
they would on a Windows server. Clients can use the standard Windows 2000, 2003, XP,
Vista, or Windows 7 interface to set directory and file permissions for local and Windows
domain users and groups on the SnapServer.
Permissions are enforced for the specified users in the same manner for all client protocols,
including non-SMB clients that normally have the Unix security personality. However, if a
non-SMB client changes permissions or ownership on a Windows personality file or
directory (or deletes and recreates it), the personality will change to Unix with the Unix
permissions specified by the client.
NOTE: Group membership of NFS clients is established by configuring the local client's user
Default File and Folder Permissions
When a file or directory is created by an SMB client, the owner of the file will be the user
who created the file (except for files created by local or domain administrators, in which
case the owner will be the Administrators group, mapped to the local admingrp), and the ACL
will be inherited per the inheritance ACEs on the parent directory's ACL. The owner of a
file or directory always implicitly has the ability to change permissions, regardless of the
permissions established in the ACL. In addition, members of the SnapServer's local admin
group, as well as members of Domain Admins (if the server is configured to belong to a
domain) always implicitly have take ownership and change ownership permissions.
Setting File and Directory Access Permissions and Inheritance (Windows)
Access permissions for files and directories with the Windows security personality are set
using standard Windows 2000, 2003, XP, Vista, 2008, or 7 security tools. GuardianOS
supports:
• All standard generic and advanced access permissions that can be assigned by
Windows clients.
• All levels of inheritance that can be assigned to an ACE in a directory ACL from a
Windows client.
• Automatic inheritance from parent directories, as well as the ability to disable
automatic inheritance from parents.
• Special assignment and inheritance of the CREATOR OWNER, CREATOR GROUP,
Users, Authenticated Users, and Administrators built-in users and groups.
To Set File and Directory Permissions and Inheritance (Windows)
1. Using a Windows 2000, 2003, XP, Vista, 2008, or 7 client, map a drive to the
SnapServer, logging in as a user with change permissions for the target file or
directory.
2. Right-click the file or directory, choose Properties, and then select the Security tab.
3. Use the Windows security tools to add or delete users and groups, to modify their
permissions, and to set inheritance rules.
10400317-001 10/2011
account or the NIS domain. Group membership of SnapServer local users or users ID-
mapped to domain users is not observed by NFS clients. Therefore, ACL permissions
applied to groups may not apply as expected to NFS clients.
©2010-11 Overland Storage, Inc.
7 – Security Options
7-19