ONTAP 9 Manuals ( CA08871-402 )

Disallow users or groups from bypassing directory traverse checking

If you do not want a user to traverse all the directories in the path to a file because the user does not have permissions on the traversed directory, you can remove the SeChangeNotifyPrivilege privilege from local SMB users or groups on storage virtual machines (SVMs).

Before you begin

The local or domain user or group from which privileges will be removed must already exist.

About this task

When removing privileges from a domain user or group, ONTAP might validate the domain user or group by contacting the domain controller. The command might fail if ONTAP cannot contact the domain controller.

Steps
  1. Disallow bypass traverse checking: vserver cifs users-and-groups privilege remove-privilege -vserver vserver_name -user-or-group-name name -privileges SeChangeNotifyPrivilege

    The command removes the SeChangeNotifyPrivilege privilege from the local or domain user or group that you specify with the value for the -user-or-group-name name parameter.

  2. Verify that the specified user or group has bypass traverse checking disabled: vserver cifs users-and-groups privilege show -vserver vserver_name ‑user-or-group-name name

Example

The following command disallows users that belong to the “EXAMPLE\eng” group from bypassing directory traverse checking:

cluster1::> vserver cifs users-and-groups privilege show -vserver vs1
Vserver   User or Group Name    Privileges
--------- --------------------- -----------------------
vs1       EXAMPLE\eng           SeChangeNotifyPrivilege

cluster1::> vserver cifs users-and-groups privilege remove-privilege -vserver vs1 -user-or-group-name EXAMPLE\eng -privileges SeChangeNotifyPrivilege

cluster1::> vserver cifs users-and-groups privilege show -vserver vs1
Vserver   User or Group Name    Privileges
--------- --------------------- -----------------------
vs1       EXAMPLE\eng           -
Top of Page