
vserver cifs group-policy show-defined

Show applicable group policy settings defined in Active Directory

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver cifs group-policy show-defined command displays information about group policies that have been defined in Active Directory. It displays all or a subset of the group policy configuration matching the criteria that you specify.

If you do not specify any parameters, the command displays the following information about all group policies defined in Active Directory:
  • GPO Name: Specifies the name of the Group Policy object.

  • Level: Specifies the level in which the Group Policy is configured. It could be either site level, domain level, or OU level.

  • Status: Specifies whether or not this Group Policy object is enabled.

Advanced Audit Settings:
  • Object Access:

  • Central Access Policy Staging: Specifies the type of events to be audited for central access policy staging. Possible values are:

    • none - Do not audit.

    • success - Audit only success events.

    • failure - Audit only failure events.

    • both - Audit both success and failure events.

Registry Settings:
  • Refresh Time Interval: Specifies how often the Group Policy is updated.

  • Refresh Random Offset: Specifies a random time that is added to the refresh interval to prevent all clients from requesting Group Policy updates at the same time.

  • Hash Publication Mode for BranchCache: Specifies the hash generation mode used to generate hashes for data stored in shared folders on which BranchCache is enabled, which is then provided to clients. Possible values are:

    • per-share - Allow hash publication only for shared folders on which BranchCache is enabled.

    • disabled - Disallow hash publication on all shared folders.

    • all-shares - Allow hash publication for all shared folders.

  • Hash Version Support for BranchCache: Specifies the version supported by the BranchCache hash generation service. Possible values are:

    • all-versions - Both versions 1 and 2 (V1 and V2).

    • version1 - Version 1 (V1).

    • version2 - Version 2 (V2).

Security Settings:
  • Event Audit and Event Log:

  • Audit Logon Events: Specifies the type of logon events to be audited. Possible values are:

    • none - Do not audit.

    • success - Audit only success events.

    • failure - Audit only failure events.

    • both - Audit both success and failure events.

  • Audit Object Access: Specifies the type of object access to be audited. Possible values are:

    • none - Do not audit.

    • success - Audit only success events.

    • failure - Audit only failure events.

    • both - Audit both success and failure events.

  • Log Retention Method: Specifies the audit log retention method. Possible values are:

    • overwrite-as-needed - Overwrite the event log when size of the log file exceeds the maximum log size.

    • overwrite-by-days - Not supported.

    • do-not-overwrite - Do not overwrite the event log.

  • Max Log Size: Specifies the maximum size of the audit log. This size is displayed in kbytes.

  • File Security: Specifies a list of files or directories on which file security is to be applied.

  • Kerberos:

  • Max Clock Skew: Specifies maximum tolerance in hours for computer clock synchronization.

  • Max Ticket Age: Specifies maximum lifetime in minutes for user ticket.

  • Max Renew Age: Specifies maximum lifetime in days for user ticket renewal.

  • Privilege Rights:

  • Take Ownership: List of users and groups that have the right to take ownership of any securable object in the system.

  • Security Privilege: List of users and groups that can specify auditing options for object access of individual resources, such as files, folders, and Active Directory objects.

  • Change Notify: List of users and groups that can traverse directory trees even though the users and groups might not have permissions on the traversed directory.

  • Registry Values:

  • Signing Required: Specifies whether SMB signing is on or off.

  • Restrict Anonymous:

  • No enumeration of Security Account Manager (SAM) accounts: This security setting determines what additional permissions are granted for anonymous connections to the computer. This option displays as 'no-enumeration' in Data ONTAP if enabled.

  • No enumeration of SAM accounts and shares: This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. This option displays as 'no-enumeration' in Data ONTAP if enabled.

  • Restrict anonymous access to shares and named pipes: This security setting restricts anonymous access to shares and pipes. This option displays as 'no-access' in Data ONTAP if enabled.

  • Combined restriction for anonymous user: The combined restriction for the anonymous user is derived from the above three settings:

    • If 'no-access' is enabled, 'Combined restriction for anonymous user' is set to 'no-access'. The anonymous user is denied access to the specified shares and named pipes, and cannot enumerate SAM accounts and shares.

    • If 'no-enumeration' is enabled and 'no-access' is disabled, 'Combined restriction for anonymous user' is set to 'no-enumeration'. The anonymous user has access to the specified shares and named pipes, but cannot use enumeration of SAM accounts and shares.

    • If 'no-enumeration' is disabled and 'no-access' is disabled, 'Combined restriction for anonymous user' is set to 'no-restriction'. The anonymous user has full access and can use enumeration.

  • Restricted Groups:

  • List of restricted groups. For more information on each group, refer to the man page for the "vserver cifs group-policy restricted-group show-defined" command. Each restricted group has two properties. The "Members" list defines who belongs and who does not belong to the restricted group. The "MemberOf" list ensures that the restricted group is added to each group listed in that field. A group can be a member of groups other than those listed in the "MemberOf" field.

Central Access Policy Settings:
  • Policies:

    • Specifies a list of central access policies. Central access policies and rules determine access permissions for multiple files on the Vserver.

Parameters

{ [-fields <fieldname>, ...]
If you specify the -fields <fieldname>, ... parameter, the command only displays the fields that you specify.
| [-instance ]}
If you specify the -instance parameter, the command displays detailed information about all entries.
[-vserver <vserver name>] - Vserver
If you specify this parameter, the command displays only group policy information that has been defined in Active Directory for the Vserver that you specify.
[-gpo-index <integer>] - GPO Index
If you specify this parameter, the command displays only group policy information at gpo-index.

Examples

The following example displays all group policy information for all group policies that have been defined in Active Directory:

cluster1::> vserver cifs group-policy show-defined

Vserver: vs1
-----------------------------
GPO Name: Default Domain Policy
Level: Domain
Status: enabled
Advanced Audit Settings:
Object Access:
Central Access Policy Staging: failure
Registry Settings:
Refresh Time Interval: 22
Refresh Random Offset: 8
Hash Publication Mode for BranchCache: per-share
Hash Version Support for BranchCache : version1
Security Settings:
Event Audit and Event Log:
Audit Logon Events: none
Audit Object Access: success
Log Retention Method: overwrite-as-needed
Max Log Size: 16384
File Security:
/vol1/home
/vol1/dir1
Kerberos:
Max Clock Skew: 5
Max Ticket Age: 10
Max Renew Age: 7
Privilege Rights:
Take Ownership: usr1, usr2
Security Privilege: usr1, usr2
Change Notify: usr1, usr2
Registry Values:
Signing Required: false
Restrict Anonymous:
No enumeration of SAM accounts: true
No enumeration of SAM accounts and shares: false
Restrict anonymous access to shares and named pipes: true
Combined restriction for anonymous user: no-access
Restricted Groups:
gpr1
gpr2
Central Access Policy Settings:
Policies: cap1
cap2

GPO Name: Resultant Set of Policy
Status: enabled
Advanced Audit Settings:
Object Access:
Central Access Policy Staging: failure
Registry Settings:
Refresh Time Interval: 22
Refresh Random Offset: 8
Hash Publication Mode for BranchCache: per-share
Hash Version Support for BranchCache: version1
Security Settings:
Event Audit and Event Log:
Audit Logon Events: none
Audit Object Access: success
Log Retention Method: overwrite-as-needed
Max Log Size: 16384
File Security:
/vol1/home
/vol1/dir1
Kerberos:
Max Clock Skew: 5
Max Ticket Age: 10
Max Renew Age: 7
Privilege Rights:
Take Ownership: usr1, usr2
Security Privilege: usr1, usr2
Change Notify: usr1, usr2
Registry Values:
Signing Required: false
Restrict Anonymous:
No enumeration of SAM accounts: true
No enumeration of SAM accounts and shares: false
Restrict anonymous access to shares and named pipes: true
Combined restriction for anonymous user: no-access
Restricted Groups:
gpr1
gpr2
Central Access Policy Settings:
Policies: cap1
cap2
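As an added example (not NetApp code and not part of this man page), the following Python parses output in the shape of the show-defined example above, re-derives 'Combined restriction for anonymous user' from the three Restrict Anonymous flags using the three rules given in the description, and flags settings a defender would want to review (SMB signing not required, anonymous access not denied, logon events not audited). The sample text is constructed for the example, the audit checks are this example's own choices rather than anything the command provides, and the parser assumes the layout shown: one 'Key: value' per line, with colon-free lines (file security paths, restricted group names, extra policies) continuing the previous key.

```python
import re

# Constructed sample in the shape of the man page's example output; it is not
# captured from a real system and is trimmed to the settings audited below.
SAMPLE_OUTPUT = """\
Vserver: vs1
-----------------------------
GPO Name: Default Domain Policy
Level: Domain
Status: enabled
Security Settings:
Event Audit and Event Log:
Audit Logon Events: none
Audit Object Access: success
File Security:
/vol1/home
/vol1/dir1
Registry Values:
Signing Required: false
Restrict Anonymous:
No enumeration of SAM accounts: true
No enumeration of SAM accounts and shares: false
Restrict anonymous access to shares and named pipes: true
Combined restriction for anonymous user: no-access
Restricted Groups:
gpr1
gpr2
Central Access Policy Settings:
Policies: cap1
cap2
"""


def parse_show_defined(text):
    """Return one dict per GPO block.  'Key: value' lines become entries;
    a key with no value starts a list, and lines without a colon are
    appended to the most recent key (so File Security, Restricted Groups
    and Policies come back as lists)."""
    gpos, current, vserver, last_key = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:      # blank or separator line
            continue
        if line.startswith("Vserver:"):
            vserver = line.split(":", 1)[1].strip()
            continue
        if line.startswith("GPO Name:"):
            current = {"Vserver": vserver,
                       "GPO Name": line.split(":", 1)[1].strip()}
            gpos.append(current)
            last_key = None
            continue
        if current is None:
            continue
        m = re.match(r"^(.*?)\s*:\s*(.*)$", line)   # tolerates 'Key : value'
        if m:
            last_key, value = m.group(1), m.group(2)
            current[last_key] = value if value else []
        elif last_key is not None:                  # continuation line
            prev = current[last_key]
            current[last_key] = prev + [line] if isinstance(prev, list) else [prev, line]
    return gpos


def combined_restriction(no_enum_sam, no_enum_sam_shares, no_access):
    """Derive 'Combined restriction for anonymous user' from the three
    Restrict Anonymous flags, following the three rules in the description."""
    if no_access:
        return "no-access"
    if no_enum_sam or no_enum_sam_shares:
        return "no-enumeration"
    return "no-restriction"


def _flag(gpo, key):
    return gpo.get(key) == "true"


def audit_gpo(gpo):
    """Return review findings for one parsed GPO (checks chosen for this example)."""
    name, findings = gpo["GPO Name"], []
    if gpo.get("Signing Required") != "true":
        findings.append(f"{name}: SMB signing not required")
    derived = combined_restriction(
        _flag(gpo, "No enumeration of SAM accounts"),
        _flag(gpo, "No enumeration of SAM accounts and shares"),
        _flag(gpo, "Restrict anonymous access to shares and named pipes"))
    shown = gpo.get("Combined restriction for anonymous user")
    if shown != derived:
        findings.append(f"{name}: combined restriction shows {shown}, rules give {derived}")
    if derived != "no-access":
        findings.append(f"{name}: anonymous access to shares and named pipes not denied ({derived})")
    if gpo.get("Audit Logon Events", "none") == "none":
        findings.append(f"{name}: logon events are not audited")
    return findings


if __name__ == "__main__":
    for gpo in parse_show_defined(SAMPLE_OUTPUT):
        for finding in audit_gpo(gpo):
            print(finding)
```

On the sample above the derived value agrees with the displayed 'no-access' (rule one applies because the shares-and-pipes restriction is enabled), and the audit reports two findings: signing is not required and logon events are not audited. Feeding it real output from the command, for example captured over SSH, lets the same checks run across every GPO and Vserver at once.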