MMC shows error: You do not have permissions to see the list of shares for Windows client
Applies to
- Data ONTAP 9.1 to 9.5
- Data ONTAP 9
Issue
Domain User who is a member of "BUILTIN\Administrators" group is unable to view shares, sessions, and open files through Windows MMC or computer management console.
Microsoft Management Console (MMC) shows error "You do not have permissions to see the list of shares for Windows client" is seen when he clicks on shares, sessions, and open files.
To check the Windows group memberships for the Windows user, run the following command, available in diagnostic privilege, on all nodes:
::> set d -c off ; row 0
::*> diag secd authentication show-creds -node cdot-01 -vserver svm -win-name naslab\alice
UNIX UID: root <> Windows User: NASLAB\alice (Windows Domain User)
GID: daemon
Supplementary GIDs:
daemon
Primary Group SID: NASLAB\Domain Users (Windows Domain group)
Windows Membership:
NASLAB\Domain Users (Windows Domain group)
NASLAB\Domain Admins (Windows Domain group)
NASLAB\Denied RODC Password Replication Group (Windows Alias)
Service asserted identity (Windows Well known group)
BUILTIN\Users (Windows Alias)
BUILTIN\Administrators (Windows Alias) <<<<<<<<<<<<<<<<<
User is also a member of Everyone, Authenticated Users, and Network Users
Privileges (0x22b7):
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeSecurityPrivilege
SeChangeNotifyPrivilege
::*> local-group show-members -vserver svm -group-name BUILTIN\Administrators
(vserver cifs users-and-groups local-group show-members)
Vserver: svm
Group Name: BUILTIN\Administrators
Member Name: SMBSRVR\Administrator
NASLAB\Domain Admins
NASLAB\alice <<<<<<<<<<<<<<<<<<<
Note: If the user is a member of "BUILTIN\Administrators" group but the membership is not reflecting properly in the show-creds output, still the same solution will work.