MMC shows error: You do not have permissions to see the list of shares for Windows client

Applies to

• Data ONTAP 9.1 to 9.5
• Data ONTAP 9

Issue

Domain User who is a member of "BUILTIN\Administrators" group is unable to view shares, sessions, and open files through Windows MMC or computer management console.

Microsoft Management Console (MMC) shows error "You do not have permissions to see the list of shares for Windows client" is seen when he clicks on shares, sessions, and open files.

To check the Windows group memberships for the Windows user, run the following command, available in diagnostic privilege, on all nodes:

::> set d -c off ; row 0

::*> diag secd authentication show-creds -node cdot-01 -vserver svm -win-name naslab\alice

UNIX UID: root <> Windows User: NASLAB\alice (Windows Domain User)

GID: daemon

Supplementary GIDs:

daemon

Primary Group SID: NASLAB\Domain Users (Windows Domain group)

Windows Membership:

NASLAB\Domain Users (Windows Domain group)

NASLAB\Domain Admins (Windows Domain group)

NASLAB\Denied RODC Password Replication Group (Windows Alias)

Service asserted identity (Windows Well known group)

BUILTIN\Users (Windows Alias)

BUILTIN\Administrators (Windows Alias) <<<<<<<<<<<<<<<<<

User is also a member of Everyone, Authenticated Users, and Network Users

Privileges (0x22b7):

SeBackupPrivilege

SeRestorePrivilege

SeTakeOwnershipPrivilege

SeSecurityPrivilege

SeChangeNotifyPrivilege

 

::*> local-group show-members -vserver svm -group-name BUILTIN\Administrators

         (vserver cifs users-and-groups local-group show-members)

Vserver: svm

Group Name: BUILTIN\Administrators

Member Name: SMBSRVR\Administrator

NASLAB\Domain Admins

NASLAB\alice <<<<<<<<<<<<<<<<<<<

Note: If the user is a member of "BUILTIN\Administrators" group but the membership is not reflecting properly in the show-creds output, still the same solution will work.