NFS Account Mapping Task Reference

Applies To: Windows Server 2008, Windows Storage Server 2008 R2

This section contains a list of the management tasks related to NFS Account Mapping.

Contents

  • NFS User and Group Account Mapping Management Using ADSI Edit

  • NFS User Account Mapping Using Windows PowerShell

  • NFS Group Account Mapping Using Windows PowerShell

  • Unmapped UNIX User Access Management

  • Server for NFS Resource Management Tasks

  • Using Nfsfile.exe to Manage User and Group Access

NFS User and Group Account Mapping Management Using ADSI Edit

You can manage the NFS user and group account mappings using ADSI Edit. For Windows Server 2008 you can use the ADSI Edit snap-in. For Windows Server 2008 R2, Windows Storage Server 2008 R2, or for the Remote Server Administration Tools (RSAT) for Windows 7, you can use the:

  • ADSI Edit snap-in. For more information, see ADSI Edit (adsiedit.msc).

  • Attribute Editor tab on a user or group object in Active Directory Users and Computers. This requires that you click Advanced Features on the View menu in Active Directory Users and Computers.

NFS User Account Mapping Using Windows PowerShell

You can manage NFS user account mappings using the Windows PowerShell cmdlets available in the Active Directory Module for Windows PowerShell. The Active Directory Module for Windows PowerShell is available in Windows Server 2008 R2 or Windows Storage Server 2008 R2. However, you can also manage computers running Windows Server 2008 using the Remote Server Administration Tools (RSAT) for Windows 7 from Windows Server 2008 R2, or from Windows Storage Server 2008 R2.

Manage NFS user account mappings by performing the following tasks:

  • To view the NFS user account mappings for an individual user using the Get-ADUser Windows PowerShell cmdlet, see How to View NFS User Account Mapping for an Individual User Using the Get-ADUser Cmdlet.

  • To view NFS user account mappings for multiple users using Windows PowerShell cmdlets, see How to View NFS User Account Mappings for Multiple Users Using Windows PowerShell Cmdlets.

  • To add or modify NFS user account mappings for an individual user using the Set-ADUser cmdlet, see How to Add or Modify NFS User Account Mappings for an Individual User Using the Set-ADUser Cmdlet.

  • To add or modify NFS user account mappings for a specific set of users specified in a .csv file, see How to Add or Modify NFS User Account Mappings for a Specific Set of Users Using a .csv File.

  • To remove the NFS user account mapping for an individual user using the Set-ADUser cmdlet, see How to Remove NFS User Account Mappings for an Individual User Using the Get-ADUser Cmdlet.

  • To remove NFS user account mappings for multiple users using Windows PowerShell cmdlets, see How to Remove NFS User Account Mappings for Multiple Users Using Windows PowerShell Cmdlets.

  • To find user objects with duplicate uidNumber attribute values using Windows PowerShell cmdlets, see How to Find User Objects with Duplicate uidNumber Attribute Values Using the Get-ADUser Cmdlet.

How to View NFS User Account Mapping for an Individual User Using the Get-ADUser Cmdlet

You can view user account mappings configured for an individual user using the Get-ADUser cmdlet as shown in the following example (where user_name is the user name, SamAccountName object attribute, for the user to be viewed):

Get-ADUser -Identity <user_name> -Properties uidNumber, gidNumber

For more information about this cmdlet, see Get-ADUser.

How to View NFS User Account Mappings for Multiple Users Using Windows PowerShell Cmdlets

You can use the Get-ADUser cmdlet to view the user account mappings configured for multiple users by using:

  • The –Filter parameter of the Get-ADUser cmdlet. Use this method when the selection criteria for the –Filter parameter returns the correct set of users.

  • A .csv file and the Import-CSV cmdlet. Use this method when the selection criteria for the –Filter parameter is too complex.

How to View NFS User Account Mappings for Multiple Users Using the –Filter Parameter

You can view user account mappings configured for multiple users using the Get-ADUser cmdlet as shown in the following example (where filter_param is the criteria for selecting the users):

Get-ADUser -Filter <filter_param> -Properties uidNumber, gidNumber

For more information about this cmdlet, see Get-ADUser. When the selection criteria for the –Filter parameter is too complex, use a .csv file to specify a set of users as described in the following section.

How to View NFS User Account Mappings for a Specific Set of Users Using a .csv File

You can view the user account mappings configured for a specific set of users using the Export-CSV, Import-CSV and Get-ADUser cmdlets. This method can be useful when the selection criteria for the –Filter parameter is too complex.

You can create a .csv file that you can use as a baseline for this task using the Export-CSV cmdlet. For more information about these cmdlets, see Export-CSV, Import-CSV, and Get-ADUser.

  1. Create a .csv file that contains the list of SamAccountName object attributes for the users you wish to view using the Get-ADUser and Export-CSV cmdlets as shown in the following example (where filter_param is the criteria used to select the users to be exported and csv_file_name is the file name for the .csv file being created):

    Get-ADUser -Filter <filter_param> | Select-Object SamAccountName | Export-CSV <csv_file_name>
    

    This creates a .csv file that contains the SamAccountName attribute of the user object for the users selected using the –Filter parameter as shown in the following example:

    #TYPE Selected.Microsoft.ActiveDirectory.Management.ADUser
    "SamAccountName"
    "user01"
    "user02"
    "user03"
    
  2. View the uidNumber and the gidNumber attributes of the user object for each user in the .csv file by running the following command (where csv_file_name is the file name for the .csv file):

    Import-CSV <csv_file_name> | ForEach-Object {Get-ADUser -Identity $_.SamAccountName -Properties uidNumber, gidNumber}
    

How to Add or Modify NFS User Account Mappings for an Individual User Using the Set-ADUser Cmdlet

You can add or modify the user account mapping configured for an individual user using the Set-ADUser cmdlet as shown in the following example (where user_name is the SamAccountName attribute, or user name, of the user object, uid_number is the UID to be added or modified, and gid_number is the GID to be added or modified):

Set-ADUser -Identity <user_name> -Replace @{uidNumber="<uid_number>"; gidNumber="<gid_number>"}

Note

The UID and GID values must be unique for the user and group accounts respectively. The cmdlets will not validate these values for uniqueness.

For more information about this cmdlet, see Set-ADUser.

How to Add or Modify NFS User Account Mappings for a Specific Set of Users Using a .csv File

You can add or modify the user account mappings for multiple users using the Import-CSV and Set-ADUser cmdlets. You can create a .csv file that you can use as a baseline for this task using the Export-CSV cmdlet. For more information about these cmdlets, see Export-CSV, Import-CSV, and Set-ADUser.

Note

The Set-ADUser cmdlet only changes the attributes of an existing account in AD DS. The Set-ADUser cmdlet does not create user accounts in AD DS.

  1. Create a .csv file that contains the list of SamAccountName attributes of the user object for the users for which you wish to configure NFS user account mappings.

    Use the Get-ADUser and Export-CSV cmdlets as shown in the following example (where filter_param is the criteria used to select the users to be exported and csv_file_name is the file name for the .csv file being created):

    Get-ADUser -Filter <filter_param> | Select-Object SamAccountName | Export-CSV <csv_file_name>
    

    This creates a .csv file that contains the SamAccountName attribute of the user object for the users selected using the –Filter parameter as shown in the following example:

    #TYPE Selected.Microsoft.ActiveDirectory.Management.ADUser
    "SamAccountName"
    "user01"
    "user02"
    "user03"
    
  2. Modify the .csv file created in the previous step to include the uidNumber and the gidNumber attributes for each user as shown in the following example:

    #TYPE Selected.Microsoft.ActiveDirectory.Management.ADUser
    "SamAccountName","uidNumber","gidNumber"
    "user01","101","402"
    "user02","102","402"
    "user03","103","401"
    
  3. Add or modify the uidNumber and gidNumber attributes of the user object for each user in the .csv file by running the following command:

    Import-CSV <csv_file_name> | ForEach-Object {Set-ADUser -Identity $_.SamAccountName -Replace @{uidNumber=$_.uidNumber; gidNumber=$_.gidNumber}}
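
Because the cmdlets do not validate uidNumber values for uniqueness, the .csv file can be checked before step 3 is run. The following is an added example, not part of the original documentation; Find-UidConflict and New-Conflict are hypothetical helper names, and the sample rows and directory entries are constructed so the check runs without a domain.

```powershell
# Added example, not from the original documentation.
# Find-UidConflict and New-Conflict are hypothetical helper names.

function New-Conflict($Row, $Reason) {
    New-Object PSObject -Property @{
        SamAccountName = $Row.SamAccountName
        uidNumber      = $Row.uidNumber
        Reason         = $Reason
    }
}

function Find-UidConflict {
    param(
        [object[]] $Requested,        # rows from Import-CSV: SamAccountName, uidNumber, gidNumber
        [object[]] $Existing = @()    # objects from Get-ADUser -Properties uidNumber
    )

    # 1. Reject values that are not plain non-negative integers.
    $valid = @()
    foreach ($row in $Requested) {
        if ("$($row.uidNumber)" -match '^[0-9]{1,10}$') { $valid += $row }
        else { New-Conflict $row 'uidNumber is not a non-negative integer' }
    }

    # 2. The same uidNumber requested for more than one account in the file.
    #    gidNumber is not checked here: on user objects it is legitimately
    #    shared by several users, as in the page's sample file.
    $valid | Group-Object { [long]$_.uidNumber } | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Group | ForEach-Object { New-Conflict $_ 'uidNumber repeated in the .csv file' } }

    # 3. uidNumber already assigned in the directory to a different account.
    foreach ($row in $valid) {
        $Existing | Where-Object {
            $_.uidNumber -ne $null -and
            [long]$_.uidNumber -eq [long]$row.uidNumber -and
            $_.SamAccountName -ne $row.SamAccountName
        } | ForEach-Object { New-Conflict $row "uidNumber already assigned to $($_.SamAccountName)" }
    }
}

# Constructed sample input, in the column layout of the .csv file from step 2.
# Against a real file, use instead:  $requested = Import-CSV <csv_file_name>
$requested = @'
"SamAccountName","uidNumber","gidNumber"
"user01","101","402"
"user02","102","402"
"user03","102","401"
"user04","500","401"
"user05","10x","401"
'@ | ConvertFrom-Csv

# Constructed stand-in for the directory. Against a live domain, use instead:
#   $existing = Get-ADUser -Filter {uidNumber -like "*"} -Properties uidNumber
$existing = @(
    New-Object PSObject -Property @{ SamAccountName = 'user01';     uidNumber = 101 }
    New-Object PSObject -Property @{ SamAccountName = 'svc_backup'; uidNumber = 500 }
)

$conflicts = @(Find-UidConflict -Requested $requested -Existing $existing)
$conflicts | Format-Table SamAccountName, uidNumber, Reason -AutoSize

# Apply only a clean file; -WhatIf previews each change without writing to AD DS.
if ($conflicts.Count -eq 0) {
    $requested | ForEach-Object {
        Set-ADUser -Identity $_.SamAccountName -WhatIf `
            -Replace @{ uidNumber = $_.uidNumber; gidNumber = $_.gidNumber }
    }
}
```

With the constructed data the file is rejected, so Set-ADUser is never called; remove -WhatIf only after the preview of a clean file shows the intended changes.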
    

How to Remove NFS User Account Mappings for an Individual User Using the Get-ADUser Cmdlet

You can remove the user account mapping configured for an individual user using the Set-ADUser cmdlet by clearing the uidNumber and gidNumber attributes of the user object as shown in the following example (where user_name is the user name, SamAccountName attribute, for the user to be removed):

Set-ADUser -Identity <user_name> -Clear uidNumber, gidNumber

Note

The Set-ADUser cmdlet only changes the attributes of an existing account in AD DS. The Set-ADUser cmdlet does not create user accounts in AD DS.

For more information about this cmdlet, see Set-ADUser.

How to Remove NFS User Account Mappings for Multiple Users Using Windows PowerShell Cmdlets

The Set-ADUser cmdlet can be used to remove the user account mappings configured for multiple users using:

  • The –Filter parameter of the Get-ADUser cmdlet, with the results piped to the Set-ADUser cmdlet (Set-ADUser itself has no –Filter parameter). This method can be useful when the selection criteria for the –Filter parameter is able to return the correct set of users.

  • A .csv file and the Import-CSV cmdlet. This method can be useful when the selection criteria for the –Filter parameter is too complex.

How to Remove NFS User Account Mappings for Multiple Users Using the –Filter Parameter

You can remove user account mappings configured for multiple users by piping the output of the Get-ADUser cmdlet to the Set-ADUser cmdlet as shown in the following example (where filter_param is the criteria for selecting the users to have NFS mapping removed):

Get-ADUser -Filter <filter_param> | Set-ADUser -Clear uidNumber, gidNumber

Note

The Set-ADUser cmdlet only changes the attributes of an existing account in AD DS. The Set-ADUser cmdlet does not create user accounts in AD DS.

For more information about this cmdlet, see Set-ADUser.

When the selection criteria for the –Filter parameter is too complex, use a .csv file to specify a set of users as described in the following section, “How to Remove NFS User Account Mappings for a Specific Set of Users Using a .csv File”.

How to Remove NFS User Account Mappings for a Specific Set of Users Using a .csv File

You can remove the user account mappings configured for a specific set of users using the Import-CSV and Set-ADUser cmdlets. This method can be useful when the selection criteria for the –Filter parameter is too complex.

You can create a .csv file that you can use as a baseline for this task using the Export-CSV cmdlet. For more information about these cmdlets, see Export-CSV, Import-CSV, and Set-ADUser.

Note

The Set-ADUser cmdlet only changes the attributes of an existing account in AD DS. The Set-ADUser cmdlet does not create user accounts in AD DS.

  1. Create a .csv file that contains the list of SamAccountName attributes of the user objects for the users whose mappings you wish to remove using the Get-ADUser and Export-CSV cmdlets as shown in the following example (where filter_param is the criteria used to select the users to be exported and csv_file_name is the file name of the .csv file being created):

    Get-ADUser -Filter <filter_param> | Select-Object SamAccountName | Export-CSV <csv_file_name>
    

    This creates a .csv file that contains the SamAccountName attribute of the user objects for the users selected using the –Filter parameter as shown in the following example:

    #TYPE Selected.Microsoft.ActiveDirectory.Management.ADUser
    "SamAccountName"
    "user01"
    "user02"
    "user03"
    
  2. Remove the NFS user account mapping by clearing the uidNumber and gidNumber attributes of the user objects for each user in the .csv file by running the following command (where csv_file_name is the file name for the .csv file you created in the previous step):

    Import-CSV <csv_file_name> | ForEach-Object {Set-ADUser -Identity $_.SamAccountName -Clear uidNumber, gidNumber}
    

How to Find User Objects with Duplicate uidNumber Attribute Values Using the Get-ADUser Cmdlet

You can find all user objects with duplicate uidNumber attribute values in AD DS or AD LDS using the Get-ADUser cmdlet as shown in the following example:

Get-ADUser -Filter {uidNumber -like "*"} -Properties uidNumber | Select-Object Name, uidNumber | Group-Object uidNumber | Where-Object { $_.Count -gt 1 } | Select-Object -ExpandProperty Group

For more information about this cmdlet, see Get-ADUser.

NFS Group Account Mapping Using Windows PowerShell

You can manage NFS group account mappings using the Windows PowerShell cmdlets available in the Active Directory Module for Windows PowerShell. The Active Directory Module for Windows PowerShell is available in Windows Server 2008 R2 or Windows Storage Server 2008 R2. However, you can also manage computers running Windows Server 2008 using the Remote Server Administration Tools (RSAT) for Windows 7 from Windows Server 2008 R2, or from Windows Storage Server 2008 R2.

Manage NFS group account mappings by performing the following tasks:

  • View NFS group account mapping for an individual group using the Get-ADGroup Windows PowerShell cmdlet as described in How to View NFS Group Account Mapping for an Individual Group Using the Get-ADGroup Cmdlet.

  • View NFS group account mappings for multiple groups using Windows PowerShell cmdlets as described in How to View NFS Group Account Mappings for Multiple Groups Using Windows PowerShell Cmdlets.

  • Add or modify NFS group account mappings for an individual group using the Set-ADGroup cmdlet as described in How to Add or Modify NFS Group Account Mapping for an Individual Group Using the Set-ADGroup Cmdlet.

  • Add or modify NFS group account mappings for a specific set of groups specified in a .csv file as described in How to Add or Modify NFS Group Account Mappings for a Specific Set of Groups Using a .csv File.

  • Remove the NFS group account mapping for an individual group using the Set-ADGroup cmdlet as described in How to Remove NFS Group Account Mappings for an Individual Group Using the Get-ADGroup Cmdlet.

  • Remove NFS group account mappings for multiple groups using Windows PowerShell cmdlets as described in How to Remove NFS Group Account Mappings for Multiple Groups Using Windows PowerShell Cmdlets.

  • Find group objects with duplicate gidNumber attribute values using Windows PowerShell cmdlets as described in How to Find Group Objects with Duplicate gidNumber Attribute Values Using the Get-ADGroup Cmdlet.

How to View NFS Group Account Mapping for an Individual Group Using the Get-ADGroup Cmdlet

You can view group account mappings for an individual group using the Get-ADGroup cmdlet as shown in the following example (where group_name is the group name, such as the SamAccountName attribute of the group object, for the group to be viewed):

Get-ADGroup -Identity <group_name> -Properties gidNumber

For more information about this cmdlet, see Get-ADGroup.

How to View NFS Group Account Mappings for Multiple Groups Using Windows PowerShell Cmdlets

The Get-ADGroup cmdlet can be used to view the NFS group account mappings for multiple groups using:

  • The –Filter parameter of the Get-ADGroup cmdlet. This method can be useful when the selection criteria for the –Filter parameter is able to return the correct set of groups.

  • A .csv file and the Import-CSV cmdlet. This method can be useful when the selection criteria for the –Filter parameter is too complex.

How to View NFS Group Account Mappings for Multiple Groups Using the –Filter Parameter

You can view group account mappings for multiple groups using the Get-ADGroup cmdlet as shown in the following example (where filter_param is the criteria for selecting the groups):

Get-ADGroup -Filter <filter_param> -Properties gidNumber

For more information about this cmdlet, see Get-ADGroup. When the selection criteria for the –Filter parameter is too complex, use a .csv file to specify a set of groups as described in the following section, “How to View NFS Group Account Mappings for a Specific Set of Groups Using a .csv File”.

How to View NFS Group Account Mappings for a Specific Set of Groups Using a .csv File

You can view the group account mappings for a specific set of groups using the Import-CSV and Get-ADGroup cmdlets. This method can be useful when the selection criteria for the –Filter parameter is too complex.

You can create a .csv file that you can use as a baseline for this task using the Export-CSV cmdlet. For more information about these cmdlets, see Export-CSV, Import-CSV, and Get-ADGroup.

  1. Create a .csv file that contains the list of SamAccountName attributes of the group objects for the groups you wish to view using the Get-ADGroup and Export-CSV cmdlets as shown in the following example (where filter_param is the criteria used to select the groups to be exported and csv_file_name is the file name for the .csv file being created):

    Get-ADGroup -Filter <filter_param> | Select-Object SamAccountName | Export-CSV <csv_file_name>

    This creates a .csv file that contains the SamAccountName attribute of the group objects for the groups selected using the –Filter parameter as shown in the following example:

    #TYPE Selected.Microsoft.ActiveDirectory.Management.ADGroup
    "SamAccountName"
    "group01"
    "group02"
    "group03"

  2. View the gidNumber attribute for each group in the .csv file by running the following command (where csv_file_name is the file name for the .csv file):

    Import-CSV <csv_file_name> | ForEach-Object {Get-ADGroup -Identity $_.SamAccountName -Properties gidNumber}

How to Add or Modify NFS Group Account Mapping for an Individual Group Using the Set-ADGroup Cmdlet

You can add or modify the group account mapping for an individual group using the Set-ADGroup cmdlet as shown in the following example (where group_name is the SamAccountName attribute, or group name, of the group object and gid_number is the GID to be added or modified):

Set-ADGroup -Identity <group_name> -Replace @{gidNumber="<gid_number>"}

Note

The Set-ADGroup cmdlet only changes the attributes of an existing account in AD DS. The Set-ADGroup cmdlet does not create group accounts in AD DS.

For more information about this cmdlet, see Set-ADGroup.

How to Add or Modify NFS Group Account Mappings for a Specific Set of Groups Using a .csv File

You can add or modify the group account mapping for multiple groups using the Import-CSV and Set-ADGroup cmdlets. You can create a .csv file that you can use as a baseline for this task using the Export-CSV cmdlet. For more information about these cmdlets, see Export-CSV, Import-CSV, and Set-ADGroup.

Note

The Set-ADGroup cmdlet only changes the attributes of an existing account in AD DS. The Set-ADGroup cmdlet does not create group accounts in AD DS.

  1. Create a .csv file that contains the list of SamAccountName attributes of the group objects for the groups for which you wish to configure NFS group account mappings using the Get-ADGroup and Export-CSV cmdlets as shown in the following example (where filter_param is the criteria used to select the groups to be exported and csv_file_name is the file name for the .csv file being created):

    Get-ADGroup -Filter <filter_param> | Select-Object SamAccountName | Export-CSV <csv_file_name>
    

    This creates a .csv file that contains the SamAccountName object attribute for the groups selected using the –Filter parameter as shown in the following example:

    #TYPE Selected.Microsoft.ActiveDirectory.Management.ADGroup
    "SamAccountName"
    "group01"
    "group02"
    "group03"
    
  2. Modify the .csv file created in the previous step to include the gidNumber object attribute for each group as shown in the following example:

    #TYPE Selected.Microsoft.ActiveDirectory.Management.ADGroup
    "SamAccountName","gidNumber"
    "group01","401"
    "group02","402"
    "group03","403"
    
  3. Add or modify the gidNumber attribute for each group in the .csv file by running the following command:

    Import-CSV <csv_file_name> | ForEach-Object {Set-ADGroup -Identity $_.SamAccountName -Replace @{gidNumber=$_.gidNumber}}
    

How to Remove NFS Group Account Mappings for an Individual Group Using the Get-ADGroup Cmdlet

You can remove the group account mapping for an individual group using the Set-ADGroup cmdlet by clearing the gidNumber object attribute as shown in the following example (where group_name is the group name, SamAccountName attribute, of the group whose mapping is to be removed):

Set-ADGroup -Identity <group_name> -Clear gidNumber

Note

The Set-ADGroup cmdlet only changes the attributes of an existing account in AD DS. The Set-ADGroup cmdlet does not create group accounts in AD DS.

For more information about this cmdlet, see Set-ADGroup.

How to Remove NFS Group Account Mappings for Multiple Groups Using Windows PowerShell Cmdlets

You can use the Set-ADGroup cmdlet to remove the group account mappings for multiple groups using:

  • The –Filter parameter of the Get-ADGroup cmdlet, with the results piped to the Set-ADGroup cmdlet (Set-ADGroup itself has no –Filter parameter). This method can be useful when the selection criteria for the –Filter parameter is able to return the correct set of groups.

  • A .csv file and the Import-CSV cmdlet. This method can be useful when the selection criteria for the –Filter parameter is too complex.

How to Remove NFS Group Account Mappings for Multiple Groups Using the –Filter Parameter

You can remove group account mappings for multiple groups by piping the output of the Get-ADGroup cmdlet to the Set-ADGroup cmdlet as shown in the following example (where filter_param is the criteria for selecting the groups to have NFS mapping removed):

Get-ADGroup -Filter <filter_param> | Set-ADGroup -Clear gidNumber

Note

The Set-ADGroup cmdlet only changes the attributes of an existing account in AD DS. The Set-ADGroup cmdlet does not create group accounts in AD DS.

For more information about this cmdlet, see Set-ADGroup.

When the selection criteria for the –Filter parameter is too complex, use a .csv file to specify a set of groups as described in the following section, “How to Remove NFS Group Account Mappings for a Specific Set of Groups Using a .csv File”.

How to Remove NFS Group Account Mappings for a Specific Set of Groups Using a .csv File

You can remove the group account mapping for a specific set of groups using the Import-CSV and Set-ADGroup cmdlets. This method can be useful when the selection criteria for the –Filter parameter is too complex.

You can create a .csv file that you can use as a baseline for this task using the Export-CSV cmdlet. For more information about these cmdlets, see Export-CSV, Import-CSV, and Set-ADGroup.

Note

The Set-ADGroup cmdlet only changes the attributes of an existing account in AD DS. The Set-ADGroup cmdlet does not create group accounts in AD DS.

  1. Create a .csv file that contains the list of SamAccountName attributes of the group objects for the groups whose mappings you wish to remove using the Get-ADGroup and Export-CSV cmdlets as shown in the following example (where filter_param is the criteria used to select the groups to be exported and csv_file_name is the file name for the .csv file being created):

    Get-ADGroup -Filter <filter_param> | Select-Object SamAccountName | Export-CSV <csv_file_name>
    

    This creates a .csv file that contains the SamAccountName attribute for the groups selected using the –Filter parameter as shown in the following example:

    #TYPE Selected.Microsoft.ActiveDirectory.Management.ADGroup
    "SamAccountName"
    "group01"
    "group02"
    "group03"
    
  2. Remove the group account mapping by clearing the gidNumber object attribute for each group in the .csv file by running the following command (where csv_file_name is the file name for the .csv file you created in the previous step):

    Import-CSV <csv_file_name> | ForEach-Object {Set-ADGroup -Identity $_.SamAccountName -Clear gidNumber}
    

How to Find Group Objects with Duplicate gidNumber Attribute Values Using the Get-ADGroup Cmdlet

You can find group objects with duplicate gidNumber attribute values in AD DS or AD LDS using the Get-ADGroup cmdlet as shown in the following example:

Get-ADGroup -Filter {gidNumber -like "*"} -Properties gidNumber | Select-Object Name, gidNumber | Group-Object gidNumber | Where-Object { $_.Count -gt 1 } | Select-Object -ExpandProperty Group

For more information about this cmdlet, see Get-ADGroup.

Unmapped UNIX User Access Management

Manage Unmapped UNIX User Access to NFS shares to help ensure the appropriate users have access to the files and folders. Perform Unmapped UNIX User Access management using the following tasks:

  • Enable Unmapped UNIX User Access for an NFS share as described in How to Enable Unmapped UNIX User Access.

  • Check whether Unmapped UNIX User Access is enabled for an NFS share as described in How to View Unmapped UNIX User Access Configuration.

  • Disable Unmapped UNIX User Access for an NFS share as described in How to Disable Unmapped UNIX User Access.

How to Enable Unmapped UNIX User Access

The Unmapped UNIX User Access feature is available on Windows Server 2008 R2 or Windows Storage Server 2008 R2. You can enable Unmapped UNIX User Access by using one of the methods in the following table.

Table 14. Methods to Enable Unmapped UNIX User Access

Method

Perform these steps

Windows Explorer

  1. In Windows Explorer, go to the <target_folder>, right-click it, and then click Properties (where target_folder is a folder that is an NFS share).

  2. In the <target_folder> Properties dialog box, on the NFS Sharing tab, click Manage NFS Sharing.

    The NFS Advanced Sharing dialog box displays.

  3. In the NFS Advanced Sharing dialog box, select the No server authentication check box.

  4. In the NFS Advanced Sharing dialog box, select the Enable unmapped user access check box.

  5. In the NFS Advanced Sharing dialog box, click Allow unmapped UNIX user access, and then click OK.

  6. In the <target_folder> Properties dialog box, click Close.

Share and Storage Management

  1. Start Share and Storage Management.

  2. In the Share and Storage Management console, in the details pane, click the Shares tab, and then click <share_name> (where share_name is the name of the NFS share).

  3. In the Actions pane, click Properties.

    The <share_name> Properties dialog box displays.

  4. In the <share_name> Properties dialog box, on the NFS Authentication tab, select the Enable unmapped user access check box.

  5. On the NFS Authentication tab, click Allow unmapped UNIX user access, and then click OK.

  6. Close the Share and Storage Management console.

Nfsshare.exe

At an elevated command prompt, type the following command and then press ENTER (where nfs_share is the name of the NFS shared folder):

Nfsshare.exe nfs_share -o unmapped=yes anon=no

How to View Unmapped UNIX User Access Configuration

You can view Unmapped UNIX User Access configuration by using one of the methods in the following table.

Table 15. Methods to View Unmapped UNIX User Access Configuration

Method

Perform these steps

Windows Explorer

  1. In Windows Explorer, go to <target_folder>, right-click it, and then click Properties (where target_folder is the folder that is shared as an NFS share).

  2. In the <target_folder> Properties dialog box, on the NFS Sharing tab, click Manage NFS Sharing.

    The NFS Advanced Sharing dialog box displays.

  3. In the NFS Advanced Sharing dialog box, if the Allow unmapped UNIX user access option button is:

    • Selected, then Unmapped UNIX User Access is enabled.

    • Cleared, then Unmapped UNIX User Access is disabled.

  4. In the NFS Advanced Sharing dialog box, click OK.

  5. In the <target_folder> Properties dialog box, click Close.

Share and Storage Management

  1. Start Share and Storage Management.

  2. In the Share and Storage Management console, in the details pane, click the Shares tab, and then click <share_name> (where share_name is the name of the NFS share).

  3. In the Actions pane, click Properties.

    The <share_name> Properties dialog box displays.

  4. In the <share_name> Properties dialog box, on the NFS Authentication tab, select the Enable unmapped user access check box.

  5. On the NFS Authentication tab, click Allow unmapped UNIX user access.

  6. In the <share_name> Properties dialog box, on the NFS Authentication tab, if the Allow unmapped UNIX user access option button is:

    • Selected, then Unmapped UNIX User Access is enabled.

    • Cleared, then Unmapped UNIX User Access is disabled.

  7. In the <share_name> Properties dialog box, click OK.

  8. Close the Share and Storage Management console.

Nfsshare.exe

At an elevated command prompt, type the following command and then press ENTER (where nfs_share is the name of the NFS shared folder):

Nfsshare.exe nfs_share

How to Disable Unmapped UNIX User Access

The Unmapped UNIX User Access feature is available on Windows Server 2008 R2 or Windows Storage Server 2008 R2. You can disable Unmapped UNIX User Access by using one of the methods in the following table.

Table 16. Methods to Disable Unmapped UNIX User Access

Method

Perform these steps

Windows Explorer

  1. In Windows Explorer, go to <target_folder>, right-click it, and then click Properties (where target_folder is a folder that is an NFS share).

  2. In the <target_folder> Properties dialog box, on the NFS Sharing tab, click Manage NFS Sharing.

    The NFS Advanced Sharing dialog box displays.

  3. In the NFS Advanced Sharing dialog box, ensure that the Allow unmapped UNIX user access option button is cleared.

    You can select other configuration settings as appropriate for your solution.

  4. In the NFS Advanced Sharing dialog box, click OK.

  5. In the <target_folder> Properties dialog box, click Close.

Share and Storage Management

  1. Start Share and Storage Management.

  2. In the Share and Storage Management console, in the details pane, click the Shares tab, and then click <share_name> (where share_name is the name of the NFS share).

  3. In the Actions pane, click Properties.

    The <share_name> Properties dialog box is displayed.

  4. In the <share_name> Properties dialog box, on the NFS Authentication tab, ensure that the Allow unmapped UNIX user access option button is cleared.

    You can select other configuration settings as appropriate for your solution.

  5. In the <share_name> Properties dialog box, click OK.

  6. Close the Share and Storage Management console.

Nfsshare.exe

At an elevated command prompt, type the following command and then press Enter (where nfs_share is the name of the NFS shared folder):

Nfsshare.exe nfs_share -o unmapped=no

Server for NFS Resource Management Tasks

Manage NFS resource access to ensure the appropriate users have access to the files and folders that are accessed through an NFS share. Manage access to NFS shares using the following tasks:

  • Assign access when creating an NFS share as described in Provision an NFS Share.

  • Manage access to an existing NFS share as described in Manage User and Group Access to an NFS Share.

  • View the current access to an existing NFS share as described in View User and Group Access to an NFS Share.

Provision an NFS Share

You can create an NFS share by using one of the following methods:

  • The NFS Sharing tab in the folder properties in Windows Explorer as described in the section "To create a shared resource using the Windows interface" in Create an NFS Shared Network Resource.

  • The Nfsshare.exe tool as described in the section "To create a shared resource using the command prompt" in Create an NFS Shared Network Resource.

  • The Provision a Shared Folder Wizard in the Share and Storage Management console as described in Share a Resource.

Note

Ensure that you set the appropriate user and group access to the NFS share as described in Manage User and Group Access to an NFS Share.

Manage User and Group Access to an NFS Share

You can manage user and group access to an NFS share by managing the:

View User and Group Access to an NFS Share

You can view user and group access to an NFS share by using one of the following methods:

  • The NFS Sharing tab in the folder properties in Windows Explorer as described in the "To create a shared resource using the Windows interface" section in Create an NFS Shared Network Resource.

  • The Nfsshare.exe tool as described in the "To create a shared resource using the command prompt" section in Create an NFS Shared Network Resource.

  • The Provision a Shared Folder Wizard in the Share and Storage Management console as described in Share a Resource.

Using Nfsfile.exe to Manage User and Group Access

Nfsfile.exe is a command-line tool, included in Windows Server 2008 R2 and Windows Storage Server 2008 R2, that allows you to manage files that are created on a share with Unmapped UNIX User Access enabled. You can use Nfsfile.exe to view and manage the permissions assigned to NFS shares using UNIX-like mode bits. You can also use Nfsfile.exe to convert the custom SIDs created by Unmapped UNIX User Access to the mapped SIDs (regular Windows SIDs) used by a mapped user access method.

Nfsfile.exe Syntax

You can view the command line parameters for Nfsfile.exe by typing nfsfile.exe /? at an elevated command prompt and then pressing ENTER, as shown in the following example:

C:\Users\Administrator>nfsfile.exe /?
Manipulates attributes of Services for NFS files.

NFSFILE [/v] [/s] [/i[[u=<uid>]|[g=<gid>]|[wu=<account>]|[wg=<account>]]]
        [/r[[u=<uid>]|[g=<gid>]|[m=<mode>]]] [/c[w|x]] <filespec>

/? - this message
/v - verbose
/s - scan sub-directories for matching files
/i - include files matching the specified criteria
        u <uid> - NFS owner SID matches <uid>
        g <gid> - NFS group SID matches <gid>
        wu <account> - NFS owner SID matches <account>
        wg <account> - NFS group SID matches <account>
/r - replace specified option on file
        u <uid> - set uid
        g <gid> - set gid
        m <mode> - set modebits to <mode>
        wu <account> - Set Windows Owner account
        wg <account> - Set Windows Group account
/c - convert the file according to
        w - Windows style ACL (Mapped)
        x - Unix Style ACL (Unmapped)

The following sections include a more detailed description of each parameter.

/? Parameter

This parameter displays the syntax of Nfsfile.exe. No other parameters are required. An example of this parameter is shown in the previous Nfsfile.exe Syntax section in this document.

filespec Parameter

This parameter specifies the target files for the command and can include the "*" and "?" wildcard characters.

The following example shows sample output when the filespec parameter uses wildcard characters:

C:\SharedFolders>nfsfile.exe /s /v /cw *.*
Start to process '*.*'...

Modified file: C:\SharedFolders\NFS_Share_01.
Modified file: C:\SharedFolders\NFS_Share_01\test_file.txt.

Successfully processed 2 files; Failed processing 0 files

The following example shows sample output when the Test_File.txt file name is specified:

C:\SharedFolders\NFS_Share_01>nfsfile.exe /s /v Test_File.txt
Start to process 'Test_File.txt'...

W -rwxr-xr-x <0755>  NFS\user02  NFS\Domain Users  C:\SharedFolders\NFS_Share_01
\test_file.txt

Successfully processed 1 files; Failed processing 0 files

/v Parameter

This parameter displays verbose information about assigning access to the files specified in the filespec parameter.

The following example shows sample output without the /v parameter:

C:\SharedFolders>nfsfile.exe /s /cw *.*
Start to process '*.*'...

Successfully processed 2 files; Failed processing 0 files

The following example shows sample output with the /v parameter:

C:\SharedFolders>nfsfile.exe /s /v /cw *.*
Start to process '*.*'...

Modified file: C:\SharedFolders\NFS_Share_01.
Modified file: C:\SharedFolders\NFS_Share_01\test_file.txt.

Successfully processed 2 files; Failed processing 0 files

/s Parameter

This parameter searches sub-folders beneath the current folder for the files specified in the filespec parameter, as shown in the following example:

C:\SharedFolders>nfsfile.exe /v /s *.*
Start to process '*.*'...

W drwxr-xr-x <0755>  BUILTIN\Administrators  NFS\Domain Users  C:\SharedFolders\
NFS_Share_01
W -rwxr-xr-x <0755>  BUILTIN\Administrators  NFS\Domain Users  C:\SharedFolders\
NFS_Share_01\test_file.txt
Successfully processed 2 files; Failed processing 0 files

Note

You can also use the /i parameter to specify additional selection criteria for the values in the filespec parameter.
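The listings that nfsfile.exe prints with /v and /s, shown above, wrap long entries at 80 columns, which makes them awkward to review by eye on a large share. The following is an added example, not part of the original documentation or of Microsoft's tooling: a Windows PowerShell function that rejoins the wrapped entries, splits each one into its fields, and reports files whose mode bits grant write access to "other". The function name ConvertFrom-NfsfileListing and the sample listing are assumptions made for this example; the field layout is taken from the samples on this page.

```powershell
# Added example (hypothetical helper). Written for Windows PowerShell 2.0 and later.
function ConvertFrom-NfsfileListing {
    param([string[]]$Lines)

    # Entry layout as shown in the samples on this page:
    #   <style> <mode string> <octal>  <owner>  <group>  <path>
    $start  = '^\S [d-][rwx-]{9} <'
    $entry  = '^(?<style>\S) (?<perm>[d-][rwx-]{9}) <(?<mode>[0-7]{3,4})>  ' +
              '(?<owner>.+?)  (?<group>.+?)  (?<path>.+)$'
    $status = '^(Start to process|Successfully processed|Modified file:)'

    # The console wraps long entries at 80 columns, so rejoin fragments first.
    $records = @()
    $current = $null
    foreach ($line in ($Lines + '')) {          # trailing '' flushes the last entry
        if ($line -cmatch $start -or $line -match $status -or $line.Trim() -eq '') {
            if ($current) { $records += $current }
            $current = $null
            if ($line -cmatch $start) { $current = $line }
        } elseif ($current) {
            $current += $line                   # continuation of a wrapped entry
        }
    }

    foreach ($record in $records) {
        if ($record -cmatch $entry) {
            $bits = [Convert]::ToInt32($Matches['mode'], 8)
            New-Object PSObject -Property @{
                Style         = $Matches['style']
                Mode          = $Matches['mode']
                Owner         = $Matches['owner']
                Group         = $Matches['group']
                Path          = $Matches['path']
                WorldWritable = (($bits -band 2) -ne 0)   # "other" write bit set
            }
        }
    }
}

# Constructed sample in the format of the listings on this page (not real output).
$sample = @'
Start to process '*.*'...

W drwxr-xr-x <0755>  BUILTIN\Administrators  NFS\Domain Users  C:\SharedFolders\
NFS_Share_01
W -rwxrwxrwx <0777>  NFS\user02  NFS\Domain Users  C:\SharedFolders\NFS_Share_01
\upload.tmp
Successfully processed 2 files; Failed processing 0 files
'@ -split '\r?\n'

ConvertFrom-NfsfileListing $sample |
    Where-Object { $_.WorldWritable } |
    Select-Object Mode, Owner, Group, Path
```

On a server, pass the live listing instead of the sample, for example ConvertFrom-NfsfileListing (nfsfile.exe /v /s *.*), run from the shared folder.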

/i Parameter

This parameter allows you to filter the files by user or group identity, using the options in the following table.

Table 17. Options for the /i Parameter

Option

Description

u

Only returns files that are owned by the UID specified with this option.

In the following example, only files that are owned by the user with a UID of "101" are returned:

nfsfile.exe /v /s /i u=101 *.*

g

Only returns files that have the primary group of the GID specified with this option.

In the following example, only files that have the primary group with a GID of "401" are returned:

nfsfile.exe /v /s /i g=401 *.*

wu

Only returns files that are owned by the user specified with this option.

In the following example, only files that are owned by the user "user01" are returned:

nfsfile.exe /v /s /i wu=user01 *.*

wg

Only returns files that have the primary group specified with this option.

In the following example, only files that have the primary group of "group01" are returned:

nfsfile.exe /v /s /i wg=group01 *.*

/r Parameter

This parameter allows you to set (replace) the owner and primary group for a file or folder and to specify the access permissions based on the standard UNIX file access mode permissions, such as those configured by the UNIX chmod command.

Table 18. Options for the /r Parameter

Note

Option

In the following example, the user with a UID of "101" is configured as the owner of the Test_File.txt file:

nfsfile.exe /v /s /r u=101 /cx Test_File.txt

g

Sets the primary group of the file to the GID specified with this option. You can also use this option in conjunction with the u and m options.

In the following example, the primary group with a GID of "401" is configured as the primary group of the Test_File.txt file:

nfsfile.exe /v /s /r g=401 /cx Test_File.txt

m

Specifies the access permissions to a file using the standard UNIX file access mode permissions. You can use this option with either the:

  • u and the g options to specify the owner and group using a UID and GID.

  • wu and wg options to specify owner and group using the owner and group name respectively. The owner and group accounts can be domain accounts or local accounts.

In the following example, the UNIX file access mode permissions are set to "755" on the Test_File.txt file:

nfsfile.exe /v /s /r m=755 /cx Test_File.txt

wu

Sets the owner of the file based on the user specified with this option. You can use this option in conjunction with the wg and m options.

In the following example, the user "user01" is configured as the owner of the Test_File.txt file:

nfsfile.exe /v /s /r wu=user01 /cw Test_File.txt

wg

Sets the primary group of the file based on the group specified with this option. You can use this option in conjunction with the wu and m options.

In the following example, the primary group "group01" is configured as the primary group of the Test_File.txt file:

nfsfile.exe /v /s /r wg=group01 /cw Test_File.txt

/cw Parameter

This parameter converts a file that was created using Unmapped UNIX User Access to a file that uses mapped UNIX user access.

/cx Parameter

This parameter converts a file that was created using mapped UNIX user access to a file that uses Unmapped UNIX User Access.