How do you implement access control for Windows clients using Active Directory in ONTAP?

• A. Join the SVM to AD, configure SMB shares with ACLs, and optionally use LDAP/AD for authentication and group mapping
• B. Only use local user accounts; AD integration is not supported
• C. Use only NFS exports; SMB shares do not require AD
• D. Disable ACLs and use broad access to shares for simplicity

Answer: (A)

To control Windows access effectively, you integrate the SVM with Active Directory. Joining the SVM to AD lets the SMB service authenticate Windows users against AD and perform group resolution, so permissions can be assigned based on user and group identities defined in the domain. Applying Windows-style ACLs on SMB shares then enforces who can read, write, or manage each share, based on those identities.

Using LDAP/AD as an authentication backend and for group mapping further centralizes identity management, making it possible to map AD groups to file permissions and keep user lifecycles in sync with the directory service. This approach mirrors how Windows expects authentication and authorization to work in a domain, giving you scalable, centralized control.

Other options fall short for Windows access: relying only on local accounts lacks domain-wide authentication; using only NFS ignores Windows authentication and access control; and disabling ACLs eliminates the granular permissions Windows users rely on.