This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.

Bias Analysis

Bias Types:
⚠️ powershell_heavy
⚠️ windows_first
⚠️ windows_tools
⚠️ missing_linux_example
Summary:
The documentation demonstrates a Windows bias by providing only Windows/PowerShell command examples (e.g., Get-ADUser, Set-ADUser), referencing Windows-specific tools and policies (such as Group Policy, registry keys, and Windows security policy settings), and omitting equivalent Linux/Unix commands or procedures for managing Active Directory integration. Windows terminology and tools are consistently mentioned first or exclusively, with little to no guidance for Linux administrators, despite the relevance of NFS and dual-protocol volumes.
Recommendations:
  • Provide equivalent Linux/Unix command examples for managing Active Directory integration, such as using 'adcli', 'realm', or 'ldapmodify' for Kerberos and LDAP configuration.
  • Include instructions or references for configuring Kerberos encryption types and LDAP settings on Linux clients and servers.
  • Balance the documentation by presenting both Windows and Linux procedures side by side, especially in sections relevant to NFS and dual-protocol volumes.
  • Reference Linux tools (e.g., sssd, krb5.conf, nsswitch.conf) and describe how to configure them for Azure NetApp Files Active Directory integration.
  • Clarify when certain steps or tools are Windows-only and provide alternative steps for Linux environments.
  • Add troubleshooting tips and best practices for Linux-based environments, particularly for Kerberos, LDAP, and NFS integration.

Scan History

| Date | Scan ID | Status | Bias Status |
|---|---|---|---|
| 2025-07-12 23:44 | #41 | in_progress | ❌ Biased |
| 2025-07-12 00:58 | #8 | cancelled | ✅ Clean |
| 2025-07-10 05:06 | #7 | processing | ✅ Clean |

Flagged Code Snippets

You can also use [Azure CLI commands](/cli/azure/feature) `az feature register` and `az feature show` to register the feature and display the registration status.

* <a name="backup-policy-users"></a> **Backup policy users**

    This option grants additional security privileges to AD DS domain users or groups that require elevated backup privileges to support backup, restore, and migration workflows in Azure NetApp Files. The specified AD DS user accounts or groups will have elevated NTFS permissions at the file or folder level.

    ![Screenshot of the Backup policy users field showing an empty text input field.](./media/create-active-directory-connections/active-directory-backup-policy-users.png)

    The following privileges apply when you use the **Backup policy users** setting:

    | Privilege | Description |
    |---|---|
    | `SeBackupPrivilege` | Back up files and directories, overriding any ACLs. |
    | `SeRestorePrivilege` | Restore files and directories, overriding any ACLs. <br> Set any valid user or group SID as the file owner. |
    | `SeChangeNotifyPrivilege` | Bypass traverse checking. <br> Users with this privilege aren't required to have traverse (`x`) permissions to traverse folders or symlinks. |

* **Security privilege users** <!-- SMB CA share feature -->

    This option grants security privilege (`SeSecurityPrivilege`) to AD DS domain users or groups that require elevated privileges to access Azure NetApp Files volumes. The specified AD DS users or groups will be allowed to perform certain actions on SMB shares that require security privilege not assigned by default to domain users.

    ![Screenshot showing the Security privilege users box of Active Directory connections window.](./media/create-active-directory-connections/security-privilege-users.png)

    The following privilege applies when you use the **Security privilege users** setting:

    | Privilege | Description |
    |---|---|
    | `SeSecurityPrivilege` | Manage log operations. |

    This feature is used for installing SQL Server in certain scenarios where a non-administrator AD DS domain account must temporarily be granted elevated security privilege.

    >[!NOTE]
    > Using the Security privilege users feature relies on the [SMB Continuous Availability Shares feature](azure-netapp-files-create-volumes-smb.md#continuous-availability). SMB Continuous Availability is **not** supported on custom applications. It's only supported for workloads using Citrix App Layering, [FSLogix user profile containers](/azure/virtual-desktop/create-fslogix-profile-container), and Microsoft SQL Server (not Linux SQL Server).

    > [!IMPORTANT]
    > Using the **Security privilege users** feature requires that you submit a waitlist request through the **[Azure NetApp Files SMB Continuous Availability Shares Public Preview waitlist submission page](https://aka.ms/anfsmbcasharespreviewsignup)**. Wait for an official confirmation email from the Azure NetApp Files team before using this feature.
    >
    > This feature is optional and supported only with SQL Server. The AD DS domain account used for installing SQL Server must already exist before you add it to the **Security privilege users** option. When you add the SQL Server installer account to the **Security privilege users** option, the Azure NetApp Files service might validate the account by contacting an AD DS domain controller. This action might fail if Azure NetApp Files can't contact the AD DS domain controller.

    For more information about `SeSecurityPrivilege` and SQL Server, see [SQL Server installation fails if the Setup account doesn't have certain user rights](/troubleshoot/sql/install/installation-fails-if-remove-user-right).

* <a name="administrators-privilege-users"></a>**Administrators privilege users**

    This option grants additional security privileges to AD DS domain users or groups that require elevated privileges to access the Azure NetApp Files volumes. The specified accounts will have elevated permissions at the file or folder level.

    >[!NOTE]
    >The domain admins are automatically added to the Administrators privilege users group.

    ![Screenshot that shows the Administrators box of Active Directory connections window.](./media/create-active-directory-connections/active-directory-administrators.png)

    >[!NOTE]
    >This privilege is useful for data migrations.

    The following privileges apply when you use the **Administrators privilege users** setting:

    | Privilege | Description |
    |---|---|
    | `SeBackupPrivilege` | Back up files and directories, overriding any ACLs. |
    | `SeRestorePrivilege` | Restore files and directories, overriding any ACLs. <br> Set any valid user or group SID as the file owner. |
    | `SeChangeNotifyPrivilege` | Bypass traverse checking. <br> Users with this privilege aren't required to have traverse (`x`) permissions to traverse folders or symlinks. |
    | `SeTakeOwnershipPrivilege` | Take ownership of files or other objects. |
    | `SeSecurityPrivilege` | Manage log operations. |

* Credentials, including your **username** and **password**

    ![Screenshot that shows Active Directory credentials fields showing username, password and confirm password fields.](./media/create-active-directory-connections/active-directory-credentials.png)

    >[!IMPORTANT]
    >Although Active Directory supports 256-character passwords, Active Directory passwords with Azure NetApp Files **cannot** exceed 64 characters.

3. Select **Join**.

    The Active Directory connection you created appears.

    ![Screenshot of the Active Directory connections menu showing a successfully created connection.](./media/create-active-directory-connections/azure-netapp-files-active-directory-connections-created.png)

## <a name="multi-ad"></a> Create one Active Directory connection per NetApp account

The current default behavior of Azure NetApp Files supports one AD connection per subscription and region. By enabling this feature, you modify behavior so that each NetApp account within an Azure subscription can have its own AD connection. When this feature is enabled, _newly created_ NetApp accounts maintain their own AD connection.

Once configured, the AD connection of the NetApp account is used when you create an [SMB volume](azure-netapp-files-create-volumes-smb.md), an [NFSv4.1 Kerberos volume](configure-kerberos-encryption.md), or a [dual-protocol volume](create-volumes-dual-protocol.md). That means Azure NetApp Files supports more than one AD connection per Azure subscription when multiple NetApp accounts are used.

>[!NOTE]
>If a subscription has both this feature and the [Shared Active Directory](#shared_ad) feature enabled, its existing accounts still share the AD configuration. Any new NetApp accounts created on the subscription can use their own AD configurations. You can confirm your configuration in your account overview page in the [AD type](#netapp-accounts-and-active-directory-type) field.

>[!IMPORTANT]
>The scope of each AD configuration is limited to its parent NetApp account.

### Register the feature

The ability to create one AD connection per NetApp account is generally available. You need to register the feature before using it for the first time. After registration, the feature is enabled and works in the background.

1. Register the feature:

Get-ADUser -Identity <ANF AD connection account username>
Set-ADUser -Identity <ANF AD connection account username> -KerberosEncryptionType <encryption_type>