Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

How to use the Cluster.exe command to modify the Security Descriptor object on Windows 2000 and Windows Server 2003 clusters


Introduction

This article describes how to use the Cluster.exe command to update the list of users and groups who can administer the cluster. You can configure permissions for particular users to administer a cluster by modifying the security descriptor properties on Microsoft Windows 2000 and Microsoft Windows Server 2003 cluster objects. This access control operation does not affect the security on resources, but it does define who can administer the server cluster.

Note Access to the server cluster must be Full Control for Cluster.exe and Cluster Administrator to operate properly.


More information

Cluster.exe is a command-line tool for administering clusters. The security descriptor for a cluster is a data structure that contains security information that is associated with that cluster. A security descriptor for a cluster typically includes the following information:
  • An owner security identifier (SID) -- the account that owns the object.
  • A primary group SID -- the account or the group that can access the object.
  • A discretionary access control list (DACL) -- the feature that controls access to the object.
  • A system access control list (SACL) -- the feature that logs attempts to access a secured object.
Cluster-aware programs or cluster-aware services can query or add information that is stored in the cluster security descriptor.

When you use the Cluster.exe command to modify the permissions on a cluster, you also modify the security descriptor properties of that same cluster. The security descriptor properties store the Windows 2000 and the Windows Server 2003 access permission details, including information about who owns the object, who can access the object and by what method, and what types of access are audited.

The following syntax permits you to modify cluster permissions by using the properties parameter (/prop) of the Cluster.exe command:
Cluster ClusterName /prop "security descriptor"=DOMAIN\USER,grant,f:security
Note ClusterName is the name of the cluster that you want to add users to.

Access types include grant, deny, set, and revoke. An access mask is required for the grant, the deny, and the set types. Access masks include R for read, C for change, and F for full control.

You can use the Cluster.exe command to modify the security descriptor object in Windows 2000 and Windows Server 2003 clusters by using the following sample command lines:
  • Cluster clustername /prop "security descriptor"=domain\user,grant,f:security
    This command line grants the domain user account full access to the clustered object.
  • Cluster clustername /prop "security descriptor"=domain\user,revoke:security
    This command line revokes the domain user account security permissions for the clustered object.
  • Cluster clustername /prop "security descriptor"=domain\user,deny,f:security
    This command line explicitly denies access to the security descriptor for the domain user account on the cluster.
  • Cluster clustername /prop "security descriptor"=domain\user,set,f:security
    This command line sets the access level to Full control for the domain user account on the clustered object.
Note When you run the Cluster.exe command from one of the cluster nodes, you can use a period instead of the cluster name to designate the local cluster service, as in the following example:
Cluster . /prop "security descriptor"=DOMAIN\USER,grant,f:security
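The syntax rules above, turned into a checker as an added example (not from the KB article or from Microsoft): the hypothetical PowerShell function New-ClusterAclCommand validates one planned change and returns the Cluster.exe command line as text for review, without running it. The EXAMPLE\ accounts are constructed placeholders, and the character checks on names are a conservative assumption.

```powershell
# Added example, not from the KB article. Function name, validation rules and
# sample accounts are assumptions made for illustration.
function New-ClusterAclCommand {
    param(
        [Parameter(Mandatory = $true)][string]$Cluster,     # cluster name, or "." for the local cluster service
        [Parameter(Mandatory = $true)][string]$Principal,   # DOMAIN\USER
        [Parameter(Mandatory = $true)][string]$AccessType,  # grant, deny, set or revoke
        [string]$Mask                                       # R, C or F
    )
    $type = $AccessType.ToLower()
    if (@('grant', 'deny', 'set', 'revoke') -notcontains $type) {
        throw "unknown access type '$AccessType'"
    }
    # Conservative check: one backslash, nothing that could split the property value.
    if ($Principal -notmatch '^[^\\,:="\s]+\\[^\\,:="\s]+$') {
        throw "principal is not in DOMAIN\USER form"
    }
    if ($Cluster -notmatch '^[^\s"]+$') { throw "cluster name contains whitespace or quotes" }

    if ($type -eq 'revoke') {
        # The article's revoke form carries no access mask.
        if ($Mask) { throw "revoke is written without an access mask" }
        $ace = "$Principal,revoke"
    } else {
        if (-not $Mask) { throw "'$type' requires an access mask (R, C or F)" }
        $m = $Mask.ToLower()
        if (@('r', 'c', 'f') -notcontains $m) { throw "unknown access mask '$Mask'" }
        if ($type -ne 'deny' -and $m -ne 'f') {
            # Per the article's note, the admin tools need Full Control.
            Write-Warning "$Principal gets '$m': Cluster.exe and Cluster Administrator need Full Control"
        }
        $ace = "$Principal,$type,$m"
    }
    # Emit the command line as text for review; nothing is executed here.
    'cluster {0} /prop "security descriptor"={1}:security' -f $Cluster, $ace
}

# Constructed change list; the last entry is deliberately invalid (deny without a mask).
$changes = @(
    @{ Principal = 'EXAMPLE\clusteradmin'; AccessType = 'grant'; Mask = 'F' },
    @{ Principal = 'EXAMPLE\olduser';      AccessType = 'revoke' },
    @{ Principal = 'EXAMPLE\auditor';      AccessType = 'grant'; Mask = 'R' },
    @{ Principal = 'EXAMPLE\contractor';   AccessType = 'deny' }
)
foreach ($c in $changes) {
    try   { New-ClusterAclCommand -Cluster '.' @c }
    catch { Write-Warning "Skipped $($c.Principal): $_" }
}
```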
For more information about the cluster command and the switches that can be used with Cluster.exe, visit the following Microsoft Web site:

Keywords: KB828289, kbinfo, kbclustering

Article Info
Article ID : 828289
Revision : 5
Created on : 10/30/2006
Published on : 10/30/2006
Exists online : False