Cluster.exe is a command-line tool for administering clusters. The security descriptor for a cluster is a data structure that contains security information that is associated with that cluster. A security descriptor for a cluster typically includes the following information:
- An owner security identifier (SID) -- the account that owns the object.
- A primary group SID -- the account or the group that can access the object.
- A discretionary access control list (DACL) -- the feature that controls access to the object.
- A system access control list (SACL) -- the feature that logs attempts to access a secured object.
Cluster-aware programs or cluster-aware services can query or add information that is stored in the cluster security descriptor.
When you use the Cluster.exe command to modify the permissions on a cluster, you also modify the security descriptor properties of that same cluster. The security descriptor properties store the Windows 2000 and the Windows Server 2003 access permission details, including information about who owns the object, who can access the object and by what method, and what types of access are audited.
The following syntax permits you to modify cluster permissions by using the properties parameter (/prop) of the Cluster.exe command:
Cluster ClusterName /prop "security descriptor"=DOMAIN\USER,grant,f:security
Note ClusterName is the name of the cluster that you want to add users to.
Access types include grant, deny, set, and revoke. An access mask is required for the grant, the deny, and the set types. Access masks include R for read, C for change, and F for full control.
You can use the Cluster.exe command to modify the security descriptor object in Windows 2000 and Windows Server 2003 clusters by using the following sample command lines:
- Cluster clustername /prop "security descriptor"=domain\user,grant,f:security
  This command line grants the domain user account full access to the clustered object.
- Cluster clustername /prop "security descriptor"=domain\user,revoke:security
  This command line revokes the domain user account security permissions for the clustered object.
- Cluster clustername /prop "security descriptor"=domain\user,deny,f:security
  This command line explicitly denies access to the security descriptor for the domain user account on the cluster.
- Cluster clustername /prop "security descriptor"=domain\user,set,f:security
  This command line sets the access level to Full control for the domain user account on the clustered object.
Note When you run the Cluster.exe command from one of the cluster nodes, you can use a period instead of the cluster name to designate the local cluster service, as in the following example:
Cluster . /prop "security descriptor"=DOMAIN\USER,grant,f:security
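The following Python example is added here and is not from the original article or from Microsoft's tooling. It parses command lines of the form shown above, applies the article's access type and mask rules, and separates valid permission changes from malformed ones, which is useful when reviewing scripts or command logs for changes to a cluster's security descriptor. The function names, the `grants_full_control` flag and the CONTOSO sample lines are constructed for illustration.

```python
import re

# Rules from the article: grant, deny and set require a mask of R, C or F.
# Quotes around the property name are optional so unquoted entries also match.
MASKS = {"r": "read", "c": "change", "f": "full control"}
NEEDS_MASK = {"grant", "deny", "set"}
PATTERN = re.compile(
    r'''^\s*cluster(?:\.exe)?\s+(?P<cluster>\S+)\s+/prop\s+
        "?security\ descriptor"?\s*=\s*
        (?P<account>[^,]+),(?P<access>[a-z]+)(?:,(?P<mask>[a-z]))?:security\s*$''',
    re.IGNORECASE | re.VERBOSE)

def parse_sd_change(cmdline):
    """Dict for a descriptor change, None for other lines, ValueError if malformed."""
    m = PATTERN.match(cmdline)
    if m is None:
        return None
    access = m["access"].lower()
    mask = m["mask"].lower() if m["mask"] else None
    if access not in NEEDS_MASK | {"revoke"}:
        raise ValueError(f"unknown access type: {access}")
    if access in NEEDS_MASK and mask not in MASKS:
        raise ValueError(f"{access} requires an access mask of R, C or F")
    return {
        "cluster": "(local)" if m["cluster"] == "." else m["cluster"],
        "account": m["account"].strip(),
        "access": access,
        "mask": MASKS.get(mask),
        "grants_full_control": access in {"grant", "set"} and mask == "f",
    }

def audit(lines):
    """Return (changes, malformed) for the lines that touch the descriptor."""
    changes, malformed = [], []
    for line in lines:
        try:
            rec = parse_sd_change(line)
            if rec:
                changes.append(rec)
        except ValueError as exc:
            malformed.append((line, str(exc)))
    return changes, malformed

# Constructed sample lines, as they might appear in a script or command log.
SAMPLE = [
    r'Cluster CLUSTER1 /prop "security descriptor"=CONTOSO\svc-backup,grant,f:security',
    r'cluster . /prop "security descriptor"=CONTOSO\jdoe,revoke:security',
    r'cluster CLUSTER1 /prop security descriptor=CONTOSO\ops,grant:security',
]
```

Calling `audit(SAMPLE)` returns two parsed changes and one malformed entry (the grant with no access mask).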
For more information about the cluster command and the switches that can be used with Cluster.exe, visit the following Microsoft Web site: