3.8. The "AFS Client Admins" Authorization Group

The OpenAFS for Windows client supports a local Windows authorization group named "AFS Client Admins". This group is used in place of the "Administrators" group to determine which users are allowed to modify the AFS Client Service configuration via the AFS Control Panel (afs_config.exe) or the fs.exe command-line tool. The following fs.exe commands are now restricted to members of the "AFS Client Admins" group:

  • checkservers with a non-zero timer value

  • setcachesize

  • newcell

  • sysname with a new sysname list

  • exportafs

  • setcell

  • setserverprefs

  • storebehind

  • setcrypt

  • cscpolicy

  • trace

  • minidump

The creation or removal of mount points and symlinks in the Freelance "root.afs" volume is also restricted to members of the "AFS Client Admins" group.

The initial membership of the "AFS Client Admins" group when created by the installer is equivalent to the local "Administrators" group. If a user is added to the "Administrators" group after the creation of the "AFS Client Admins" group, that user will not be an AFS Client Administrator. Only users that are members of the "AFS Client Admins" group are AFS Client Administrators. The local "SYSTEM" account is an implicit member of the "AFS Client Admins" group.
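Because the two groups are populated identically only at install time, their memberships can drift apart afterwards. The following PowerShell script is an added example, not part of the OpenAFS distribution or its documentation, that reports the difference between them. The function name Compare-AfsAdminMembership is hypothetical; Get-LocalGroupMember is the standard cmdlet from the Microsoft.PowerShell.LocalAccounts module.

```powershell
# Added example: report drift between local "Administrators" and "AFS Client Admins".
# Compares only the direct members returned by Get-LocalGroupMember; nested
# domain groups are not expanded. SYSTEM is an implicit AFS Client Admin per
# the text above, so it is not expected to appear in the group listing.

function Compare-AfsAdminMembership {
    param(
        [object[]]$Administrators,    # members of the local Administrators group
        [object[]]$AfsClientAdmins    # members of the "AFS Client Admins" group
    )

    # Compare by SID, not by name, so renamed accounts still match.
    $adminSids = @(foreach ($m in $Administrators)  { $m.SID.ToString() })
    $afsSids   = @(foreach ($m in $AfsClientAdmins) { $m.SID.ToString() })

    foreach ($m in $Administrators) {
        if ($afsSids -notcontains $m.SID.ToString()) {
            [pscustomobject]@{
                Name    = $m.Name
                SID     = $m.SID.ToString()
                Finding = 'Administrators only: not an AFS Client Administrator'
            }
        }
    }
    foreach ($m in $AfsClientAdmins) {
        if ($adminSids -notcontains $m.SID.ToString()) {
            [pscustomobject]@{
                Name    = $m.Name
                SID     = $m.SID.ToString()
                Finding = 'AFS Client Admins only: review whether this delegation is intended'
            }
        }
    }
}

# Resolve Administrators by its well-known SID so localized group names work.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
$afs    = Get-LocalGroupMember -Group 'AFS Client Admins' -ErrorAction Stop

Compare-AfsAdminMembership -Administrators $admins -AfsClientAdmins $afs |
    Format-Table -AutoSize
```

An empty result means the direct memberships of the two groups match.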

Setting the default sysname for a machine should be done via the SysName registry value and not via "fs sysname".