

# Setting up an SMB server in a workgroup
<a name="smb-server-workgroup-setup"></a>

You can configure a Server Message Block (SMB) server in a workgroup as an alternative to joining an [SVM to a Microsoft Active Directory](ad-integration-ontap.md) when the Microsoft Active Directory domain infrastructure is not available. A workgroup is a peer-to-peer network that uses the SMB protocol, and has only local accounts and groups.

The process of setting up an SMB server as a member in a workgroup consists of the following:
+ Creating the SMB server on a storage virtual machine (SVM).
+ Creating local users and groups.
+ Adding local users or groups as members of the workgroup.

Keep in mind that SMB servers in workgroup mode do not support the following SMB features:
+ SMB3 Witness protocol
+ SMB3 CA shares
+ SQL over SMB
+ Folder Redirection
+ Roaming Profiles
+ Group Policy Object (GPO)
+ Volume Snapshot Service (VSS)

Also, an SMB server in workgroup mode supports only NTLM authentication and does not support Kerberos authentication.

The following procedures take you through the process of setting up an SMB server on an SVM in a workgroup, creating local accounts, and adding these accounts to the workgroup membership. You will use the NetApp ONTAP CLI from either the file system or SVM management interface to implement these procedures. For more information, see [Using the NetApp ONTAP CLI](managing-resources-ontap-apps.md#netapp-ontap-cli).

**Topics**
+ [Creating an SMB server in a workgroup](create-smb-server-workgroup.md)
+ [Creating a local user account on the SMB server](smb-workgroup-create-local-accounts.md)
+ [Creating local groups on the SMB server](smb-workgroup-create-local-groups.md)
+ [Adding local users to the local group](smb-workgroup-add-users-to-group.md)

# Creating an SMB server in a workgroup
<a name="create-smb-server-workgroup"></a>

You can use the [vserver cifs create](https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-create.html) ONTAP CLI command to create an SMB server on the SVM and specify the workgroup to which it belongs.

## Before you begin
<a name="before-you-begin-smb-create"></a>

The SVM and volumes (and interfaces) that you are using to serve data must have been configured to allow the SMB protocol.

The LIFs must be able to connect to the DNS servers that are configured on the SVM. A CIFS license may be required on the file system; however, a CIFS license is not required if the SMB server will be used for authentication only.

**To create an SMB server in a workgroup**

1. To access the ONTAP CLI, establish an SSH session on the management port of the Amazon FSx for NetApp ONTAP file system or SVM by running the following command. Replace `management_endpoint_ip` with the IP address of the file system's management port.

   ```
   [~]$ ssh fsxadmin@management_endpoint_ip
   ```

   For more information, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli). 

1. Create the SMB server in a workgroup:

   ```
   FSxIdabcde123456::> vserver cifs create -vserver vserver_name -cifs-server cifs_server_name -workgroup workgroup_name [-comment workgroup_description]
   ```

   The following command creates the SMB server `smb_server01` in the workgroup `workgroup01`:

   ```
   FSxIdabcde123456::> vserver cifs create -vserver svm1 -cifs-server SMB_SERVER01 -workgroup workgroup01
   ```

   If you are connected to the management port of the SVM, you do not need to specify `-vserver`.

1. Verify the SMB server configuration by using the `vserver cifs show` command.

   In the following example, the command output shows that an SMB server named `smb_server01` was created on SVM `svm1` in the workgroup `workgroup01`:

   ```
   FSxIdabcde123456::> vserver cifs show -vserver svm1
   
                                                  Vserver: svm1
                                 CIFS Server NetBIOS Name: SMB_SERVER01
                             NetBIOS Domain/Workgroup Name: workgroup01
                              Fully Qualified Domain Name: -
                                      Organizational Unit: -
        Default Site Used by LIFs Without Site Membership: -
                                           Workgroup Name: workgroup01
                                     Authentication Style: workgroup
                        CIFS Server Administrative Status: up
                                  CIFS Server Description:
                                  List of NetBIOS Aliases: -
   ```

# Creating a local user account on the SMB server
<a name="smb-workgroup-create-local-accounts"></a>

You can create a local user account that can be used to authorize access to data contained in the SVM over an SMB connection. You can also use local user accounts for authentication when creating an SMB session. Local user functionality is enabled by default when the SVM is created. When you create a local user account, you must specify a user name and you must specify the SVM with which to associate the account.

**To create local user accounts on the SMB server**

1. Create the local user using the [vserver cifs users-and-groups local-user create](https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-users-and-groups-local-user-create.html) ONTAP CLI command:

   ```
   vserver cifs users-and-groups local-user create -vserver svm_name -user-name user_name optional_parameters
   ```

   The following optional parameters might be useful:
   + `-full-name` – The user's full name.
   + `-description` – A description for the local user.
   + `-is-account-disabled {true|false}` – Specifies whether the user account is enabled or disabled. If this parameter is not specified, the default is to enable the user account.

   The command prompts for the local user's password.

1. Enter a password for the local user, and then confirm the password.

1. Verify that the user was successfully created:

   ```
   vserver cifs users-and-groups local-user show -vserver svm_name
   ```

The following example creates a local user `SMB_SERVER01\sue`, with a full name `Sue Chang`, associated with SVM `svm1`:

```
FSxIdabcde123456::> vserver cifs users-and-groups local-user create -vserver svm1 -user-name SMB_SERVER01\sue -full-name "Sue Chang"

Enter the password:
Confirm the password:
```

```
FSxIdabcde123456::> vserver cifs users-and-groups local-user show
Vserver  User Name                  Full Name  Description
-------- -------------------------- ---------- -------------
svm1     SMB_SERVER01\Administrator            Built-in administrator account
svm1     SMB_SERVER01\sue           Sue Chang
```

# Creating local groups on the SMB server
<a name="smb-workgroup-create-local-groups"></a>

You can create local groups that can be used for authorizing access to data associated with the SVM over an SMB connection. You can also assign privileges that define what user rights or capabilities a member of the group has.

Local group functionality is enabled by default when the SVM is created. When you create a local group, you must specify a name for the group and you must specify the SVM with which to associate the group. You can specify a group name with or without the local domain name, and you can optionally specify a description for the local group. You cannot add a local group to another local group.

**To create a local group on the SMB server**

1. Create the local group using the [vserver cifs users-and-groups local-group create](https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-users-and-groups-local-group-create.html) ONTAP CLI command.

   ```
   vserver cifs users-and-groups local-group create -vserver svm_name -group-name group_name [-description local_group_description]
   ```

   Including a description for the local group is useful.

1. Verify that the group was successfully created:

   ```
   vserver cifs users-and-groups local-group show -vserver svm_name
   ```

The following example creates a local group `SMB_SERVER01\engineering` associated with SVM `svm1`:

```
FSxIdabcde123456::> vserver cifs users-and-groups local-group create -vserver svm1 -group-name SMB_SERVER01\engineering
```

```
FSxIdabcde123456::> vserver cifs users-and-groups local-group show -vserver svm1

Vserver          Group Name                   Description
---------------- ---------------------------- ----------------------------
svm1             BUILTIN\Administrators       Built-in Administrators group
svm1             BUILTIN\Backup Operators     Backup Operators group
svm1             BUILTIN\Guests               Built-in Guests group
svm1             BUILTIN\Power Users          Restricted administrative privileges
svm1             BUILTIN\Users                All users
svm1             SMB_SERVER01\engineering
```

# Adding local users to the local group
<a name="smb-workgroup-add-users-to-group"></a>

You can manage local group membership by adding and removing local or domain users, or adding and removing domain groups. This is useful if you want to control access to data based on access controls placed on the group, or if you want users to have privileges associated with that group. If you no longer want a local user, domain user, or domain group to have access rights or privileges based on membership in a group, you can remove the member from the group.

When adding members to a local group, keep the following in mind:
+ You cannot add users to the special *Everyone* group.
+ You cannot add a local group to another local group.
+ To add a domain user or group to a local group, ONTAP must be able to resolve the name to a SID.

When removing members from a local group, keep the following in mind:
+ You cannot remove members from the special *Everyone* group.
+ To remove a member from a local group, ONTAP must be able to resolve their name to a SID.

You need to have the `fsxadmin` role to run the commands used in this procedure. For more information, see [ONTAP roles and users](roles-and-users.md).

**To manage the local group membership**
+ Add a member to or remove a member from a group using the [vserver cifs users-and-groups local-group add-members](https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-users-and-groups-local-group-add-members.html) and [vserver cifs users-and-groups local-group remove-members](https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-users-and-groups-local-group-remove-members.html) ONTAP CLI commands.
  + To add members to a workgroup:

    ```
    vserver cifs users-and-groups local-group add-members -vserver svm_name -group-name group_name -member-names name[,...]
    ```

    You can specify a comma-delimited list of local users, domain users, or domain groups to add to the specified local group.
  + To view members of a workgroup:

    ```
    vserver cifs users-and-groups local-group show-members -vserver svm_name -group-name group_name
    ```
  + To remove members from a workgroup:

    ```
    vserver cifs users-and-groups local-group remove-members -vserver svm_name -group-name group_name -member-names name[,...]
    ```

    You can specify a comma-delimited list of local users, domain users, or domain groups to remove from the specified local group.

The following example adds a local user `SMB_SERVER01\sue` to the local group `SMB_SERVER01\engineering` on SVM `svm1`:

```
FSxIdabcde123456::> vserver cifs users-and-groups local-group add-members -vserver svm1 -group-name SMB_SERVER01\engineering -member-names SMB_SERVER01\sue
```

The following example removes the local users `SMB_SERVER01\sue` and `SMB_SERVER01\james` from the local group `SMB_SERVER01\engineering` on SVM `svm1`:

```
FSxIdabcde123456::> vserver cifs users-and-groups local-group remove-members -vserver svm1 -group-name SMB_SERVER01\engineering -member-names SMB_SERVER01\sue,SMB_SERVER01\james
```

The following example lists the members of the local group `SMB_SERVER01\engineering`:

```
FsxIdabcdef01234::> vserver cifs users-and-groups local-group show-members -vserver svm1 -group-name SMB_SERVER01\engineering

           Vserver: svm1
       Domain Name: SMB_SERVER01
        Group Name: SMB_SERVER01\engineering
       Member Name: SMB_SERVER01\anita
                    SMB_SERVER01\james
                    SMB_SERVER01\liang
```
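
Because a workgroup-mode SMB server relies only on local accounts and groups, it is worth checking group membership against an approved list after every change. The following Python code is an added example, not part of the original documentation: it parses `show-members` output in the field layout shown above and reports deviations. The allow-list, the second record, and the concatenation of per-group outputs are constructed assumptions.

```python
import re
# Constructed sample (field layout as shown above); Administrators members are invented.
SAMPLE = r"""
           Vserver: svm1
       Domain Name: SMB_SERVER01
        Group Name: SMB_SERVER01\engineering
       Member Name: SMB_SERVER01\anita
                    SMB_SERVER01\james
                    SMB_SERVER01\liang

           Vserver: svm1
       Domain Name: BUILTIN
        Group Name: BUILTIN\Administrators
       Member Name: SMB_SERVER01\Administrator
                    SMB_SERVER01\sue
"""
ALLOWED = {  # hypothetical allow-list: approved members per (SVM, group)
    ("svm1", r"SMB_SERVER01\engineering"): {r"SMB_SERVER01\anita", r"SMB_SERVER01\james", r"SMB_SERVER01\liang"},
    ("svm1", r"BUILTIN\Administrators"): {r"SMB_SERVER01\Administrator"},
}
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")

def parse_show_members(text):
    """Return {(vserver, group): {members}}, names lower-cased for comparison."""
    groups, vserver, key, in_members = {}, None, None, False
    for line in text.splitlines():
        m = FIELD.match(line)
        name, value = (m.group(1), m.group(2).strip()) if m else (None, line.strip())
        if m or not value or "::>" in line:   # new field, blank line or CLI prompt
            in_members = name == "Member Name"
        if name == "Vserver":
            vserver, key = value, None
        elif name == "Group Name":
            key = (vserver, value.lower())
            groups.setdefault(key, set())
        elif in_members and key and value not in ("", "-"):
            groups[key].add(value.lower())    # first member or a continuation line
    return groups

def audit(actual, allowed):
    """Return sorted (finding, group, member) tuples where membership deviates."""
    want = {(v, g.lower()): {m.lower() for m in ms} for (v, g), ms in allowed.items()}
    findings = []
    for key in sorted(set(actual) | set(want)):
        have, ok = actual.get(key, set()), want.get(key, set())
        findings += [("unexpected", key[1], m) for m in sorted(have - ok)]
        findings += [("missing", key[1], m) for m in sorted(ok - have)]
    return findings

print(audit(parse_show_members(SAMPLE), ALLOWED))
```

Names are compared case-insensitively, so `SMB_SERVER01\sue` and `smb_server01\Sue` count as the same member.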