Could anyone tell me if it's safe to remove Domain Users from the local users group of any and all of the site servers in the SCCM site heirarchy? I'm working on locking down the permissions of the smspkg<drive letter>$ share. I've noticed that when you replicate a new package to the distribution points, it by default gives local users read permissions and local administrators write permissions. By default, Windows adds Domain Users to the local users group, thus allowing Domain Users read access to the package share. I don't want this, so I'm looking to remove Domain Users from the local users group of the server's permissions. I'm a little gunshy about playing with permissions in the land of SCCM for obvious reasons. Thanks in advance

This link might be useful to you: http://myitforum.com/cs2/blogs/cnackers/archive/2009/06/05/restricting-permissions-on-sms-sccm-software-distribution-share-smspkg-smssig.aspx

Thanks Wilfred, I have seen that article before. The trouble is that when you add new packages, you have to go back through and re-apply the permissions again to the new folder. If I'm able to remove Domain Users from the local users group, I'll be all set as far as what I need to do. I'll control my permissions using the domain users group which I believe will be a more practical solution.

Just wanted to bump this thread up to see if anyone can comment on whether I can remove domain users from the local users group on site servers. Thanks

Having domain users in the local users group is not a requirement of SCCM. So long as all permissions are correct on distribution shares, you should be fine.Nicholas Jones, MCITP Core Infrastructure Consultant | Sparkhound https://www.mcpvirtualbusinesscard.com/VBCServer/nicholas.jones/profile