What share and NTFS permissions must I give users to deploy software through SCCM?

What share and NTFS permissions must I give users to deploy software through SCCM? I have one folder with all of the applications and would like to know.

April 27th, 2015 11:16am

Are you asking about users who will install apps through Software Center or the application catalog? Or are you asking about the users who create deployments?

In any case, your network access account should have Full access to the content source folders.  Give Everyone full control for share permissions and lock down the folders using NTFS permissions.

Jason has a good reference here: http://blog.configmgrftw.com/configmgr-folder-structure/

Jeff

Free Windows Admin Tool Kit Click here and download it now
April 27th, 2015 11:28am


In any case, your network access account should have Full access to the content source folders.  

No way! The network access account will never be used to access source files and no client will ever read from that sources. 
The SMS provider / distmgr will read from it, copy it to the contentlib and distribute it to DPs. 
April 27th, 2015 11:31am

Guess I got that wrong.  Thanks for correcting my inaccurate information, Torsten.

Where are the requirements for content source folder permissions documented?

Jeff


Free Windows Admin Tool Kit Click here and download it now
April 27th, 2015 11:37am

I am speaking of applications that will be distributed. Other's will be in software center. I will assume the user must have read access...?
April 27th, 2015 11:39am

Read access to what?

There is nothing you need to do to file level security for ConfigMgr to deploy software.

Free Windows Admin Tool Kit Click here and download it now
April 27th, 2015 11:44am

Read access to what?

There is nothing you need to do to file level security for ConfigMgr to deploy sof

April 27th, 2015 11:48am

Once again, where are you talking about? You are providing no context for your question whatsoever so we're having to guess.

Are you talking about on the DP and MP? If so, then you should *not* touch anything that ConfigMgr has set up NTFS or share wise. It will set up everything needed.

Or, are you talking on the client?

Also, ConfigMgr does not use a service account.

Ultimately, please tell *much* more about what you're asking, why you're asking, are you troubleshooting a problem, etc.

Free Windows Admin Tool Kit Click here and download it now
April 27th, 2015 11:55am

Software deployments- There is a share that holds files for software deployments. What are the needed permissions for that folder? Why? Because I want to know. What- This is for software deployments and items listed in Software Center. Actually there is a service account that is setup here.

April 27th, 2015 12:07pm

Guess I got that wrong.  Thanks for correcting my inaccurate information, Torsten.

Where are the requirements for content source folder permissions documented?

Jeff



I need exactly what Jeff is referencing.
Free Windows Admin Tool Kit Click here and download it now
April 27th, 2015 12:08pm

That still doesn't help. We're not prying, we're trying to help but we honestly have no idea what you are talking about. The more and better details that you can provide, the better we can help.

"Because I want to know" adds no value and does not help us help you. We need technical details -- we can't see what you are seeing and we can't read your mind.

And, you didn't really answer any of my questions.

I'll take another wild-guess though: If you are talking about the source file locations referenced within packages and applications, users do not access those. The computer account for the systems hosting the SMS Provider needs read access to the location(s) specified. Yes, this means both NTFS and share permissions assuming they are being referenced via a UNC.

Finally, there is no service account. If you've changed the account that the SMS_EXECUTIVE is running under, you're are now in a completely unsupported state that will have many issues. If instead you are talking about the Network Access Account, that is *not* a service account and is *not* used to access content source files.

Once again though, we're simply guessing because no one has any idea what you're doing. Please provide actual, technical de

April 27th, 2015 12:14pm

Torsten already indicted this in his reply: "The SMS Provider" copies the files. As mentioned in my reply below, the computer account or the system hosting the SMS Provider is used and to copy a file, you need read access to that file.

None of this has anything to do with a user seeing a deployment in Software Center t

Free Windows Admin Tool Kit Click here and download it now
April 27th, 2015 12:17pm

Torsten already indicted this in his reply: "The SMS Provider" copies the files. As mentioned in my reply below, the computer account or the system hosting the SMS Provider is used and to copy a file, you need read access to that file.

None of this has anything to do with a user seeing a deployment in Software Center t

April 27th, 2015 12:24pm

Now, moving beyond that, is there a specific location where source files should be stored? In our environment we just use a folder called Software.
Free Windows Admin Tool Kit Click here and download it now
April 27th, 2015 12:28pm

It doesn't matter much where they are stored. I'd use a DFS share so that you are not tied to a se
April 27th, 2015 1:03pm

Guess I got that wrong.  Thanks for correcting my inaccurate information, Torsten.

Where are the requirements for content source folder permissions documented?

Jeff


Free Windows Admin Tool Kit Click here and download it now
April 27th, 2015 3:35pm

What share and NTFS permissions must I give users to deploy software through SCCM? I have one folder with all of the applications and would like to know.

You don't, because, it doesn't work like that.

When you create an application (or a classic package), the "package source" folder/files, are copied/ingested into the content library (this is performed by the SMS Provider component/service).

Clients never access the package source. not ever.

April 27th, 2015 5:40pm

Someone changed the permissions on our end. I get the follow error when trying to deploy an application.

This is why I need to know default permissions (Share and NTFS) for the folder software for deployments is kept in.

Free Windows Admin Tool Kit Click here and download it now
April 28th, 2015 12:05pm

What are the steps that lead up to the error message?

Jeff

April 28th, 2015 1:37pm

What are the steps that lead up to the error message?

Jeff


I clicked on Software Library. Right clicked Application. Create application. Selected MSI. Browsed to the MSI. Clicked next.
Free Windows Admin Tool Kit Click here and download it now
April 28th, 2015 1:50pm

That has nothing to do with deploying or distributing the content then. It's as simple as your account does not have permissions to the MSI itself. When ConfigMgr creates an Application from an MSI, the console (using the person that is logged into console's credentials) opens the MSI and extracts some metadata from it. If it can't do that, then it won't be able to create the application.
April 28th, 2015 2:08pm

That has nothing to do with deploying or distributing the content then. It's as simple as your account does not have permissions to the MSI itself. When ConfigMgr creates an Application from an MSI, the console (using the person that is logged into console's credentials) opens the MSI and extracts some metadata from it. If it can't do that, then it won't be able to create the ap
Free Windows Admin Tool Kit Click here and download it now
April 28th, 2015 2:19pm

That has nothing to do with deploying or distributing the content then. It's as simple as your account does not have permissions to the MSI itself. When ConfigMgr creates an Application from an MSI, the console (using the person that is logged into console's credentials) opens the MSI and extracts some metadata from it. If it can't do that, then it won't be able to create the applicat

April 28th, 2015 2:25pm

Guess I got that wrong.  Thanks for correcting my inaccurate information, Torsten.

Where are the requirements for content source folder permissions documented?

Jeff



Is there a place we can get this? Thanks
Free Windows Admin Tool Kit Click here and download it now
April 28th, 2015 2:30pm

The actual issue was that system was not listed.

I guess you mean the computer account for the server where SMS Provider is running? (by default this would be your site server).

The computer account, where the SMS Provider is running, needs permissions to the application installation source, so that the SMS Provider can access/ingest the installation source into the content library.

Many operations within ConfigMgr require that the various components, running on servers, use there computer account to perform tasks. It can be misleading/confusing, when the console user has the access permissions, but some things fail, because behind the scenes, the component/server computer account performs tasks in the background (triggered by the console actions). This is one of the main reasons why ConfigMgr servers need to be domain members - because computer accounts are used for many background tasks.

April 28th, 2015 5:06pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics