question

ChrisC-6419 asked ChrisC-6419 edited

ConfigMgr Content Source Share - Share & NTFS Permissions

Hello, I wondered if you could help me with putting into place a secure source share with the correct Share and NTFS permissions.

The reason I ask is the permissions currently are a bit of a mess and I have picked up this project.

So what am I talking about?

The content source share that holds OSD content such as Images, Drivers, Applications such as Dell CCTK & BIOS Updates. (This IS NOT any of the default SCCM folders (SMS***, Content Library, etc.) that are created during installation.)

We have a Primary Site Server with MP and DP roles and a remote server with MP and DP roles.

From my understanding this folder is used as a source location for package creation and adding Images etc into SCCM and obviously has no relation to client distribution.

Share is \\Primarysiteserver\Source
Within this share we have an Application folder (contains Dell CCTK and BIOS upgrades) and an OSD folder, which contains Images, Boot Images, DriverSources and DriverPackages (during driver import you create a driver package and specify the package path).

What I need to know is what permissions should be on the actual share and then what permissions should be set via NTFS?

So for example, we will have a group of users who will administrate ConfigMgr (adding & updating packages, images, drivers, etc.).

What permissions on the actual share need to be there for administrator users and for SCCM site servers to be able to read this source content location, and then what permissions for NTFS?

Source (share) (\\Primarysiteserver\Source)
-- Applications
---- Dell CCTK
---- BIOS (within this we have sub folders for each model)
-- OSD
---- Images
---- DriverSource
---- DriverPackage
---- Boot Images
-- Captures
-- StateCapture

I just need to know at the share level what needs granting and what needs granting at the NTFS granular level. Hoping to get this sorted by Monday. :)

Share:

Everyone = Full

NTFS:

Local Admins = Full

System = Full (because the source directory is on the primary site server?)

SCCM Admins = Full (users who work on sccm)

Network Access Account = Read

Do I need to add the primary site server's AD computer account to this as well?

Would this stop everyone except those stated in NTFS from being able to see the contents within the subfolders of the source share?

Any help is greatly appreciated.


So what access needs to be on the source folder share?

And then under NTFS, what accounts do I need to add permissions for, and what level of permission?

So for example, SCCM administrators would have Modify NTFS permission.

What other accounts need access to the share and NTFS permissions?

So does the network access account, for example, need to be in either?

Does System need to be in the NTFS permissions?
Does the AD computer account for the site server need to be added to the share or NTFS permissions? Etc. etc.

Amandayou-MSFT answered ChrisC-6419 commented

Hi @ChrisC-6419,

Your thought about cleaning up the permissions is wonderful. Actually, there is no existing answer for this question, which varies from environment to environment. When we access a shared folder, the currently logged-on user's credentials will be used. In such a situation, we only need to grant read permission to the right user/group, and that's enough. In our environment, granting \\Primarysiteserver\Source is ok.




Thank you for the reply. What needs read access on the share, and what permissions for NTFS do I need to have in place?

For example, what accounts need to be listed on the share and what accounts need to be on NTFS for it to work?

So I know, for example, on NTFS you would have a group of users who create packages etc. to have write access to these locations, but I just wondered what accounts like the server AD accounts need to be on these, with what level of access.


Basically I just need what is the minimum share permission and NTFS permissions on that structure for it to function. Just the basic principles so I can understand what I need to put in place.

GarthJones-8673 answered ChrisC-6419 commented

There are no standards for this; whatever works for you. The site server needs read on both the share and the files, but I generally give it full.
It sounds like you are trying to solve a problem but think the share / file permissions are the issue. Is there more to this story?


It just has all sorts of permissions added to it; some folders are inherited, others are not, and it’s a complete mess.

I basically just want to lock down the share and folders to the bare minimum.

For example, I don’t personally want anyone in the company to be able to navigate and read the share and its contents. I just need the minimal required permissions for packages (drivers, applications, OS images) to be created from that share.


There are no standards for this; make sure that the site server has read on both the share and the files and you are good from a CM standpoint. Everything else is up to you as to what you want.


Share:
Everyone = Full
NTFS:
Local Admins = Full
System = Full (because the source directory is on the primary site server?)
SCCM Admins = Full (users who work on sccm)
Network Access Account = Read

Do I need to add the primary site server's AD computer account to this as well?

Would this stop everyone except those stated in NTFS from being able to see the contents within the subfolders of the source share?

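Added example, not part of the thread or any poster's code: over SMB a user gets the more restrictive of the share and NTFS permissions, so with Everyone = Full on the share the NTFS ACLs decide who can read the source tree. This read-only audit lists both sides for the `Source` share named in the question; the pattern of "broad" principals is an assumption, and nothing is modified.

```powershell
# Added example: read-only audit of share vs NTFS permissions on the source share.
# Run elevated on the server that hosts the share. No ACL is changed.
$ShareName = 'Source'   # share name from the question (\\Primarysiteserver\Source)
# Assumption: principals considered too broad for a locked-down source share.
$BroadPattern = '^(Everyone|NT AUTHORITY\\Authenticated Users|BUILTIN\\Users|.+\\Domain Users)$'

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop
$root  = Get-Item -LiteralPath $share.Path
Write-Host ('Share-level access for \\{0}\{1} ({2}):' -f $env:COMPUTERNAME, $ShareName, $root.FullName)

Get-SmbShareAccess -Name $ShareName |
    Select-Object AccountName, AccessControlType, AccessRight,
        @{ n = 'Broad'; e = { $_.AccountName -match $BroadPattern } } |
    Format-Table -AutoSize

# Root folder: report every ACE, including ones inherited from the drive.
# Subfolders: report only explicit ACEs, which is where ad-hoc grants and
# broken inheritance show up.
$folders = @($root) +
           @(Get-ChildItem -LiteralPath $root.FullName -Directory -Recurse -ErrorAction SilentlyContinue)

$report = foreach ($folder in $folders) {
    $acl    = Get-Acl -LiteralPath $folder.FullName
    $isRoot = $folder.FullName -eq $root.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited -and -not $isRoot) { continue }
        [pscustomobject]@{
            Folder         = $folder.FullName
            InheritanceOff = $acl.AreAccessRulesProtected
            Identity       = $ace.IdentityReference.Value
            Type           = $ace.AccessControlType
            Rights         = $ace.FileSystemRights
            Broad          = $ace.IdentityReference.Value -match $BroadPattern
        }
    }
}

$report | Sort-Object Folder, Identity | Format-Table -AutoSize -Wrap

# Subfolders that no longer inherit from the share root
$report | Where-Object { $_.InheritanceOff -and $_.Folder -ne $root.FullName } |
    Select-Object -ExpandProperty Folder -Unique
```

A principal flagged `Broad` on both the share and the NTFS side is one that lets ordinary users browse the content; the list of non-inheriting subfolders shows where the tree has drifted from the root ACL.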