Appendix F: Restricting File Permissions on Deployment Servers
When the Client Installation Wizard runs on the target computer, it prompts the administrator for domain credentials. This domain user account must have read access to the hidden distribution share. By default, when the Deployment Workbench creates the distribution share, it grants Full Control to the local Administrators group and Read access to the local Users group. By default, members of the Domain Admins group are also members of the local Administrators group, and all Domain Users are members of the local Users group.
Therefore, if the accounts used to deploy client computers are members of the Domain Users group, team members will have sufficient access to the distribution share. To further protect this shared folder, remove the default Administrators and Users entries from its NTFS file system permissions. At a minimum, only users who will be updating images (for example, users running the Deployment Workbench) require Full Control. Users who are deploying client computers require Read access. Additionally, if user state data is stored on a shared folder, the account must have permissions to read and write files in that shared folder.
To restrict file permissions on deployment servers
On the distribution computer, open Windows Explorer.
Right-click the distribution share configured in Deployment Workbench, and then click Properties.
Click Add. In the Select Users, Computers, Or Groups dialog box, type the name of the group that will manage images. Then, click OK.
In the Properties dialog box, select the Allow Full Control checkbox.
Click Add. In the Select Users, Computers, Or Groups dialog box, type the name of the group that will install new client computers. Then, click OK.
The default Read permissions are sufficient.
Click the default Administrators permission, and then click Remove.
Click the default Users permission, and then click Remove.
Click OK to close the Properties dialog box.
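The same permission change can be scripted. The following PowerShell is an added example, not part of the original guidance; the folder path and both group names are placeholders to replace with your own values.

```powershell
# Placeholders (assumptions, not from the original page): adjust before use.
$SharePath     = 'D:\Distribution'                    # folder behind the distribution share
$ImageManagers = 'CONTOSO\Deployment-ImageManagers'   # group that updates images
$Installers    = 'CONTOSO\Deployment-Installers'      # group that installs client computers

# Run elevated. If your own account is not in $ImageManagers, you lose
# access to the folder once the Administrators entry is removed.

# 1. Stop inheriting from the parent folder, keeping the current entries as
#    explicit ACEs. Inherited entries cannot be removed individually, so this
#    must be written to disk before the default groups are purged.
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $SharePath -AclObject $acl
$acl = Get-Acl -Path $SharePath

# 2. Build rules that apply to this folder, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-AllowRule($Identity, $Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, $prop, $allow)
}

# 3. Add the two deployment groups first: Full Control for image managers,
#    read access for installers.
$acl.AddAccessRule((New-AllowRule $ImageManagers 'FullControl'))
$acl.AddAccessRule((New-AllowRule $Installers 'ReadAndExecute'))

# 4. Remove every entry for the default local groups, addressed by well-known
#    SID so the script does not depend on localized group names.
#    S-1-5-32-544 = BUILTIN\Administrators, S-1-5-32-545 = BUILTIN\Users
foreach ($sidString in 'S-1-5-32-544', 'S-1-5-32-545') {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
    $acl.PurgeAccessRules($sid)
}
Set-Acl -Path $SharePath -AclObject $acl

# 5. Review the result: neither default group should be listed, and no
#    entry should be marked as inherited.
(Get-Acl -Path $SharePath).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```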