MDT Installation - Deployment Share Permissions (Part 3)


In Part 1, WDS and DHCP, the network dependencies for installing Windows systems over the network, were installed and configured.

In Part 2, MDT, the ADK and the Windows PE add-on for the ADK were downloaded and installed.

Welcome to Part 3. In this article the MDT deployment share is set up and permissioned correctly, and the service account is created and assigned the Share and NTFS permissions it needs to both deploy and capture Windows.

In a previous article I explained why it's important to go off-piste by creating additional shares and setting additional access rights. It may be worth a quick look; the steps are covered below, but without the explanation or the script.

From the Start Menu of the MDT Server (MDT01), launch 'Deployment Workbench'. 

Right click on 'Deployment Shares' and select 'New Deployment Share'.

Update the path from C:\ to D:\.

Accept the share name.

Provide a friendly description for the share name.

Un-select all options.

Review and accept.

Wait while the MDT share is created.

Before closing the window, click the 'View Script' button. The generated script is useful for creating the next deployment share.

At the Run command type 'compmgmt.msc' and create a new local user account named 'svc_mdtuser'.

The account doesn't require any administrative privilege or any special 'User Rights Assignments'.

When the MDT server is a domain member, use a domain service account without privileges instead.

On the 'Member Of' tab of the local service account, remove the 'Users' group.

Removing the 'Users' group prevents the account being listed at Ctrl+Alt+Del and being used interactively.

Now for the additional shares and permissions. Either follow the abbreviated description below or follow the blow-by-blow screenshots.

D:\DeploymentShare

svc_mdtuser - Read share permission / Read NTFS permission

Remove 'Everyone'

D:\DeploymentShare\Logs (Logs$)

svc_mdtuser - Change share permission / Modify NTFS permission

D:\DeploymentShare\Captures (Captures$)

svc_mdtuser - Change share permission / Modify NTFS permission
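The abbreviated description above as an added PowerShell example; this is not the author's script or anything shipped with MDT. It assumes the wizard created D:\DeploymentShare with MDT's default share name 'DeploymentShare$' and that svc_mdtuser is a local account; on a domain member set $Account to 'DOMAIN\svc_mdtuser' and skip the New-LocalUser step. Run it in an elevated PowerShell on MDT01.

```powershell
#Requires -RunAsAdministrator
# Added example (not the author's script). Assumed: share D:\DeploymentShare exists
# with the default share name 'DeploymentShare$'; svc_mdtuser is a local account.
$Account = 'svc_mdtuser'
$Root    = 'D:\DeploymentShare'

# 1. Service account: ordinary user, no admin rights, and taken out of 'Users'
#    so it is not offered at Ctrl+Alt+Del or usable interactively.
if (-not (Get-LocalUser -Name $Account -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $Account"
    New-LocalUser -Name $Account -Password $pw -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'MDT deploy/capture account' | Out-Null
}
if (Get-LocalGroupMember -Group 'Users' -Member $Account -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Users' -Member $Account
}

# Grant an inheritable NTFS right for the account on a folder (existing ACEs are kept).
function Grant-NtfsRight([string]$Path, [System.Security.AccessControl.FileSystemRights]$Rights) {
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Account, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 2. Root share: drop 'Everyone', give the account Read on the share and Read NTFS.
Revoke-SmbShareAccess -Name 'DeploymentShare$' -AccountName 'Everyone' -Force
Grant-SmbShareAccess  -Name 'DeploymentShare$' -AccountName $Account -AccessRight Read -Force
Grant-NtfsRight -Path $Root -Rights 'ReadAndExecute'

# 3. Logs$ and Captures$: Change on the share and Modify NTFS, because clients
#    write their logs and captured .wim files here.
foreach ($sub in 'Logs', 'Captures') {
    $path  = Join-Path $Root $sub
    $share = $sub + '$'
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $share -Path $path -ChangeAccess $Account | Out-Null
    }
    Grant-NtfsRight -Path $path -Rights 'Modify'
}

# 4. Check: list the share ACL and the account's NTFS ACEs for each share.
foreach ($share in 'DeploymentShare$', 'Logs$', 'Captures$') {
    Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
    (Get-Acl -Path (Get-SmbShare -Name $share).Path).Access |
        Where-Object { $_.IdentityReference -like "*$Account" } |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
```

The final loop is the check worth keeping: 'Everyone' should be gone from DeploymentShare$, and the account should show Read on the root but Change/Modify only on Logs$ and Captures$.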

For those who require additional details please read on.


The share permissions of the default deployment share list 'Everyone'; remove it.

Add the service account 'svc_mdtuser' and, for the deployment share, set it to Read.

Set Read for the NTFS permissions as well.

Create a new subfolder named 'Logs' and share it; 'svc_mdtuser' requires either 'Change' or 'Full Control' on the share.

Set 'Modify' for the svc_mdtuser NTFS permissions under the Security tab.

The service account is used to upload logs from the client at the end of the deployment.

Share the 'Captures' subfolder; 'svc_mdtuser' requires either 'Change' or 'Full Control' on the share.

Set 'Modify' for the svc_mdtuser NTFS permissions under the Security tab.

The service account is used to upload .wim files from the client during the deployment and capture process.

Hope that wasn't too painful, but I need to cater for both the IT demigod and the noob.

In Part 4, CustomSettings.ini and Bootstrap.ini are created.