MDT Shares and Permissions
To deploy from MDT and access the MDT Deployment Share requires a service account. The standard approach is to add this service account to the Administrators group, or to add 'Everyone' to the Deployment Share with Full share and NTFS permissions. The least awful approach would be to add the service account to the Deployment Share and grant it Full Share and NTFS permissions. The first two should definitely be avoided. If you're after any type of Zero Touch, the MDT service account will be listed in the CustomSettings.ini and BootStrap.ini files with its password in clear text. Files with embedded passwords are a hacker's dream, which is why the utmost attention should be given to ensuring the least privileges are assigned.
The MDT service account only requires Read Share and NTFS permissions to the MDT Share and no administrative rights whatsoever. Two additional shares will be required, one for Logs and the other for Captures, with the service account requiring Change\Modify Share and NTFS permissions on both.
It's going to be assumed that all the prerequisites for MDT have been completed: the WDS feature is installed, and the MDT and ADK packages are installed. There is a D:\ partition for the MDT share and data. A domain service account named 'svc_mdt' is available with standard domain user permissions.
The following script will require Administrative privileges and will perform the following actions:
1. Create the MDT Deployment Share and its folder structure at D:\DeploymentShare and set:
   svc_mdt = Read Share\NTFS permissions
   Administrators = Change Share permissions
2. Create the Logs Share at D:\DeploymentShare\Logs and set:
   svc_mdt = Change Share\NTFS permissions
3. Create the Captures Share at D:\DeploymentShare\Captures and set:
   svc_mdt = Change Share\NTFS permissions
$hn = hostname
#MDT Service Account
$mdtsvc = "tenaka\svc_mdt"
#Folder inheritance variables: the ACEs below are inherited by subfolders (ContainerInherit) and files (ObjectInherit)
$inherCnIn = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$inherObIn = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
#Deployment Root Share
$pathDeploy = 'D:\DeploymentShare'
$descrip = "Deployment Share"
$shareDeploy = "DeploymentShare$"
#Create new folder D:\DeploymentShare
New-Item -Path $pathDeploy -ItemType Directory -Force
#Import MDT PowerShell module and register the Deployment Share as a persistent MDT drive
Import-Module "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1"
New-PSDrive -Name 'DS001' -PSProvider "MDTProvider" -Root $pathDeploy -Description 'MDT Production' -NetworkPath "\\$hn\$shareDeploy" | Add-MDTPersistentDrive
#Sets svc_mdt NTFS permission for D:\DeploymentShare to Read only; the rule must be added to the ACL before Set-Acl writes it back
$aclRt = Get-Acl $pathDeploy
$arRt = New-Object System.Security.AccessControl.FileSystemAccessRule($mdtsvc, "Read", "$inherCnIn,$inherObIn", "None", "Allow")
$aclRt.AddAccessRule($arRt)
Set-Acl $pathDeploy $aclRt
#Shares MDT Root to the service account as READ
#Administrators required to allow updating of unattend.xml files
New-SmbShare -ReadAccess $mdtsvc -ChangeAccess Administrators -Path $pathDeploy -Name $shareDeploy -Description $descrip
#Creates new folder for D:\DeploymentShare\Logs (the Read ACE is inherited from the root)
$pathLogs = "$pathDeploy\Logs"
New-Item -Path $pathLogs -ItemType Directory -Force
#Sets svc_mdt Modify over the Logs folder only
$aclLogs = Get-Acl $pathLogs
$arLogs = New-Object System.Security.AccessControl.FileSystemAccessRule($mdtsvc, "Modify", "$inherCnIn,$inherObIn", "None", "Allow")
$aclLogs.AddAccessRule($arLogs)
Set-Acl $pathLogs $aclLogs
#Shares MDT Logging as CHANGE access
$shareLogs = "Logs$"
New-SmbShare -ChangeAccess $mdtsvc -Path $pathLogs -Name $shareLogs -Description "MDT Logging Share"
#Creates new folder for D:\DeploymentShare\Captures (the Read ACE is inherited from the root)
$pathCapture = "$pathDeploy\Captures"
New-Item -Path $pathCapture -ItemType Directory -Force
#Sets svc_mdt Modify over the Captures folder only
$aclCap = Get-Acl $pathCapture
$arCap = New-Object System.Security.AccessControl.FileSystemAccessRule($mdtsvc, "Modify", "$inherCnIn,$inherObIn", "None", "Allow")
$aclCap.AddAccessRule($arCap)
Set-Acl $pathCapture $aclCap
#Shares MDT Captures as CHANGE access
$shareCapture = "Captures$"
New-SmbShare -ChangeAccess $mdtsvc -Path $pathCapture -Name $shareCapture -Description "MDT Capture Share"
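Once the shares exist, the least-privilege model above is easy to drift away from (someone adds svc_mdt to Administrators, or grants Everyone to fix a deployment failure). The following audit script is an added example, not part of the original post; it assumes the same account name (tenaka\svc_mdt), share names and D:\DeploymentShare layout, and reports any right the service account holds beyond what each share needs.

```powershell
# Added audit example (not from the original post): confirm svc_mdt holds only the
# rights described above. Assumed: tenaka\svc_mdt and the three hidden shares on D:\.
$mdtsvc   = 'tenaka\svc_mdt'
$expected = @{
    'DeploymentShare$' = @{ Path = 'D:\DeploymentShare';          Share = 'Read';   Ntfs = 'Read'   }
    'Logs$'            = @{ Path = 'D:\DeploymentShare\Logs';     Share = 'Change'; Ntfs = 'Modify' }
    'Captures$'        = @{ Path = 'D:\DeploymentShare\Captures'; Share = 'Change'; Ntfs = 'Modify' }
}

function Test-MdtShareAccess {
    $findings = @()
    # The service account must not be a local Administrator on the MDT server.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if ($admins.Name -contains $mdtsvc) { $findings += "$mdtsvc is a member of local Administrators" }

    foreach ($share in $expected.Keys) {
        $want = $expected[$share]
        # Share-level ACL: exactly one ACE for the account with the documented right, and no Everyone.
        $access = Get-SmbShareAccess -Name $share -ErrorAction SilentlyContinue
        if (-not $access) { $findings += "share $share is missing"; continue }
        $svcAce = @($access | Where-Object { $_.AccountName -eq $mdtsvc })
        if ($svcAce.Count -ne 1 -or "$($svcAce[0].AccessRight)" -ne $want.Share) {
            $findings += "$share : share right for $mdtsvc is '$($svcAce.AccessRight -join ',')', expected $($want.Share)"
        }
        if ($access | Where-Object { $_.AccountName -like '*Everyone' }) {
            $findings += "$share : Everyone has share access"
        }
        # NTFS ACL: no Allow ACE for the account may carry bits beyond the documented right.
        $allowed = [int][System.Security.AccessControl.FileSystemRights]$want.Ntfs
        $acl = Get-Acl -Path $want.Path
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -ne $mdtsvc -or $ace.AccessControlType -ne 'Allow') { continue }
            $extra = ([int]$ace.FileSystemRights) -band (-bnot $allowed)
            if ($extra -ne 0) {
                $findings += "$share : NTFS ACE for $mdtsvc grants $($ace.FileSystemRights), expected $($want.Ntfs)"
            }
        }
    }
    return $findings
}

$result = @(Test-MdtShareAccess)
if ($result.Count -eq 0) { "OK: $mdtsvc holds only the documented rights" } else { $result }
```

Run it as an administrator on the MDT server; an inherited Read ACE on Logs or Captures passes (Read is a subset of Modify), while Full Control, a second share ACE, or an Everyone entry is reported.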