MDT Shares and Permissions

Deploying from MDT and accessing the MDT Deployment Share requires a service account. The common approaches are to add this service account to the Administrators group, or to grant 'Everyone' Full Control share and NTFS permissions on the Deployment Share. The least awful of the common approaches is to grant the service account itself Full Control share and NTFS permissions on the Deployment Share. The first two should definitely be avoided. If you're after any type of Zero Touch deployment, the MDT service account and its password will be listed in clear text in the CustomSettings.ini and Bootstrap.ini files. Files with embedded passwords are an attacker's dream, which is why the utmost attention should be given to assigning the least privileges possible.

The MDT service account only requires Read share and NTFS permissions to the MDT share and no administrative rights whatsoever. Two additional shares are required, one for Logs and the other for Captures, with the service account requiring Change (share) and Modify (NTFS) permissions on each.

It is assumed that all the prerequisites for MDT have been completed: the WDS feature is installed, and the MDT and ADK packages are installed. There is a D:\ partition for the MDT share and data. A domain service account named 'svc_mdt' is available with standard domain user permissions.

The following script requires Administrative privileges and performs the following actions:

Creates the MDT Deployment Share and its folder structure at D:\DeploymentShare and sets:
    svc_mdt = Read Share\NTFS permissions
    Administrators = Change Share permissions

Creates the Logs Share at D:\DeploymentShare\Logs and sets:
    svc_mdt = Change Share\Modify NTFS permissions

Creates the Captures Share at D:\DeploymentShare\Captures and sets:
    svc_mdt = Change Share\Modify NTFS permissions

#Local hostname, used for the UNC path of the deployment share
$hn = hostname

#MDT Service Account
$mdtsvc = "tenaka\svc_mdt"

#Folder inheritance variables
$inherNone = [System.Security.AccessControl.InheritanceFlags]::None
$propNone = [System.Security.AccessControl.PropagationFlags]::None
$inherCnIn = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propInOn = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$inherObIn = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$propNoPr = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit


#Add MDT Powershell support
Add-PSSnapin Microsoft.BDD.PSSnapin


#Deployment Root Share
$pathDeploy = 'D:\DeploymentShare'
$descrip = "Deployment Share"
$shareDeploy = "DeploymentShare$"

#Create new folder D:\DeploymentShare
New-Item -Path $pathDeploy -ItemType Directory

#Import MDT PowerShell module and register the deployment share as a persistent MDT drive
Import-Module "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1"
New-PSDrive -Name 'DS001' -PSProvider "MDTProvider" -Root $pathDeploy -Description 'MDT Production' -NetworkPath "\\$hn\$shareDeploy" | Add-MDTPersistentDrive

#DEPLOYMENT SHARE

#Sets svc_mdt NTFS permission for D:\DeploymentShare
$aclRt = Get-Acl $pathDeploy
$arRt = New-Object System.Security.AccessControl.FileSystemAccessRule("$mdtsvc","READ","$inherCnIn,$inherObIn","None","Allow")
$aclRt.SetAccessRule($arRt)
Set-Acl $pathDeploy $aclRt

#Shares MDT Root: svc_mdt READ, Administrators CHANGE
#Administrators required to allow updating of unattend.xml files
New-SmbShare -ReadAccess $mdtsvc -ChangeAccess Administrators -Path $pathDeploy -Name $shareDeploy -Description $descrip


#LOGS

#Creates new folder for D:\DeploymentShare\Logs
$pathLogs = "$pathDeploy\Logs"
New-Item -Path $pathLogs -ItemType Directory -Force

#Removes Inherit
$aclInhLogs = Get-Acl $pathLogs
$aclInhLogs.SetAccessRuleProtection($true,$true)
Set-Acl $pathLogs $aclInhLogs

#Sets MDTuser Modify over the Logs Folder
$aclLogs = Get-Acl $pathLogs
$arLogs = New-Object System.Security.AccessControl.FileSystemAccessRule("$mdtsvc","MODIFY","$inherCnIn,$inherObIn","None","Allow")
$aclLogs.SetAccessRule($arLogs)
Set-Acl $pathLogs $aclLogs


#Shares MDT Logging as MODIFY Access
$ShareLogs = "Logs$"
New-SmbShare -ChangeAccess $mdtsvc -Path $pathLogs -Name $ShareLogs -Description "MDT Logging Share"


#CAPTURES

#Creates new folder for D:\DeploymentShare\Captures
#(variables must be defined before the ACL work below uses them)
$shareCapture = "Captures$"
$pathCapture = "$pathDeploy\Captures"
New-Item -Path $pathCapture -ItemType Directory -Force

#Removes Inherit
$aclInhCap = Get-Acl $pathCapture
$aclInhCap.SetAccessRuleProtection($true,$true)
Set-Acl $pathCapture $aclInhCap

#Sets svc_mdt Modify permission for D:\DeploymentShare\Captures
$aclCap = Get-Acl $pathCapture
$arCap = New-Object System.Security.AccessControl.FileSystemAccessRule("$mdtsvc","MODIFY","$inherCnIn,$inherObIn","None","Allow")
$aclCap.SetAccessRule($arCap)
Set-Acl $pathCapture $aclCap


#Shares MDT Captures as MODIFY Access
New-SmbShare -ChangeAccess $mdtsvc -Path $pathCapture -Name $shareCapture -Description "MDT Capture Share"
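Once the script has run, it is worth confirming that the shares actually match the least-privilege model described above and that nobody has since widened them. The following audit script is an added example, not part of the original post; it assumes the share names (DeploymentShare$, Logs$, Captures$), paths under D:\DeploymentShare and the tenaka\svc_mdt account used in the script above, and runs on the MDT server itself with administrative rights. It reports any broad principal (Everyone, Authenticated Users, Users) on the shares or folders, any service account right beyond what was intended, and whether the service account has crept into the local Administrators group.

```powershell
# Added example (not part of the original post): audit the three MDT shares after the
# script above has run and report anything that exceeds the intended rights.
# Assumptions taken from the script above (adjust to suit): share names DeploymentShare$,
# Logs$ and Captures$, paths under D:\DeploymentShare, service account tenaka\svc_mdt.

$mdtsvc = 'tenaka\svc_mdt'

# Intended rights per share: share-level right and NTFS right for the service account
$expected = @{
    'DeploymentShare$' = @{ Path = 'D:\DeploymentShare';          ShareRight = 'Read';   NtfsRight = 'Read'   }
    'Logs$'            = @{ Path = 'D:\DeploymentShare\Logs';     ShareRight = 'Change'; NtfsRight = 'Modify' }
    'Captures$'        = @{ Path = 'D:\DeploymentShare\Captures'; ShareRight = 'Change'; NtfsRight = 'Modify' }
}

# Principals that should never appear on an MDT share: Control\Bootstrap.ini and
# Control\CustomSettings.ini carry the service account password in clear text
$broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'NT AUTHORITY\ANONYMOUS LOGON')

# .NET adds the Synchronize bit to every Allow ACE it writes, so ignore it when comparing
$sync = [int][System.Security.AccessControl.FileSystemRights]::Synchronize

$findings = @()

foreach ($name in $expected.Keys) {
    $want = $expected[$name]

    if (-not (Get-SmbShare -Name $name -ErrorAction SilentlyContinue)) {
        $findings += "[$name] share does not exist"
        continue
    }

    # Share-level ACL
    foreach ($ace in Get-SmbShareAccess -Name $name) {
        if ($ace.AccountName -in $broad) {
            $findings += "[$name] share grants $($ace.AccessRight) to broad principal $($ace.AccountName)"
        }
        elseif ($ace.AccountName -eq $mdtsvc -and $ace.AccessRight -ne $want.ShareRight) {
            $findings += "[$name] share grants $($ace.AccessRight) to $mdtsvc, expected $($want.ShareRight)"
        }
    }

    # NTFS ACL on the folder behind the share
    $allowedMask = ([int][System.Security.AccessControl.FileSystemRights]($want.NtfsRight)) -bor $sync
    foreach ($ace in (Get-Acl -Path $want.Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($id -in $broad) {
            $findings += "[$name] NTFS grants $($ace.FileSystemRights) to broad principal $id"
        }
        elseif ($id -eq $mdtsvc) {
            # Any bit outside the expected right (plus Synchronize) is over-privilege
            $extra = ([int]$ace.FileSystemRights) -band (-bnot $allowedMask)
            if ($extra -ne 0) {
                $findings += "[$name] NTFS grants $($ace.FileSystemRights) to $mdtsvc, expected $($want.NtfsRight)"
            }
        }
    }
}

# The service account needs no administrative rights on the MDT server at all
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins.Name -contains $mdtsvc) {
    $findings += "$mdtsvc is a member of the local Administrators group"
}

if ($findings.Count -eq 0) {
    Write-Host 'OK: MDT shares match the least-privilege model.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The NTFS comparison masks off Synchronize because Get-Acl reports the rule written by the script as "Read, Synchronize" rather than plain "Read"; without that mask every ACE would be flagged. The check is deliberately one-directional: extra rights on the service account and any broad principal are findings, while additional named administrators on the root share (which the script grants Change to on purpose) are left alone.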