This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 83%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECC%3C/text%3E%3C/svg%3E)
Hello, I wondered if you could help me with putting into place a secure source share with the correct Share and NTFS permissions.
The reason I ask is the permissions currently are a bit of a mess and I have picked up this project.
So what am i talking about?
The content source share that holds OSD content such as Images, Drivers, Applications such as Dell CCTK & Bios Updates. (This IS NOT any of the default SCCM folders (SMS***, Content Library etc) that are created during installation)
We have a Primary Site Server with MP and DP roles and a remote server with MP and DP roles.
From my understanding this folder is used as a source location for package creation and adding Images etc into SCCM and obviously has no relation to client distribution.
Share is \Primarysiteserver\Source
Within this share we have an Application folders (Contains Dell CCTK and BIOS upgrades), OSD Folder which contains Images, Boot images, DriverSources, DriverPackages (during driver import you create a driver package and specify the package path)
What i need to know is what permissions should be on the actual share and then what permissions should be set via NTFS?
So for example, We will have a group of users who will administrate ConfigMgr (adding & updating packages, images, drivers etc)
What permissions on the actual share need to be there for (administrator users, and for Sccm site servers to be able to read this source content location and then what permissions for NTFS.
Source (share) (\Primarysiteserver\Source)
-- Applications
---- Dell CCTK
---- BIOS (within this we have sub folders for each model)
-- OSD
---- Images
---- DriverSource
---- DriverPackage
---- Boot Images
-- Captures
-- StateCapture
I just need to know at the share level what needs granting and what needs granting at the NYFS granular level. Hoping to get this sorted by Monday. :)
Share:
Everyone = Full
NTFS:
Local Admins = Full
System = Full (because the source directory is on the primary site server?)
SCCM Admins = Full (users who work on sccm)
Network Accesss Account = Read
I do I need to add the primary site servers AD computer account to this aswell?
Would this stop everyone except those stated in NTFS from being able to see the contents within the subfolders of the source share?
Any help is greatly appreciated.
So what access needs to be on the source folder share.
And then under NTFS what accounts I need to add permission and what level permission.
So for example Sccm administrators would have modify ntfs permission.
What other accounts need access to the share and ntfs permissions.
So does the network access account for example need to be in either.
Does System need to be in the ntfs permissions?
Does the AD computer account for the site server needed to be added to the share or ntfs permissions? Etc etc
Hi @Anonymous ,
Your thought about cleaning-up the permission is wonderful. Actually, there is no existing answer for this question, which varies from environment to environment. When we access a shared folder, the current logged on user's credential will be used. At such situation, we only need to grant read permission for the right user/group and that's enough. In our environment, granting \Primarysiteserver\Source is ok.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you for the reply. What needs read access on the share and what permissions for NTFS so I need to have in place?
For example, what accounts need to be listed on the share and what accounts need to be on NTFS for it to work.
So I know for example on NTFS you would have a group of users who create packages etc to have wrote access to these locations, but I just wondered what accounts like the server AD accounts need to be on these with what level of access
Basically I just need what is the minimum share permission and ntfs permissions on that structure for it to function. Just the basic principles so I can understand what I need to put in place
There is no standards for this, Whatever works for you. The Site Server need read to both the share and files but I generally give it full.
It sound like you are trying to solve a problem but think the share / file permissions are they issue. Is there more to this story?
It just has all sorts of permissions added to it some folders are inherited others are not and it’s a complete mess.
I basically just want to lockdown the share and folders to bare minimum,
For example I don’t personally want anyone in the company to be able to navigate and read the share and it’s contents. I just need the minimal required permissions for packages (drivers, applications, osimages to be created from that share.
There is no standards for this, make sure that the site server had read on both the share and file and you are good from a CM standpoint. everything else is up to you are to what you want.
Share:
Everyone = Full
NTFS:
Local Admins = Full
System = Full (because the source directory is on the primary site server?)
SCCM Admins = Full (users who work on sccm)
Network Accesss Account = Read
I do I need to add the primary site servers AD computer account to this aswell?
Would this stop everyone except those stated in NTFS from being able to see the contents within the subfolders of the source share?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 30%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
I'd like to bring this back to top. Has there been a standard for managing permissions for the Content_Library share within MECM set since this conversation occurred? Or even a direct answer to this question? Or is there an article for best practices on following least privilege principals to apply a stronger security posture to MECM permissions in general? Thanks in advance.
Wow, nearly 3 years later.
A lot of time has passed and knowledge has been gained since this question. Since this i have also implemented a completely new environment for MCM.
For those who come across this and are looking for an answer, we set the following ACL's on the ConfigMGR Source Share.
Share:
Everyone - Full Control
NTFS:
Administrators - Full Control (Local Server Admin Group)
SCCM-Admins - Full Control (Custom AD Group for SCCM Admins)
SCCM NAA - Read (Network Access Account)
Hope this helps!