Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Thursday, March 7, 2019 11:45 AM
Hi All
Hope someone can assist. I have a TS to deploy Windows 10 and I would like to add an AD group to a folder on C: and set the permission with a TS Step is this possible?
Thanks in advance
Best regards, Wayne
All replies (13)
Thursday, March 7, 2019 12:08 PM ✅Answered | 1 vote
Hi wmb37,
We can use the command line Icacls.exe to grant required permission to specific folders for domain user or group. For more detailed information and steps, please refer to:
Also, we can refer to this: Apply folder permission during SCCM 2007 task Sequence
Hope my answer could help you and look forward to your feedback.
Best regards,
Simon Ren
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Thursday, March 7, 2019 2:31 PM ✅Answered
Hi There
Thank you for your reply, before I create a package to run on my TS I am running the command on a test computer but I receive an access denied when I run the command is below. I am running the command prompt with elevated permissions
icacls "C:\Program Files (x86)\MyApplication\GP2013" /grant "Doman\10_Users_RW:(OI)(CI)(IO)M"
Best regards, Wayne
Thursday, March 7, 2019 2:35 PM ✅Answered | 1 vote
You need to have permissions first on whatever you are attempting to set the permissions on. Thus, are you testing from an elevate command-prompt?
Also, there's no reason to create a package for this as its a simple command-line. Just use a run command-line task in the TS and paste in the appropriate command. No need to use cmd.exe either since icacls.exe is an .exe already.
Jason | https://home.configmgrftw.com | @jasonsandys
Thursday, March 7, 2019 10:12 PM ✅Answered
If you want to test properly like SCCM would you need to run as System like SCCM would during a TS. you can do that with psexec
https://verbalprocessor.com/2007/12/05/running-a-cmd-prompt-as-local-system/
The TS does not have user rights like you do so in order to test it before adding it you need to run as System. Beyond that Simon is right.
Thomas Faherty
Friday, March 8, 2019 8:07 AM ✅Answered
Thank you all. I now have my test working I thought I was running my cmd with elevated permission but when I ran whoami I was not.
Thank you all once again
Best regards, Wayne
Friday, March 8, 2019 8:27 AM ✅Answered
Hi Simon
Thank you for your message, which I have only just seen. Do I have to run the step with an account? I thought TS run as a system so I assume I don't have to use an account to run the step am I wrong on this
Best regards, Wayne
Friday, March 8, 2019 3:19 PM ✅Answered
No, there is no reason to specify a run as account for this as you are correct that the TS task will be run as the local System account -- unless of course the local System account doesn't have permissions onthe folder in question which would be quite odd.
Jason | https://home.configmgrftw.com | @jasonsandys
Friday, March 8, 2019 3:50 PM ✅Answered
Once again Thank you all who have help. I now have the permissions assigned within my TS : ) I am still learning SCCM and there is so much to learn, but I am loving the challenge :)
Best regards, Wayne
Friday, March 8, 2019 3:57 PM ✅Answered
I hear you, Jason, I hear you:) My problem, I don't know SQL when I have put on my list to lease as I need to improve the performance of SCCM as the console sometime hangs
Best regards, Wayne
Friday, March 8, 2019 7:56 AM
Hi wmb37,
With correct permissions as Jason mentioned, I have done a test in my environment, and the task sequence works as expected. The steps are as below:
1.Create the folder C:\Program Files (x86)\MyApplication\GP2013 the same as yours.
- Create a new custom task sequence named folder permissions that only have one step Run Command Line to run the command icacls "C:\Program Files (x86)\MyApplication\GP2013" /grant "usergroup1:(OI)(CI)(IO)M"
This command will add my domain group named usergroup1 to the folder C:\Program Files (x86)\MyApplication\GP2013 and set the permissions. As shown below:
- On the client, I run the folder permissions task sequence in the software center.
- After the TS completed, the usergroup1 has permissions on the folder C:\Program Files (x86)\MyApplication\GP2013. And from the smsts.log, we can also see the TS successfully completed.
Hope my answer could help you and look forward to hearing from you. Thanks for your time
Thanks and regards,
Simon
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Friday, March 8, 2019 3:53 PM
To be clear here, this really had nothing to do with ConfigMgr itself. Being successful with ConfigMgr means knowing and learning a lot about other technologies as well like Windows and SQL as ConfigMgr is simply a layer on top of these in many cases.
Jason | https://home.configmgrftw.com | @jasonsandys
Friday, March 8, 2019 5:23 PM
That's a separate thread, however, do you have amiantenance task in place to re-index the ConfigMgr DB and rebuild its statistics?
If not, do this: https://stevethompsonmvp.wordpress.com/2016/11/29/optimizing-sccm-databases-revisited/
Jason | https://home.configmgrftw.com | @jasonsandys
Saturday, March 9, 2019 1:15 PM
Thank you, I shall read and implement
Thank you once again
Best regards, Wayne