Configuring the Appropriate Resource Access

During the deployment to the target computers, the SMS client connects to the distribution point shares and shared folders. Create accounts within SMS for use by the SMS client when accessing these resources.

To configure the appropriate resource access

  1. Configure SMS client access accounts.

  2. Create additional shared folders.

  3. Configure shared folder permissions.

  4. Configure access to other resources.

  5. Configure credentials used in the Package Selection Phase.


Configuring Client Access Accounts

The SMS client needs an account to provide as credentials when accessing the SMS distribution points, the BDD 2007 deployment point, and the shared folders. Because SMS stores this account's password and hands the credentials to every target computer, give the account read access to the distribution point shares only and no other privileges. The accounts to configure are listed in Table 4.

Table 4. Accounts That Must Be Configured

Account

Description

SMS advanced client network access account

Used by the SMS OSD Feature Pack on Windows 2000 Professional and later operating systems to access the distribution point that contains the operating system package.

To configure the client access accounts

  1. Create the user account and password in an Active Directory domain.

  2. In the SMS Administrator Console, navigate to the Client node, as illustrated in Figure 2.

    Figure 2. Adding Client Connection accounts

  3. Right-click the Client node, click New, and then click Windows User Account.

  4. In the Connection Account Properties dialog box, click Set.

  5. Complete the Windows User Account dialog box by using the information in Table 5, and then click OK.

    Table 5. Information Required to Complete the Windows User Account Dialog Box

    For this

    Do this

    User name

    Type UserName (where UserName is the name of the user account to be used).

    Password

    Type Password (where Password is the password for the user account to be used).

    Confirm Password

    Type Password (where Password is the password for the user account to be used).

    Repeat steps 3–5 for each client access account to be created.

  6. In the SMS Administrator Console, navigate to the Component Configuration node, as illustrated in Figure 3.

    Figure 3. Configuring Software Distribution to use the Client Connection accounts

  7. In the details pane, right-click Software Distribution, and then click Properties.

    The Software Distribution Properties dialog box, shown in Figure 4, appears.

    Figure 4. Configuring the Software Distribution properties

  8. In the Software Distribution Properties dialog box, click the General tab, type the account created in step 5 in the Advanced Client Network Access Account text box, and then click OK.

  9. Close any open windows.

Creating Additional Shared Folders

After configuring the SMS client access accounts, create additional shared folders in which to store the user state migration data and the deployment logs. Table 6 lists the shared folders to be created and describes the purpose of each shared folder. For more information about the planning for these shared folders, see “Providing Sufficient Storage for User State Migration Data” and “Providing Sufficient Storage for Deployment Logs,” earlier in this guide.

Table 6. Shared Folders and Their Descriptions

Shared folder

Description

MigData

Stores the user state migration data during the deployment process

Logs

Stores the deployment logs during the deployment process

Note   The names in Table 6 are recommended shared folder names. Team members can use any names for these shared folders. However, the remainder of the deployment process will refer to these shared folders by these names.

Configuring Shared Folder Permissions

After creating the additional shared folders, configure the appropriate shared folder permissions. Ensure that unauthorized users are unable to access user state migration information and the deployment logs. Only the target computer creating the user state migration information and the deployment logs should have access to these folders.

To configure the shared folder permissions for each folder listed in Table 6

  1. Start Windows Explorer, and navigate to SharedFolder (where SharedFolder is one of the shared folders listed in Table 6).

  2. Right-click SharedFolder, and then click Properties.

  3. On the Security tab, click Advanced.

  4. On the Permissions tab, clear the Allow inheritable permissions from the parent to propagate to this object and all child objects check box.

  5. When prompted to either Copy or Remove the permission entries that were previously applied from the parent, click Remove.

  6. On the Permissions tab, click Add.

  7. In the Enter the object name to select text box, type Domain Computers, and then click OK.

    This action allows domain computers to create subfolders.

  8. In the Permission Entry for SharedFolder dialog box, in the Apply onto list, select This folder only.

  9. In the Permission Entry for SharedFolder dialog box, in the Permissions list, select Allow for the Create Folders/Append Data permission, and then click OK.

  10. Repeat steps 6–9, substituting Domain Users for Domain Computers.

  11. On the Permissions tab, click Add.

  12. In the Enter the object name to select text box, type CREATOR OWNER, and then click OK.

    This action allows domain computers and domain users to access the subfolders they create.

  13. In the Permission Entry for SharedFolder dialog box, in the Apply onto list, select Subfolders and files only.

  14. In the Permission Entry for SharedFolder dialog box, in the Permissions list, select Allow for the Full Control permission, and then click OK.

  15. Repeat steps 11–14 for each group to which administrative privileges will be granted.

    The permissions set in these steps allow a target computer to connect to the appropriate share and create a new folder in which to store user state information or logs, respectively. Because Domain Computers and Domain Users receive only Create Folders/Append Data on the share root and CREATOR OWNER receives Full Control on subfolders only, each computer or user can reach only the subfolder it created; the folder permissions prevent other users or computers from accessing the data stored there.

    These are NTFS permissions. Share permissions are evaluated as well, and the more restrictive of the two applies, so the share itself must grant at least Change to Domain Computers, Domain Users, and the administrative groups for the steps above to take effect.

    Note   The default permissions on the SMS distribution point shares should provide the appropriate resource access by default.
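The same permission set as steps 3–15, applied with PowerShell instead of the Explorer dialogs, as an added example that is not part of the BDD 2007 guide. It assumes the folders live at D:\MigData and D:\Logs on the file server, that the domain is CONTOSO, and that CONTOSO\Deployment Admins is the administrative group meant in step 15; all three are placeholders to change. Run it elevated on the server that hosts the shares.

```powershell
# Added example (not from the BDD 2007 guide): NTFS permissions for the
# MigData and Logs folders, matching steps 3-15 of the procedure above.
# Assumed names: D:\MigData, D:\Logs, domain CONTOSO, CONTOSO\Deployment Admins.

$Folders     = @('D:\MigData', 'D:\Logs')
$Domain      = 'CONTOSO'
$AdminGroups = @("$Domain\Deployment Admins")

# "Subfolders and files" in the Explorer dialog = both inheritance flags.
$SubItems = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

function New-AllowAce {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-DeploymentFolderAcl {
    param([string]$Folder)
    if (-not (Test-Path -Path $Folder)) {
        New-Item -ItemType Directory -Path $Folder | Out-Null
    }
    $acl = Get-Acl -Path $Folder

    # Steps 4-5: stop inheriting from the parent and discard (not copy) the
    # inherited entries; then clear explicit leftovers so re-runs converge.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    # Steps 6-10: Domain Computers and Domain Users may only create a subfolder
    # in this folder ("This folder only" = no inheritance). They get no read or
    # list access, so they cannot see other computers' subfolders.
    foreach ($group in @("$Domain\Domain Computers", "$Domain\Domain Users")) {
        $acl.AddAccessRule((New-AllowAce $group 'CreateDirectories' 'None' 'None'))
    }

    # Steps 11-14: the creator of a subfolder gets Full Control of it and its
    # files ("Subfolders and files only" = inherit-only), not of the root.
    $acl.AddAccessRule((New-AllowAce 'CREATOR OWNER' 'FullControl' $SubItems 'InheritOnly'))

    # Step 15: administrative groups get Full Control of everything.
    foreach ($group in $AdminGroups) {
        $acl.AddAccessRule((New-AllowAce $group 'FullControl' $SubItems 'None'))
    }
    Set-Acl -Path $Folder -AclObject $acl
}

function Get-DeploymentFolderAcl {
    param([string]$Folder)
    (Get-Acl -Path $Folder).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

foreach ($folder in $Folders) {
    Set-DeploymentFolderAcl -Folder $folder
    Get-DeploymentFolderAcl -Folder $folder | Format-Table -AutoSize

    # Share and NTFS permissions are both evaluated and the more restrictive
    # wins, so the share must grant at least Change to the same groups.
    $share  = Split-Path -Path $folder -Leaf
    $grants = @("/GRANT:$Domain\Domain Computers,CHANGE",
                "/GRANT:$Domain\Domain Users,CHANGE",
                "/GRANT:$Domain\Deployment Admins,FULL")
    net share "$share=$folder" $grants
}
```

Get-DeploymentFolderAcl prints the resulting entries so they can be compared with steps 6–15 before any target computer connects; the expected output for each folder is two Create Folders/Append Data entries with no inheritance flags, one CREATOR OWNER Full Control entry marked InheritOnly, and one Full Control entry per administrative group.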

Configuring Access to Other Resources

In addition to the shared folders created, the BDD 2007 scripts may require access to other resources, including application or database servers (such as Microsoft SQL Server 2000 or Microsoft Exchange Server 2003). The scripts connect to:

  • The distribution point, by using the credentials supplied by the:

    • SMS 2003 Advanced Client Network Access Account.

    • UserID, UserDomain, and UserPassword properties in CustomSettings.ini. These properties are stored in clear text, so restrict who can read CustomSettings.ini.

  • Other servers, by using the Connect to UNC action.

Supply credentials when configuring a Connect to UNC action. The credentials supplied in the Connect to UNC action are used not only for the connection to the shared folder but also to authenticate to application or database servers.

To authenticate to these application or database servers, use the Connect to UNC action to connect to any share on that server. Other connections to that server, such as Named Pipes or Remote Procedure Call (RPC), reuse the credentials supplied in the Connect to UNC action.

Configuring the Package Selection Phase Credentials

The deployment of the operating system packages to the target computer can be broken down into the phases described in Table 7. These phases occur at different points in the deployment process, and the credentials available differ by phase.

Table 7. Operating System Deployment Phases and the Credentials Available

Phase

Credentials available

Validation

Any credentials

State Capture

Any credentials

Package Selection

Credentials in Ripinfo.ini that provide access to the distribution point, and credentials in Ripinfo.ini that provide access to the shared folder specified in the [UserCommand] section

Preinstall

Any credentials

Postinstall

Any credentials

State Restore

Any credentials

When Windows PE is used to prepare the target computer for installation, the SMS OSD Feature Pack uses the information in the Ripinfo.ini file to locate and run the command in the [UserCommand] section (ZeroTouchInstallation.vbs). The SMS OSD Feature Pack ignores the [RIPInfo] section and passes control to ZeroTouchInstallation.vbs.

When initiating the installation of Windows PE from a CD, the CD-based method ignores the [UserCommand] section and uses the information in the [RIPInfo] section. The CD-based method is not automated and requires manual selection of the image to install. This phase exists only when team members are installing a new operating system installation (New Computer and Replace Computer scenarios).

During the Package Selection Phase, only a limited number of credentials are available. These credentials are stored in the Ripinfo.ini file and are used by OSD to provide access to the resources. The credentials supplied in Ripinfo.ini include credentials as specified in the:

  • [RIPInfo] section. The credentials in [RIPInfo] are used to authenticate access to the shared folder on the distribution point where the package image is stored.

  • [UserCommand] section. The credentials in the [UserCommand] section are used to authenticate access to the shared folder where the command-line program is stored (which may also be on the same distribution point).

A sample Ripinfo.ini file is illustrated in Listing 1.

Listing 1. Sample Ripinfo.ini

Note Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.

[RIPInfo]
Images=1
LocalImage=Yes
WizTitle=XPSP2
AllowMachineName=No
SiteCode=SMS
ManagementPoint=SERVER1:80
Reserved1=5EDBD289503F9DA5B84F6BA5320EACCB250DA92CA96A46E265F7732A4071BF0BD196976C659D66
Reserved2=E35E5E17C5AD023A280D3DBC9D5C0DF0042E583113F3A183CE7A9DDE0E15640B29D4AFC6BE517A
Reserved3=66AEA099AE219FD2A1AB1C4E97D1D3E9C67E58F60B
[UserCommand]
CommandLine=""\\Server1\SMSPKGE$\SMS00001\ZeroTouchInstallation.vbs" /phase:NewComputer" /scriptlog
NetworkShare=\\Server1\SMSPKGE$\SMS00001
Reserved1=2BDEF2AE706BC58AEA1B1DF04F0BD8CF5C0AAB5DDB1F43E25F2D6967E794E2F62416DCD3736A27
Reserved2=965B5E10C5D97A355AA70B0082C94BADE1A90C403969116AF008F0618690CDAFB7A374FD7E7E56
Reserved3=C3ABADA631DDDC0686C3C3CFF748EB6F0E5FCE89AD

Team members can only connect to the following two servers during the Package Selection Phase:

  • Distribution point specified in the [RIPInfo] section

  • Server hosting the network share specified in the [UserCommand] section

    Note   If both of these sections point to the distribution point, team members can only access resources on the distribution point.
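A check for the two-server limit described above, as an added example that is not part of the BDD 2007 guide or of the SMS OSD Feature Pack. It parses a Ripinfo.ini laid out as in Listing 1, reports which servers the [UserCommand] section names, and flags the case where CommandLine points at a server other than NetworkShare, because the [UserCommand] credentials then cannot reach the script during the Package Selection Phase. The sample file below is constructed to mirror Listing 1 with shortened Reserved values; the distribution point credentials in [RIPInfo] are encrypted, so only the management point is reported from that section.

```powershell
# Added example (not from the BDD 2007 guide): sanity-check a Ripinfo.ini for
# the Package Selection Phase. The sample content is constructed.

function ConvertFrom-IniText {
    param([Parameter(Mandatory = $true)][string]$Text)
    $ini = @{}
    $section = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            $ini[$section] = @{}
        }
        elseif ($null -ne $section -and $line -match '^([^=]+)=(.*)$') {
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $ini
}

function Get-UncServer {
    param([string]$Path)
    # CommandLine in Listing 1 starts with doubled quotes; strip them first.
    $p = "$Path".TrimStart('"')
    if ($p -match '^\\\\([^\\]+)\\') { return $Matches[1].ToUpperInvariant() }
    return $null
}

function Test-RipInfo {
    param([Parameter(Mandatory = $true)][string]$Text)
    $ini = ConvertFrom-IniText -Text $Text
    foreach ($name in 'RIPInfo', 'UserCommand') {
        if (-not $ini.ContainsKey($name)) { throw "Ripinfo.ini has no [$name] section." }
    }
    $uc = $ini['UserCommand']
    $shareServer   = Get-UncServer $uc['NetworkShare']
    $programServer = Get-UncServer $uc['CommandLine']

    # Reserved1..3 carry the encrypted credentials of each section, so the
    # file needs the same protection as any other credential store.
    $blobs = 0
    foreach ($name in $ini.Keys) {
        foreach ($key in $ini[$name].Keys) {
            if ($key -like 'Reserved*' -and $ini[$name][$key] -ne '') { $blobs++ }
        }
    }
    [pscustomobject]@{
        ManagementPoint       = $ini['RIPInfo']['ManagementPoint']
        NetworkShareServer    = $shareServer
        CommandLineServer     = $programServer
        ProgramOnNetworkShare = ($null -ne $programServer -and $programServer -eq $shareServer)
        CredentialBlobs       = $blobs
    }
}

# Constructed sample mirroring Listing 1 (Reserved values shortened).
$sample = @'
[RIPInfo]
Images=1
LocalImage=Yes
WizTitle=XPSP2
AllowMachineName=No
SiteCode=SMS
ManagementPoint=SERVER1:80
Reserved1=5EDBD289503F9DA5B84F6BA5320EACCB
Reserved2=E35E5E17C5AD023A280D3DBC9D5C0DF0
Reserved3=66AEA099AE219FD2A1AB1C4E97D1D3E9
[UserCommand]
CommandLine=""\\Server1\SMSPKGE$\SMS00001\ZeroTouchInstallation.vbs" /phase:NewComputer" /scriptlog
NetworkShare=\\Server1\SMSPKGE$\SMS00001
Reserved1=2BDEF2AE706BC58AEA1B1DF04F0BD8CF
Reserved2=965B5E10C5D97A355AA70B0082C94BAD
Reserved3=C3ABADA631DDDC0686C3C3CFF748EB6F
'@

$result = Test-RipInfo -Text $sample
$result | Format-List
if (-not $result.ProgramOnNetworkShare) {
    Write-Warning 'CommandLine is not on NetworkShare; the [UserCommand] credentials will not reach it.'
}
```

For the sample, NetworkShareServer and CommandLineServer are both SERVER1, ProgramOnNetworkShare is True, and six credential blobs are counted. To check a real file, replace the here-string with `Get-Content -Raw` of the Ripinfo.ini on the deployment point.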
