By
Johan Arwidmark
/ December 2, 2015
You probably know that a bug in MDT versions since MDT 2013 Update 1 have way too high security permissions being set on the deployment share created via Deployment Workbench – Only administrators can access them. Here is a script that sets them to a working level. If needed, modify the script to fit your environment, for example, your build account is probably not the VIAMONSTRA\MDT_BA account 🙂
# Check for elevation
Write-Host "Checking for elevation"
If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
[Security.Principal.WindowsBuiltInRole] "Administrator"))
{
Write-Warning "Oupps, you need to run this script from an elevated PowerShell prompt!`nPlease start the PowerShell prompt as an Administrator and re-run the script."
Write-Warning "Aborting script..."
Break
}
# Configure NTFS Permissions for the MDT Build Lab deployment share
$DeploymentShareNTFS = "E:\MDTBuildLab"
icacls $DeploymentShareNTFS /grant '"Users":(OI)(CI)(RX)'
icacls $DeploymentShareNTFS /grant '"Administrators":(OI)(CI)(F)'
icacls $DeploymentShareNTFS /grant '"SYSTEM":(OI)(CI)(F)'
icacls "$DeploymentShareNTFS\Captures" /grant '"VIAMONSTRA\MDT_BA":(OI)(CI)(M)'
# Configure Sharing Permissions for the MDT Build Lab deployment share
$DeploymentShare = "MDTBuildLab$"
Grant-SmbShareAccess -Name $DeploymentShare -AccountName "EVERYONE" -AccessRight Change -Force
Revoke-SmbShareAccess -Name $DeploymentShare -AccountName "CREATOR OWNER" -Force
I get error "no msft_smbshare objects found with property 'Name' equal to etc etc. Is that okay in some environments or is something broken?
Hi sappho – it looks like the Share doesn't exist. Could you provide the exact error you receive when running the script?
Hi Johan, what should be the variable for this? $DeploymentShare = "MDTBuildLab$" Is it just the deployment share name? How do I find that? Thank you I got back the following error: Grant-SmbShareAccess : No MSFT_SMBShare objects found with property 'Name' equal to 'E:\DeploymentShare'. Verify the value of the property and retry. At C:\Users\admin\Desktop\permissions.ps1:21 char:1 + Grant-SmbShareAccess -Name $DeploymentShare -AccountName "EVERYONE" – … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (E:\DeploymentShare:String) [Grant-SmbShareAccess], CimJobException + FullyQualifiedErrorId : CmdletizationQuery_NotFound_Name,Grant-SmbShareAccess Revoke-SmbShareAccess : No MSFT_SMBShare objects found with property 'Name' equal to 'E:\DeploymentShare'. Verify the value of the property and retry. At C:\Users\admin\Desktop\permissions.ps1:22 char:1 + Revoke-SmbShareAccess -Name $DeploymentShare -AccountName… Read more »
Hi Nikko – you can find the Share Name in Computer Management > Shared Folders or using Get-SMBShare with PowerShell
Hi Andrew, I appreciate the reply. Unfortunately I do not see the deployment share name listed as an smbshare with get-smbshare. This could be because it lives on network storage and is mounted on the server. Is there a way I can get around this? Thanks
Hi nikko – so sorry for the delayed reply. Is the network storage where the Deployment Share lives a Windows Server? If so, I would try running it there and it should find the SMB share.
Whenever I run the script I get an error on the SMB portion, apparently the SMB share does not exist, however the folder is shared. Is this normal or is this why my connection to the WDS share is failing?
Hi Austin – could you share the specific error you're getting when you run the script?
Line 17, you reference the variable ""$DeploymentShareNTFSCaptures", but nowhere is it defined. Am I missing something?
Oops, there was a missing "\" in $DeploymentShareNTFS\Captures". Fixed that. Thanks for the headsup.
/Johan
Hi Johan Arwidmark,
can you tell me, where should i write this script. ?
You need to update the script to reflect the path of your MDT deployment share, as well as the domain and username you use for accessing the share. You then run the script on your MDT deployment server.
/ Johan
I know it's an old post, but helped me troubleshoot issues today. Thanks!
Hi there! I have this exact problem with a Microsoft Surface Laptop 4, it just can't access deployment share, giving me the error of possible invalid credentials. However, this only happens with this specific machine/model, all other pc's I have in my domain work just fine (HP, Lenovo, Dell). So I'm no totally confident using this script of yours, because I'm afraid I might ruin the deployment server for other machines I already have working… Could you give me your opinion on this? Btw, I'm using Windows 10 Enterprise x64 build 2004.
Thank you and best regards!
Hi Jack.
I would suspect some sort of network glitch, or drivers missing. If this is still an issue, please reach out to me on LinkedIn and I'll see what I can to do help.
Hi Johan,
Ive been using my shares for sometime now. All of a sudden getting the invalid creds. Blew everything away and started from scratch by regenerating etc. Still same issues of invalid creds. Any suggestions? The script didnt work for me.
Hi KTon – are you getting the invalid creds error during a sequence or when you run this script? Could you please provide some error details?