Fixing MDT deployment share permissions using PowerShell

You probably know that a bug in MDT versions since MDT 2013 Update 1 sets overly restrictive security permissions on deployment shares created via Deployment Workbench: only administrators can access them. Here is a script that sets them to a working level. If needed, modify the script to fit your environment; for example, your build account is probably not the VIAMONSTRA\MDT_BA account 🙂

# Check for elevation
Write-Host "Checking for elevation"

If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
    [Security.Principal.WindowsBuiltInRole] "Administrator"))
{
    Write-Warning "Oupps, you need to run this script from an elevated PowerShell prompt!`nPlease start the PowerShell prompt as an Administrator and re-run the script."
    Write-Warning "Aborting script..."
    # Stop here so the permission changes below are not attempted without elevation
    Break
}

# Configure NTFS Permissions for the MDT Build Lab deployment share
# (OI)(CI) = inherit to files and subfolders; RX = read and execute, M = modify, F = full control
$DeploymentShareNTFS = "E:\MDTBuildLab"
icacls $DeploymentShareNTFS /grant '"Users":(OI)(CI)(RX)'
icacls $DeploymentShareNTFS /grant '"Administrators":(OI)(CI)(F)'
icacls $DeploymentShareNTFS /grant '"SYSTEM":(OI)(CI)(F)'
# The build account only gets Modify on the Captures folder, not on the whole share
icacls "$DeploymentShareNTFS\Captures" /grant '"VIAMONSTRA\MDT_BA":(OI)(CI)(M)'

# Configure Sharing Permissions for the MDT Build Lab deployment share
$DeploymentShare = "MDTBuildLab$"
Grant-SmbShareAccess -Name $DeploymentShare -AccountName "EVERYONE" -AccessRight Change -Force
Revoke-SmbShareAccess -Name $DeploymentShare -AccountName "CREATOR OWNER" -Force
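
To check the result after running the script, the following added example (not part of the original post) reads back the share permissions and lists every non-administrative account that holds write-level NTFS rights. It assumes the same path and share name as the script above; the helper name Get-WritableAce is hypothetical.

```powershell
# Added example: read back the permissions set by the script above.
# Path and share name are the values used in the post; adjust to your environment.
$DeploymentShareNTFS = "E:\MDTBuildLab"
$DeploymentShare     = "MDTBuildLab$"

# Share-level permissions. Access over SMB is limited by both the share
# permissions and the NTFS ACL, so Everyone/Change on the share is still
# constrained by the NTFS rights checked below.
Get-SmbShareAccess -Name $DeploymentShare |
    Select-Object AccountName, AccessControlType, AccessRight

# Hypothetical helper: list Allow ACEs with write-level rights held by
# accounts other than Administrators and SYSTEM.
function Get-WritableAce {
    param([Parameter(Mandatory)][string]$Path)

    # Specific rights that change content or the ACL itself
    $specific = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits,
    # which can appear on inherit-only ACEs
    $writeMask = $specific -bor 0x50000000

    # Compare by SID so the check also works on localized systems
    $adminSids = 'S-1-5-32-544', 'S-1-5-18'   # BUILTIN\Administrators, SYSTEM

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($adminSids -contains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Account   = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Review every account listed: the script itself only grants write-level
# rights to the build account, and only on the Captures folder.
Get-WritableAce -Path $DeploymentShareNTFS
Get-WritableAce -Path "$DeploymentShareNTFS\Captures"
```

Because icacls /grant adds to the existing ACL rather than replacing it, entries flagged here may be inherited from the parent folder; the Inherited column shows which ones are.
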
About the author

Johan Arwidmark

Greg Bond
3 months ago

Line 17, you reference the variable "$DeploymentShareNTFSCaptures", but nowhere is it defined. Am I missing something?

3 months ago

Hi Johan Arwidmark,

Can you tell me where I should write this script?

4 months ago

I know it's an old post, but helped me troubleshoot issues today. Thanks!

Jack Daniels
9 months ago

Hi there! I have this exact problem with a Microsoft Surface Laptop 4, it just can't access the deployment share, giving me the error of possible invalid credentials. However, this only happens with this specific machine/model, all other PCs I have in my domain work just fine (HP, Lenovo, Dell). So I'm not totally confident using this script of yours, because I'm afraid I might ruin the deployment server for other machines I already have working… Could you give me your opinion on this? Btw, I'm using Windows 10 Enterprise x64 build 2004.
Thank you and best regards!