We've been using MDT 2012 previously 2010 with no problems. However, after a recent Administrator account password change this account can no longer be used for deploying images.
When using the WinPE environment (from F12) at a client if the Administrator credentials are used we get an Invalid Credentials. Access Denied error message and cannot continue any further.
We do not specify any user credentials in the Bootstrap.ini file as we prefer to enter them at run time.
Bizarrely, we get the same result with a newly created Domain Admins account and an existing Domain Admins account. However, 3 other Domain Admin accounts do work.
From the CMD prompt we cannot connect to the DeploymentShare with NET USE for the accounts that don't work. Not surprisingly with the working Domain Admins accounts we can successfully connect with NET USE.
We have updated the Deployment Share and Optimised the boot image(s) with no positive effect.
We're stuck! Any help would be much appreciated.
I put the blame on the server here.
MDT will simply make a UNC network connection with the deployment share. So you are correct to try to debug the scenario by pressing F8 in WinPE, and running the network commands manually:
Net use * \\server\deploymentShare$ /u:Server\User *
If this does *not* work then dump out the acls on the MDT Server:
C:\windows\system32>net share deploymentshare$ Share name DeploymentShare$ Path c:\DeploymentShare Remark Maximum users No limit Users Caching Manual caching of documents Permission NT AUTHORITY\Authenticated Users, FULL The command completed successfully.
C:\windows\system32>icacls c:\deploymentshare c:\deploymentshare NT AUTHORITY\Authenticated Users:(OI)(CI)(RX) BUILTIN\Administrators:(I)(OI)(CI)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) BUILTIN\Users:(I)(OI)(CI)(RX) NT AUTHORITY\Authenticated Users:(I)(M) NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
Keith Garner - keithga.wordpress.com
- Proposed as answer by Keith GarnerModerator Saturday, September 28, 2013 12:07 AM
Thanks for the reply.
I have checked the Share and NTFS permissions as suggested and I did need to modify them slightly. However, the original problem remains.
Interestingly I can successfully map a drive with NET USE from my own pc. I presume this proves that the permissions are ok as I'm using the same sharename and path etc. to make the connection.
Also, as mentioned the other 3 working domain admin accounts don't have this problem.