DCM Configuration Item for file or folder permissions
Hello
I am creating a Configuration Item to check the permissions of a folder on clients. In the Add "group or username" it only gives the option for Domain\user.
Is there a way we could add the local administrator or other local accounts of clients?
Checked for similar questions but couldn't find any.
Any pointers are appreciated. Thank you!
Answers
- The only other option is to check for the Builtin accounts by using, for example, "Builtin\administrator".
What I have used to check for local permissions is a PowerShell script created under settings.
This one checks that "everyone" does not have any rights to the folder:
$null -eq (get-acl "e:\logfiles"| % {$_.access} |where {$_.identityreference -eq "everyone"})
This one checks that the group "data_rw" has modify rights on the folder:
(get-acl "e:\data"| % {$_.access} |where {$_.identityreference -like "*data_rw"}| % {$_.filesystemrights}) -like "*modify*"
Then just set the validation to true.
Hope this helps
Marked As Answer by Vamsi Varma Ganaraju Thursday, November 05, 2009 7:35 PM
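The two checks from the answer above, written as one script that matches accounts by SID and tests the rights bitwise, so a FullControl grant also counts as Modify. This is an added example, not code from the thread; it assumes "data_rw" is a local group on the client and reports any error as non-compliant.

```powershell
# Added example: DCM script setting that emits a single True/False.
# Paths and group name come from the post above; data_rw is assumed to be local.
$ErrorActionPreference = 'Stop'
$sidType     = [System.Security.Principal.SecurityIdentifier]
$modify      = [int][System.Security.AccessControl.FileSystemRights]::Modify
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-AllowRules([string]$Path, $Sid) {
    # Resolve every ACE to a SID so display names and OS language do not matter.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    $rules | Where-Object {
        $_.IdentityReference.Value -eq $Sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        # Inherit-only ACEs apply to child objects, not to the folder itself.
        ([int]$_.PropagationFlags -band $inheritOnly) -eq 0
    }
}

function Test-FolderAcl {
    try {
        # S-1-1-0 is the well-known SID for Everyone.
        $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
        $account  = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\data_rw")
        $group    = $account.Translate($sidType)

        # Check 1: no Allow ACE for Everyone on the log folder.
        $noEveryone = @(Get-AllowRules 'e:\logfiles' $everyone).Count -eq 0

        # Check 2: at least one Allow ACE gives data_rw every bit of Modify.
        $hasModify = @(Get-AllowRules 'e:\data' $group | Where-Object {
            ([int]$_.FileSystemRights -band $modify) -eq $modify
        }).Count -gt 0

        return ($noEveryone -and $hasModify)
    } catch {
        # Missing folder, unknown group or unreadable ACL: report non-compliant.
        return $false
    }
}

# The only output of the script is the value DCM validates against.
Test-FolderAcl
```

Deny ACEs are not evaluated, so this confirms that a grant exists rather than computing effective access.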
All Replies
- Great information! The "data_rw" group that you mention above, is that a local group?
My environment is all Server 2003 - do I need to install PowerShell on the member servers for this to work?
Also, where do I set the validation to "true"? I don't see true as an option.
New to this - so appreciate the help with newbie questions.
- Glad to help.
The "data_rw" is a local group.
When you run DCM, the commands are running local to that machine, so you would need PowerShell installed on the PC you are checking. You could probably convert the above code to VBScript and use xcacls.
The important thing with DCM checks is that the output of whatever you write is what the validation is checked against. So if the output is either a true or false, then you validate for that. I have also used it in the past to check the correct version of an installed program.
When you create your script under settings, there is a validation tab. Click "new" and enter "equals true". This way, if the rights exist, the output of the script is true and it validates.
- Raymond,
Thanks for the response. :)

