Monday, May 07, 2012 10:04 AM
I configured AD, DHCP and DNS on one Server 2008 R2 machine and explored SQL and SCCM on other Server 2008 R2 machine. i have created a domain user called sccmadmin and added to domain admin groups, administrator group and local admin group of SCCM machine as well.
I configured sccm server with domain admin user (sccmadmin) only. But when i tried to access sccm shared folders got Access Denied Contact Network Administrator to get access !!!
I have checked folder properties/security tab. domain/admin group has there with full permission.
please help me on this.. kindly post your valuable tips....
- Moved by Brian Huneycutt [MSFT]Microsoft Employee Wednesday, May 09, 2012 1:44 PM Not a servicing issue (From:Configuration Manager Servicing)
Monday, May 07, 2012 7:53 PM
Your smsadmin should be only in the local admin group, there is no need to be a domain admin. Then that problem can occur if you've played with NTFS permissions. Try to get access via a network map.
Friday, May 11, 2012 10:19 AM
Thanks for your reply..
As per your comment i had created one test user in Domain and added this your on SCCM Server admin group( Local admin group). But still i am getting the same issue ACCESS DENIED..!!! NTFS permission only..
Friday, May 11, 2012 11:04 AM
access denied to what, specifically?
If you are talking about \\servername\someshare, the fact that servername just so happens to have ConfigMgr installed on it is not relevant. That would be like saying "I can't get to C$ on this specific windows 7 workstation, but I can on the other, the difference is that the failing one has Acrobat Pro, and the working one has Acrobat Reader". It just not relevant to the discussion.
Standardize. Simplify. Automate.
Tuesday, May 15, 2012 9:50 AM
when i try to access \\servername\someshare (this someshare is created by SCCM tool only like SMS_Site SMS_ etc) folders getting access denied message. this user is domain user.
Tuesday, May 15, 2012 12:03 PM
What problem are you trying to solve? Are you following documentation on setting up ConfigMgr? If so, which documentation? For me, ConfigMgr setup "just works". If it doesn't "just work", then I missed a step in documented process on setting up ConfigMgr on multiple servers, i.e., SQL on a different server. But it sounds like you have SQL on the same box as ConfigMgr.
So, basically, I'm not sure what problem you are trying to actually "solve". In general, a regular domain user doesn't need rights to your ConfigMgr installation. If you forget the fact that you are trying to get a domain user rights to those shares... is ConfigMgr working? the client installs? The Management Point is working and processing data?
What instructions are you following that you think you need this account?
Standardize. Simplify. Automate.
Tuesday, May 15, 2012 1:38 PM
Thanks for your reply.
here it is my current SCCM lab infrastructure
Created two Server 2008 R2 machine. one for AD,DHCP,DNS and other SQL 2008 Ent, SCCM 2007 and other pre-requisites.
had created a domain user called sccmadmin and added this user into domain admin group and SCCM server local admin group too. I logged in SCCM server with domain admin user that is sccmadmin (not local administrator account) then installed and configured SCCM tool. SCCM has installed successfully.
After this when i try to add sccm client package from software distribution >package> new>package from definition. Configure manage client upgrade > selected Always obtain files from a source directory
Source Directory is \\Servername\Sharename (\\SCCM\SMS_LAB\Clients) got error.So i tried to access this folder directly via windows explorer came to know access denied.
Other one When i try to add drivers into SCCM drivers folder like Drivers > Import driver> \\Servername\driver folder > here it is the problem when i try to create a new package for this driver was getting error that is config Mgr reported an error.
If you need more details please let me know
Tuesday, May 15, 2012 3:40 PMSo, the issue is the account that connects to a share is not that sccmadmin account. the account that needs rights is the computer account of the server that has cm installed.
Standardize. Simplify. Automate.
Tuesday, May 15, 2012 5:53 PMModerator
Source Directory is \\Servername\Sharename (\\SCCM\SMS_LAB\Clients) got error
If LAB is the sitecode for your site, then I think the problem is that you are using an sms managed share, and shhouldn't be. You need to create a new package share and setup the share and acl permissions so that local system has full control, then drop all your packages in there.
- Edited by Rob Marshall - MVPMVP, Moderator Tuesday, May 15, 2012 5:53 PM
Friday, May 18, 2012 8:42 AM
I think i know what you mean, i had this problem when i tried to access such a share or tried downloading windows updates to a share such as \\ServerName\Updates instead of its local patch \\ServerName\c$\Updates
Maybe try the following:
1. Open ServerManager > Expand Roles > Expand File Services > Click "Share and Storage Management"
2. find which "Share Name" you are having the problem with and make note of the "Local Path"
3. open "My Computer" and locate the folder("Local Path") e.g "F:\Program Files (x86)\Microsoft Configuration Manager\Client" that you experiancing this problem with, right click and select properties > Select the "Security" tab
4. Confirm all the correct groups are there e.g Domain admins(Full Control), SYSTEM(Full Control), LOCAL SERVICE, Administrator(ServerName\Administrators)(Full Control)
Let me know what happens, it could be a matter of disable UAC and then testing
Thursday, May 24, 2012 12:40 PMModerator
Friday, June 08, 2012 2:04 PM
Hi underc - I am also having this problem.
When I go into share management, the C:\Program Files (x86)\Microsoft Configuration Manager\ folder (which is shared as SMS_%SITECODE%) has Full rights for Local admins and domain admins. Domain admins are part of the local admins group, and my user is part of the domain admins group.
I cannot access the folder, either via \\SERVER\SMS_%SITECODE%\ (of using FQDN) or locally on the server unless I specifically give myself NTFS permissions on the folder. Even if I add myself to the Local admin group, I still get the same issue. I cann access other shares on this server, and all other folders under C:\Program Files (x86)\
As to why I might want to access this folder - it contains the LOG FILES I need to troubleshoot SCCM!!!
Thursday, September 20, 2012 5:36 PM
Sorry this clue arrives 3 months after the last post... but i face somehow the same issue in a production environment and was giving me a hard time...
Somehow, if you use a Alias in your DNS to solve the servername, the server uses the SMB access if you don´t have the everyone or Authenticated users there you'll get the Access Denied, contact your administrator.... Possible reasons?, UAC on Windows 7 or DNS + SMB + Netbios authentication not being performed.
Giving access to everyone in SMB i could create at any folder (Even with the NTFS only for another user), anything, and read any files etc. Correlative to the level of access that i granted to the users Everyone or Authenticated Users
Once i found this:
Solution inspired on that site:
Use a CNAME entry in the DNS instead the Alias of the host
And guess.. this worked.. the SMB and NTFS authenticated my user and give the propper access...
If you have any idea of why whould Windows not perform any type of authentication to the Netbios name or a Alias in Windows Server 2008 R2 would be welcome!, this could have another solution via GPO..... but so far this are my findings.
*For those who use that folders as local offline files, there's also a problem with the CSC cache... The creation via regedit of the DWORD FormatDatabase and restart the computers works...
Any other ideas are welcome!
This is my first post for MS Tech... i promised after making many test that if i found a solution i whould share it.