MDT 2013 User Authentication

  • Question

  • I have successfully set up and can deploy an OS through MDT. My problem is, I need it to prompt admin in order to be able to install the operating system. This will prevent our students from being able to reimage just any machine at any time. Right now, I have it set to prompt for the admin password, but no matter what password you input, it allows the process to continue. I cannot use the MDT at this time until I have this solved. Any help would be appreciated.
    Wednesday, March 21, 2018 3:28 PM

All replies

  • Just to clarify, do you want to protect your deployments with a password? Wouldn't it be easier to simply omit user credentials from the boot media? Or do you require to use a specific service account to connect to your deployment share?

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    Wednesday, March 21, 2018 6:05 PM
  • I have successfully set up and can deploy an OS through MDT. My problem is, I need it to prompt admin in order to be able to install the operating system. This will prevent our students from being able to reimage just any machine at any time. Right now, I have it set to prompt for the admin password, but no matter what password you input, it allows the process to continue. I cannot use the MDT at this time until I have this solved. Any help would be appreciated.

    If I understand you correctly, you are setting what the admin password will be when the OS installs.

    What you may want to do is set the NTFS permissions such that only a certain set of users can Read or Execute.


    Many questions such as where do I find logs and what logs are interesting are found in: MDT TechNet Forum - FAQ & Getting Started Guide Please take the time to read it. Also if you don't post logs your problem won't be easily solved.

    Thursday, March 22, 2018 12:55 AM
    Moderator
  • As Ty mentioned, make sure your deployment share is properly secured.

    There are essentially two sets of permissions. In the "sharing" tab (go to the properties of the folder) you will want the permissions to be set to Everyone - Read, Change. 

    Use the ACL to lock it down, by going to the Security tab. The System account and Administrators group are fine to leave, but make sure only the account or accounts that you want to allow are listed with Read & Execute rights.

    You can even use this nice PowerShell script; just adjust it to point to your share.

    # Check for elevation: icacls and the Smb* cmdlets below need an elevated prompt
    Write-Host "Checking for elevation"

    $Principal = [Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
    If (-NOT $Principal.IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
    {
        Write-Warning "Uh Oh, you need to run this script from an elevated PowerShell prompt! Please start the PowerShell prompt as an Administrator and re-run the script."
        Write-Warning "Aborting script..."
        exit 1    # 'Break' outside a loop is not a reliable way to stop a script; exit with a non-zero code instead
    }

    # Configure NTFS permissions for the MDT deployment share.
    # (OI)(CI) = the entry is inherited by files and subfolders; RX = Read & Execute, M = Modify, F = Full Control.
    # Note: /grant only adds entries. Entries inherited from the parent folder (for example BUILTIN\Users
    # Read & Execute on the root of C:\) stay in place, so check the Security tab and remove them,
    # otherwise every local or domain user can still read the share content.
    $DeploymentShareNTFS = "C:\DeploymentShare"
    icacls $DeploymentShareNTFS /grant '"DOMAIN\USERNAME":(OI)(CI)(RX)'          # technician: read-only
    icacls $DeploymentShareNTFS /grant '"DOMAIN\MDT-ADMIN-ACCOUNT":(OI)(CI)(M)'  # MDT admin: may modify
    icacls $DeploymentShareNTFS /grant '"Administrator":(OI)(CI)(F)'
    icacls $DeploymentShareNTFS /grant '"Administrators":(OI)(CI)(F)'
    icacls $DeploymentShareNTFS /grant '"SYSTEM":(OI)(CI)(F)'

    # Configure sharing permissions for the MDT deployment share.
    # Everyone/Change at the share level is fine because the NTFS ACL above is the effective gate.
    $DeploymentShare = "DeploymentShare$"
    Grant-SmbShareAccess -Name $DeploymentShare -AccountName "EVERYONE" -AccessRight Change -Force
    Revoke-SmbShareAccess -Name $DeploymentShare -AccountName "CREATOR OWNER" -Force

    In my example script the first user listed would be the "technician" account or rather the person who would do deployments. The second account is the "MDT admin" or the person who should have rights to modify the deployment share. You're welcome to change it to fit your use.


    Daniel Vega

    • Proposed as answer by Dan_Vega Tuesday, March 27, 2018 9:04 PM
    Thursday, March 22, 2018 2:52 PM
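The check that the script above leaves to the Security tab, as an added example (not code from this thread or from MDT): a script that audits the deployment share's NTFS ACL for broad principals such as Everyone or BUILTIN\Users, warns while inherited entries still apply, and with -Fix rebuilds the ACL as an explicit allow-list. The path C:\DeploymentShare and the group names DOMAIN\MDT-Technicians and DOMAIN\MDT-Admins are assumptions.

```powershell
# Added example, not from the thread: audit the NTFS ACL on an MDT deployment share for access
# granted to broad principals, and with -Fix replace it by an explicit allow-list.
# The path and the two group names are assumptions; adjust them to your environment.
#Requires -RunAsAdministrator
param(
    [string]$Path = 'C:\DeploymentShare',                  # assumed local path of the share
    [string[]]$Technicians = @('DOMAIN\MDT-Technicians'),   # assumed group allowed to deploy (read)
    [string[]]$Admins = @('DOMAIN\MDT-Admins'),             # assumed group allowed to edit the share
    [switch]$Fix
)

# Principals that should never be able to read deployment media
$Broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
           'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\ANONYMOUS LOGON')
$acl = Get-Acl -Path $Path
if (-not $acl.AreAccessRulesProtected) {
    Write-Warning "Inheritance is enabled on ${Path}: entries from the parent folder (e.g. BUILTIN\Users Read on C:\) apply here."
}
# Report every Allow entry for a broad principal, whether inherited or explicit
$findings = foreach ($ace in $acl.Access) {
    $who = $ace.IdentityReference.Value
    if ($ace.AccessControlType -eq 'Allow' -and ($Broad -contains $who -or $who -like '*\Domain Users')) {
        [pscustomobject]@{ Identity = $who; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { Write-Host "No broad principals on $Path" }

if ($Fix) {
    # Disable inheritance without copying inherited entries, then drop any remaining explicit entries
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $wanted = @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' }
    )
    foreach ($t in $Technicians) { $wanted += @{ Id = $t; Rights = 'ReadAndExecute' } }
    foreach ($a in $Admins)      { $wanted += @{ Id = $a; Rights = 'Modify' } }
    foreach ($w in $wanted) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $w.Id, [System.Security.AccessControl.FileSystemRights]$w.Rights, $inherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    Write-Host "Replaced the ACL on $Path with an explicit allow-list."
}
```

Run it without -Fix first to see what the audit reports; the -Fix branch removes every inherited entry, so run it from an account in BUILTIN\Administrators and verify the result with icacls afterwards.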
  • The only thing I might add is that in PS 4.0 and later you could use

    #Requires -RunAsAdministrator

    Saturday, March 24, 2018 5:03 AM
    Moderator