How to push script to client without sharing mdtshare to Everyone?

  • Question

  • Hello, All

    I would like to ask for help on how to limit access to mdtshare while ZeroTouch still works as expected on the target computers.

    By the way, we are upgrading more than 5000 target computers from Windows 7 Ent to Windows 10 Ent.

    I am only using MDTServer and BatchPatch.

    Scenario 1:

    When the MDTshare folder (Deployment Share) is shared to a specific AD account only (Executor), the deployment script below doesn't work for ZeroTouch via BatchPatch.

    cscript.exe \\mdtserver\mdtshare\scripts\LiteTouch.vbs /rulesfile:ZeroTouch.Ini /TaskSequenceID:DEP10ENT64ENOF

    Scenario 2:

    When the MDTshare folder (Deployment Share) is shared to Everyone, the same script works fine for ZeroTouch deployment via BatchPatch.

    Scenario 3:

    When the MDTshare folder (Deployment Share) is shared to a specific AD account only (Executor), LiteTouch deployment on the target computers (selecting/filling out one by one until clicking Finish to start deployment) works fine.

    How can I limit access to the mdtshare folder to a few AD accounts only while the ZeroTouch deployment script still works via BatchPatch? This is to avoid any users accessing the MDTShare. Any help would be much appreciated.

    Cheers, Mike (Technical Support Engineer, Phils)





    Saturday, May 4, 2019 10:34 PM

All replies

  • There are two sides to sharing. First, the share permissions have to be set to Everyone, because when you are booted to WinPE or using a system account, you're not logged in as a specific user. You might think that's not secure at all. But that's why you set the ACL in the "Security" tab of that folder. That's where you restrict access to specific accounts.

    Even though the share is set to Everyone, only the users listed will be able to access the network share. In WinPE, you will be prompted to enter a username, password and domain.

    If you want to ZeroTouch using a batch file, you're going to need to connect to the share using the authorized account.

    net use z: \\MDTSERVER\MDTSHARE /USER:domain\user PASSWORD
    z:\scripts\LiteTouch.vbs /rulesfile:ZeroTouch.Ini /TaskSequenceID:DEP10ENT64ENOF



    Daniel Vega

    Monday, May 6, 2019 1:30 PM
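
    The two permission layers described in the reply above (share permissions and the folder's NTFS ACL) can be checked together on the MDT server. This is an added example, not part of the original thread: the share name `mdtshare` comes from the question, while `DOMAIN\Executor` and the other account names are placeholders to replace with your own.

```powershell
# Added example: audit both permission layers of the deployment share.
# Run on the MDT server in an elevated PowerShell session.
param(
    [string]$ShareName = 'mdtshare',                       # share name from the thread
    [string[]]$Allowed = @('DOMAIN\Executor',              # placeholder deployment account
                           'BUILTIN\Administrators',
                           'NT AUTHORITY\SYSTEM')
)

# Principals that mean "any user" if they appear in the NTFS ACL.
# 'DOMAIN\Domain Users' is a placeholder for your own domain group.
$Broad = @('Everyone', 'NT AUTHORITY\Authenticated Users',
           'BUILTIN\Users', 'DOMAIN\Domain Users')

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Layer 1: share permissions (expected to be broad in this design).
Write-Output "Share permissions on \\$env:COMPUTERNAME\$ShareName"
Get-SmbShareAccess -Name $ShareName |
    Select-Object AccountName, AccessControlType, AccessRight |
    Format-Table -AutoSize

# Layer 2: NTFS ACL on the shared folder. This is where access is restricted,
# so every Allow entry is classified against the expected account list.
$findings = foreach ($ace in (Get-Acl -Path $share.Path).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $id = $ace.IdentityReference.Value
    $status = if ($Broad -contains $id)       { 'TOO BROAD' }
              elseif ($Allowed -contains $id) { 'expected' }
              else                            { 'review' }
    [pscustomobject]@{
        Identity  = $id
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
        Status    = $status
    }
}

Write-Output "NTFS ACL on $($share.Path)"
$findings | Sort-Object Status, Identity | Format-Table -AutoSize

# Effective access is the intersection of both layers, so a broad principal
# in the NTFS ACL means the Everyone share permission is no longer contained.
if ($findings | Where-Object Status -eq 'TOO BROAD') {
    Write-Warning "NTFS ACL grants access to a broad group; any user can reach the share."
    exit 1
}
```

    Entries marked `review` are accounts outside the expected list and should be confirmed or removed from the folder's Security tab.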
  • Hello, Daniel

    Thank you very much for your response. Much appreciated.

    I will check this out and give you feedback on the result.

    Again, thank you very much!

    Cheers,

    Mike

    Monday, May 6, 2019 2:34 PM