I'm wondering if it's feasible to configure an SMB share so that it can be accessed by scripts running as the NT System for domain computer objects, while ensuring that regular non-admin domain users who log into the PC cannot access it. My initial plan is to set permissions to deny for users while allowing access for the computer accounts. I inherited a system that had overly permissive settings, allowing everyone read/write access. I've already restricted generic public accounts to read-only but want to tighten security further. Has anyone successfully implemented this setup before?
5 Answers
Considering that this is how SCCM operates, you should be in good shape to set this up as planned. Just make sure to test thoroughly!
If you're facing the need to deny permissions, you might want to rethink your approach. In most cases, I can't recall needing to set deny permissions for anyone on shares I've configured. Instead, set sharing permissions for authenticated users, including computer principals, and grant NTFS full access to System and computer administrators. Just add the relevant computer principals too, and you should be set. Oh, and for this kind of setup, consider using gMSA accounts for better security management.
Definitely add the 'Domain Computers' group to your share setup. When running scripts as 'Local System,' they will connect to the share seamlessly. Just be cautious about making permissions too broad—that might expose the share to unnecessary risks.
Why go with 'Domain Computers?' Seems too broad to me. A single computer account should suffice.
It's typically recommended to tailor share permissions on a per-user basis, but if you're looking to streamline automation, employing a service account could definitely be the way to go. Just keep in mind, if you do opt for a service account, you’d need any network access to the share to be run under that account. That could complicate things for tasks like Group Policy Objects (GPOs) that set desktop backgrounds, though you could potentially cache the images locally and reference them from there.
Good catch! A service account could work here. Thanks for the insight!
Yeah, I'm weighing the implications of that.
A way to achieve what you're aiming for is to add a group that contains the necessary computer accounts to the share. This acts like adding 'Client1SYSTEM' to that group, which should keep other domain or local accounts out. It’s crucial to ensure that both the generic accounts and their permissions reflect those settings accurately.
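The allow-only approach suggested in the two answers above (a security group holding the computer objects, no Deny ACEs, matching NTFS and share permissions), as an added PowerShell example that is not from any poster in this thread. The domain CONTOSO, the group SMB-ScriptClients, the path D:\Shares\ScriptData and the hosts WS01/WS02 are assumed placeholders; it assumes the ActiveDirectory and SmbShare modules on the file server.

```powershell
# Added example (not from the thread): least-privilege SMB share for scripts
# running as LOCAL SYSTEM on domain-joined PCs. Over the network, SYSTEM
# authenticates as the computer account (DOMAIN\HOST$), so access is granted to
# a group of computer objects and nothing is ever granted to user principals.
# No Deny ACEs are needed. CONTOSO, SMB-ScriptClients, D:\Shares\ScriptData and
# WS01/WS02 are assumed placeholders. Run as a domain admin on the file server.

Import-Module ActiveDirectory
Import-Module SmbShare

$GroupName = 'SMB-ScriptClients'
$SharePath = 'D:\Shares\ScriptData'
$ShareName = 'ScriptData$'            # trailing $ hides it from browsing (not a security control)
$Clients   = @('WS01', 'WS02')        # computer names allowed to reach the share

# 1. Security group that holds only computer objects (never user accounts).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Computer accounts allowed to read the ScriptData share'
}
# Get-ADComputer resolves the machine account (WS01$) so it can be added as a member.
Add-ADGroupMember -Identity $GroupName -Members ($Clients | ForEach-Object { Get-ADComputer $_ })

# 2. NTFS ACL: break inheritance, then allow only SYSTEM, Administrators and the group.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs (e.g. Users)
foreach ($rule in @(
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @('BUILTIN\Administrators', 'FullControl'),
    @("CONTOSO\$GroupName",     'ReadAndExecute')   # use 'Modify' only if the scripts must write
)) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $rule[0], $rule[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -Path $SharePath -AclObject $acl

# 3. Share ACL: the same group only. Effective access is the more restrictive of share and NTFS.
New-SmbShare -Name $ShareName -Path $SharePath -ReadAccess "CONTOSO\$GroupName" `
    -FullAccess 'BUILTIN\Administrators' -FolderEnumerationMode AccessBased | Out-Null

# 4. Verify: no Everyone, Authenticated Users or Domain Users entries should remain anywhere.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $SharePath).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
```

A computer account only carries the new group in its Kerberos token after its ticket is refreshed, so reboot the client (or purge the SYSTEM logon session's tickets) before testing a SYSTEM-context script against the share.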
That's the plan for my test on Monday. I'll assign a group for the computer objects and restrict permissions for other accounts.
I appreciate the suggestion! I will ensure my provisioning runs under the network service account as I'm setting this up.