Restricting permissions on SMS/SCCM software distribution share - ( SMSPKG$)
Credit to Jake Cohen who suggested this on the MyITForum email list.
Someone asked for a way to restrict people from browsing the default distribution shares and installing whatever they feel like. Below is one method of “locking” down this common share without inhibiting SMS/SCCM software distribution.
We are not going to set or change anything on the default share permissions, default is that Everyone has read/write access, that’s fine, we’ll control it at the NTFS level, since that will apply locally and over the network.
Another thing to note is that this will set the permission on all existing packages, however any newly created packages won’t have these permissions until you re-apply the permissions from the root folder.
First lets go into our share properties:
Next we want to go to the security tab:
Then we want to click on “Add”:
Add “Domain Computers”, click on “Check Names”, then Click on “OK”:
Verify that you have read permissions for Domain Computers (should be selected by default):
Next, we will want to modify the permissions for the server\users group:
Again, we want to uncheck the “List” permissions, then click “OK”:
Next, we want to check the box for “Replace permissions….”, then Click on “OK”
Click “Yes” On this box:
You can verify your permissions for Domain Computers and Users here, then click “OK” when you are done:
Now you have modified the default file security permissions for your package distribution share in SMS/SCCM.
Hope this helps,
-Chris