Packages distributed via SMS - restricting access per user
Hi everyone,
I hope that someone has encountered this before and that a better way can be found to deal with the issue than the one proposed in the organization I work for. The plan is to start using SCCM 2007 to distribute packages to clients and obviously this has to be a per-machine install. However, the organization wants to restrict the access to those locally installed applications only to members of specific application-related AD groups, so the proposal is that the package sets NTFS permissions on application shortcuts and/or executables allowing access only to those AD groups.
To me, this seems a rather awkward way of doing things, but I have no better proposal as I've got no detailed knowledge of SCCM and in the past I never had to deal with this sort of issue. It was either a GPO user-based assignment, or SMS/Tivoli/USD per machine install but with no need for restricted access.
Any ideas/comments/suggestions are appreciated.
Answers (2)
Posted by:
anonymous_9363
15 years ago
Your SCCM collections will take care of distribution to a restricted audience but there's no mechanism therein to control local access. For that, you'll need to permission the EXEs. It's pointless doing that to the shortcuts, since if I'm desperate enough to want to run a program I'm not allowed to, I'm savvy enough to seek out the EXE.
Some words of advice:
- avoid using the LockPermissions table, unless you're truly a masochist. Use SetACL, XCACLS or your favoured command line tool in a Custom Action.
- newcomers will almost always apply permissions AFTER the InstallFiles action. Do it after CreateFolders instead: files copied into those folders will inherit the folder's ACLs.
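An added example, not part of the original post: the folder-level approach described in this answer, written in PowerShell with the .NET ACL classes instead of SetACL or XCACLS. It assumes it runs elevated at the point where the application folder exists but no files have been copied yet; the folder path and AD group name are hypothetical placeholders.

```powershell
# Added example, not from the thread. Path and group are hypothetical placeholders.
param(
    [string]$AppDir   = "$env:ProgramFiles\ExampleApp",
    [string]$AppGroup = 'EXAMPLE\APP-ExampleApp-Users'
)
$ns      = 'System.Security.AccessControl'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# The folder must exist and still be empty, as it is right after CreateFolders.
if (-not (Test-Path -Path $AppDir)) { New-Item -ItemType Directory -Path $AppDir | Out-Null }

$acl = Get-Acl -Path $AppDir
# Stop inheriting from the parent folder and discard the inherited entries,
# which is where the default read/execute grant for BUILTIN\Users comes from.
# Assumes a freshly created folder that carries no explicit entries of its own.
$acl.SetAccessRuleProtection($true, $false)

$groupSid = (New-Object System.Security.Principal.NTAccount $AppGroup).Translate(
    [System.Security.Principal.SecurityIdentifier])
$entries = @(
    @{ Sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'     # SYSTEM
       Rights = 'FullControl' },
    @{ Sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544' # Administrators
       Rights = 'FullControl' },
    @{ Sid = $groupSid                                                              # application group
       Rights = 'ReadAndExecute' }
)
foreach ($e in $entries) {
    $rights = [System.Security.AccessControl.FileSystemRights]$e.Rights
    # Inheritable to subfolders and files, so later file copies pick it up.
    $rule = New-Object "$ns.FileSystemAccessRule" ($e.Sid, $rights, $inherit, $noProp, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $AppDir -AclObject $acl

# Check: a file created afterwards must inherit the group entry and must not
# carry an entry for BUILTIN\Users (S-1-5-32-545).
$probe = Join-Path $AppDir 'acl-probe.tmp'
New-Item -ItemType File -Path $probe | Out-Null
$rules = (Get-Acl -Path $probe).GetAccessRules($true, $true,
    [System.Security.Principal.SecurityIdentifier])
Remove-Item -Path $probe
$hasGroup = @($rules | Where-Object { $_.IdentityReference.Value -eq $groupSid.Value -and $_.IsInherited })
$hasUsers = @($rules | Where-Object { $_.IdentityReference.Value -eq 'S-1-5-32-545' })
if ($hasGroup.Count -eq 0 -or $hasUsers.Count -gt 0) {
    throw "ACL on $AppDir is not what was intended; files would not be restricted to $AppGroup."
}
"OK: files created in $AppDir inherit access for $AppGroup only (plus SYSTEM and Administrators)."
```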
Posted by:
trawler
15 years ago
Thanks VBScab. I was hoping there might be a more elegant way but never mind. You are right about the permission on the folder containing the exes, but I will also set permissions on the shortcuts so that the users do not get tempted to click on something that will return an error and generate a call to the helpdesk.