Systems Management Question

Packages distributed via SMS - restricting access per user

01/07/2009 3754 views
Hi everyone,
I hope that someone has encountered this before and that a better way can be found to deal with the issue than the one proposed in the organization I work for. The plan is to start using SCCM 2007 to distribute packages to clients and obviously this has to be a per-machine install. However, the organization wants to restrict the access to those locally installed applications only to members of specific application-related AD groups, so the proposal is that the package sets NTFS permissions on application shortcuts and/or executables allowing access only to those AD groups.

To me, this seems a rather awkward way of doing things, but I have no better proposal as I've got no detailed knowledge of SCCM and in the past I never had to deal with this sort of issue. It was either a GPO user-based assignment, or SMS/Tivoli/USD per machine install but with no need for restricted access.

Any ideas/comments/suggestions are appreciated.

All Answers

Your SCCM collections will take care of distribution to a restricted audience but there's no mechanism therein to control local access. For that, you'll need to permission the EXEs. It's pointless doing that to the shortcuts, since if I'm desperate enough to want to run a program I'm not allowed to, I'm savvy enough to seek out the EXE.

Some words of advice:
- avoid using the LockPermissions table, unless you're truly a masochist. Use SetACL, XCACLS or your favoured command line tool in a Custom Action.
- newcomers will almost always apply permissions AFTER the InstallFiles action. Do it after CreateFolders instead: files copied into those folders will inherit the folder's ACLs.
Answered 01/07/2009 by: VBScab
Red Belt
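
The folder-level approach from the answer above, as an added example that is not part of the original thread. It uses PowerShell's Get-Acl/Set-Acl instead of SetACL or XCACLS; the folder path and AD group name are hypothetical placeholders. Inheritance is switched off because Program Files normally hands BUILTIN\Users read and execute rights, which would otherwise flow down to the application folder.

```powershell
# Added example: $AppFolder and $AppGroup are hypothetical placeholders.
param(
    [string]$AppFolder = 'C:\Program Files\ExampleApp',
    [string]$AppGroup  = 'EXAMPLE\APP-ExampleApp-Users'
)

# Permission the folder before any files land in it, so that everything
# copied in later inherits the restricted ACL.
if (-not (Test-Path -LiteralPath $AppFolder)) {
    New-Item -ItemType Directory -Path $AppFolder | Out-Null
}

$acl = Get-Acl -LiteralPath $AppFolder

# Protect the ACL from the parent and drop the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Well-known SIDs avoid localized account names.
$system = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'      # Local System
$admins = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
$group  = New-Object System.Security.Principal.NTAccount($AppGroup)

$entries = @(
    @{ Id = $system; Rights = 'FullControl' },     # installer and servicing
    @{ Id = $admins; Rights = 'FullControl' },     # local administration
    @{ Id = $group;  Rights = 'ReadAndExecute' }   # the only users allowed to run it
)

foreach ($e in $entries) {
    $rights = [System.Security.AccessControl.FileSystemRights]$e.Rights
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e.Id, $rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}

Set-Acl -LiteralPath $AppFolder -AclObject $acl

# Check the result: only the three entries above, none of them inherited.
(Get-Acl -LiteralPath $AppFolder).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Run it elevated, before the application files are copied. Members of the local Administrators group keep access regardless of AD group membership.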

Thanks VBScab. I was hoping there might be a more elegant way but never mind. You are right about the permission on the folder containing the exes, but I will also set permissions on the shortcuts so that the users do not get tempted to click on something that will return an error and generate a call to the helpdesk.
Answered 01/08/2009 by: trawler
Senior Yellow Belt
