Re: Automatically write the custom IDMIFs to the client access point directory



In article <dl1mdb$g8l$1@xxxxxxxxxxxxxxxx>, dodo@xxxxxxxxxxxxxxxxxxx
says...
> Thanks for your support.
>
> I cannot copy the files to the %windir%\system32\ccm\inventory\idmifs
> directory because the computer on which my service runs may not have any
> SMS Agent installed (that's why I need to copy the IDMIF files directly
> to the CAP directory on the server).
>
> I saw that SMS agent is running under the Local SYSTEM account and still has
> rights to copy the files on the CAP directory on the server. My question is
> how?
>
> Thanks for your support.
<snip>
I presume you are running the SMS Advanced client. In this case, the
client actually communicates with the management point - not the CAP -
and uses anonymous HTTP - this is why it works in the context of Local
System. The reason your service cannot write files to the CAP is that
the default NTFS permissions allow it only to read data (presuming
Authenticated Users is in the local Users on the CAP). As Jeff
suggested, the best approach would be to run your service under a domain
user account and grant this account permissions on inventry.box (details
follow). If this is not an option, I would recommend you create a domain
security group, place the computer accounts of all computers where your
service is installed in this group and grant it the Write NTFS
permission on the folder \\<CAP server>\CAP_<site code>\inventry.box. As
an alternative, you can use the predefined domain global security group
Domain Computers, however, if only a subset of all computers require
these permissions this is a worse option from a security perspective.

HTH
--
Cheers,
Marin Marinov
MCT,MCSE,MCSE:Security,MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.

"True knowledge exists in knowing that you know nothing."
Socrates
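
The group-based approach Marin describes (dedicated domain security group, computer accounts as members, Write NTFS permission on inventry.box), scripted as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT) and PowerShell 5 or later, which the 2005-era systems in this thread did not have; the site code, CAP server, group name and computer names are placeholders.

```powershell
# Added example (not from the original post). Grants a purpose-built domain group
# Write access on the CAP inventory inbox, following the approach in the reply above.
# Assumptions: the ActiveDirectory module (RSAT) is installed, PowerShell 5+, and the
# caller may create groups and change NTFS permissions on the CAP share.
# All names below (site code, server, group, computers) are hypothetical placeholders.

#Requires -Modules ActiveDirectory

param(
    [string]$SiteCode    = 'ABC',                      # hypothetical SMS site code
    [string]$CapServer   = 'capsrv01',                 # hypothetical CAP server
    [string]$GroupName   = 'SMS-CAP-IDMIF-Writers',    # hypothetical group name
    [string[]]$Computers = @('svcbox01', 'svcbox02')   # hosts running the custom service
)

$domain   = (Get-ADDomain).NetBIOSName
$inboxDir = "\\$CapServer\CAP_$SiteCode\inventry.box"

# 1. Create the security group once; the check makes a re-run harmless.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Computers allowed to drop IDMIF files into the CAP inventory inbox'
}

# 2. Add the computer accounts, not user accounts: a service running as Local System
#    authenticates on the network as the machine account.
foreach ($c in $Computers) {
    $acct = Get-ADComputer -Identity $c
    Add-ADGroupMember -Identity $GroupName -Members $acct
}

# 3. Grant Write only, inherited by new files and subfolders.
#    FileSystemRights.Write = CreateFiles | AppendData | WriteAttributes |
#    WriteExtendedAttributes, so members can drop a MIF but cannot read, list
#    or delete what other clients have already placed in the inbox.
$acl  = Get-Acl -Path $inboxDir
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$domain\$GroupName",
    [System.Security.AccessControl.FileSystemRights]::Write,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $inboxDir -AclObject $acl

# 4. Show the resulting ACE so the change can be reviewed before anyone relies on it.
(Get-Acl -Path $inboxDir).Access |
    Where-Object { $_.IdentityReference -eq "$domain\$GroupName" } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType -AutoSize
```

Two practical checks: a computer's group memberships are stamped into its Kerberos ticket at logon, so the new membership takes effect only after the member host reboots (or its machine ticket is renewed); and the effective permission over the network is the more restrictive of the share permission and the NTFS permission, so confirm the CAP share itself also allows the group to write. A quick end-to-end test is to open a SYSTEM shell on one member host (for example with psexec -s) and create a file under the inbox path.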