Deployment Solution

I have DS 6.8 SP1. I am trying to lock down permissions to the express share unsuccessfully. For example, I stored a .reg file on the share. Created a job in the console to "regedit /S pathtoregfile". The job will say it succeeded in the log, but the registry changes do not occur.

I set the permissions on the .reg file to:

Administrators - Full control
System - Full control

The Domain admin account used to process jobs in DS is in the local admins group. If I grant the local Users group read permission to the file, then the job will run successfully. This creates a huge problem since the Domain users group is in the local Users group. Anyone on the domain can browse the express share.

I have tested this with many different types of jobs. The local Users group on the server or Everyone must have read permissions to the express share or job will not process correctly.

Has anyone else seen this behavior?

Thanks,
Dave

My usual preference is to give SysAdmins read/write/execute permissions while the Altiris server admins are Full Access.  The eXpress share is readable to others and history is locked from within the console so that all job history is saved regardless of who does what to which system.  That makes it easier to go back and track what happens.