Deployment Solution

  • 1.  ITMS7.1 Deployment: Share access denied when service account not administrator?

    Trusted Advisor
    Posted Nov 08, 2010 10:59 AM

    When I installed ITSM 7.1 I created the altservice account specifically for entering into the installation as the service account. This account is a member of the local administrators group.

    After Wiresharking some deployment issues, I noticed I was getting lots of STATUS_ACCESS_DENIED responses on the SMB2 protocol. The initial share map (TreeConnect) is successful which means authentication is OK, but navigating any deeper than \\SERVER\Deployment results in access errors.

    When I map a drive from a remote machine as administrator, I can see the folders "Agent" and "Task Handler" under the Deployment directory. However, when I map a drive as altservice I see nothing - an empty folder. If I try to navigate specifically into the "Agent" or "Task Handler" folders on the command line, I receive the error Access Denied.

    This doesn't make sense though - the administrators group has full access to these shares, and I can confirm again that the altservice account is a member of the local administrators group.

    The only resolution I have at the moment is to specifically add the altservice account to the share security.

    Anyone else see this? It's most odd, but entirely reproducible on my box..... 



  • 2.  RE: ITMS7.1 Deployment: Share access denied when service account not administrator?

    Posted Nov 08, 2010 11:57 AM

    Did you verify that?  Is it possible that when we set up the share point we didn't configure the security correctly?



  • 3.  RE: ITMS7.1 Deployment: Share access denied when service account not administrator?

    Trusted Advisor
    Posted Nov 08, 2010 01:23 PM

    Hi Thomas,

    In short - the share permissions look FINE... grr... it seems to be set up perfectly fine.

    But, have verified, again and again. And rebooted, and verified again too! If I add the altservice account explicitly to the share permissions it's OK and I can see the subfolders and deployment works. Remove the account, then the folders disappear and deployment hangs forever.

    The administrator account however always works, and the altservice account is definitely in the administrators group. I even got a couple of others here to confirm what I'm seeing, and they are as confused on this one as I am.

    I have also tried creating other accounts and adding them to the administrators group. When mapping a drive, these too see an empty deployment folder.

    Tried explicitly adding the everyone group with full permissions at the share level, and that didn't help either.

    I did the install as administrator by the way, and then entered the altservice admin account details in during the install.

     

     



  • 4.  RE: ITMS7.1 Deployment: Share access denied when service account not administrator?

    Posted Nov 09, 2010 08:30 AM

    For instance, create your own share point, with inherited Administrative rights in a completely different area, and try mapping to that.  There's a chance that something in the OS is holding on or blocking out non-explicitly declared permissions...  I've seen things like this before, and since MS is constantly adding more keys and modifying rights, it wouldn't surprise me much.

    What do you think?



  • 5.  RE: ITMS7.1 Deployment: Share access denied when service account not administrator?

    Trusted Advisor
    Posted Nov 10, 2010 07:55 AM

    Hi,

    I've been suffering the same issues with the Software Library share. Unless the altservice account is added specifically to the NTFS folder security (rather than just the administrators group) then there is no visibility of the library.

    In the console, this means that you can't actually fill in the command line fields as when you try to scan for the files it comes up empty.

    I've created and shared other folders too... same thing.

    I take it "This Is Just Me (TM)", but I can't fathom why this is happening. And could well be the root of a few anomalies I'm seeing on this beta...

    Kind Regards,
    Ian./



  • 6.  RE: ITMS7.1 Deployment: Share access denied when service account not administrator?

    Trusted Advisor
    Posted Nov 10, 2010 08:51 AM

    I've decided to rebuild this again from scratch. Will post back if it's still an issue....



  • 7.  RE: ITMS7.1 Deployment: Share access denied when service account not administrator?

    Trusted Advisor
    Posted Nov 11, 2010 07:10 AM

    After a lot of beating around the houses, it looks like the NTFS security is not UAC aware. So when the UAC strips the administrators group from the user's token, the NTFS security layer isn't smart enough to realise what's happened and so just sees the reduced security token.

    Solution is to disable UAC, which I guess is what others have done already.....

    Will raise with Microsoft to see if this is a bug, or 'feature'.

    Worth adding disable UAC to the docs with explanation - if not already tucked in there already of course... ;-)

    Kind Regards,
    Ian./
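
Added example, not part of the original posts: a PowerShell check for the condition described in post 7, reporting whether UAC is enabled and whether BUILTIN\Administrators is enabled, deny-only, or absent in the current token. The function name `Get-AdminTokenState` is hypothetical; run it on the server hosting the share, in a session started as the account under test.

```powershell
# Added diagnostic, not code from the thread or from the product.
# Get-AdminTokenState is a hypothetical name chosen for this example.
function Get-AdminTokenState {
    # EnableLUA = 1 means UAC is on; 0 means it has been disabled.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA

    # SID of BUILTIN\Administrators (S-1-5-32-544).
    $adminSid = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    # IsInRole is true only when the group is ENABLED in the current token.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $enabled   = $principal.IsInRole($adminSid)

    # whoami lists every group carried by the token, deny-only ones included.
    # /nh plus our own headers keeps the parse independent of display language.
    $rows = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $present = [bool]($rows | Where-Object { $_.Sid -eq $adminSid.Value })

    if ($enabled) {
        $state = 'Enabled'        # ACEs granted to Administrators apply
    } elseif ($present) {
        $state = 'DenyOnly'       # filtered token: allow ACEs for the group are ignored
    } else {
        $state = 'NotInToken'     # account is not an Administrators member at all
    }

    [pscustomobject]@{
        Account            = $identity.Name
        UacEnabled         = ($lua -eq 1)
        AdministratorsSid  = $adminSid.Value
        AdministratorsState = $state
    }
}

Get-AdminTokenState | Format-List
```

A result of `DenyOnly` with `UacEnabled : True` matches the symptom in the thread: an ACL that grants access only to the Administrators group does not match the token, while an entry naming the account explicitly does.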



  • 8.  RE: ITMS7.1 Deployment: Share access denied when service account not administrator?

    Posted Nov 11, 2010 09:05 AM

    We're finding a lot of things "like" this as we roll out to newer OS's that have all the "nice" security features.  What a fun thing to discover.  Keep us posted on what MS says, K?