This chapter outlines the permissions needed to manage a Windows Deployment Services server and, where appropriate, how to grant them.


General Permissions

To fully administer a Windows Deployment Services server, you need the following permissions:

  • Local administrator of the Windows Deployment Services server. This gives you the following rights:

    • File permissions and permissions to the RemoteInstall folder (the management tools interact with the image store using UNC paths).

    • Registry hive permissions. Many settings for the Windows Deployment Services server are stored in HKEY_LOCAL_MACHINE\System, and you need appropriate permissions to these locations to change them.

  • Domain administrator of the domain that contains the Windows Deployment Services server. This gives you permissions on the Service Control Point (SCP) in Active Directory Domain Services (AD DS) for the Windows Deployment Services server. Some configuration settings for the server are stored here.

  • Enterprise administrator (optional). This gives you Dynamic Host Configuration Protocol (DHCP) authorization permissions. If DHCP authorization is enabled, the Windows Deployment Services server must be authorized in AD DS before it will be allowed to answer incoming client PXE requests. DHCP authorization is stored in the Configuration container in AD DS.

It is often useful to delegate the management of a Windows Deployment Services server to an account other than the domain administrator or enterprise administrator (and grant these general permissions to the delegated account). The delegated administrator account should be a local and domain administrator as specified above.

Permissions for Common Management Tasks

The following table contains common tasks and the permissions that are required for each.

Task | Permissions Needed

Add or remove an image group

Full control over C:\RemoteInstall\Images\ImageGroup.

Add or remove an image

Full control over C:\RemoteInstall\Images\ImageGroup.

Disable an image

Permission to read and write attributes for the associated image file. Disabling an image means hiding the Windows image (.wim) file associated with the image.

Add a boot image

Read and write access to the following:

  • C:\RemoteInstall\Boot

  • C:\RemoteInstall\Admin (This folder is only present if you upgraded from Windows Server 2003.)

  • %TEMP%

Remove a boot image

Read and write access to C:\RemoteInstall\Boot.

Set properties on an image

Read and write permissions to the .wim metadata file that represents the image. This file is located within the image group at C:\RemoteInstall\Images\ImageGroup.
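Every row above comes down to NTFS permissions on a folder under the RemoteInstall share. The following PowerShell is an added example (it is not part of the original page or of Windows Deployment Services): it grants a delegated group Full Control on one image group folder, scoped to that folder and its contents, and then lists every identity that holds Full Control there so a reviewer can confirm the delegation is no wider than the table requires. The RemoteInstall root, the image group name and the group name are assumed placeholders.

```powershell
# Added example, not from the original page. Grants a delegated administrators
# group Full Control on a single WDS image group folder and reports who holds
# Full Control there afterwards.
# Assumed placeholders: the RemoteInstall root, the image group and the group name.
$RemoteInstall = 'C:\RemoteInstall'
$ImageGroup    = 'ImageGroup'                 # placeholder image group folder
$Delegate      = 'CONTOSO\WDS-ImageAdmins'    # placeholder delegated group

function Grant-WdsImageGroupFullControl {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [string] $ImageGroupName,
        [string] $Root = $RemoteInstall
    )
    $path = Join-Path (Join-Path $Root 'Images') $ImageGroupName
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        throw "Image group folder not found: $path"
    }
    # Full Control on this folder, inherited by the .wim/.rwm files and any
    # subfolders of this image group only (nothing above it is touched).
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -LiteralPath $path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl
    return $path
}

function Get-WdsImageGroupFullControlHolders {
    param([Parameter(Mandatory)] [string] $Path)
    # Lists every identity with an Allow entry that includes FullControl and
    # marks inherited entries, so rights that came from the parent stand out.
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $full) -eq $full)
        } |
        Select-Object IdentityReference, IsInherited, InheritanceFlags
}

$groupPath = Grant-WdsImageGroupFullControl -Identity $Delegate -ImageGroupName $ImageGroup
Get-WdsImageGroupFullControlHolders -Path $groupPath | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the Windows Deployment Services server, because the management tools reach the image store through the share and the local administrator rights described under General Permissions are what allow the ACL change.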

Prestage a computer

Permissions to create accounts in the domain, as well as write to the properties of a computer object.

To grant permissions to prestage a computer

  1. Open Active Directory Users and Computers.

  2. Right-click the organizational unit (OU) where you are creating prestaged computer accounts, and then select Delegate Control.

  3. On the first screen of the wizard, click Next.

  4. Add the user or group you wish to delegate control to, and then click Next.

  5. Select Create a Custom task to delegate.

  6. Select Only the following objects in the folder. Then select the Computer Objects check box, select Create selected objects in this folder, and click Next.

  7. In the Permissions box, select the Write all Properties check box, and click Finish.

Approve a pending computer

Read and write permissions for the folder that contains the database file Binlsvcdb.mdb in the RemoteInstall share (for example, C:\RemoteInstall\MGMT). The actual account of an approved pending computer is created by using the server’s authentication token, not the token of the administrator who is performing the approval. Therefore, in AD DS, you must grant rights to the Windows Deployment Services server’s account (WDSSERVER$) to create computer account objects for the containers and OUs where the approved pending computers will be created.

To grant permissions to approve a pending computer

  1. Open Active Directory Users and Computers.

  2. Right-click the OU where you are creating prestaged computer accounts, and then select Delegate Control.

  3. On the first screen of the wizard, click Next.

  4. Change the object type to include computers.

  5. Add the computer object of the Windows Deployment Services server, and then click Next.

  6. Select Create a Custom task to delegate.

  7. Select Only the following objects in the folder. Then select the Computer Objects check box, select Create selected objects in this folder, and click Next.

  8. In the Permissions box, select the Write all Properties check box, and click Finish.
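The two Delegate Control procedures above (prestaging, for a user or group, and approval, for the WDSSERVER$ computer account) produce the same two access control entries on the OU: create computer objects in the OU, and write all properties of computer objects beneath it. The following PowerShell is an added example, not part of the original page or of the Windows Deployment Services tools, that sets those two entries with the ActiveDirectory module and then reports the explicit entries for a trustee so they can be reviewed. The OU distinguished name and the two trustee names are assumed placeholders; the schema GUID of the computer class is read from the schema rather than hard-coded.

```powershell
# Added example, not from the original page. Equivalent of the two
# "Delegate Control" procedures above, done with the ActiveDirectory module.
# Assumed placeholders: the OU and the trustee names.
Import-Module ActiveDirectory

$TargetOU   = 'OU=Prestaged,DC=contoso,DC=com'   # placeholder OU
$Technician = 'CONTOSO\WDS-Prestagers'           # placeholder group (prestage procedure)
$WdsServer  = 'CONTOSO\WDSSERVER$'               # the WDS server's account (approval procedure)

function Grant-WdsComputerDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $Trustee   # DOMAIN\name; NAME$ for a computer account
    )
    $sid = ([System.Security.Principal.NTAccount]::new($Trustee)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # Resolve the schemaIDGUID of the "computer" class from the schema partition.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $raw = (Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)' `
               -Properties schemaIDGUID).schemaIDGUID
    $computerGuid = [System.Guid]::new([byte[]]$raw)

    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    # 1) "Create selected objects in this folder": create child objects of class
    #    computer in this OU and any sub-OU.
    $createComputer = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild, $allow,
        $computerGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    # 2) "Write all Properties", limited to descendant computer objects only.
    $writeComputerProps = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $computerGuid)

    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    $acl.AddAccessRule($createComputer)
    $acl.AddAccessRule($writeComputerProps)
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

function Get-WdsComputerDelegation {
    # Reports the explicit (non-inherited) entries on the OU for one trustee.
    param([Parameter(Mandatory)] [string] $OuDistinguishedName,
          [Parameter(Mandatory)] [string] $Trustee)
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Trustee } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                      InheritedObjectType, InheritanceType
}

# Prestage procedure: the technicians' group. Approval procedure: the server account.
Grant-WdsComputerDelegation -OuDistinguishedName $TargetOU -Trustee $Technician
Grant-WdsComputerDelegation -OuDistinguishedName $TargetOU -Trustee $WdsServer
Get-WdsComputerDelegation -OuDistinguishedName $TargetOU -Trustee $WdsServer | Format-Table -AutoSize
```

Scoping the WriteProperty entry to descendant computer objects is what keeps the delegation equivalent to the wizard's "Only the following objects in the folder" choice; granting WriteProperty on the OU itself would let the trustee modify every object type it contains.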

Prestage a computer to join a domain

The user account must have permissions to join the domain. The JoinRights registry setting determines the set of security privileges, and the User registry setting determines which users have the right to join the domain. To change the per server (per architecture) defaults, you need read and write permissions to these registry keys.

  • The JoinRights setting is located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC\AutoApprove\<arch>

    Name: JoinRights

    Type: DWORD

    Value: 0 = JoinOnly; 1 = Full.

    A user that has JoinOnly rights cannot join the domain without administrator assistance (an administrator with proper permissions on the computer account object must reset the computer account before the client installation and domain join). A user that has Full rights can reset the account and join the domain without administrator assistance.

  • The User setting is stored at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC\AutoApprove\<arch>

    Name: User

    Type: REG_SZ

    Value: Name of group or user. For this setting, there are two administration models that you can use.

    • (recommended) You can associate a primary user to the account at the time the computer is approved. When the computer is approved, the computer account will grant the primary user 1) read and write permissions on all properties on the computer object (JoinRights = JoinOnly or JoinRights = Full), and 2) reset and change password rights on the computer object (JoinRights = Full).

    • You can specify server defaults for the user and JoinRights that apply to all approved clients of a given architecture. The default values grant domain administrators the Full join right. If you do not assign a primary user to the computer account at the time of approval, these default values will take effect.

      Note

      If you are creating computer accounts against a non-English domain controller and you are using the default user property, you must set the Auto-Add settings to use a different account that does not contain extended characters. If the account name contains a non-standard character (any character outside [A-Z, a-z, 0-9, \, -, and so on]), such as the German "Domänen-Admins", then Auto-Add will fail. To change this value, see the help at the command prompt for WDSUTIL /set-server /AutoAddSettings.
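The following PowerShell is an added example, not code from the original page or from Windows Deployment Services, that writes the two server defaults described above (JoinRights and User under the AutoApprove\<arch> key) and refuses a User value containing characters outside the printable ASCII range, which is the failure mode the note describes. The architecture subkey name and the group name are assumed placeholders; the page itself points to WDSUTIL /set-server /AutoAddSettings as the supported way to change these values, and the script only makes the documented registry values and the character check explicit.

```powershell
# Added example, not from the original page. Sets the per-architecture
# AutoApprove defaults documented above and rejects a User value with extended
# characters (the Auto-Add failure described in the note).
# Assumed placeholders: the <arch> subkey name and the group name.
$Arch = 'x64'   # placeholder <arch> subkey
$BinlsvcAutoApprove = 'HKLM:\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC\AutoApprove'

function Test-WdsAutoAddUserName {
    param([Parameter(Mandatory)] [string] $Name)
    # The note lists letters, digits, backslash and hyphen as safe; any character
    # outside printable ASCII (for example the "ä" in "Domänen-Admins") makes
    # Auto-Add fail, so the name is rejected before anything is written.
    return ($Name -match '^[\x20-\x7E]+$')
}

function Set-WdsAutoApproveDefaults {
    param(
        [Parameter(Mandatory)] [string] $Architecture,
        [Parameter(Mandatory)] [string] $User,          # DOMAIN\group or DOMAIN\user
        [Parameter(Mandatory)] [ValidateSet('JoinOnly', 'Full')] [string] $JoinRights
    )
    if (-not (Test-WdsAutoAddUserName -Name $User)) {
        throw "User '$User' contains extended characters; Auto-Add would fail. Use an account name without them."
    }
    $key = Join-Path $BinlsvcAutoApprove $Architecture
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    # JoinRights is a DWORD: 0 = JoinOnly, 1 = Full, as documented above.
    $joinValue = if ($JoinRights -eq 'Full') { 1 } else { 0 }
    New-ItemProperty -Path $key -Name JoinRights -PropertyType DWord  -Value $joinValue -Force | Out-Null
    # User is a REG_SZ holding the group or user name.
    New-ItemProperty -Path $key -Name User       -PropertyType String -Value $User      -Force | Out-Null
}

function Get-WdsAutoApproveDefaults {
    param([Parameter(Mandatory)] [string] $Architecture)
    $key = Join-Path $BinlsvcAutoApprove $Architecture
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Architecture = $Architecture
        User         = $p.User
        JoinRights   = if ($p.JoinRights -eq 1) { 'Full' }
                       elseif ($p.JoinRights -eq 0) { 'JoinOnly' }
                       else { 'not set' }
    }
}

# JoinOnly is the narrower default: the user can join, but cannot reset the account.
Set-WdsAutoApproveDefaults -Architecture $Arch -User 'CONTOSO\WDS-Joiners' -JoinRights JoinOnly
Get-WdsAutoApproveDefaults -Architecture $Arch
# A name such as 'CONTOSO\Domänen-Admins' is rejected by Test-WdsAutoAddUserName.
```

Because the default User and JoinRights apply to every approved client of that architecture when no primary user is assigned at approval time, keeping the default at JoinOnly and assigning a primary user per computer (the recommended model above) limits who can reset computer accounts.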

Convert a RIPREP image

  • Read and write permissions to the %TEMP% directory and destination location

  • Read permissions on the original RIPREP image

Create a discover or capture image

  • Read and write permission to the %TEMP% directory and destination location

  • Read permissions on the original boot image

Create a multicast transmission

  • Full control over the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\Multicast

  • Read permissions to RemoteInstall\Images\ImageGroup.

Modify a multicast transmission (for example, delete, deactivate, start, stop, disconnect, and so on)

Full control over the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\Multicast

Permissions for Client Installations

In general, performing a client installation requires domain user rights. However, additional permissions may be required depending on the scenario. This section outlines the minimal set of permissions that are required to perform common installation tasks.

Task | Permissions Needed

PXE boot a client computer

No permissions are required to PXE boot a client, and no mechanism exists to secure the process of booting from the network. If security is the primary concern for you, we recommend that you use physical media (for example, media that contains a discover image) to boot each computer.

Select a boot image

No permissions are required to select a boot image, and no mechanism exists to secure the entries that are displayed in the list. The first authentication occurs in the Windows Deployment Services client running within Windows PE.

Select an install image

The credentials provided in the user interface of the Windows Deployment Services client must be those of a domain account. After a client has been authenticated to the Windows Deployment Services server, the authenticated user must be able to read the install .wim file and Res.rwm file from the RemoteInstall folder. By default, authenticated users have permissions to do so.

Join a domain

The JoinRights registry setting determines the set of security privileges, and the User registry setting controls which users have the right to join the domain. For more information about these settings, see the Prestage a computer to join a domain entry in the previous table.

If the computer is prestaged, then the user performing the installation (or the credentials in the Unattend file for the domain join) needs the appropriate JoinDomain rights. If the computer is not prestaged (meaning Windows Deployment Services will create a computer account in AD DS), the user performing the installation (or the credentials as specified in the Unattend file for the domain join) needs rights to add a prestaged computer and the appropriate JoinRights.

Using /ResetBootProgram

If the ResetBootProgram functionality is enabled, the user needs read and write permissions to the netbootMachineFilePath property on the prestaged computer object. If this permission is not granted and the user's boot program is set to pxeboot.n12, Windows Deployment Services will not be able to reset the NBP to pxeboot.com, forcing the computer into an infinite reboot loop. For more information, see Managing Network Boot Programs.

Disabling access to the command prompt during installations

By default, users can gain access to a command prompt during Windows Deployment Services installations by:

  • Pressing Shift+F10 when Setup is running in Windows PE.

  • Pressing Shift+F10 when the Image Capture Wizard is running in Windows PE.

  • Holding down the CTRL key when Microsoft Windows Preinstallation Environment (Windows PE) is booting.

  • Pressing Shift+F10 when the Out of Box Experience (OOBE) is running (OOBE is the wizard that usually runs after Setup).

    Important

    A Command Prompt window that is opened during OOBE will be running in the system context. If this window is not closed at the conclusion of Setup, the user may have access to it and therefore, system rights, even though the user is not a local administrator on the client computer.

You can disable this functionality by adding a DisableCmdRequest.tag to the image.

To disable access for boot images

  1. In the Windows Deployment Services MMC snap-in, right-click the desired boot image and select Disable.

  2. Mount the image for read and write access using ImageX which is provided in the Windows Automated Installation Kit (AIK). For more information about ImageX, see the ImageX Technical Reference (http://go.microsoft.com/fwlink/?LinkID=120693).

  3. Create the file %windir%\Setup\Scripts\DisableCmdRequest.tag in the mounted image.

  4. Commit the changes and unmount the image.

  5. In the Windows Deployment Services MMC snap-in, right-click the desired boot image and select Enable.

To disable access for install images

  1. In the Windows Deployment Services MMC snap-in, right-click the desired install image and choose Disable.

  2. Export the image to an external .wim file.

  3. Mount the image for read and write access using the tools provided in the Windows AIK.

  4. Create the file %windir%\Setup\Scripts\DisableCmdRequest.tag in the mounted image.

  5. Commit the changes and unmount the image.

  6. In the Windows Deployment Services MMC snap-in, right-click the disabled install image and choose Replace Image.

  7. Follow the instructions in the wizard to re-import the modified install image.
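The image-editing steps of both procedures (mount for read and write, create the tag file, commit and unmount) can be scripted. The following PowerShell is an added example, not part of the original page or of the Windows AIK, that uses the DISM PowerShell module's Mount-WindowsImage and Dismount-WindowsImage as a later equivalent of the ImageX mount and commit steps the page describes; it first checks whether a .wim already carries %windir%\Setup\Scripts\DisableCmdRequest.tag (with a read-only mount, so the check changes nothing) and only then edits it. Disabling and re-enabling the image in the MMC snap-in, and the Replace Image step for install images, remain as described above. The .wim path, the mount directory and the image index are assumed placeholders, and %windir% is taken to be the Windows folder at the root of the mounted image.

```powershell
# Added example, not from the original page. Automates the mount / tag /
# commit steps of the two procedures above with the DISM PowerShell module.
# Assumed placeholders: the .wim path, the mount directory and the image index.
Import-Module Dism

$WimPath     = 'C:\RemoteInstall\Boot\x86\Images\boot.wim'     # placeholder (or the exported install .wim)
$MountDir    = 'C:\Mount\wds'                                  # placeholder scratch mount point
$TagRelative = 'Windows\Setup\Scripts\DisableCmdRequest.tag'   # %windir%\Setup\Scripts inside the image

function Test-WimCmdPromptDisabled {
    param([Parameter(Mandatory)] [string] $ImagePath,
          [Parameter(Mandatory)] [string] $MountPath,
          [int] $Index = 1)
    # Read-only mount: the check must not alter the image.
    New-Item -ItemType Directory -Path $MountPath -Force | Out-Null
    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountPath -ReadOnly | Out-Null
    try {
        return (Test-Path -LiteralPath (Join-Path $MountPath $TagRelative) -PathType Leaf)
    } finally {
        Dismount-WindowsImage -Path $MountPath -Discard | Out-Null
    }
}

function Add-WimDisableCmdRequestTag {
    param([Parameter(Mandatory)] [string] $ImagePath,
          [Parameter(Mandatory)] [string] $MountPath,
          [int] $Index = 1)
    New-Item -ItemType Directory -Path $MountPath -Force | Out-Null
    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountPath | Out-Null
    try {
        $tag = Join-Path $MountPath $TagRelative
        New-Item -ItemType Directory -Path (Split-Path -Path $tag -Parent) -Force | Out-Null
        # Only the file's presence matters; it may be empty.
        New-Item -ItemType File -Path $tag -Force | Out-Null
        # Commit the change and unmount (the ImageX /unmount /commit step).
        Dismount-WindowsImage -Path $MountPath -Save | Out-Null
    } catch {
        # Never commit a half-edited image: discard the mount and re-raise.
        Dismount-WindowsImage -Path $MountPath -Discard | Out-Null
        throw
    }
}

if (-not (Test-WimCmdPromptDisabled -ImagePath $WimPath -MountPath $MountDir)) {
    Add-WimDisableCmdRequestTag -ImagePath $WimPath -MountPath $MountDir
}
Test-WimCmdPromptDisabled -ImagePath $WimPath -MountPath $MountDir
```

Disable the image in the snap-in before running this against a file under RemoteInstall, exactly as step 1 of each procedure requires, so the server is not serving a .wim that is mounted for writing.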

Permissions for Server Properties

The following section outlines the minimal set of permissions that are necessary to perform common management tasks using the server properties pages. To access these settings, open the Windows Deployment Services MMC snap-in, right-click the server, and click Properties.

Tab | Settings that Require Permissions

PXE Response Settings

  • PXE response policy. The PXE response policy (for example, responding only to known clients, or responding to all clients) is stored on the server’s SCP. Configuring these settings requires read and write permissions to the SCP object.

    To grant permissions to the SCP object

    1. Open Active Directory Users and Computers.

    2. Click View, and then click Advanced Features (if it is not already enabled).

    3. Right-click the computer account for your Windows Deployment Services server, and click Properties.

    4. On the Remote Install tab, select Advanced Settings…

    5. Select the Security tab, and click Add…

    6. Select the user, and then select Full Control on this object.

  • PXE response delay. Configuring this setting requires read and write permissions to the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WDSSERVER\Providers\WDSPXE\Providers\BINLSVC

    Name: ResponseDelay

    Type: REG_DWORD

    Value: Number of seconds to wait before answering PXE client requests

Directory Services

  • New client naming policy. This setting is stored in the SCP object on the server. The property is called: netbootNewMachineNamingPolicy

  • Client account location. This setting is stored in the SCP object on the server. The property is called: netbootNewMachineOU

Boot

Default boot program

  • Server-wide: This option is controlled by the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC\BootPrograms\<arch>

    Name: Default

    Type: REG_SZ

    Value: Path to server-wide client default boot program for this architecture. For example: boot\x86\pxeboot.com

  • Per computer: The computer account attribute is: netbootMachineFilePath

Default boot image

  • Server-wide: This option is controlled by the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC\BootImages\<arch>

    Name: BootImagePath

    Type: REG_SZ

    Value: Path to server-wide client default boot image for this architecture. For example: boot\x86\images\boot.wim

  • Per computer: The computer account attribute is: netbootMirrorDataFile

Client

Unattend file

  • Server-wide: This option is controlled by the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WdsImgSrv\Unattend\x86

    Name: FilePath

    Type: REG_SZ

    Value: Path to server-wide client Unattend file relative to the RemoteInstall folder. For example: WdsClientUnattend\WdsUnattend.xml

  • Per computer: The computer account attribute is netbootMirrorDataFile

Client account creation

  • This option is controlled by the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC

    Name: NewMachineDomainJoin

    Type: DWORD

    Value: 0 to prevent domain joining by clients; 1 to enable it.

DHCP

  • Do not listen on Port 67. This option is controlled by the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WDSSERVER\Providers\WDSPXE

    Name: UseDhcpPorts

    Type: DWORD

    Value: 0 disabled; 1 enabled

  • Configure DHCP option 60 to "PXEClient". This requires that the user is able to configure the Microsoft DHCP server running on the local computer.

Advanced

  • DC/GC used by the Windows Deployment Services server (this server). These settings are stored at the following registry location:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC

    The keys for these settings are as follows:

    • Default domain controller: Name: DefaultServer, Type: REG_SZ, Value: FQDN for default domain controller.

    • Default global catalog server: Name: DefaultGCServer, Type: REG_SZ, Value: FQDN for default global catalog server.

  • DHCP authorization. Performed using DHCP APIs—you need permissions to authorize the Microsoft DHCP server.
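The registry values listed under the PXE Response Settings, Boot, Client, DHCP and Advanced tabs above can be read in one pass to baseline a server. The following PowerShell is an added example, not from the original page or from Windows Deployment Services, that reads each documented value and annotates the ones whose meaning this section spells out (NewMachineDomainJoin, UseDhcpPorts and the server-wide Unattend file path); values that are not present are reported as empty. The architecture subkey name is an assumed placeholder.

```powershell
# Added example, not from the original page. Reads the server property values
# documented in this section and annotates the ones with a stated meaning.
# Assumed placeholder: the <arch> subkey name.
$Arch = 'x64'   # placeholder <arch> subkey
$Svc  = 'HKLM:\SYSTEM\CurrentControlSet\Services\WDSServer\Providers'

function Get-RegValue {
    param([Parameter(Mandatory)] [string] $Key,
          [Parameter(Mandatory)] [string] $Name)
    # Returns $null when the key or the value does not exist.
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return $p.$Name
}

function Get-WdsServerPropertyBaseline {
    param([Parameter(Mandatory)] [string] $Architecture)
    $binl = "$Svc\WDSPXE\Providers\BINLSVC"
    $rows = @(
        @{ Tab = 'PXE Response'; Setting = 'ResponseDelay';        Value = Get-RegValue $binl 'ResponseDelay' }
        @{ Tab = 'Boot';         Setting = 'Default boot program'; Value = Get-RegValue "$binl\BootPrograms\$Architecture" 'Default' }
        @{ Tab = 'Boot';         Setting = 'BootImagePath';        Value = Get-RegValue "$binl\BootImages\$Architecture" 'BootImagePath' }
        @{ Tab = 'Client';       Setting = 'Unattend FilePath';    Value = Get-RegValue "$Svc\WdsImgSrv\Unattend\$Architecture" 'FilePath' }
        @{ Tab = 'Client';       Setting = 'NewMachineDomainJoin'; Value = Get-RegValue $binl 'NewMachineDomainJoin' }
        @{ Tab = 'DHCP';         Setting = 'UseDhcpPorts';         Value = Get-RegValue "$Svc\WDSPXE" 'UseDhcpPorts' }
        @{ Tab = 'Advanced';     Setting = 'DefaultServer';        Value = Get-RegValue $binl 'DefaultServer' }
        @{ Tab = 'Advanced';     Setting = 'DefaultGCServer';      Value = Get-RegValue $binl 'DefaultGCServer' }
    )
    foreach ($r in $rows) {
        $note = ''
        if ($r.Setting -eq 'NewMachineDomainJoin') {
            # 0 prevents domain joining by clients; 1 enables it (see the Client tab above).
            $note = if ($r.Value -eq 1) { 'clients may join the domain; review the AutoApprove JoinRights/User defaults' }
                    elseif ($r.Value -eq 0) { 'clients cannot join the domain' }
                    else { 'not set' }
        } elseif ($r.Setting -eq 'UseDhcpPorts') {
            # 0 disabled; 1 enabled (see the DHCP tab entry "Do not listen on Port 67").
            $note = if ($r.Value -eq 1) { 'enabled' } elseif ($r.Value -eq 0) { 'disabled' } else { 'not set' }
        } elseif ($r.Setting -eq 'Unattend FilePath' -and $r.Value) {
            # The Unattend file can carry domain-join credentials; it deserves review.
            $note = 'server-wide Unattend file in use (relative to RemoteInstall); check its domain-join credentials'
        }
        [pscustomobject]@{ Tab = $r.Tab; Setting = $r.Setting; Value = $r.Value; Note = $note }
    }
}

Get-WdsServerPropertyBaseline -Architecture $Arch | Format-Table -AutoSize
```

Reading these keys needs only the read permissions described for each tab; changing them requires the read and write (or Full Control) permissions listed above, so the baseline can be collected by an account that is not a local administrator.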