By default, when Configuration Manager 2007 creates the package share on a distribution point, it grants Read access to the local Users group and Full Control to the Administrators group. However, it is often useful to exercise greater control over who can access the packages on this share, and package access accounts provide that means.

Package access accounts enable you to set permissions to specify the users and user groups that can access a package folder. In this way, if packages contain sensitive data or should otherwise have restricted access, you can configure package access accounts to limit access to specific users and user groups. If a client does not have sufficient rights to the package folder, the advertised programs within the package will not run.

When adding a new access account or modifying an existing one, it's highly recommended that you refresh all distribution points associated with your package to ensure that the current access account information will be propagated to each distribution point.

Two types of access accounts are available:

The following permissions can be specified for users and user groups:

Permission Description

No Access

Prevents the account from reading, writing, or deleting files on the package share.


Enables the account to view and copy files, run programs, change folders within the shared folder, and read extended attributes of files.


Enables the account to change the contents and extended attributes of files and to delete files. Change permission is required for applications that need to write information back to the shared package folder on the distribution point.

Full Control

Enables the account to view or change the contents and extended attributes of files. This includes all rights specified by both the Read and Change permissions.

If you remove the Administrators default account, Configuration Manager 2007 components cannot update and modify the package data.

See Also