Package Access Accounts are not actually accounts; they enable you to set NTFS permissions to specify the users and user groups that can access a package folder. By default, Microsoft System Center Configuration Manager 2007 grants access only to the generic access accounts Users and Administrators, but the administrator can control access for client computers by using additional Windows accounts or groups.
Note: Although an Access Accounts node is under Mobile Device Management, devices retrieve all package content anonymously, so the access accounts are not used by the device.
Required Rights and Permissions
By default, when Configuration Manager 2007 creates the package share on a distribution point, it grants Read access to the local Users group and Full Control to the Administrators group. The actual permissions required will depend on the package.
If you have clients in workgroups or in untrusted forests, those clients will use the Network Access Account to attempt to reach the package content. Make sure that the Network Access Account is granted permissions to the package through the defined Package Access Accounts.
Account and Password Creation
The account is not automatically created. The Configuration Manager 2007 Administrator creates the accounts or groups, or uses existing accounts or groups.
The account must be created in a domain where it can access the distribution points.
The administrator changes the account or password in the operating system, and then configures Configuration Manager 2007 to use the new account or password. After changing the access account, the administrator must refresh the package. Updating the package does not change the NTFS permissions on the package.
Security Best Practices
Configure the package access permissions so that only authorized installers of the software have access to the files on the distribution points.
After clients have joined the site, they can receive any software distribution that is available at that site, provided the computer or user meets the qualifications of the relevant collections. For this reason, software that should be limited to specific users should be secured at the package access level to those users, rather than being limited by site availability or collection criteria.
Note: In some cases, removing the Users group as a package access account might cause software distribution to fail. If the distribution point is in a native mode site, you must add IUSR_<computername> as a package access account with the permissions required to access the package. If a distribution point is configured to allow anonymous access for mobile device clients, you must also add the Internet Guest account as a package access account.
Changes to the access accounts on the package files (as opposed to the distribution point shared folders) become effective only when you refresh the package. Therefore, you should set the package access permissions carefully when you first create the package, especially if the package is large, if you are distributing the package to many distribution points, or if your network capacity for package distributions is limited.
There is no need to add the Network Access Account as a Package Access Account because it is a member of Users and thus included by default. Also, restricting the Package Access Account to only the Network Access Account does not prevent any client from accessing the package because Configuration Manager 2007 clients can request use of the Network Access Account when necessary.
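One way to check that a package folder's NTFS permissions match the intended Package Access Accounts is shown below. This is an added example, not part of the Configuration Manager 2007 documentation or product; the folder path, the EXAMPLE\Payroll-Installers group and the function name Get-PackageAclFinding are placeholders chosen for illustration. It only reads the ACL; any correction is still made through the package access accounts, followed by a package refresh.

```powershell
# Added example. The path and account names below are placeholders (assumptions).
param(
    [string]$PackagePath = 'D:\PLACEHOLDER\PackageFolder',
    # Accounts intended to reach this package. In a native mode site add
    # IUSR_<computername>; add the Internet Guest account if the distribution
    # point allows anonymous access for mobile device clients.
    [string[]]$Expected = @('BUILTIN\Administrators', 'EXAMPLE\Payroll-Installers')
)

function Get-PackageAclFinding {
    param([string]$Path, [string[]]$Allowed)

    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $allowAces = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })

    # Classify every Allow entry found on the folder.
    foreach ($ace in $allowAces) {
        $id = $ace.IdentityReference.Value
        if ($Allowed -contains $id) {
            $finding = 'expected'
        } elseif ($id -eq 'BUILTIN\Users') {
            # Users is a default access account and includes the Network Access Account.
            $finding = 'generic Users group has access'
        } else {
            $finding = 'not in expected list'
        }
        [pscustomobject]@{
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Finding   = $finding
        }
    }

    # Report intended accounts that have no Allow entry at all.
    $present = @($allowAces | ForEach-Object { $_.IdentityReference.Value })
    foreach ($id in $Allowed) {
        if ($present -notcontains $id) {
            [pscustomobject]@{
                Identity = $id; Rights = $null; Inherited = $null
                Finding  = 'expected account has no Allow entry'
            }
        }
    }
}

Get-PackageAclFinding -Path $PackagePath -Allowed $Expected | Format-Table -AutoSize
```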