Tag Archives: permissions

MDT – requirements sheet

Published / by Rens Hollanders / 6 Comments on MDT – requirements sheet

Hi my friends, very very long time no see. I sincerely apologize for my period of absence, however this is partially due to lack of new content to write, which is caused by a period of not working with deployment tools.

In previous blog posts, I’ve set out some default settings to configure MDT with, such as the CustomSettings.ini and Bootstrap.ini, and then there is this script which configures your MDT environment automatically with PowerShell.

This time I thought it would be useful to write about the requirements you need for implementing MDT on (a customers) site:

table 1.1 Server Details:
Server Details
Operating System Windows Server 2012R2
(v)CPU 2
(v)MEM 4 Gb
Disk 0 50 Gb
Disk 1 100 Gb

If you want to incorporate the MDT database integration, you’ll need a database on a SQL server, with service accounts with the following permissions:

table 1.2 Database Details:
Object Details
Database Microsoft SQL 2005 or higher
Database permissions MDT Database Service Accounts; dbo_owner
Database permissions MDT Administrators; db_datareader, db_datawriter

If you install Windows Deployment Services to transport your MDT boot image with PXE boot, you’ll need to configure certain scope options in DHCP, take notice that the DHCP option 60 is only needed to be configured when DHCP and WDS run on one and the same server:

table 1.3 DHCP Details:
Scope Option Option Value
60 Client identifier PXEClient
66 Boot Server Host Name
67 Bootfile Name \Boot\x64\wdsnbp.com

The IP helper address needs to be configured, when your DHCP and WDS server are not on the same subnet. This prevents the boot image from being loaded into and over the memory of the network device, but point’s directly to the WDS server.

table 1.4 Network Details:
IP Helper Address

Next up, service accounts, based on least privileges needed to function, and, for setting the OU permissions for the domain join account, there is this very neat little script from MDT guru Johan Arwidmark:

table 1.5 Service Account Details:
Account Name Permissions Object
SA-MDT NTFS: Read & execute, List folder contents, Read Share: Read Folder: DeploymentShare
SA-MDTDomainJoin Create Computer Objects; Delete Computer Objects; Read All Properties; Write All Properties; Read Permissions; Modify Permissions; Change Password; Reset Password; Validated write to DNS host name; Validated write to service principle name; Active Directory: Organizational Unit
SA-MDTDB dbo SQL Server: database user mapping

You can put accounts in groups and give permissions to groups if more people need the same permissions to work with MDT:

table 1.6 Domain Group Details:
Group Name Type Member of Members
DM-MDT Domain local - Security n.a. GM-MDT
GM-MDT Global - Security DM-MDT SA-MDTDB
DM-MDT-Admins Domain local - Security n.a. GM-MDT-Admins
GM-MDT-Admins Global - Security DM-MDT-Admins Individual Active Directory users

Lastly again folder permissions based on least privileges, and also the SQL Share for authentication of unknown users during Operating System Deployment – WinPE phase

table 1.7 Folder permission Details:
Folder Account / Group NTFS Permissions Share Permissions
DeploymentShare SA-MDT Read & execute, List folder contents, Read Read
DeploymentShare Authenticated Users n.a. Read
SQL Share Authenticated Users n.a. Read

So next time you’re going to implement MDT, keep in mind some (preferably all) of the mentioned requirements, and hopefully this will make life again much easier.

~Things not working, privileges wrong? Don’t hesitate to let me know!

Cheers! Rens