Azure / ArcEnabledServersGroupPolicy

Guidance and sample code to perform at-scale onboarding of servers to Arc via Group Policy
MIT License

Domain Admins require full permissions to network share to run the script #31

Open Borgquite opened 5 months ago

Borgquite commented 5 months ago

The documentation is slightly incorrect - it says that for the Network Share, it is sufficient for Domain Admins to have Change permissions. This is incorrect - the user running the script requires Full Control.

Running DeployGPO.ps1 as a Domain Admin with only Change permissions (instead of Full Control) results in:

Remote path  \\contoso.com\Deployment\Azure Arc Servers Onboarding found!
Creating remote folder's structure...
Assigning appropriate permissions...
Set-Acl : Attempted to perform an unauthorized operation.
At C:\Users\<username>\Downloads\ArcEnabledServersGroupPolicy_v1.0.8\ArcEnabledServersGroupPolicy_v1.0.8\DeployGPO.ps1:
108 char:1
+ Set-Acl -Path $AzureArcDeployPath -AclObject $Acl
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: [\\contoso.com...\AzureArcDeploy:String) [Set-Acl], UnauthorizedAcce
   ssException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand

Borgquite commented 4 months ago

Azure docs are now updated (https://github.com/MicrosoftDocs/azure-docs/issues/121689) - only the README needs updating now; this is done by pull request #32.
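
Added example, not part of the issue thread or of the project's code: a preflight check that reproduces the failing operation (rewriting an ACL over the share) on a throwaway folder, so a missing Full Control share permission shows up before DeployGPO.ps1 is run. The function name `Test-ShareAclWrite` and the probe folder name are assumptions made for this illustration.

```powershell
# Added example: checks whether the current account can change ACLs through the share.
# Test-ShareAclWrite is a hypothetical helper, not a function of DeployGPO.ps1.
function Test-ShareAclWrite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$RemotePath
    )

    if (-not (Test-Path -LiteralPath $RemotePath -PathType Container)) {
        throw "Remote path '$RemotePath' was not found or is not reachable."
    }

    # Use a throwaway folder so that no existing ACL on the share is touched.
    $probe = Join-Path -Path $RemotePath -ChildPath ('acl-probe-' + [guid]::NewGuid().ToString('N'))
    try {
        New-Item -Path $probe -ItemType Directory -ErrorAction Stop | Out-Null

        # Read the ACL and write it back unchanged. Writing a DACL needs the
        # "change permissions" right, which the Change share permission does
        # not include; this is the same call that fails in the issue.
        $acl = Get-Acl -Path $probe -ErrorAction Stop
        Set-Acl -Path $probe -AclObject $acl -ErrorAction Stop
        return $true
    }
    catch [System.UnauthorizedAccessException] {
        Write-Warning ("Cannot create a folder or set its ACL under '$RemotePath'. " +
            'Grant the account running DeployGPO.ps1 Full Control on the share.')
        return $false
    }
    finally {
        # Clean up the probe folder whether or not the check succeeded.
        if (Test-Path -LiteralPath $probe) {
            Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        }
    }
}

# Usage, with the share path shown in the issue:
# Test-ShareAclWrite -RemotePath '\\contoso.com\Deployment\Azure Arc Servers Onboarding'
```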