Everything posted by JulesKr

  1. Yes, it is w2k3 and up. It works a lot better than sus or the current official version of wsus. But it still leaves you every now and then with clients who fail to install an update. It is not the fault of WSUS 3, but it would be nice if it would help you with information to resolve the issue. Sometimes the client feedback ends up in dev/null. That's a problem.... Jules
  2. Not wanting to start a yes or no discussion, I think I read all the posts in this thread of the original thread starter, and it does cover his/her questions. Jules
  3. A locked down Linux system isn't hard to use. For sure there are ready images for internet cafe use, maybe even including timed access or stuff like that. I have never been in the position where I had to use a kiosk setup, but if I had to these would be my first things to do. It will never get infected by a virus (except for the ram drive that is...). It will always fire up mean and lean (and yes, clean). They will never be able to install their software themselves, and have the next user with the 'benefits'. You can't install keyloggers, except for the hardware ones. It is just impossible to lock a Windows system down any other way, it will just collect garbage (and slow down) or it is 'hacked' in minutes if not seconds. Jules
  4. It isn't about blocking the drive, it is about preventing the customer from being able to do illegal things. A Windows boot CD with a little ramdrive without harddisk will prevent disk WRITE access. Locking down USB ports for file transfer (like drivelock does) will prevent them from being able to hook up their own diskspace. It will still allow to hook up webcams and stuff like that. But, all of the above only helps in your own shop. There is no sure way to prevent access to remote storage facilities. They will still be able to share and distribute, it's just not physical on a disk in your shop. Jules
  5. I encountered the same problem, the whole documents and settings directory of one user was inaccessible, kept on complaining about insufficient access rights. Never found out what happened during patching (that was the time it occurred). I was only able to copy all the data to a FAT32 disk when running Knoppix (Linux with tools running from CD). Then I wiped the disk, ran a fresh install and restored the data. Jules
  6. Ok, can you tell me how to do that? Is there a tool I can use to create an ADM? Jules
  7. Or even better, run a Linux image and lock it down for free.
  8. Why don't you run Windows from a CD image, retract the drive a little, put in a blank front and go. There is commercial ware to block USB drives (drivelock I believe) and your image stays OK, your functionality also. Jules
  9. I would like to be able to change the default file/directory list sorting setting, preferably through an ADM file via GPO. Registry key as last resort is possible... How to do it? Jules
  10. Yes, something like that, I would like having something to generate output like that.
  11. You can try TrueCrypt (it's freeware): make a (hidden) volume and store your passwords there, or use GnuPG encryption if you won't use a SecureLogon tool like the one above this reply. Jules
  12. Just stay at the XP level, it works there, it probably won't in Vista. Ride out the first two years, then reconsider. Jules
  13. Is there some documentation or possibility to generate a complete layout of your policy settings just by the policy structure? Jules
  14. Depending on your imaging solution, it is possible to set IP address info in your image safe data, so after restore it will be restored as well. I use this to set the original netbios name to the old value, and leaving auto naming on during restore. If no old name is found, it defaults to auto generated name. In my solution it is possible to set other info as well (SID, IP address, DNS info, etc.) Jules
  15. In addition to the solutions provided above, it's possible to set those settings in gpedit.msc to have them stick more to the user. You shouldn't give them rights to use gpedit.msc themselves though. I use this to have settings fixed to a computer when they are not in our network, and a network setting superimposed on them when they are connected (in case of laptops that is, for instance windows update settings / anti-virus update settings, to influence behaviour differences when on or offline, maintaining minimum settings.) Jules
  16. It is possible using the normal setupmgr.exe tool to fill in your domain settings. Why do you want to insert tcp/ip settings as well? If you do that, you have to think about duplications and stuff like that. Why don't you use DHCP to distribute those? You can use fixed assignment using DHCP. It's changeable afterwards. Jules
  17. I accept the normal auto generated pc names, but they get all overwritten (along with some other data) just after imaging, after the first reboot done by the sysprep script. The machine contains ZenWorks ZisWin, which is able to reset the computername to its old value (and with SID, workgroup name, DNS settings and so on.) It is derived from image-safe-data part (part of MBR) ZenWorks rulez!!!! Jules
  18. It shouldn't be too hard to test for it, disable your hotfixes and test them top down (adding one each time). If it fails first time round, it might be your IE7. Else it's a hotfix. Jules
  19. I had more or less the same problem, solved it with another possibility to install software. Directly in $OEM$ I dropped CMDLINES.TXT, containing:

      ----cmdlines.txt snip-------
      [COMMANDS]
      "install.cmd"
      ---end snip-----

      There (in $OEM$) I also dropped the install.cmd, containing (amongst other lines):

      -----install.cmd snip----------
      @echo off
      ECHO Installing ZfD Agent
      start /wait msiexec.exe /i "c:\install\ZfDAgent701\ZfDAgent.msi" /qn ADDLOCAL=ALL EDITABLE_MT_ADDRESS=1 STARTUP_APPWINDOW=0 STARTUP_APPEXPLORER=0
      EXIT
      ---snip---------

      Note: the start /wait etc. is one line, all the way up to STARTUP_APPEXPLORER=0. I chose not to InstallShield / .mst this install, but did it this way. There is no reason why it shouldn't work though. In my install.cmd I kick off all my installs (client 32 491sp3 using acu.exe and other installs as well, like userhyve cleanup and more of this sort). I'll also implement rollup patches for XP this way. It's fast, and trouble free. You don't have to admin login for this, it starts before cleanup, just after basic install from sysprep. I also do my install cleanup here, triggering another cmd file (not surprisingly called cleanup.cmd....), removing or clearing all small leftovers (like zenworks history file, hostfile which I always used to do just before sysprep but sometimes were left behind or just triggered before sealing). Greetz Jules
  20. Ok, that did the trick. I also solved my *.cmd installation issues. I found out that extremely long names were not copied correctly. And I no longer kick-off the installation script (install.cmd) using the winnt.sif file, but I put the needed files accompanied with a cmdlines.txt file in $oem$ and then it runs fine, even if there is a password on the administrator. Cool. Jules
  21. I created an Unattended CD image, but I'm left with some manual screens. The first is a confirmation of a change in screen resolution, a welcome screen, an automatic update screen, an internet connection check screen, a registration screen (not serial, but registering at Microsoft as a user), an add user screen (although there is an oobe.ini file, but I've to check on the location...) and an error stating it's unable to execute c:\install\scripts\install.cmd. Who can help me to solve this? winnt.sif is as follows:

      ;SetupMgrTag
      [Data]
      AutoPartition=0
      MsDosInitiated="0"
      UnattendedInstall="Yes"
      AutomaticUpdates=yes

      [Unattended]
      UnattendMode=FullUnattended
      OemPreinstall=Yes
      TargetPath=\WINDOWS
      OemSkipEula=Yes
      DriverSigningPolicy=Ignore
      LegacyNIC=1
      OemPnPDriversPath="Install\chipset\IntelINF;Install\chipset\Intelraid;Install\chipset\heci; Install\chipset\lms;Install\chipset\ati;Install\chipset\nforce3;Install\chipset\nforce4itl; Install\chipset\nforce4amd;Install\chipset\nforce430;Install\network\broadcom; Install\network\pro100;Install\network\pro1000;Install\network\wlan\intel\drivers; Install\network\wlan\eminent\driver;Install\network\marvell;Install\network\nforce430; Install\network\realtek;Install\graphics\IntelVga;Install\graphics\ati;Install\graphics\nvidia; Install\graphics\intel8xx"

      [GuiUnattended]
      AdminPassword=-<removed>-
      EncryptedAdminPassword=Yes
      OEMSkipRegional=1
      TimeZone=110
      OemSkipWelcome=1
      AutoLogon=Yes
      AutoLogonCount=1

      [UserData]
      ProductKey=....you wish....
      FullName="ICT"
      OrgName="Syncera B.V."
      ComputerName=*

      [Display]
      BitsPerPel=32
      Xresolution=1024
      YResolution=768

      [TapiLocation]
      CountryCode=31
      Dialing=Tone
      AreaCode=015

      [RegionalSettings]
      SystemLocale=00000413
      UserLocale=00000413
      InputLocale=0413:00020409

      [Identification]
      JoinWorkgroup=syncera

      [Networking]
      InstallDefaultComponents=Yes

      [Branding]
      BrandIEUsingUnattended=Yes

      [Components]
      msmsgs=off
      zonegames=off

      [URL]
      Home_Page=www.syncera.net

      [Proxy]
      Proxy_Enable=0
      Use_Same_Proxy=0

      [GuiRunOnce]
      Command0="c:\install\scripts\install.cmd"