Everything posted by Martin Zugec

  1. And when you use cd instead of tftp, diskpart is working?
  2. We all are learning all the time. I was glad I could help.
  3. Hmmm, never saw this error. AFAIR there are two reasons for this error - the first is a missing Csrss plugin and the second is when you try to run diskpart from HDD instead of CD.
  4. You can of course use my technique (store commands on DC and call them from clients). Yep, it is a really great tool, however quite hard for normal administrators... I discovered it when I needed to grant permission for one user to restart one specified service (of course without giving him server admin permissions).
  5. Are you using diskpart.txt? Select Disk=0 etc?
  6. Netsh is an internal command (see netsh /?). You can download psexec from www.sysinternals.com - it will allow you to run commands on remote computers.
  7. There is a plugin called Csrss blabla... It is for XP SP2 build only, however I think you should try to enable it. It helped in my case.
  8. You can create a WMI script, or use psexec + netsh.
  9. So after network is initialized use command NET LOGON user_account password /DOMAIN:your_domain /YES /SAVEPW:NO > nul
  10. You are lucky boy today http://www.kilievich.com/fpinger/
  11. It is a really powerful tool:

      SubInAcl version

      USAGE
      -----
      Usage : SubInAcl [/view_mode] [/test_mode] [/output=FileName] /object_type object_name [/action[=parameter] [/action[=parameter]]...

        /view_mode :
            /noverbose
            /verbose (default=/verbose=2)
            /verbose=1
            /verbose=2
        /test_mode :
            /notestmode (default=/notestmode)
            /testmode
        /object_type :
            /service /keyreg /subkeyreg /file /subdirectories /share
            /clustershare /kernelobject /metabase /printer /onlyfile
        /action :
            /display(default)
            /setowner=owner
            /replace=[DomainName\]OldAccount=[DomainName\]New_Account
            /changedomain=OldDomainName=NewDomainName
            /migratetodomain=SourceDomain=DestDomain
            /findsid=[DomainName\]Account[=stop]
            /suppresssid=[DomainName\]Account
            /confirm
            /ifchangecontinue
            /cleandeletedsidsfrom=DomainName
            /testmode
            /accesscheck=[DomainName\]Username
            /setprimarygroup=[DomainName\]Group
            /grant=[DomainName\]Username[=Access]
            /deny=[DomainName\]Username[=Access]
            /revoke=[DomainName\]Username

      Usage : SubInAcl [/view_mode] /playfile file_name
      Usage : SubInAcl /help [keyword]
              SubInacl /help /full

        keyword can be :
            features usage syntax sids view_mode test_mode object_type
            domain_migration substitution_features editing_features
            - or -
            any [/action] [/object_type]

      SYNTAX
      ------
      The SubInAcl syntax is analog to the UNIX find tool.
      For each object, SubInAcl :
        1. retrieves the security descriptor of the object
        2. applies the /action(s). The /actions are executed in the order of the command line
        3. If :
           - the security descriptor has been modified and
           - the /testmode switch has not been specified
           the changes are applied to the object

      For instance :
        - SubInAcl /output=result.txt /subdirectories \\Server\c$\temp\*.* /grant=Dom\John=F /noverbose /display
      For each file below \\Server\c$\temp, SubInAcl will
        - open the file
        - grant full control for dom\john
        - display the security setting in noverbose mode
        - save the security descriptor.
      All outputs will be saved in result.txt

      You can specify as many /actions as you wish.
      You must specify at least 3 characters for each action.
      The command line is not case-sensitive

      Ex: SubInAcl /file c:\temp\*.txt /replace=John=Smith /display
      for each *.txt file will
        - replace John with Smith
        - display the whole security descriptor
        - apply the changes if any

      SubInAcl error messages are sent to the Standard error.
      You can use the /output switch to save both outputs and errors in the same file.

      FEATURES
      --------
      SubInAcl was designed to help administrators to manage security on various objects.
      It provides :
        - a unified way to manipulate security for different kinds of objects (files, registry keys, services, printer,...)
        - a console tool that allows to write scripts to automate security tasks
        - some features that help administrators to modify security if some changes occur in their organization:
            - user, group deletions (/suppresssid, /cleandeletedsidsfrom )
            - user, group migrations (/replace)
            - domain migration (/changedomain, /migratetodomain)
            ...
        - security descriptor editing features :
            - owner ( /setowner )
            - primary group ( /setprimarygroup )
            - permissions ( /grant , /deny , /revoke )
        - access to remote objects
        - save and restore permissions (/playfile , /output , /display )

      You need
        SeBackupPrivilege
        SeRestorePrivilege
        SeSecurityPrivilege
        SeTakeOwnershipPrivilege
        SeChangeNotifyPrivilege
      privileges (locally or remotely) to run this tool

      Type SubInAcl /help to get extended help

      SIDS
      ----
      The security descriptor references a user,group,.. with a SID (Security Identifier).
      An SID can be expressed in one of the following form :
        + DomainName\Account (ex: DOM\Administrators )
        + StandaloneServer\Group
        + Account ( see LookupAccount API )
        + s-1-x-x-x-x . x is expressed in decimal (ex: S-1-5-21-56248481-1302087933-1644394174-1001)
          Warning : In that case, no check is done to verify the existence of this SID.
      SubInAcl maintains a local cache of SIDs to minimize SID to "Human Name" translation network cost

      VIEW_MODE
      ---------
      SubInAcl can be used in a quiet mode (/noverbose) or a in 2 verbose modes (/verbose , /verbose=1 )
      You can specify these switches either :
        - for the entire comand line :
            SubInAcl /noverbose /file *.dat /display
        - after a specific action :
            SubInacl /file *.dat /display /noverbose /display
      The /verbose=1 mode may be used with /display to display perm. ACEs using /grant or /deny notations.

      TEST_MODE
      ---------
      If /testmode is specified, the changes will not be reflected to the object security descriptor.
      This option is usefull to test the validity of a comand.
      Ex : SubInacl /subdirec \\server\share\*.* /changedomain=DOMA=DOMB /ifchangecontinue /noverbose /display /testmode
      For each file modified this comand displays the modified security descriptor.
      But these changes will not physically apply to the files

      OBJECT_TYPE
      -----------
      SubInAcl can work with various objects:
        - Files : /file /subdirectories /onlyfile
        - Registry keys : /keyreg /subkeyreg
        - Services : /service
        - Shares : /share /clustershare
        - Printer : /printer
        - Kernel named objects : /kernel
        - IIS adminidstration rights : /metabase
      The actions are valid for all objects
      Most of them support the enumeration with the * character

      DOMAIN_MIGRATION
      ----------------
      The main purpose of SubInAcl is to help administrators to migrate user(s) if the domain architecture has changed.
      For instance, the user John has moved and is now member of the DOMB organization.
      You can reflect this change with :
        SubInAcl /subdirec \\server\share\*.* /replace=OldDomain\John=DOMB\John
      N.B: A trust relationship must be enabled between the domain of server and OldDomain and NEWDOMAIN

      Sample : You have worked with a unique domain. You want to migrate a BDC named MIGRCONTROL with all the files and the users utilized on a new domain
        1. Reinstall the BDC as PDC to the NEWDOMAIN (without erasing the files)
        2. Create the users on NEWDOMAIN
        3. Create a "trusted relationship" with OLDDOMAIN
        4. Run SubInAcl /noverbose /subdirectories x:\*.* /changedomain=OLDDOMAIN=NEWDOMAIN
        5. Verify the changes with SubInAcl /noverbose /subdirectories x:\*.*

      Sample : You have worked with a standalone server named SERVER in a workgroup environment. You want to move this server (including users) to a domain DOM.
        1. Move SERVER to the domain DOM
        2. Create the users in the DOM domain
        3. SubInAcl /noverbose /subdirectories \\server\share /changedomain=SERVER=DOM

      See /changedomain /migratedomain /replace actions

      EDITING_FEATURES
      ----------------
      SubInAcl allows to modify each part of a a security descriptor :
        - owner
            see /owner=SID or /setowner=SID
        - primary group
            see /setprimarygroup=GroupSID
        - system ACL (SubInAcl name = Audit ACL) with Access Control Entries (SubInAcl name= AAce = Audit ACE)
            see /audit /aace=xxx
        - discretionnary ACL (SubInAcl name = Perm ACL ) with Access Control Entries (SubInAcl name= PAce = Perm ACE)
            see /perm /pace=xxx /revoke=SID /grant=SID=Access /deny=SID

      /SERVICE
      --------
      manipulate service
        - \\ServerName\Messenger
        - Messenger

      /KEYREG
      -------
      manipulate registry keys
        - HKEY_CURRENT_USER\Software
        - HKEY_CURRENT_USER\Software\*Version
        - \\Srv\HKEY_LOCAL_MACHINE\KeyPath

      /SUBKEYREG
      ----------
      manipulate registry keys and subkeys
        - HKEY_CURRENT_USER\Software
        - HKEY_CURRENT_USER\Software\*Version
        - \\Srv\HKEY_LOCAL_MACHINE\KeyPath

      /FILE
      -----
      manipulate files
      N.B: SubInAcl is not supported on DFS volumes
        - *.obj
        - c:\temp\*.obj
        - \\servername\share\*.exe

      /SUBDIRECTORIES
      ---------------
      manipulate files in specified directory and all subdirectories
        - c:\temp\*.obj : work with all obj files
        - c:\temp\test : work with all test files under temp directory
        - c:\temp\test\*.* : work with all files uner temp\test

      /ONLYFILE
      ---------
      open a file without using the FindFilexxx mechanism.
      Can be used to access named pipes or mailslot
        - \\.\pipe\pipename

      /SHARE
      ------
      access a network file share.
        - \\server\share

      /CLUSTERSHARE
      -------------
      access a cluster file share resource.
        - \\clustername\FileShare_Resource_Name
        - \\clustername\s*

      /KERNELOBJECT
      -------------
      access a named kernel object.
      Can be used to view mutex, sections, events objects

      /METABASE
      ----------
      access to IIS metabase AdminACL metabase property
      Note that this property can only be used with these Metabase paths
        /LM/MSFTPSVC , /LM/MSFTPSVC/n , /LM/W3SVC , /LM/W3SVC/
      This object doesn't support enumeration.
        - SubInAcl /metabase \\ServerName\LM\W3SVC /grant=administrator=F

      /DISPLAY
      --------
      display the security descriptor
      The /noverbose display can be used to reapply the security descriptor (see /playfile)

      /PLAYFILE PLAYFILE.TXT
      ----------------------
        - You can reapply security settings saved with with the /noverbose /display option
            1. save settings : SubInAcl /output=c:\subinaclsave.txt /noverbose /display
            2. replay settings : SubInAcl /playfile c:\subinaclsave.txt
        - The playfile.txt can contain any valid options and can be used to batch SubInAcl commands
            playfile.txt :
              +subdirec *.txt /noverbose /grant=everyone=R
              +services RkillSrv /display

      /OUTPUT
      -------
      /output=filename.txt
      all outputs and errors will be send in the filename.txt

      /OWNER
      ------
      will change the owner of the object
      /owner=SID
      owner = DomainName\Administrators will retrieve the Administrators Sid on the server where the object is (see Win32 SDK LookupAccountName function).

      /REPLACE
      --------
      /replace=DomainName\OldAccount=DomainName\New_Account
      replace all ACEs (Audit and Permissions) in the object
      Ex: /replace=DOM_MARKETING\ChairMan=NEWDOM\NewChairMan
      will replace all ACEs containing DOM_MARKETING\ChairMan with NewChairMan SID retrieves from NEWDOM domain

      /CLEANDELETEDSIDSFROM
      ---------------------
      /cleandeletedsidsfrom=DomainName
      delete all ACEs containing deleted (no valid) Sids from DomainName

      /CHANGEDOMAIN
      -------------
      /changedomain=OldDomainName=NewDomainName
      replace all ACEs with a Sid from OldDomainName with the equivalent Sid found in NewSamServer
      Ex: /changedomain=DOM_MARKETING=NEWDOMAIN
      replace all ACEs containing DOM_MARKETING\ChairMan SID with the ChairMan's SID retrieved on NEWDOMAIN computer
      The NEWDOMAIN must have a trusted relationship with the server containing the object

      /MIGRATETODOMAIN
      ----------------
      /migratetodomain=FromDomainName=ToDomainName
      same behavior than /changedomain except that news ACEs will added instead of replacing
      Ex: /migratetodomain=DOM1=DOM2
      each ace with DOM1\User will be duplicated with DOM2\User (If DOM2\User exists)
      If during the migration there was a serious oversight you can instruct the user to log back onto DOM1.
      N.B: Owner and Primary Group are migrated to DOM2

      /FINDSID
      --------
      /findsid=DomainName\Account[=stop]
      display the object name containing a reference to DomainName\Account in the security descriptor

      /SUPPRESSSID
      ------------
      /suppresssid=DomainName\Account
      suppress all ACES containing the DomainName\Account SID.
      If the object's owner is DomainName\Account, the owner is set to Everyone's SID.

      /PERM
      -----
      /perm
      suppress all existing permissions aces (PACEs)

      /AUDIT
      ------
      /audit
      suppress all existing auditing aces (AACEs)

      /IFCHANGECONTINUE
      -----------------
      /ifchangecontinue
      continue to process the next actions only if some changes have been made in the previous actions

      /TESTMODE
      ---------
      /testmode
      changes will not be applied to the object.
      This allows to test the modifications

      /ACCESSCHECK
      ------------
      /accesscheck=Domain\Username
      display the access granted to the Domain\Username.
      The password will be asked.
      This option requires the SeTcbName privilege (Act as Part of the Operating System).
      This option cannot be used with remote object.
      Note : the access is checked with the NETWORK security identified granted to the Domain\UserName

      /SETPRIMARYGROUP
      ----------------
      /setprimarygroup=[DomainName\]Group
      change the primary group

      /DENY
      -----
      /deny=[DomainName\]User[=Access]=
      add a denied Permission Ace for the specified User (or group)
      If Access is not specified, all accesses will be denied.

      File:
        F : Full Control
        C : Change
        R : Read
        P : Change Permissions
        O : Take Ownership
        X : eXecute
        E : Read eXecute
        W : Write
        D : Delete
      ClusterShare:
        F : Full Control
        R : Read
        C : Change
      Printer:
        F : Full Control
        M : Manage Documents
        P : Print
      KeyReg:
        F : Full Control
        R : Read
        A : ReAd Control
        Q : Query Value
        S : Set Value
        C : Create SubKey
        E : Enumerate Subkeys
        Y : NotifY
        L : Create Link
        D : Delete
        W : Write DAC
        O : Write Owner
      Service:
        F : Full Control
        R : Generic Read
        W : Generic Write
        X : Generic eXecute
        L : Read controL
        Q : Query Service Configuration
        S : Query Service Status
        E : Enumerate Dependent Services
        C : Service Change Configuration
        T : Start Service
        O : Stop Service
        P : Pause/Continue Service
        I : Interrogate Service
        U : Service User-Defined Control Commands
      Share:
        F : Full Control
        R : Read
        C : Change
      Metabase:
        F : Full Control
        R : Read - MD_ACR_READ
        W : Write - MD_ACR_WRITE
        I : Restricted Write - MD_ACR_RESTRICTED_WRITE
        U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
        E : Enum keys- MD_ACR_ENUM_KEYS
        D : write Dac- MD_ACR_WRITE_DAC

      /REVOKE
      -------
      /revoke=[DomainName\]User
      suppress all Permission Ace(s) for the specified User (or group)

      /GRANT
      ------
      /grant=[DomainName\]User[=Access]
      will add a Permission Ace for the user.
      if Access is not specified, the Full Control access will be granted.

      File:
        F : Full Control
        C : Change
        R : Read
        P : Change Permissions
        O : Take Ownership
        X : eXecute
        E : Read eXecute
        W : Write
        D : Delete
      ClusterShare:
        F : Full Control
        R : Read
        C : Change
      Printer:
        F : Full Control
        M : Manage Documents
        P : Print
      KeyReg:
        F : Full Control
        R : Read
        A : ReAd Control
        Q : Query Value
        S : Set Value
        C : Create SubKey
        E : Enumerate Subkeys
        Y : NotifY
        L : Create Link
        D : Delete
        W : Write DAC
        O : Write Owner
      Service:
        F : Full Control
        R : Generic Read
        W : Generic Write
        X : Generic eXecute
        L : Read controL
        Q : Query Service Configuration
        S : Query Service Status
        E : Enumerate Dependent Services
        C : Service Change Configuration
        T : Start Service
        O : Stop Service
        P : Pause/Continue Service
        I : Interrogate Service
        U : Service User-Defined Control Commands
      Share:
        F : Full Control
        R : Read
        C : Change
      Metabase:
        F : Full Control
        R : Read - MD_ACR_READ
        W : Write - MD_ACR_WRITE
        I : Restricted Write - MD_ACR_RESTRICTED_WRITE
        U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
        E : Enum keys- MD_ACR_ENUM_KEYS
        D : write Dac- MD_ACR_WRITE_DAC
  12. It is from Resource Kit (available for free from www.microsoft.com)
  13. First you need to initialize network as Shamwari said. You want to connect to workgroup or domain?
  14. Command for advanced ACL setting is SubInAcl. You can also control ACL for services etc.
  15. One of my favourite authors, Jerry Honeycutt, wrote a book, Windows XP Registry Guide. It is not about different values etc, it is more about principles etc, really nice. http://www.honeycutt.com/ BTW this guy also wrote the really great Windows Desktop Deployment Resource Kit.
  16. There is an easier way, just disable Indexing service...
  17. Hmmm, I just noticed tree.xml. Wouldn't it be better if the tree will be generated from all included xml files? E.g. you could add one control for sections, one for parameters etc.?
  18. Well, I am still missing something like advanced setup manager (setup manager, that will include ALL available settings). If you will provide "framework", I will try to create xml for every section. Could you please have a look at branding.xml I provided? Don't know why it isn't working. It would be also great if you could make less chaotic XML input... One line for all xmls isn't really comfortable. And please don't forget about Save .sif file I spoke about - it is really important for me.
  19. Few more questions:
      a.) Why isn't this working???

          <winstaller>
            <item>
              <id>1</id>
              <Title>Use answer file to configure Internet Explorer</Title>
              <Summary>Specifies whether to use Unattend.txt or an .ins file to brand Internet Explorer during an unattended Setup.</Summary>
              <sifsection>Branding</sifsection>
              <sifname>BrandIEUsingUnattended</sifname>
              <type>yesno</type>
              <default>no</default>
            </item>
            <item>
              <id>2</id>
              <Title>Ins file to configure Internet Explorer</Title>
              <Summary>Specifies the name of the .ins file (created by the IEAK) for branding Internet Explorer.</Summary>
              <sifsection>Branding</sifsection>
              <sifname>IEBrandingFile</sifname>
              <type>text</type>
              <default>IEBrandingFile = ietest.ins</default>
            </item>
          </winstaller>

      b.) I am missing button "Save .sif". Useful when you want to use winstaller just to create winnt.sif file.
  20. Hey JD, I know what I am missing - selection description. E.g. Choice=DefaultHide Description=blablabla
  21. MS was releasing ONLY service packs since NT4 SP4. With SP2 they finally decided to combine service packs (like SP1) with feature packs (like Advanced Networking) into one package. This is only a service pack, so it is not interesting for me.
  22. It is service pack only or also feature pack???
  23. I agree with Wesmosis... BTW my favourite is Raxco