
JohnGruhn

Posts posted by JohnGruhn

  1. We will be moving to ITMU within the next 6 months or so but I need to resolve this now as it is now beginning to cause issues where machines are not being patched. I managed to have this mess dumped on me as it was being rotated around a team of techs that never used the standards scripts that were provided to them to use :realmad:

    Just a thought but what is preventing you from using ITMU now? The hardest part of your solution is creating the detection logic and that alone is valuable time that SMS could be fixing your computers. Within one detection cycle after advertising the sync agent you would have a complete picture of what you need to fix and the packages you need to create. Even better, the reports for software compliance are updated along with the inventory so you can track your progress much more easily, something your homegrown solution will probably not do. OS detection is easy but ITMU gives you the rest of the detection. If you're waiting for SMS 2003 SP3, that will be out on 27 APR 07 (ie Friday) and it's more than worth it to switch and take two weeks to figure it out rather than reinvent the wheel. If your network is as borked as you say it is (been there, done that way too much), spending the week or so to figure out how to use ITMU which is not that hard will more than pay off in total time to completion.

    SGT Gruhn, John L

    BCT1 D101 S6 AMO NCOIC

  2. If most of your computers are Windows XP, 2000, and 2003 (the mainline support OS from Microsoft), why are you not using ITMU v3 (http://www.microsoft.com/technet/prodtechnol/sms/sms2003/downloads/tools/msupdates.mspx) for detection and distribution of patches? ITMU v3 will detect and push anything pushed by Microsoft Update, ie Windows, Office, SQL, Exchange, etc. For NT4, ITMU v3 will not work because it is way out of lifecycle. For those you will have to use your detection logic from above but you should be able to take out the OS detection and make a collection based on the OS. SMS2003's default collections allow for targeting by OS to reduce bandwidth. If you need to further define collections based on criteria, you probably should have your AD structured to account for the different policies so you can make collections based on that for the patch pushing.

    Implementation of this will last for SMS 2003, although as a previous poster has pointed out, eventually it will go to a WSUS server setup in SCCM 2007. It will still be controlled via SMS, but the back operations will be SUS with a little added on.

    If you want to know more about SMS; most of the user groups I use are on www.myitforum.com. That covers the entire System Center Family (SMS, MOM, etc)

    SGT Gruhn, John L

    BCT1 D101 S6 AMO NCOIC

  3. Does anybody know command line options for VistaSetupPrep.exe? I'm interested to know if it leaves the extracted Vista DVD files after the install. On another blog it tells the process

    (https://blogs.msdn.com/windowsmarketplace/archive/2007/01/29/what-do-you-get-when-you-download-windows-vista-from-marketplace.aspx)

    If it does, can this be used with the WAIK or BDD 2007 to create a bootable Vista DVD? I'm thinking I could use oscdimg.exe, but curious if someone else has figured it out. I don't like the idea of downloading Vista and then not having a bootable physical copy of it.

  4. Hello,

    I'm trying to change the default autorun sequence for USB disk drives only. I have a script that detects drives that use USBSTOR.sys and matches them against a list of known good PNP IDs named USBDetect.vbs. If unauthorized, the script then shuts down USB Storage via devcon and sends an alert to an admin. I'd like this script to run each time someone inserts a USB device. If this works, the easier it is to deploy in my domain the better. Any ideas on where to look? I have looked at Google and Yahoo and have yet to find what I'm looking for.

    Thanks in advance

  5. The bottom line is that the US military is going to have more headaches with vista than they had with xp.

    That may be true. However, as a sysadmin in the military and having used the Vista beta2 and being aware of the Longhorn beta builds, I can tell you there are things in Vista to like from a military point of view. Network Access Control, USB access control, more modular design, and IE7+ all seem worthwhile things. Bitlocker, ASLR, and some of the new wizards are also nice from the security point of view. Additionally, the expanded group policy is something that interests me as an Army sysadmin.

    Will we move to it at RTM? Almost certainly not. Having said that does it make sense in the Longhorn timeframe? Yes, assuming that they work the kinks out. I admit that the beta sucks up memory, but internal builds that have not gone public improve upon this a lot. The real time to make that decision is after it RTMs and we can commit to a full torture test. I for one look forward to the official testing. I will judge it then.

  6. I installed Dell's mraid35x mass storage drivers for Win2k3 by editing txtmode.sif and moving a makecab compressed copy of mraid35x.sys into my i386, replacing the previous version. I am using RIS on Win2k3 and setup runs fine, identifying my Dell 1750's raid, formatting, installing updates etc. Upon the first boot after setup however, the driver seems to be lost and I get a 0x7B BSOD. If it worked during setup, what would cause it to not use it post setup? The relevant settings for mraid35x from my txtsetup.sif are listed below.

    [SourceDisksFiles]
    mraid35x.sys = 1,,,,,,4_,4,0,,,1,4

    [HardwareIdsDatabase]

    PCI\VEN_101E&DEV_9010 = "mraid35x"
    PCI\VEN_101E&DEV_9060 = "mraid35x"
    PCI\VEN_8086&DEV_1960&SUBSYS_11121111 = "mraid35x"
    PCI\VEN_8086&DEV_1960&SUBSYS_11111111 = "mraid35x"
    PCI\VEN_8086&DEV_1960&SUBSYS_09A0101E = "mraid35x"
    PCI\VEN_8086&DEV_1960&SUBSYS_11111028 = "mraid35x"
    PCI\VEN_8086&DEV_1960&SUBSYS_04671028 = "mraid35x"
    PCI\VEN_101E&DEV_1960&SUBSYS_04711028 = "mraid35x"
    PCI\VEN_101E&DEV_1960&SUBSYS_04931028 = "mraid35x"
    PCI\VEN_101E&DEV_1960&SUBSYS_04751028 = "mraid35x"
    PCI\VEN_1028&DEV_000E&SUBSYS_01231028 = "mraid35x"
    PCI\VEN_1028&DEV_000F&SUBSYS_013B1028 = "mraid35x"
    PCI\VEN_1028&DEV_000F&SUBSYS_014A1028 = "mraid35x"
    PCI\VEN_1028&DEV_000F&SUBSYS_014C1028 = "mraid35x"
    PCI\VEN_1028&DEV_000F&SUBSYS_014D1028 = "mraid35x"
    PCI\VEN_101E&DEV_1960&SUBSYS_05111028 = "mraid35x"
    PCI\VEN_1000&DEV_1960&SUBSYS_05181028 = "mraid35x"
    PCI\VEN_1000&DEV_1960&SUBSYS_05201028 = "mraid35x"
    PCI\VEN_1028&DEV_0013&SUBSYS_016C1028 = "mraid35x"
    PCI\VEN_1028&DEV_0013&SUBSYS_016D1028 = "mraid35x"
    PCI\VEN_1028&DEV_0013&SUBSYS_016E1028 = "mraid35x"
    PCI\VEN_1028&DEV_0013&SUBSYS_016F1028 = "mraid35x"
    PCI\VEN_1028&DEV_0013&SUBSYS_01701028 = "mraid35x"
    PCI\VEN_1000&DEV_0408&SUBSYS_00011028 = "mraid35x"
    PCI\VEN_1000&DEV_0408&SUBSYS_00021028 = "mraid35x"

    [SCSI.Load]
    mraid35x = mraid35x.sys,4

    [SCSI]
    mraid35x = "AMI MegaRaid RAID Controller"

    -- Gruhnj

  7. You can automate the process using dsquery and dsrm. Run from the command prompt

    dsquery computer  -inactive X >InactComps.txt

    where X is the number of weeks of inactivity you want to check for. After you check this file place a ";" at the end of each line using search and replace. Then run the following command line to delete them.

    for /f "delims=;" %i in (InactComps.txt) do dsrm -noprompt %i

    This same procedure can also be used for users; just replace computer with user and you get a similar list of inactive users.
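An added example, not part of the original post: the "check this file" step from the procedure above written as a Python pre-filter that runs over the saved dsquery output before anything is passed to dsrm. The sample DNs, the `example.test` domain and the protected container list are constructed assumptions; the filter holds back lines that are not quoted computer DNs, that sit under a protected container, or that contain `;` or `%`, which the `for /f "delims=;"` loop would mangle.

```python
import re

# Constructed sample of `dsquery computer -inactive 8` output (one quoted DN per line).
SAMPLE = '''"CN=WS-0142,OU=Workstations,DC=example,DC=test"
"CN=DC01,OU=Domain Controllers,DC=example,DC=test"
"CN=KIOSK\\;3,OU=Workstations,DC=example,DC=test"
"CN=FS02,OU=Servers,DC=example,DC=test"
dsquery failed:Directory object not found.
"CN=WS-0977,OU=Workstations,DC=example,DC=test"
'''

# Assumption: containers this site never bulk-deletes from; adjust per domain.
PROTECTED_RDNS = {"ou=domain controllers", "ou=servers"}

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def review(text, protected=PROTECTED_RDNS):
    """Return (approved DNs, [(line, reason)] held back for a human)."""
    approved, held = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r'"([^"]+)"', line)
        rdns = split_rdns(m.group(1)) if m else []
        if not m or not rdns[0].upper().startswith("CN=") \
                or not any(r.upper().startswith("DC=") for r in rdns):
            held.append((line, "not a quoted computer DN"))
        elif ";" in line or "%" in line:
            held.append((line, "contains ';' or '%', unsafe for the for /f loop"))
        elif any(r.casefold() in protected for r in rdns):
            held.append((line, "under a protected container"))
        elif m.group(1) not in approved:
            approved.append(m.group(1))
    return approved, held

def dsrm_commands(approved):
    """One explicit dsrm call per approved DN, for a reviewable batch file."""
    return [f'dsrm -noprompt "{dn}"' for dn in approved]

if __name__ == "__main__":
    ok, held = review(SAMPLE)
    print("\n".join(dsrm_commands(ok)))
    for line, why in held:
        print(f"REM held: {line} ({why})")
```
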

  8. You're missing the /t switch. From my own dos boot disk command,

    @echo off
    REM started in dos only
    REM started from the boot disk
    REM
    if /i %OS% == Windows_NT echo Already Running Windows! Halting.
    if /i %OS% == Windows_NT echo I can only be run from Baseline Builder Bootdisk
    if /i %OS% == Windows_NT echo If you want to upgrade, run Upgrade2XP.bat
    if /i %OS% == Windows_NT pause
    if /i %OS% == Windows_NT goto end
    echo Installing WinXP Full Reload Unattended Low Side
    z:\WinXP\i386\winnt.exe /s:z:\WinXP\i386 /u:z:\WinXP\low.txt /t:c:\Source
    :end

    I use bart's modboot to get to this point and map my network drive to z: . Works out well since I have most new systems built overnight. This file goes on the server and I call differing versions of this based on the final loadout.

  9. Once they have gotten the physical media, all bets are off. If you have admins sign for using the CDs, you can tell who is taking what. Since you are in a corp environment, I assume you have a user agreement the end user signs. Include in this user agreement that software taken from work is assumed to be stolen unless granted by your admin group in writing.

    Physical copies such as what you have should remain in the admin group area unless in use. Nobody except the admin group has legit right to use them, so don't lend them out. If they are taking without your permission, slam them with the user agreement you make them sign from above. Since they signed it, it makes it hard for them to claim ignorance.

    Rather than have the CDs in a locked cabinet, you should probably invest in a safe with a combo lock that you can change. That way you can change the combo at any random time and keep it a roaming target. Have your admin group sign a separate statement that says they won't divulge the combo as a term of employment. It's still not foolproof and you will have leaks, but you will have enough paperwork to go after them when they do.

    Hope this helps.

  10. As long as you have enough drivers to boot the target computer you should be fine. Just add the BuildMassStorage section and add enough mass storage drivers if need be (use Bâshrat the Sneaky's MassStorage DriverPack) to your sysprep.inf . If space is an issue, you should still add some drivers to OemPnPDrivers, but leave the least used out.

    You might also want to simply expand to 4 CDs. A bare bones method still means that you have to add all the driver disks later on. CDs are fairly cheap and if your sites are well connected, you could just set up a dumb box with a big pipe and host your image there.

    Hope this helps.

  11. If you're using different images for different hardware configurations but they have the same software, you should try using the BuildMassStorage section in sysprep to reduce the number of images as much as possible and extending your OemPnpDriversPath to cover all 4 sets. Everything else can be accomplished using GuiRunOnce or cmdlines.txt . For renaming the computer, you should look into this Workstation Renamer. After you have renamed the box you can add it to the domain using netdom (from the support tools).

    I'd need to know more about your boot disk. Are you using modboot? WinPE\BartPE? normal Dos bootdisk? Assuming that you can use the normal ipconfig in your boot disk, you can use this to get the MAC address.

    @echo off
    ipconfig /all | Find /i "physical">mac.txt
    for /f "tokens=1* delims=Physical " %%1 in (mac.txt) do @echo %%2>mac.txt
    for /f "tokens=1* delims=Address " %%1 in (mac.txt) do @echo %%2>mac.txt
    for /f "tokens=1* delims=. " %%1 in (mac.txt) do @echo %%2>mac.txt
    type mac.txt

    Hope this helps

  12. I have a universal image for every computer in my office using ghost. As long as you set up your computer EXACTLY as you want it, you can copy it with no extra work simply by using the clone function of ghost. If you want multiple hardware configs OR want to deploy this in a domain, you should create a sysprep.inf for each OS you wish to support, and create a collection of drivers to add to the OEMPnPDrivers line of that file. As long as you do that, you can image all day long and have one image per software config. For more info check the DEPLOY.CAB in the SUPPORT\TOOLS\ dir on your Windows CD. It takes work upfront, but depending on how many computers you load and the variance in your software baselines, it more than pays off. I started loading every computer by hand, now I update the image once a month and that's it. One image for 1,000 computers + corporate ghost makes it very easy to admin. B)

  13. I work in a large office. As such, I build ghost images for each section on a regular basis. Each of these sections has an unattended install with multiple configurations. These are started by running a batch script with the desired install. I would like to be able to do two or more runs at a time over the network from a common source and block others from changing the current config while the client downrange is reading it. I basically want to make a semaphore using a file to avoid a race condition. I thought about copying over the cmdlines.txt portion at the end, but it still leaves me with copying a file after the "default" config gets to the machine. I probably have to copy the files beforehand, make the changes, then start the install, but I want to see if there is another way to do it.

  14. Is it possible to run a program at the end of the copy phase of dos mode? I am using unattended installs and want to run different cmdlines.bat files in each config. Running them from the same directory would be nice, but they currently run into a race condition so I thought of putting down a file to lock the current config. At the end of the copy phase I want to unlock this so the next user can begin their loadout and be sure they get the config they selected. Ideas?


