One image to rule them all..

[michael.thomas]

I just thought I would document what I have done for a "one image to rule them all" build here - in case the information is useful to other people..

Outline of what this does:

1) Basic installation on any hardware platform (only NIC+Mass storage are included)

2) Detect machine type (desktop/laptop) and model (bios model)

3) "Fix" computer accounts in A/D (explained later on..)

4) Join domain, download drivers for model and install

5) Install software (configurable per machine)

6) Copies user profiles (if found for that computer)

7) Updates via WSUS/Windows update etc..

Why in gods name does it do this "stuff"?!

I inherited this network in a rather sad state:

* No standard hardware (a quick scan of the network yeilds ~60 different configurations)

* No standard naming convention (Bob1, Warehouse2, Lenovo-123456)

* Slow (aging hardware, domain migration, patch bloat..)

* Software on many machines is non-standard (eg. alot of the workstations have one-off pieces of software installed)

Now for the fun part..

<Image Path>\i386\Templates\image.sif

[Unattended]
    UnattendMode=FullUnattended
    OemPreinstall=Yes
    TargetPath=\WINDOWS
    NtUpgrade=No
    OverwriteOemFilesOnUpgrade=No
    OemSkipEula=Yes
    DUDisable=Yes
    DriverSigningPolicy=Ignore
    ExtendOemPartition=1
    ForceHALDetection=Yes
    Repartition=Yes
    OemSkipWelcome=1
    UnattendSwitch=Yes
    OemPnPDriversPath = Drivers\Nic
[GuiUnattended]
    AdminPassword=<password here>
    EncryptedAdminPassword=Yes
    OEMSkipRegional=1
    TimeZone=290
    OemSkipWelcome=1
[Identification]
    JoinWorkgroup=RIS_BUILD
[GuiRunOnce]
    Command0=%SYSTEMDRIVE%\INSTALL\post_install.cmd

Only relavent code is included for brevity.. so a very basic sif.. JoinWorkgroup is used because I don't want to expose passwords in the sif..

<Image Path>\$OEM$\cmdlines.txt

[COMMANDS]
"create_installer_account.cmd"

<Image Path>\$OEM$\create_installer_account.cmd

net user Installer installer /add
net localgroup Administrators Installer /add
net accounts /maxpwage:unlimited
REGEDIT /S installer_autologon.reg
EXIT

<Image Path>\$OEM$\installer_autologon.reg

Windows Registry Editor Version 5.00 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="Installer"
"DefaultPassword"="installer"
"AutoAdminLogon"="1"

Right, so during the GUI setup, create a local admin account called "Installer", password "installer", then patch the registry so it will log in automatically.. easy!

Now here's where things get tricky..

<Image Path>\$OEM$\$1\INSTALL\post_install.cmd

@echo off
SETLOCAL ENABLEDELAYEDEXPANSION

REM Some configuration..

SET RIS_SERVER=<WDS SERVER>
SET FILE_SERVER=<FILE SERVER>


REM ensure we are in the correct folder.. not really needed..
%SYSTEMDRIVE%
CD \INSTALL
SET INSTALLDIR=%SYSTEMDRIVE%\INSTALL

REM now where were we...
REM dir command used to check if we have a state, create one if not..
DIR "%INSTALLDIR%\STATE.CMD" >NUL 2>NUL|| CALL :SET_STATE FIRST_BOOT

REM load known settings
DIR "%INSTALLDIR%\SETTINGS.CMD" >NUL 2>NUL && CALL "%INSTALLDIR%\SETTINGS.CMD"

CALL "%INSTALLDIR%\STATE.CMD"

IF "%INSTALLSTATE%"=="FIRST_BOOT" (
	ECHO Starting Setup..
	ECHO ****************
) ELSE (
	ECHO Resuming Setup..
	ECHO ****************
)

REM go to where we left off..
GOTO %INSTALLSTATE%

REM #######################################
:FIRST_BOOT

	SET WSUS_ITERATION=0
	CALL :SET_SETTING WSUS_ITERATION %WSUS_ITERATION%

	CALL :CRUDE_WAIT_FOR_NETWORK
	REM We aren't on the domain yet, so use a VERY limited local account on RIS server
	REM to retrieve information we need..
	NET USE \\%RIS_SERVER%\COMPUTER_CONFIG /USER:%RIS_SERVER%\Ris_Installer R1s1nstaller /PERSISTENT:NO
	REM determine what type of PC we are on..
	SET PLATFORM=
	FOR /F %%I IN ('CSCRIPT //NoLogo get_computer_type.vbs') DO SET PLATFORM=%%I
	REM Default to Laptop if not sure.. can't hurt too much!
	IF "%PLATFORM%"=="Other" SET PLATFORM=Laptop

	REM see if there is a configuration for this MAC address..
	SET MACADDRESS=
	FOR /F %%I IN ('CSCRIPT //NoLogo determine_used_mac_address.vbs') DO SET MACADDRESS=%%I
	REM default to "default" configuration
	IF "%MACADDRESS%"=="" (
		SET MACADDRESS=%PLATFORM%
		SET NAME=%COMPUTERNAME%
	) ELSE (
		FOR /F %%I IN ('TYPE \\%RIS_SERVER%\COMPUTER_CONFIG\%MACADDRESS%\name.txt') DO SET NAME=%%I
	)

	REM Get list of software to install..

	SET SOFTWARE=
	FOR /F %%i IN ('TYPE \\%RIS_SERVER%\COMPUTER_CONFIG\%MACADDRESS%\software.txt') DO SET SOFTWARE=!SOFTWARE! %%i

	REM Set up a "bootstrap" for subsequent boots..
	REM Use "5" so model specific scripts, app install etc.. can sort before us, if they want..
	echo @CALL %INSTALLDIR%\post_install.cmd>"%ALLUSERSPROFILE%\Start Menu\Programs\Startup\5.cmd"

	REM Save for later use..
	CALL :SET_SETTING PLATFORM %PLATFORM%
	CALL :SET_SETTING MACADDRESS %MACADDRESS%
	CALL :SET_SETTING NAME %NAME%
	CALL :SET_SETTING SOFTWARE %SOFTWARE%

	ECHO Detected Platform:   %PLATFORM%
	ECHO Using Configuration: %MACADDRESS%
	ECHO Computer Name:       %NAME%
	ECHO Packages to install: %SOFTWARE%

	REM "Prompter.hta" attempts to:
	REM	Join the domain
	REM Change computer name
	REM Record Credentials in registry for autologon
	REM Reboot

	REM If for whatever reason it fails to perform the domain functions
	REM It will inform the user of the failure, and request that they 
	REM Manually join/rename the PC, then reboot

	REM Arguments are: [<CompterName> <MacAddress>] [<Username> <Password>]
	REM eg. IT001 ab-cd-ef-12-34 Administrator MyPassword
	CALL :SET_STATE CHECK_DOMAIN
	mshta %INSTALLDIR%\Prompter.hta %NAME% %MACADDRESS%

	CALL :REBOOT

GOTO :EOF
REM #######################################
:CHECK_DOMAIN

	CALL :CRUDE_WAIT_FOR_NETWORK

	REM Crude.. but effective..
	ECHO Checking domain..
	DIR \\<Domain Controller>\netlogon 2>NUL >NUL || GOTO :NOT_JOINED

	CALL :SET_STATE INSTALL_DRIVERS
	GOTO :INSTALL_DRIVERS

	:NOT_JOINED
		ECHO "ERROR:    Computer is not joined to the domain"
		ECHO "          Please resolve and press a key to continue"
		PAUSE
		CALL :REBOOT

GOTO :EOF
REM #######################################
:INSTALL_DRIVERS

	CALL :WAIT_FOR_NETWORK

	REM first, get drivers for current platform (or FAILSAFE)
	ECHO Getting drivers from %RIS_SERVER%..
	CSCRIPT //NoLogo "%INSTALLDIR%\get_model_drivers.vbs"

	REM Install the drivers using DPInst..
	ECHO Installing Drivers..
	PUSHD %SYSTEMDRIVE%\Drivers
		DPINST.EXE /c /s /sh /lm /el /sa
	POPD

	REM run post-install script
	ECHO Running driver post-install script..
	DIR "%INSTALLDIR%\driver_post_install.cmd" 2>NUL >NUL && CALL "%INSTALLDIR%\driver_post_install.cmd"

	CALL :SET_STATE SET_RESOLUTION
	CALL :REBOOT	

GOTO :EOF
REM #######################################
:SET_RESOLUTION

	REM Change resolution - some app installers require a minimum res..
	ECHO Setting resolution..
	ECHO     Trying 1024x768/auto
	"%INSTALLDIR%\QRes.exe" /x:1024 /y:768 > NUL 2>NUL
	ECHO     Trying 1024x768/24
	"%INSTALLDIR%\QRes.exe" /x:1024 /y:768 /c:24 > NUL 2>NUL
	ECHO     Trying 1024x768/32
	"%INSTALLDIR%\QRes.exe" /x:1024 /y:768 /c:32 > NUL 2>NUL

	CALL :SET_STATE INSTALL_SOFTWARE
	GOTO INSTALL_SOFTWARE

GOTO :EOF
REM #######################################
:INSTALL_SOFTWARE

	CALL :WAIT_FOR_NETWORK
	ECHO Installing Software..
	CSCRIPT //NoLogo \\%FILE_SERVER%\applications\installers\install.js %SOFTWARE%
	CSCRIPT //NoLogo \\%FILE_SERVER%\applications\installers\check_install.js %SOFTWARE% || GOTO SOFTWARE_NOT_FINISHED

	CALL :SET_STATE COPY_USER_PROFILES
	GOTO COPY_USER_PROFILES

	:SOFTWARE_NOT_FINISHED
	ECHO Not all software installed correctly, rebooting for retry..
	CALL :REBOOT

GOTO :EOF
REM #######################################
:COPY_USER_PROFILES

	CALL :WAIT_FOR_NETWORK
	ECHO Copying user profiles..
	FOR %%i in (\\%RIS_SERVER%\COMPUTER_CONFIG\%MACADDRESS%\profiles\*.*) DO CALL "%%i"

	CALL :SET_STATE WSUS_UPDATES
	GOTO WSUS_UPDATES

GOTO :EOF
REM #######################################
:WSUS_UPDATES

	CALL :WAIT_FOR_NETWORK
	REM use 3 iterations for WSUS..
	IF %WSUS_ITERATION% GEQ 3 GOTO WSUS_FINISHED

	SET /A WSUS_ITERATION=0%WSUS_ITERATION%+1 >NUL 2>NUL
	CALL :SET_SETTING WSUS_ITERATION %WSUS_ITERATION%

	CSCRIPT //NoLogo "%INSTALLDIR%\wsus_update.vbs" action:install mode:silent restart:1 force:1
	CALL :REBOOT
	GOTO :EOF

	:WSUS_FINISHED

	CALL :SET_STATE CLEANUP
	GOTO CLEANUP

GOTO :EOF
REM #######################################
:CLEANUP

	NET USER Installer /delete
	REG delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /f
	REG delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /f
	DEL "%ALLUSERSPROFILE%\Start Menu\Programs\Startup\5.cmd"
	%SYSTEMDRIVE%
	CD \
	RMDIR /s /q %INSTALLDIR% && shutdown -r -t 0	

GOTO :EOF
REM #######################################
:SET_STATE
	SETLOCAL
	SET STATE=%1
	ECHO SET "INSTALLSTATE=%STATE%"> %INSTALLDIR%\STATE.CMD
	ENDLOCAL
GOTO :EOF

:SET_SETTING
	SETLOCAL
	SET SETTING=%1
	SET VALUE=%2
	REM just append it to the end of the file.. even if there are duplicate entries, the last
	REM set value will always overwrite, so it's OK..
	ECHO SET "%SETTING%=%VALUE%">> %INSTALLDIR%\SETTINGS.CMD
	ENDLOCAL
GOTO :EOF

:REBOOT
	SETLOCAL
	ECHO Rebooting..
	shutdown -r -t 0
	ENDLOCAL
GOTO :EOF

:WAIT_FOR_NETWORK
	SETLOCAL
	ECHO Waiting for network..
	:WAIT_FOR_NETWORK_LOOP
	DIR \\<Domain Controller>\netlogon >NUL 2>NUL || GOTO WAIT_FOR_NETWORK_LOOP
	ENDLOCAL
GOTO :EOF

:CRUDE_WAIT_FOR_NETWORK
	SETLOCAL
	ECHO Waiting for network..
	:CRUDE_WAIT_FOR_NETWORK_LOOP
	PING 192.168.45.210 -n 1 2>NUL| find "Reply" | find "time" >NUL || GOTO CRUDE_WAIT_FOR_NETWORK_LOOP
	ENDLOCAL
GOTO :EOF

This nasty looking batch file is basically a state machine, it calls various scripts, reboots.. and continues where it left off..

Initally the batch file sets up some basic configuration, loads previous settings (STATE.CMD and SETTINGS.CMD), then jumps to it's current "state"

FIRST_BOOT

Get the computer type via get_computer_type.vbs (returns either Laptop or Desktop)

Get the mac address (OK.. this is a little bit of a lie.. determine_used_mac_address.vbs checks if there is a folder with the computers mac address, if present it returns the mac address.. otherwise nothing)

Default mac address to computer type (explained later..)

If a valid mac address is found.. get further configuration from a folder on the WDS server (name, software to install)

Create a cmd file in the all users startup folder, for subsequent reboots..

Show the "prompter", which requests a username/password/computer name, "fixes" computer accounts, saves the username/password in the registry for autologon, and reboots..

CHECK_DOMAIN

Try and connect to the domain controllers netlogon share, post a message if it fails..

INSTALL_DRIVERS

Calls the get_mode_drivers.vbs script, which determines the computer model, then looks on the WDS server for drivers for that model, then copies them locally. This script has a "failsafe", which copies everything from driverpacks.net..

Use DPINST.EXE to install PnP drivers

Note: some hardware configurations don't have drivers that install cleanly (eg. nvidia graphics cards), so the driver_post_install.cmd can be used to run driver executables to "fix" things like that..

SET_RESOLUTION

Some software we use will not install if the resolution/colour depth are set too a low level..

Uses QRes to (try) change the resolution

INSTALL_SOFTWARE

Ug.. not gonna go into any detail on my software installation scripts here (happy to answer questions though..), needless to say, I have written a set of scripts that behave somewhat similar to apt-get/yum etc.. (eg. software is installed as a "package", packages can have dependcies etc..)

COPY_USER_PROFILES

Does what it says, profile backup script included below to show how it works..

WSUS_UPDATES

calls the wsus_update.vbs script, then reboots.. 3 times for sanity

CLEANUP

Remove autologon information, remove the script "bootstrapper" from the all users profile, then self destruct

Phew! hope that high level description is enough for you guys.. feel free to ask questions..

Right.. now onto the scripts themselves.. (in order of execution)

<Image Path>\$OEM$\$1\INSTALL\get_computer_type.vbs

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colChassis = objWMIService.ExecQuery _
    ("Select * from Win32_SystemEnclosure")

dim strType

For Each objChassis in colChassis
    For  Each strChassisType in objChassis.ChassisTypes
        Select Case strChassisType
            Case 1
                strType = "Other"
            Case 2
                strType = "Other"
            Case 3
                strType = "Desktop"
            Case 4
                strType = "Desktop"
            Case 5
'                strType = "Other"
            Case 6
                strType = "Desktop"
            Case 7
                strType = "Desktop"
            Case 8
                strType = "Laptop"
            Case 9
                strType = "Laptop"
            Case 10
                strType = "Laptop"
            Case 11
                strType = "Laptop"
            Case 12
'                strType = "Other"
            Case 13
'                strType = "Other"
            Case 14
                strType = "Laptop"
            Case 15
'                strType = "Other"
            Case 16
'                strType = "Other"
            Case 17
                strType = "Desktop"
            Case 18
'                strType = "Other"
            Case 19
'                strType = "Other"
            Case 20
'                strType = "Other"
            Case 21
'                strType = "Other"
            Case 22
'                strType = "Other"
            Case 23
                strType = "Desktop"
            Case 24
                strType = "Desktop"
            Case Else
                strType = "Unknown"
            End Select
    Next
Next

WScript.echo strType

Fairly straight forward.. look at the ChassisType(s) for the computer, then spit it out to stdout..

<Image Path>\$OEM$\$1\INSTALL\determine_used_mac_address.vbs

strComputer = "."
set objFSO = Wscript.CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery _
	("Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True")

For Each objItem in colItems
	strMac = Replace(objItem.MACAddress,":","-")
	if objFSO.FolderExists("\\<WDS SERVER>\COMPUTER_CONFIG\" & strMac) then
		Wscript.Echo strMac
		Wscript.quit
	end if
Next

Iterate through each MAC address the computer has, check if \\<WDS SERVER>\COMPUTER_CONFIG\<Mac Address> exists and spit it to stdout, otherwise nothing..

<Image Path>\$OEM$\$1\INSTALL\Prompter.hta

<html>
<head>
<HTA:APPLICATION 
     ID="objInstaller" 
     APPLICATIONNAME="Installer"
     SCROLL="no"
     SINGLEINSTANCE="yes"
     WINDOWSTATE="normal"
     BORDER="dialog"
     CAPTION="Installer"
>
<title>Installer</title>
<body>
<script language="VBScript">

	Const JOIN_DOMAIN = 1
	Const ACCT_CREATE = 2
	Const ACCT_DELETE = 4
	Const WIN9X_UPGRADE = 16
	Const DOMAIN_JOIN_IF_JOINED = 32
	Const JOIN_UNSECURE = 64
	Const MACHINE_PASSWORD_PASSED = 128
	Const DEFERRED_SPN_SET = 256
	Const INSTALL_INVOCATION = 262144

	private function readRegString(strKeyPath,strValueName)
		const HKEY_LOCAL_MACHINE = &H80000002
		strComputer = "."

		Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_ 
			strComputer & "\root\default:StdRegProv")

		oReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue

		readRegString = strValue 

	end function

	private sub WriteRegistry(strPath,strValue)
		Set objShell = CreateObject("WScript.Shell")
		objShell.RegWrite strPath, strValue, "REG_SZ"
	end sub

	private function dostuff()

		strComputerName = document.getelementbyid("computername").value
		strUserName     = document.getelementbyid("username").value
		strUserPassword = document.getelementbyid("password").value

		if not fix_computer_account(strUserName,strUserPassword,strComputerName,strOldComputerName,strMacAddress) then
			exit function
		end if

		WriteRegistry "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName", "<DOMAIN>\" & strUserName
		WriteRegistry "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName", "<DOMAIN>"
		WriteRegistry "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword", strUserPassword
		WriteRegistry "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon", "1"

		if not join_domain_and_rename(strUserName,strUserPassword,strComputerName) then
			Msgbox "An error occured during domain configuration, you can try again with a different username/password" & vbcrlf & _
				"or close this window and attempt to fix it yourself"
			exit function
		end if

		Set arrOS =	GetObject("winmgmts:{(Shutdown)}//./root/cimv2").ExecQuery _
			("select * from Win32_OperatingSystem where Primary=true")

		for each objOS in arrOS
			objOS.Reboot()
		next

		self.close

	end function

	function fix_computer_account(strUser,strPassword,strNewComputerName,strOldComputerName,strMacAddress)

		Set objShell = CreateObject("WScript.Shell")

		strCmd1 = objShell.ExpandEnvironmentStrings("%INSTALLDIR%") & "\RunasPro.exe " & _
			strUser & "@DOMAIN.COM " & strPassword & " c:\"

		strCmd2 = """cscript " + objShell.ExpandEnvironmentStrings("%INSTALLDIR%")+"\fix_compter_account.vbs"
		strCmd2 = strCmd2 & " " & strOldComputerName & " " & strNewComputerName & " " & strMacAddress & """"

		objShell.Run strCmd1 & " " & strCmd2, 0, True

		fix_computer_account = true

	end function

	function join_domain_and_rename(strUser,strPassword,strNewCompterName)

		'Right, here's where things get.. interesting
		'WScript doesn't appear to support binding to LDAP using alternate
		'Credentials, unless you can bind to it via NTLM first! (unless..
		'presumably.. you mess with the premissions in AD.. let's not..
		'So.. what the hell do we do?!
		'We CAN connect to another PC's WMI service, supplying credentials..
		'So.. we proxy the compter account "fudging" through it! what a task!

		join_domain_and_rename = True

		strDomain = "DOMAIN.COM"

		Set objNetwork = CreateObject("WScript.Network")
		strComputer = objNetwork.ComputerName

		Set objWMIService = GetObject ("winmgmts:" & "!\\" & strComputer & "\root\cimv2")

		Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
			strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & _
				strComputer & "'")

		ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, strPassword, strDomain & "\" & strUser, "OU=Workstations,DC=DOMAIN,dc=COM", _
				JOIN_DOMAIN)

		if ReturnValue <> 0 then
			ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, strPassword, strDomain & "\" & strUser, "OU=Workstations,DC=DOMAIN,dc=COM", _
				JOIN_DOMAIN + ACCT_CREATE)
		end if

		If ReturnValue <> 0 Then
			MsgBox "Computer not added to domain successfully. Return value: " & ReturnValue
			join_domain_and_rename = false
			exit function
		End If

		if lcase(strNewCompterName) <> lcase(strCompter) then

			strComputer = "."
			Set objWMIService = GetObject("winmgmts:" _
				& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
				Set colComputers = objWMIService.ExecQuery _
				("Select * from Win32_ComputerSystem")

			For Each objComputer in colComputers
				ErrCode = objComputer.Rename(strNewCompterName, strPassword, strUser)
				If ErrCode <> 0 Then
					MsgBox "Eror changing computer name. Error code: " & ErrCode
					join_domain_and_rename = false
					exit function
				End If
			Next
		end if
	end function

	Dim strComputerName,strUserName,strUserPassword
	Dim strOldComputerName, strNewComputerName, strMacAddress

	strOldComputerName = readRegString("SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName","ComputerName")

	arrCommands = Split(objInstaller.commandLine, " ")

	if UBound(arrCommands) > 1 then
		strNewComputerName = arrCommands(1)
		strMacAddress = arrCommands(2)
	else
		strNewComputerName = strOldComputerName
		strMacAddress = "FFAAFFAAFFAAFFAAFFAA" 'Dummy mac.. shouldn't cause trouble unless there
		'is a computer account in AD called "ITFFAAFFAAFFAAFFAAFFAA"..
	end if

	if UBound(arrCommands) = 4 then
		strUserName = arrCommands(3)
		strUserPassword = arrCommands(4)
	else
		strUserName = "Administrator"
		strUserPassword = ""
	end if

	Dim s
	s = "<tr><td>Computer Name</td>"

	s = s + "<td><input id=""computername"" type=""text"" value=""" & strNewComputerName & """></td></tr>"
	s = s + "<tr><td>Username</td><td><input id=""username"" type=""text"" value=""" & strUserName &  """></td></tr>"
	s = s + "<tr><td>Password</td><td><input id=""password"" type=""password"" value="""&strUserPassword&"""></td></tr>"

	document.write "<table>" 
	document.write s
	document.write "</table>"

	if Len(strUserPassword) > 0 then
		dostuff
	end if
</script>
<input type="button" name="go" value="Install" onclick="dostuff()">
</body>
</html>

Display HTML page with three inputs (computername, username, password), When "Install" is clicked, do the following:

1) Put the username/password into registry for autologon

2) Attempt to "fix" computer accounts in AD (explained below)

3) Attempt to join the domain

4) Attempt to rename the computer account

Now.. 1, 3 and 4 are easy! 2.. not so easy.. The problem is, the script must run under a domain account in order for it to connect to AD, and fix "stuff.."

As the computer is not yet a member of the domain (and this "fixing" needs to happen prior to it joining the domain..), I created a program called "RunasPro",

Which is similar to "RunAs", except you can supply a password as a parameter, and it does not do any authentication (eg. you can run xyz.exe as UNTRUSTEDDOMAIN\UnknownUser happily..)

RunasPro.cpp

#define UNICODE
#define _WIN32_WINNT 0x0500

#include <windows.h>
#include <stdio.h>
#include <userenv.h>

void DisplayError(LPWSTR pszAPI)
{
    LPVOID lpvMessageBuffer;

    FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
        FORMAT_MESSAGE_FROM_SYSTEM,
        NULL, GetLastError(),
        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
        (LPWSTR)&lpvMessageBuffer, 0, NULL);

    //
    //... now display this string
    //
    wprintf(L"ERROR: API        = %s.\n", pszAPI);
    wprintf(L"       error code = %d.\n", GetLastError());
    wprintf(L"       message    = %s.\n", (LPWSTR)lpvMessageBuffer);

    //
    // Free the buffer allocated by the system
    //
    LocalFree(lpvMessageBuffer);

    ExitProcess(GetLastError());
}


int main(int argc, WCHAR *argv[])
{
    HANDLE    hToken;
    PROCESS_INFORMATION pi = {0};
    STARTUPINFO         si = {0};

    WCHAR szUserName[1024];
    WCHAR szPassw0rd[1024];
    WCHAR szCommand[1024];
    WCHAR szWorkingDirectory[1024];

    si.cb = sizeof(STARTUPINFO);

    if (argc != 5)
    {
        printf("Usage: %s [user@domain] [password] [working directory] [cmd] ", (char*)argv[0]);
        printf("\n\n");
        return 1;
    }

    MultiByteToWideChar(CP_ACP,MB_ERR_INVALID_CHARS,(char*)argv[1],-1,szUserName,sizeof(szUserName)/sizeof(szUserName[0]));
    MultiByteToWideChar(CP_ACP,MB_ERR_INVALID_CHARS,(char*)argv[2],-1,szPassw0rd,sizeof(szPassw0rd)/sizeof(szPassw0rd[0]));
    MultiByteToWideChar(CP_ACP,MB_ERR_INVALID_CHARS,(char*)argv[3],-1,szWorkingDirectory,sizeof(szWorkingDirectory)/sizeof(szWorkingDirectory[0]));
    MultiByteToWideChar(CP_ACP,MB_ERR_INVALID_CHARS,(char*)argv[4],-1,szCommand,sizeof(szCommand)/sizeof(szCommand[0]));

    if (!CreateProcessWithLogonW(szUserName, NULL, szPassw0rd,
            LOGON_NETCREDENTIALS_ONLY, NULL, szCommand,
            0, NULL, szWorkingDirectory,
            &si, π))
        DisplayError(L"CreateProcessWithLogonW");

    WaitForSingleObject(pi.hProcess,INFINITE);

    CloseHandle(hToken);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
}

Very straight forward.. the only important part is the CreateProcessWithLogonW part, which, when called with LOGON_NETCREDENTIALS_ONLY, allows running under any account..

<Image Path>\$OEM$\$1\INSTALL\fix_computer_account.vbs

dim strOldComperName, objOldComputer
dim strNewCompterName, objNewComputer
dim strMacAddress, objMacAddress

strOldComputerName = WScript.Arguments(0)
strNewCompterName = WScript.Arguments(1)
strMacAddress = WScript.Arguments(2)

WScript.echo strOldComputerName
WScript.echo strNewCompterName
WScript.echo strMacAddress

strMacAddress = "IT"&Replace(strMacAddress,"-","")



set objOldComputer = FindComputer(strOldComputerName&"$")
set objNewComputer = FindComputer(strNewCompterName&"$")
set objMacAddress = FindComputer(strMacAddress&"$")



if not objOldComputer is nothing then
	if not objNewComputer is nothing then
		if objOldComputer.adsPath <> objNewComputer.adsPath then
			MergeGroupMembership objNewComputer, objOldComputer
			DeleteComputer objNewComputer
		end if
	end if
	if not objMacAddress is nothing then
		if objOldComputer.adsPath <> objMacAddress.adsPath then
			MergeGroupMembership objMacAddress, objOldComputer
			DeleteComputer objMacAddress
		end if
	end if
	ResetPassword objOldComputer
elseif not objNewComputer is nothing then
	if not objMacAddress is nothing then
		if objNewComputer.adsPath <> objMacAddress.adsPath then
			MergeGroupMembership objMacAddress, objNewComputer
			DeleteComputer objMacAddress
		end if
	end if
	set objNewComputer = RenameComputer(objNewComputer, strOldComputerName)
	ResetPassword objNewComputer
elseif not objMacAddress is nothing then
	Set objMacAddress = RenameComputer(objMacAddress, strOldComputerName)
	ResetPassword objMacAddress
end if

Sub MergeGroupMembership(objComputerSource,objComputerDest)
	WScript.Echo "Merging: " & objComputerSource.cn & " -> " & objComputerDest.cn
	On Error Resume Next
	dim arrGroupList : arrGroupList = objComputerSource.GetEx("memberOf")
	For Each strGroupDN in arrGroupList
		Set objGroup = GetObject("LDAP://" & strGroupDN)
		objGroup.add objComputerDest.adsPath
	next
	On Error GoTo 0

end Sub

function FindComputer(strAccountName)

	'Set objRootDSE = GetObject("LDAP://RootDSE")
	'strNC = objRootDSE.Get("defaultNamingContext")
	strNC = "<DomainController>.DOMAIN.COM"

	Set objConn = CreateObject("ADODB.Connection")
	objConn.Provider = "ADSDSOObject"
	objConn.Open "ADs Provider"

	strQuery = "(&(objectClass=computer)(samAccountName="&strAccountName&"))"

	strLdapQuery = "<LDAP://" & strNC & ">;" & strQuery & ";adspath;subtree"

	Set objRS = objConn.Execute(strLdapQuery)

	if Not objRS.EOF then
		  Set objRes = GetObject (objRS.Fields(0).Value)
		  set FindComputer = GetObject(objRes.adspath)
		  exit function
	end if

	set FindComputer = Nothing

end function

Sub ResetPassword(objComputer)
	objComputer.SetPassword objComputer.samAccountName
end sub

Sub DeleteComputer(objComputer)
	objComputer.DeleteObject (0)
End sub

Function RenameComputer(objComputer,strNewName)

	dim strOU :strOU = Mid(objComputer.distinguishedName,InStr(objComputer.distinguishedName,",")+1)
	set objOU = GetObject("LDAP://" & strOU)

	WScript.Echo "Moving " & objComputer.adsPath & " -> " & strNewname &" : " & strOU
	Set RenameComputer = objOU.MoveHere(objComputer.adsPath,"CN="&strNewName)


	RenameComputer.Put "sAMAccountName", strNewName & "$"
	RenameComputer.Put "displayName", strNewName & "$"
	RenameComputer.Put "dNSHostName", strNewName & ".DOMAIN.COM"

	RenameComputer.SetInfo

end Function

OK uhh.. there MAY be three computer accounts associated with this computer (don't ask..), IT<Mac Address>, BOB1/WAREHOUSE1/etc, and IT#### (new naming convention)

Now, each of these computer accounts may have been in security groups etc for GPOs

oldComputerName is the CURRENT computer name (eg. the name the computer will join the domain as)

newComputerName is the name which we will be renamed to..

macAddress is.. obvious..

So.. this script adds the OLD COMPUTER to all groups which macAddress and newComputer belong to, deletes macAddress and newComputer, and resets the password on oldComputer

Or.. similar.. eg. if oldComputer doesn't exist, it will merge new+mac, rename to old, then reset.. etc..

<Image Path>\$OEM$\$1\INSTALLget_model_drivers.vbs

dim strModel
Set objShell = CreateObject("WScript.Shell")
Set objWshScriptExec = objShell.Exec("systeminfo")
Set objStdOut = objWshScriptExec.StdOut

While Not objStdOut.AtEndOfStream
   strLine = objStdOut.ReadLine
   If InStr(strLine,"System Model") Then
       strModel = trim(split(strLine,":")(1))
   End If
Wend

dim objFSO,objFolder
set objFSO = Wscript.CreateObject("Scripting.FileSystemObject")
set objFolder = objFSO.GetFolder("\\<WDS SERVER>\MODEL_SPECIFIC")

strModelDirectory = "FAILSAFE"

for each subfolder in objFolder.subFolders
	dim compareLength
	compareLength = len(strModel)
	if len(subfolder.name) < compareLength then
		compareLength = len(subfolder.name)
	end if
	if left(lcase(subfolder.name),compareLength) = left(lcase(strModel),compareLength) then
		strModelDirectory = subfolder.name
	end if
next

objShell.Run "%COMSPEC% /c echo d | xcopy /E ""\\<WDS SERVER>\MODEL_SPECIFIC\" & strModelDirectory & "\Drivers"" ""%SYSTEMDRIVE%\Drivers""",,true
objShell.Run "%COMSPEC% /c copy /y ""\\<WDS SERVER>\MODEL_SPECIFIC\" & strModelDirectory & "\post_install.bat"" """ & objShell.ExpandEnvironmentStrings("%INSTALLDIR%") & "\driver_post_install.cmd""",,true

OK err.. run systeminfo, read the output and parse the "System Model", then, using that model, look on the WDS folder as follows:

eg. Computer Model: ABC123

Search order:

..\A

..\AB

..\ABC

..etc

In other words, match as close as possible to the model name, this way, computers with different revisions (ABCv1, ABCv2, ABCv3) can be grouped into ABC!

wsus_update.vbs is not included here - it was poached from:

http://www.vbshf.com/?p=13

That's all for now guys - feel free to ask any questions you like!

[Bezalel]

I think some of your procedures are overcomplicated, here are some of the thing I do to solve the same problems.

On my network I created an AD account that can join a computer to the domain but can't do much else. I don't care what model I'm installing to because I have INF files for every device in my organization (some of them were extremely difficult to extract from packaged installers). For user profiles I use roaming profiles. I set the policy for WSUS from cmdlines.txt.

[michael.thomas]

Hi Bezalel,

I would agree that the procedure is more complicated than need be there are a couple of reasons for this though:

1) Credentials are not embedded in the build because we have a policy.. no domain credentials are to be stored in plain text.. anywhere.. (I added provision for the script to have credentials embedded in it however, and this has been used when rebuilding large numbers of machines outside of hours.. kinda bending policy here..)

2) Management doesn't want to fork out for storage for roaming profiles.. (C'mon.. What the hell?!!!)

3) The script is designed to request credentials/computer name by default (machines need to be labeled/tagged at build/rebuild time, so can't really be automated in a sane fashion..)

4) Drivers.. blah.. I had 3 days to knock the whole thing together.. I would have liked to build a database for PCI ID's/drivers.. but 3 days wasn't gonna cut it!

5) WSUS.. it is handled by a GPO, but do you really want to leave it up to users to keep installing updates for the next few days? The script just forces installation of ALL updates on the spot

Aside from that - I think what I've put together _should_ be easier to maintain (eg. adding drivers) for whoever replaces me.. this place is run on a shoe-string, I doubt they will get someone who has the know-how to build up driver inf's for.. interesting hardware.. Whereas this process will allow them to basically extract drivers from *.zip/*.exe etc.. dump them in a folder and give it a whirl.. if something doesn't install on it's own, add the driver installer executable to the respective post_install batch file with a silent switch.. and be done with it..

Oh, on another note - do you get much trouble with multiple drivers for the same PCI ID? or are you fixing inf's by hand on conflict?

Cheers,

Mike

[Bezalel]

Oh, on another note - do you get much trouble with multiple drivers for the same PCI ID? or are you fixing inf's by hand on conflict?

When I have multiple drivers with the same ID I let Windows determine which is the best driver to install. I don't touch the INF's in order not to invalidate the WHQL certificates.