Password in .SIF file

[staun]

During RIS-installation of Windows XP clients we want to use a default password for all computers. Ofcourse this is done like this:

[GuiUnattended]

AdminPassword=mypassword

But its readable for everyone, thats smart enough to locate the file. Tried to use EncryptedPassword-method, but then the password on the client cannot be used?

Any other solution to make sure that no one but the admins to know the administrator password on the client-computer.

Scenario :

Windows 2003 RIS

XP Clients

[cyanide]

windows does not copy winnt.sif file to hdd during/after installation...

it just reads the contents from cd

so if youre worried about someone opening the winnt.sif file from harddisk, dont be...

and if youre worried that someone might open the winnt.sif file from cd and see the password, you cant do anything about that i think...

[staun]

I'm worried about my network-users browses to the RIS-installation path and then open the ristndrd.sif file.

Its not on the local PC, the installation is running from a RIS-server

[InTheWayBoy]

If you use the Setup Manager from Deploy.cab you can set the password AND encrypt it. If you open the *.sif with notepad you'll see a bunch of gibberish, but that's the encryption at work. I've never tested this, only read about it...good luck!

[staun]

Sorry - already tried that. No success

Think I have to live with the risk of a smart user on the network.

[Asin]

In what way did it not work?

[Gee]

In what way did it not work?

<{POST_SNAPBACK}>

I am curious to see why an encrypted password would not work.

But here is another solution.

Leave the password exposed and use your clean up batch file to change the password. Just compile the batch file so it is an .exe file. Harder to read and resets the password

net user administrator {New Password}

just bury the above command in your clean up batch file and compile it.

[InTheWayBoy]

Yeah...as everyone else has said if that's not working then you probably have issues elsewhere. I hear it's best to use the Setup Manager first, then hand edit the rest...don't make the *.sif and then feed it to Setup Manager.

[cyprod]

sorry if this is impossible in an RIS sever, never dealt with them personally, I mostly deal in unix land when dealing with network stuffs, but can't you just simply set permissions so they can't read, write or execute the file?

[InTheWayBoy]

Depends on how he has RIS setup...if he has it so the user can do it, then no...cause the user would need read access to the files. Now if he made it so only a handful of people can use it, then he might be able to deny access to the file for everyone but the RIS users. Again, it's all in how he's running it...but a **** find suggestion none the less!

[Noise]

Don't forget to encrypt your CDKey too. Here's the batch file I made to do mine.

ENC_CDKEY.CMD

@ECHO OFF
TITLE WindowsXP SP2 WINNT.SIF CDKey Encrypt
COLOR 74
MODE CON COLS=60 LINES=30
CLS
ECHO [Last Edited on 03-29-2005]

ECHO   *** Defining Variables
SET WORKDIR=%CD%
SET CDKEY=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
SET DAYS=60
REM MAX DAYS = 60 - MUST HAVE NON 0 VALUE

ECHO.
ECHO       This will refresh the encrypted CDKey on the
ECHO       WINNT.SIF file used in the setup of Windows.
ECHO.
ECHO       Note: This script must be run under WinXP.
ECHO       (press any key to continue)
PAUSE>NUL

ECHO   *** Reality Check
if not exist "%WORKDIR%\WINNT.SIF" goto ERR1
if not exist "%WORKDIR%\CDROOT\I386\WINNT32.EXE" goto ERR2
ECHO   - passed

ECHO   *** Clearing Log File
IF EXIST "%WINDIR%\WINNT32.LOG" DEL "%WINDIR%\WINNT32.LOG"

ECHO   *** Updating ProductKey entry in
ECHO       %WORKDIR%\WINNT.SIF with Volume License Key
ECHO       The encrypted key will be valid for *%DAYS%* days.
"%WORKDIR%\CDROOT\I386\WINNT32.EXE" /ENCRYPT:"%CDKEY%:%DAYS%" /UNATTEND:"%WORKDIR%\WINNT.SIF"
ECHO.
ECHO   *** Complete!
ECHO     The results of this operation shown below:
TYPE "%WINDIR%\WINNT32.LOG"
PAUSE
goto END

:ERR1
ECHO       !!! ERROR !!!
ECHO       %WORKDIR%\WINNT.SIF was not found.
ECHO       Please make sure this file is in the same
ECHO       directory as this script before executing.
PAUSE
goto END

:ERR2
ECHO       !!! ERROR !!!
ECHO       %WORKDIR%\CDROOT\I386\WINNT32.EXE was not found.
ECHO       Please check your directory structure.
PAUSE
goto END

:END
ECHO   *** End of script

[staun]

Correct my users (around 700) can reinstall their computeres themselfes, so they need the read-access. Tested this in the early days of the servers life.

I'm using the Setup Manager, maybe the problem is that it is an "imported" .SIF file, so I'll try make a new one and then the run once solution with a .EXE file that changes the password.

Thanks for your tips - will let you know what works.