[Discontinued] AutoRIS V2.10

[Resonate]

You da man!

Any idea also how to rename Administrator to Admin lol ?

[RogueSpear]

Yea I do that in VBscript. But that's going to have to wait til tonight or tommorow. Just leaving work and going straight to a client site. Oh happy Monday.. lol

[RogueSpear]

Ok here's a VBscript that does what you want a little bit more:

Option Explicit
On Error Resume Next
Dim ws, fs, wn, objReg, strComputer, strPath, objComp
Set ws = WScript.CreateObject("WScript.Shell")
Set fs = CreateObject("Scripting.FileSystemObject")
Set wn = WScript.CreateObject("WScript.Network")
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & "." & "\root\default:StdRegProv")
strComputer = wn.ComputerName
strPath = ("WinNT://" & strComputer)
Set objComp = GetObject(strPath)

'** Subroutine; Process the built-in Administrator account
Sub ProcessAdmin
	Dim objUser1, objUser2, objGroup1, objGroup2, flag
	Set objUser1=objComp.GetObject("user","Administrator")
	Set objGroup1=objComp.GetObject("group","Debugger Users")
	Set objGroup2=objComp.GetObject("group","Guests")
	objGroup1.Remove objUser1.AdsPath
	objGroup2.Add objUser1.AdsPath
	objUser1.SetPassword "password1"
	Set objUser2=objComp.MoveHere(objUser1.ADsPath,"Jerry")
	objUser2.Description=""
	objUser2.SetInfo
	If objUser2.AccountDisabled="False" Then flag=objUser2.Get("UserFlags")+2
	objUser2.Put "UserFlags", flag
	objUser2.SetInfo
End Sub

'** Subroutine; Process the built-in Guest account
Sub ProcessGuest
	Dim objUser1, objUser2
	Set objUser1=objComp.GetObject("user","Guest")
	objUser1.SetPassword "password2"
	Set objUser2=objComp.MoveHere(objUser1.AdsPath,"Kramer")
	objUser2.Description=""
	objUser2.SetInfo
End Sub

'** Subroutine; Create and configure a fake Administrator account
Sub FakeAdmin
	Dim objUser, objGroup, flag
	Set objUser=objComp.Create("user", "Administrator")
	Set objGroup=objComp.GetObject("group","Guests")
	objUser.SetPassword "password4"
	objUser.Description="Built-in account for administering the computer/domain"
	objUser.FullName=""
	objUser.SetInfo
	objGroup.Add objUser.AdsPath
	If objUser.AccountDisabled="False" Then flag=objUser.Get("UserFlags")+2
	objUser.Put "UserFlags", flag
	objUser.SetInfo
End Sub

'** Subroutine; Copy current settings to the Default User profile
Sub CopyDefUser
	Dim sysdrv, duProfile
	sysdrv = ws.ExpandEnvironmentStrings ("%SYSTEMDRIVE%")
	duProfile = fs.GetFile(sysdrv & "\Documents and Settings\Default User\NTUSER.DAT")
	If fs.FileExists(duProfile) Then fs.DeleteFile(duProfile),True
	ws.Run("reg save HKCU " & """" & duProfile & """"),0,True
	Set duProfile = fs.GetFile(sysdrv & "\Documents and Settings\Default User\NTUSER.DAT")
	duProfile.Attributes = duProfile.Attributes + 2
End Sub

'** Run Tasks
ProcessAdmin
ProcessGuest
FakeAdmin
CopyDefUser
objComp.Delete "user", "ASPNET"
objComp.Delete "user", "HelpAssistant"
objComp.Delete "user", "SUPPORT_388945a0"

The subroutine "ProcessAdmin" renames the builtin Administrator account to Jerry, adds it to the Guests group, strips away the description, and disables it completely. This is pretty much SOP with XP's builtin Administrator account. If you want an Admin level user named Admin, you should create a whole new account instead of using the builtin one.

The subroutine "ProcessGuest" renames the builtin Guest account to Kramer (yes, I like Seinfeld) and strips away the description.

FakeAdmin simply creates an account named Administrator, gives it the default description of the builtin Administrator account, adds it to the Guests group, and makes it disabled. You could say that this account is a "decoy".

CopyDefUser simply exports the HKCU of the currently logged in user and copies it over to the Default User profile. This is assuming the script is run later in your RunOnceEx scheme and all of your registry tweaks and software installs have been completed.

Finally, all of the useless but potentially exploitable service accounts are deleted. I know this is a bit more than you were looking for, but perhaps it will give you some good example material to work with.

ConfigAccounts.7z

[Resonate]

OK thanks

what would I use if I simply wanted to rename the built in Admin account to Admin?

[tarquel]

@RogueSpear:

Hi. Lovely looking script you have here - alas, cant quite get it to work.

been having a few problems with the part when it comes to restarting the BINL service - "Remote Installation" [bINLSVC] on 2003 - it just throws up a vb error. When i run it again shortly, I'll update the post.

Also had a bit of trouble in that if i try to run AutoRIS with the following options:

IntegrateNIC=No
DelDefSIF=Yes
RunRVM=No
RunNlite=Yes
RunBTS=No
Optimize=No
OEM=No

when it starts to send the image back, i get a vb error regarding missing file

"Line 276 Ch 2" as I recall.

I'm wondering whats causing the latter.

The XP source is a slipstreamed SP2 with hotfixes and updates - made using XPCREATE and works perfectly if run locally on a machine from the CD.

Fully automated but it doesnt contain anything else except the updates [dotnet, etc] and hotfixes in the process, and a winnt.sif file.

I'm sort of running out of time at the moment so sorry if this post appears to be a bit rushed hehe

Trying to remove the images off the server but cant seem to get rid of them - I've stopped the 3 RIS services hoping this might help but they dont wanna go

Guess this stuff isnt as easy as i first thought hehe.

Cheers

Nath

[RogueSpear]

As far as XPCreate goes, I can't really help you there. I've never used the program, so I really don't know what all it does to a source. Regarding the error on line 276 - all that line does is call filecase.exe to convert all filenames to uppercase. Is filecase.exe in the AutoRIS directory or somewhere in your path?

The error message will certainly help for the BINL service error. There was one other person who reported the same issue and that was on 2003 SBS. Currently I don't have access to a 2003 server to nuts around on. At some point I'll get a 2003 environment set up in VMware and conduct some thorough testing.

The only thing I can tell you to check on for the BINL error is to make sure that the credentials you are using to run AutoRIS with has the proper rights to restart the BINL service on the RIS server. It seems to be a common practice for people to use non domain admin account on their local workstation, but the account will have admin privileges on the local machine. This is not good enough since the admin rights will not extend to the RIS server.

[tarquel]

Hey - thanks for the quick response

As far as XPCreate goes, I can't really help you there.

No problem and I understand. Its not that I've got anything against RyanVM's work - far from it - its just that I prefer to know exactly what is going into a slipstreamed XP CD etc etc. Nothing against him at all *bows*

Regarding the error on line 276 - all that line does is call filecase.exe to convert all filenames to uppercase. Is filecase.exe in the AutoRIS directory or somewhere in your path?

Just noticed that the file appears to get deleted during the process somewhere - it isnt me deleting it hehe Possibly the BTS RUN_me.bat file maybe, as I dont recall it happening when I didnt use it - but i cant be exact [mainly because I've tried SO many things during the past two days - and still getting nowhere fast *sighs*]

The error message will certainly help for the BINL service error.

Righty-o. I'm creating a new RIS image on the server using the initial unattended CD i made early this week [the one that I tested on a client by installing using the CD and it works] so once this has finished copying the files, I'll be able to start afresh.

The only thing I can tell you to check on for the BINL error is to make sure that the credentials you are using to run AutoRIS with has the proper rights to restart the BINL service on the RIS server.

The domain 'Administrator' account should work it shouldn't it? Currently, I wouldnt use anything less - mainly because I want to get the darned thing to work first lol

Guess its not helping that these new HP DX5150 SFF's use broadcom lan cards - should be ok just to integrate the ones you have in AutoRIS right? I dont want to use BTS this time around - great tool but get BSOD during XP installing from the CD made using BTS [and nlite].

With nlite, I'm actually removing less than your list so I doubt its anything wrong there.

Any more thoughts would be very very welcome

Cheers

Nath.

[RogueSpear]

You know what, I think BTS run_me.cmd may in fact be deleting filecase.exe as a part of it's cleanup process. If you copy filecase.exe over to system32 or somewhere in the path, that should clear up that issue.

Now another thing you may have noticed is that the first time you run AutoRIS against a particular RIS image is that it creates a backup of the image on the RIS server for future use. Look for the directory i386-Original. I did this so that you wouldn't have to be continually making a new RIS image from the CD.

Again, I'm not quite sure how XPcreate works, so perhaps that could be a difference here, but the RIS image you make from the source CD should be a SP2 integrated image with nothing else at all. That's the point of having RVM integration built into AutoRIS. If you're making any modifications to the original image, then I can't predict what will happen as AutoRIS was designed to start out with an SP2 image that is untouched in any other way.

I'm not going to try and sell you on Ryan's update pack, but if you check out his web site, read the FAQs, etc., you'll find that there isn't any voodoo involved. It's actually quite straight forward what's going on and IMHO it's without question the best way to get your source up to date. I understand your hesistance in that you want to know exactly what's going on. That's my problem with nLite; I don't know every little thing that's going on. But nonetheless, I use it anyway to remove a few minor components in the interest of better workstation security and also I find it an easy way to implement some registry tweaks.

[tarquel]

Just gonna post the "Restarting the BINL service on <snip>" vb script: C:\dist\Tools\AutoRIS\AutoRIS V1.52.vbs

Line: 290

Char: 2

Error: Permission denied: 'GetObject'

Code: 800A0046

Source: Microsoft VBScript runtime error

[ OK ]

--------------------------------------------------------------

Not sure what it means by permission - as I am the administrator lol

Incidentally, I'm creating this from a XP SP2 client - which I would have thought would be fine i.e. you dont have to do all this [AutoRIS] on the actual server do you?

Cheers and hope that helps.

Nath.

[RogueSpear]

The fellow who was using 2003 SBS reported the same problem. I'm guessing there's some sort of additional security measure on 2003 that was never implemented on 2000. I'll implement an option in the .ini file to not restart the BINL service in the next release. Maybe put in yet another popup that instructs the user to restart it themselves then click OK.

EDIT: for the time being you could just comment out the line so there is no attempt to restart the service.

Edited February 23, 2006 by RogueSpear

[tarquel]

You know what, I think BTS run_me.cmd may in fact be deleting filecase.exe as a part of it's cleanup process. If you copy filecase.exe over to system32 or somewhere in the path, that should clear up that issue.

Thats what I'm a thinking - might be something to suggest to BTS perhaps - instead of having to have to put the file in the path etc

Now another thing you may have noticed is that the first time you run AutoRIS against a particular RIS image is that it creates a backup of the image on the RIS server for future use. Look for the directory i386-Original. I did this so that you wouldn't have to be continually making a new RIS image from the CD.

Yep - I understood that previously - I just made a new RIS image because I thought it might help to nlite & BTS the RIS image first etc

But alas when making that new image, it doesnt put the $OEM$ folder along side the i386 folder, not add the changes in the winnt.sif file to the new ris-created one in templates [i discovered hehe]

A fair point regarding using RyanVM's stuff - but i didnt mean that it would have any "voodoo" lol - I just thought that the packs were designed for home UA CD's, not domain-filled XP suites that you wouldnt want to have to redeploy all over again if there was some error in the RVM pack or something I think the lad is a genius - puts me to shame and I've been in this job for 8 years [with no training or hardly any resources may I add hehe].

It might be best practice should this not work out, for me to advise people to use RyanVM's packs when using RIS builds, and XPCREATE for UA CD's

At least, thats what I'm gonna try in a minute should this not work.

My only thought is at the moment - has the AutoRIS script added the NIC adaptor drivers and will they work for me? hehe Also, should I only restart the BINL service on the server or is there more things to do afterwards?

Cheers

Nath

EDIT: for the time being you could just comment out the line so there is no attempt to restart the service.

Like this?

'	For Each objService in colServiceList
'		errReturn = objService.StopService()
'	Next
'	WScript.Sleep(30000)
'	For each objService in colServiceList
'		errReturn = objService.StartService()
'	Next

I see that it does some more processes afterwards. Unfortunately I dont really know vb - only the basics of very basic syntaxes [i'm a batch file man myself lol] so I'm slightly unsure how to just execute the rest of the script without doing all that again [its getting close to finishing work time and I need this to be working tomorrow lol ...But thats my prob tho - not yours hehe ]

Nath

[RogueSpear]

IntegrateNIC=No
DelDefSIF=Yes
RunRVM=No
RunNlite=Yes
RunBTS=No
Optimize=No
OEM=No

But alas when making that new image, it doesnt put the $OEM$ folder along side the i386 folder, not add the changes in the winnt.sif file to the new ris-created one in templates [i discovered hehe]

As per your AutoRIS.ini settings above, you have OEM set to No. You need to set it to Yes in order for the $OEM$ folder to be copied over. RIS does not use a WINNT.SIF file per se. It uses anyfilename.sif files. You can have a half dozen of them if you like, they just need to be placed in the \Templates subdirectory of your RIS image.

A fair point regarding using RyanVM's stuff - but i didnt mean that it would have any "voodoo" lol - I just thought that the packs were designed for home UA CD's, not domain-filled XP suites that you wouldnt want to have to redeploy all over again if there was some error in the RVM pack or something I think the lad is a genius - puts me to shame and I've been in this job for 8 years [with no training or hardly any resources may I add hehe].

I included support for RVM in AutoRIS because indeed it makes deployment of domain member workstations much easier, faster, and secure. At this point, with version 2.0.3, there is one known issue and that has to deal with msi.dll or something like that. Essentially if you run an install routine that is Microsoft Intaller based, the dialog boxes disappear after you set it off an running. This has no effect on GPO application deployments and it seems to be a problem on Microsoft's end rather than Ryan's. But if the issue is a serious one for you, Ryan released an Addon that will revert the file to an older one which does not exhibit the problem.

My only thought is at the moment - has the AutoRIS script added the NIC adaptor drivers and will they work for me? hehe Also, should I only restart the BINL service on the server or is there more things to do afterwards?

If you have AutoRIS launch VMware or VirtualPC, you'll need to restart the BINL service on the RIS server prior to performing a RIS boot with either of those products. In the end, you will need to restart the service on the server no matter what, before you can sucessfully deploy workstations. And yes, the drivers I provide should work just fine.

Like this?

'	For Each objService in colServiceList
'		errReturn = objService.StopService()
'	Next
'	WScript.Sleep(30000)
'	For each objService in colServiceList
'		errReturn = objService.StartService()
'	Next

Precisely

I see that it does some more processes afterwards.

That code is the compression of .inf and .pnf files. It will only run if you have Optimize=Yes in the AutoRIS.ini file.

[tarquel]

no time for a full reply - i've technically finished work as it is hehe

IntegrateNIC=No
DelDefSIF=Yes
RunRVM=No
RunNlite=Yes
RunBTS=No
Optimize=No
OEM=No

But alas when making that new image, it doesnt put the $OEM$ folder along side the i386 folder, not add the changes in the winnt.sif file to the new ris-created one in templates [i discovered hehe]

As per your AutoRIS.ini settings above, you have OEM set to No. You need to set it to Yes in order for the $OEM$ folder to be copied over. RIS does not use a WINNT.SIF file per se. It uses anyfilename.sif files. You can have a half dozen of them if you like, they just need to be placed in the \Templates subdirectory of your RIS image.

hehe I was refering to the $OEM$ folder that I had on the XP CD - not the $OEM$ folder in AutoRIS

I take it that the RIS server/setup itself doesnt care whats inside the winnt.sif file in the i386 folder on the base XP CD a person uses to create the base image? [nothing to do with AutoRIS but i'm just curious lol]

g2g [thanks for all the help so far]

Nath

[RogueSpear]

Yes, RIS does not look for WINNT.SIF in i386. It looks for .SIF files inside of \Templates. Now I can't stress this enough: use a virgin, untampered with, unmodified XP SP2 CD to make the initial image. When RIS sucks all the files off of your CD and contructs the initial image, it doesn't give a hoot what you've got inside of $OEM$. If you were to use a CD that had hotfixes integrated via RVM or some other process, it will most likely copy those down, but like I stated previously I can't predict what all will happen. As best as I can tell, RIS has a static list of files it copies down from the CD, some of them RIS will uncompress or "decab".

If you mess with the initial source I think you're only asking for trouble. This is really the point of AutoRIS. To take that initial pristine image, back it up first, then mess around with it. If you make a mistake just run AutoRIS again. You won't have to be bothered with the "insert the CD then make image" phase of things. I've had the same image on my server pretty much since SP2 was released. I just have AutoRIS copy it down and mess with the copy, not the original.

[tarquel]

I see....

The only reason that I was wondering whether it was ok to use the base image from a already slipstreamed PC, was basically, to cut out the local slipstreaming everytime I run AutoRIS [and used RyanVM] as initially, I just want to get it all sorted and these new pc's installed. Then I can start a new image from a XP SP2 vanila CD, and let RVM, nlite and BTS do its stuff

Thats what I was thinking before it worked in the end - that maybe it would be best if I slipstream SP2 onto a XP Gold VOL CD possibly then, and use just that as the image. I was informed differently - or got a bit confused [which is most likely lol] from other sources methinks.

The funny thing is that it worked last night - installed XP lovely - alas, no LAN driver installed in windows, but at least it worked and went through the textmode part at the begining - it was a start hehe

On a side note, is the nlite [RIS.ini] file meant to run autoamated, because the example one doesnt hehe or is it me?

[i'm not usually this thick by the way, its just RIS is new to me and combine that with the stress-factor of getting new computers setup with everything installed in a matter of two days, its making my mind go all over the place lol]

Nath.

Edited February 24, 2006 by tarquel