RIS/WDS – post installation script

In the last weeks I did a lot to optimize our workstation deployment process. Well, we have been using RIS/WDS for a long time now, but we always had to do several things manually after the rollout, e.g. moving the computer object to another OU, changing the computer description to the “owner” of the PC and so on. I knew that most of this is scriptable, but never found the time to get my hands on it.
At first I had the problem that the autologon of the local administrator after applying the riprep image never worked, because the local admin account had been disabled in the installation I captured (with the local admin disabled, the autologon setting which is configured in the .sif file won’t work and so I can forget the GuiRunOnce section :( ). I thought that I could fix that by editing the corresponding riprep.sif file but it didn’t work at all (keyword: DisableAdminAccountOnDomainJoin). I finally fixed that by putting

net user Administrator /active

in the Cmdlines.txt (indeed this is quick and dirty but it works for the moment and I have to make a new image next month anyway).
So, the base for my postinstallation script was developed and I began with the script. It should do the following:

- setting the computer description (or comment) under Control Panel – System
- ask the admin for the NETBIOS name and change it
- set the description of the computer object in AD
- move the computer object in the correct OU

After reading the first point you’ll probably ask “Why the hell don’t you set the correct computer name at the time you install it?”. It’s simple: Our computer names are in the form pc-xxx-##. The xxx is the short form of the department to which the computer belongs and ## is a number. During the installation the admin may not know which department the computer will be for, so WDS just chooses a more random name (pc1, pc2, pc3, …).

The computer description is stored under HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\srvcomment. I do that in the script by importing a key (overwriting the old):

set /p description=Description of the computer:
reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters /v srvcomment /d "%description%" /f

Well, this is simple. I’ve found a hint here.

Let’s continue with changing the NetBIOS name of the computer. As you probably know this can be done with netdom.exe, which is part of the Windows XP support tools. I have already written about it in another post. For a description of how to use it I suggest you read this article. Instead of simply changing the computer name I want to check first whether a computer account with the same name already exists in the directory. For this I use the dsquery command. At that point I came across my first “problem”: this command (and also the other ds* commands like dsadd etc.) isn’t available under Windows XP, and it doesn’t support a parameter to pass a username and a password (in order to run the command as a user who has the permission to change AD objects), unlike netdom, which has the /userd and /passwordd parameters. I realized that it could be done by running dsquery remotely with psexec:

\\server\util\psexec.exe -accepteula \\server -u companydomain.de\Administrator ^
    -p password cmd.exe /c dsquery computer -name %newname% ^| dsget computer

The variable newname is filled by another set /p line in my script, which asks the admin for the new name. Please note that you have to escape the pipe by adding a ^ in front of it!

If dsquery finds a computer object with this name, the errorlevel is 0, otherwise… well, I guess you know how to script that ;)
When an object with this name has been found, I want to offer the option to delete the old computer object. Deleting is done by piping the output of dsquery to dsrm:

\\server\util\psexec.exe -accepteula \\server -u companydomain.de\Administrator ^
    -p password cmd.exe /c dsquery computer -name %newname% ^| dsrm -noprompt

Remember that it takes some seconds until the changes take effect and the object is deleted in AD, so better add a little sleep (for example: ping localhost -n 30 >NUL or something) after that line. At last the actual renaming is done with:

\\server\util\psexec.exe -accepteula \\server -u companydomain.de\Administrator ^
   -p password cmd.exe /c start/wait \\server\util\netdom.exe ^
   renamecomputer %oldname% /newname:%newname% ^
   /userd:companydomain.de\Administrator /passwordd:password /force
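
The prompt, check, delete and rename steps above as one script; this is an added example, not the author's code. Because %newname% ends up on a command line that runs on the server under a domain account, it is checked against the naming scheme before use, and psexec and netdom are left to prompt for the password so that no credential is stored in the script. Assumptions: pc-xxx-## means three letters and two digits, and netdom.exe can be run locally from the share.

```batch
@echo off
setlocal EnableDelayedExpansion
REM Added example, not the author's script. Assumed: pc-xxx-## means three
REM letters plus two digits; \\server, companydomain.de and the tool paths
REM are the placeholders used in the post; netdom.exe runs locally here.
set "ADMIN=companydomain.de\Administrator"
set "PSEXEC=\\server\util\psexec.exe -accepteula \\server -u %ADMIN%"

:ASK
set "newname="
set /p "newname=New computer name (pc-xxx-##): "
if not defined newname goto ASK

REM "set newname" prints the value verbatim, so shell metacharacters in the
REM input are never parsed. findstr /x only accepts an exact match.
set newname | findstr /r /i /x /c:"newname=pc-[a-z][a-z][a-z]-[0-9][0-9]" >NUL
if errorlevel 1 (
  echo ERROR: the name must have the form pc-xxx-##.
  goto ASK
)

REM No -p argument: psexec asks for the password with hidden input.
REM Per the post, errorlevel 0 means an object with this name exists.
%PSEXEC% cmd.exe /c dsquery computer -name %newname% ^| dsget computer
if errorlevel 1 goto RENAME

set "answer="
set /p "answer=%newname% already exists in AD. Delete it? (y/n): "
if /i not "!answer!"=="y" goto ASK
%PSEXEC% cmd.exe /c dsquery computer -name %newname% ^| dsrm -noprompt
REM Give the deletion time to take effect before renaming.
ping localhost -n 30 >NUL

:RENAME
REM /passwordd:* makes netdom prompt instead of reading a literal password.
\\server\util\netdom.exe renamecomputer %computername% /newname:%newname% ^
    /userd:%ADMIN% /passwordd:* /force
endlocal
```

Any non-zero exit code, including a failed psexec logon, is treated as "name is free", so read the psexec output before continuing with the rename.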

Of course it is necessary to reboot the computer after renaming it, but we don’t do it yet. Before that we take care of the other two points.

The description of the computerobject in the directory can be modified with dsmod. This is simple too, we take the value of %description% and use it:

\\server\util\psexec.exe -accepteula \\server -u companydomain.de\Administrator ^
    -p password cmd.exe /c dsquery computer -name %computername% ^| dsmod ^
    computer -desc "%description%"

For moving the computer object to another OU I wrote a batch file, moveou.bat, with the content below:

@echo off
REM Move computer objects to their corresponding organisational units
for /f "Tokens=*" %%s in ('dsquery computer "OU=Departments,DC=companydomain,DC=de" -scope onelevel -name pc-dep1*') do (
  DSMOVE %%s -newparent "OU=Department1,OU=Departments,DC=companydomain,DC=de"
)
for /f "Tokens=*" %%s in ('dsquery computer "OU=Departments,DC=companydomain,DC=de" -scope onelevel -name pc-dep2*') do (
  DSMOVE %%s -newparent "OU=Department2,OU=Departments,DC=companydomain,DC=de"
)
for /f "Tokens=*" %%s in ('dsquery computer "OU=Departments,DC=companydomain,DC=de" -scope onelevel -name pc-dep3*') do (
  DSMOVE %%s -newparent "OU=Department3,OU=Departments,DC=companydomain,DC=de"
)

You have to use ‘for’, because piping more than one result from dsquery to dsmove doesn’t work (usually there should be just one object to move, but who knows). By the way, the OU “Departments” is the OU where RIS/WDS creates the computer object during installation.

I put the batchfile on the same network share as my other utils. In the mainscript I added a line

\\server\util\psexec.exe -accepteula \\server -u companydomain.de\Administrator ^
  -p password cmd.exe /c start/wait \\server\scripts\moveou.bat

So we are finally done with the script. The last thing we have to do is rebooting the computer by

shutdown -r -t 0

Of course you can put a lot more things in the script, e. g. software installations using msiexec etc.
Thank you for reading this post and sorry for my bad English and the many line wraps ;)

Some scripts

In case someone finds it interesting…

(I recommend downloading the scripts, because some lines have been cut and therefore simple copy’n'paste won’t work)

Run cctk and set BIOS options for Dell workstations (download)

@echo off

REM Check if wmic is available on this system
REM (a missing command returns 9009, so test for any non-zero errorlevel)
WMIC.EXE /? >NUL 2>&1
IF ERRORLEVEL 1 (
 echo ERROR: WMIC.EXE not found.
 echo.
 GOTO EXIT
)

REM Check for Dell workstation
wmic bios get manufacturer /format:list | find /I "Dell" > NUL
if %ERRORLEVEL% == 1 (
 echo ERROR: No Dell workstation!
 echo.
 GOTO EXIT
)

REM Check architecture
if /I "%PROCESSOR_ARCHITECTURE%" == "x86" GOTO X86
if /I "%PROCESSOR_ARCHITECTURE%" == "amd64" GOTO AMD64

:X86
cd /d "%PROGRAMFILES%\Dell\CCTK\X86"
REM Check if cctk for X86 is installed
IF %ERRORLEVEL% == 1 (
 echo ERROR: CCTK not installed.
 echo.
 GOTO EXIT
)
REM Run cctk and set options
cctk.exe --wakeonlan=enable > NUL
cctk.exe --lowpowers5=disable > NUL
GOTO EXIT

:AMD64
cd /d "%PROGRAMFILES%\Dell\CCTK\X86_64"
REM Check if cctk for AMD64 is installed
IF %ERRORLEVEL% == 1 (
 echo ERROR: CCTK not installed.
 echo.
 GOTO EXIT
)
REM Run cctk and set options
cctk.exe --wakeonlan=enable > NUL
cctk.exe --lowpowers5=disable > NUL
GOTO EXIT

:EXIT
REM Finished!
exit

Load predefined Outlook profile for any new user (download)

@echo off
REM Check for Windows XP
ver | find "XP" > nul
if %ERRORLEVEL% == 1 goto exit
reg load hklm\temp "%systemdrive%\documents and settings\default user\ntuser.dat" > nul
reg add hklm\temp\Software\Microsoft\Office\10.0\Outlook\Setup ^
   /v ImportPRF /d "\\server\share\Outlook.prf" > nul
reg unload hklm\temp > nul
:exit
exit

Windows 7

I like it ;) (except the start menu, but who cares, I use my own symbol bar)


WOL and Dell Optiplex 740

2009/08/13 Michael 7 comments

This is kinda “WTF?”. I wanted to use Wake-On-LAN (WOL) with our Dell Optiplex 740 workstations. By default, WOL wasn’t enabled in BIOS, so I set the two relevant options by disabling the low power mode and enabling the wake-up option of the NIC. After some testing with Dameware’s WOL function (which didn’t work) and some other tools (wol, winwol, wolcmd also didn’t work) I finally woke up my test client successfully out of hibernate with Magic Packet Sender. WOL also worked out of standby mode. But only with Magic Packet Sender, although I configured other tools to use port 9 UDP too (can anyone explain that to me?). At last I tried to wake up the PC from poweroff. I got frustrated – it didn’t work. Hibernate and standby were never a problem, poweroff = no reaction. I called the Dell business support, but unfortunately they also had no clue. After some googling I found this forum link, where other users report similar problems with other workstation models. Up to now Dell did not respond to their posts…

UPDATE

Okay, the Dell support guy I talked to has also no solution. In the meantime I discovered that all our Dell workstations (also the Precision T3400 and older Optiplex) don’t wake up from poweroff. Seems that I’ve to investigate… I will post updates here.

Dell Client Configuration Toolkit

Managing Dell workstations with the Dell Client Configuration Toolkit is great ;) Just install it on your workstations or boot from a WinPE disk including it and you are able to modify your BIOS settings using really simple commands. For example to enable Wake-On-LAN:

cctk.exe --wakeonlan=enable

That’s it.

WTF? Vista Printer Sharing

Okay, perhaps I’m stupid or something, but what do I have to do in order to turn on printer sharing on Vista without clicking on “enable” in the Network and Sharing Center and without using group policies? I want a registry key. Where is it? Didn’t find anything … :S


Acronis Rescue Media Builder and WDS

Yesterday I tried to create a boot image with Rescue Media Builder (part of Acronis True Image Echo Workstation) on our WDS-Server for disaster recovery purposes. Unfortunately this didn’t work. I got this significant error:

[Image: rescue_media_builder]

After checking permissions on the WDS-Server and doing some more testing I searched on Google for this error. I came across this Acronis KB article, saying that WDS has to be in Legacy Mode for Media Builder to work. So I switched to Legacy mode with WDSUTIL /Uninitialize-server and tried again. I received the same error…
Finally I got in touch with the Acronis support. Below is a part of the chat transcript. (I’m M, the support employee is S. Translated from German.)

[11:37:20] M: Hello. I have the following problem with the Media Builder:
[11:37:56] M: If I choose our WDS server (which is in legacy mode) as the target, I get the error message “Erstellung des Mediums fehlgeschlagen” [creation of the medium failed]
[11:38:05] M: Error code 0x0.
[11:38:16] M: I can't find anything about this in the support forums.
[11:38:54] S: I'll be happy to answer your questions.
[11:39:10] S: Unfortunately, Acronis currently supports only RIS. Its successor, WDS, is currently not supported yet
[11:40:04] M: But it says something different here: http://kb.acronis.com/content/1753
[11:41:22] S: One moment please
[11:46:07] S: No, development has not replied yet. As far as we were informed, WDS has so far not been supported even in legacy mode.

Okay… this is strange. WDS currently not supported? Then why the article in the knowledge base? Well, one of the two statements has to be wrong. The support guy promised me that Acronis development will contact me with detailed information (and perhaps a new build of Rescue Media Builder, officially (?) supporting WDS as target :S)

I’ll update this post as soon as I know something new ;)

(Btw. yes I know, there are cool free alternatives like DriveImage XML with Bart PE support… ;)

UPDATE

A support technician contacted me yesterday and told me to install the Acronis PXE-Server included in Acronis SnapDeploy and set it as target for media builder. I didn’t try this, but I guess I then have to stop the Acronis PXE service each time I want to use WDS :S

UPDATE 2

Acronis support sucks. After dozens of mails without any solution for the problem, I ran across the news that a new product (“Backup & Recovery”) replaced TrueImage. Luckily we were able to upgrade our license and with B&R’s media builder you can also access WDS-servers…

Adding disclaimer information to outgoing e-mails

If you are using MS Exchange (2000/2003/2007) I can recommend “OLXDisclaimer Agent” (link) for adding disclaimer information (and much more, e.g. attachments) to outgoing mails. It is a small program, easy to setup, highly configurable and reasonably priced (595 € per server, unlimited users/mailboxes).

German error messages – pt. 1


Thinstall – free virtual Citrix ICA client

Check here and here.