meph’s blog

2009/10/22

RIS/WDS – post installation script

Filed under: Client Management, Deployment, Scripting, Windows — Michael @ 14:34

In the last weeks I did a lot in order to optimize our workstation deployment process. Well, we have been using RIS/WDS for a long time now, but we always had to do several things manually after the rollout, e.g. moving the computer object to another OU, changing the computer description to the “owner” of the PC and so on. I knew that most of this is scriptable, but never found the time to get my hands on it.
At first I had the problem that the autologon of the local administrator after applying the riprep image never worked, because the local admin account had been disabled in the installation I captured (with the local admin disabled, the autologon setting which is configured in the .sif file won’t work and so I can forget the GuiRunOnce section :(). I thought that I could fix that by editing the corresponding riprep.sif file, but it didn’t work at all (keyword: DisableAdminAccountOnDomainJoin). I finally fixed that by putting

net user Administrator /active

in the Cmdlines.txt (indeed this is quick and dirty but it works for the moment and I have to make a new image next month anyway).
So, the base for my postinstallation script was developed and I began with the script. It should do the following:

– setting the computer description (or comment) under Control Panel – System
– ask the admin for the NETBIOS name and change it
– set the description of the computer object in AD
– move the computer object into the correct OU

After reading the first point you’ll probably ask “Why the hell don’t you set the correct computer name at the time you install it?”. It’s simple: Our computer names are in the form pc-xxx-##. The xxx is the short form of the department to which the computer belongs and ## is a number. During the installation of the computer the admin maybe doesn’t know which department the computer will be for, so WDS just chooses a more random name (pc1, pc2, pc3, …).

The computer description is stored under HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\srvcomment. I do that in the script by importing a key (overwriting the old one):

set /p description=Description of the computer:
reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters /v srvcomment /d "%description%" /f

Well, this is simple. I’ve found a hint here.

Let’s continue with changing the NetBIOS name of the computer. As you probably know this can be done with netdom.exe, which is part of the Windows XP support tools. I have already written about it in another post. For a description of how to use it I suggest you read this article. Instead of simply changing the computer name I want to check first if a computer account with the same name already exists in the directory. For this I use the dsquery command. At that point I came across my first “problem”. First of all this command (and also the other ds* commands like dsadd etc.) isn’t available under Windows XP, and this command doesn’t support a parameter to pass a username and a password (in order to run the command as a user who has the permission to change AD objects), unlike Netdom, which has the /userd and /passwordd parameters. I realized that it could be done by running dsquery remotely with psexec:

\\server\util\psexec.exe -accepteula \\server -u companydomain.de\Administrator -p password cmd.exe /c dsquery computer -name %newname% ^| dsget computer

The variable newname is filled by another set /p-line in my script, which asks the admin for the new name. Please notice that you have to escape the pipe by adding a ^ in front of it!

In the case that dsquery finds a computerobject with this name the errorlevel is 0, otherwise… well, I guess you know how to script that 😉
When an object with this name has been found, I want to offer the option to delete the old computerobject. Deleting is done by piping the output of dsquery to dsrm:

\\server\util\psexec.exe -accepteula \\server -u companydomain.de\Administrator -p password cmd.exe /c dsquery computer -name %newname% ^| dsrm -noprompt

Remember that it takes some seconds until the changes take effect and the object is deleted in AD, so better add a little sleep (for example: ping localhost -n 30 >NUL or something) after that line. Finally the actual renaming is done with:

\\server\util\psexec.exe -accepteula \\server -u companydomain.de\Administrator -p password  cmd.exe /c start/wait \\server\util\netdom.exe renamecomputer %oldname% /newname:%newname% /userd:companydomain.de\Administrator /passwordd:password /force
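The existence check and optional deletion described above, written out as one batch flow (an added example, not the author's script): it validates the entered name against the pc-xxx-## scheme before the name reaches the remote cmd.exe /c line, and leaves out -p so that PsExec prompts for the password instead of reading it from the script. The variable names and labels are assumptions, and the errorlevel test relies on the behaviour the post describes.

```batch
@echo off
setlocal EnableExtensions EnableDelayedExpansion
REM Added example, not the author's script. \\server, companydomain.de and the
REM pc-xxx-## scheme come from the post; variable names and labels are assumed.
set "PSEXEC=\\server\util\psexec.exe -accepteula \\server -u companydomain.de\Administrator"

set "newname="
set /p "newname=New computer name (pc-xxx-##): "
if not defined newname goto badname

REM The name is later expanded inside a remote "cmd.exe /c" line, so reject
REM anything that is not a well-formed name before it is ever expanded.
REM "set newname" prints the stored value without re-parsing it as a command.
set newname | findstr /r /i /x /c:"newname=pc-[a-z][a-z][a-z]-[0-9][0-9]" >nul || goto badname

REM No -p switch: PsExec prompts for the password without echoing it, so the
REM domain admin password is not stored in a script on the share.
REM Per the post, errorlevel 0 means an object with that name was found.
%PSEXEC% cmd.exe /c dsquery computer -name %newname% ^| dsget computer
if errorlevel 1 goto free

echo A computer object named %newname% already exists.
set "answer="
set /p "answer=Delete the old object? (y/n): "
if /i not "!answer!"=="y" goto abort

%PSEXEC% cmd.exe /c dsquery computer -name %newname% ^| dsrm -noprompt
if errorlevel 1 goto failed
REM Wait for the deletion to take effect in AD (delay taken from the post).
ping localhost -n 30 >NUL

:free
echo %newname% can be used.
exit /b 0

:badname
echo Invalid name, expected the form pc-xxx-##.
exit /b 1

:abort
echo Old object kept, nothing changed.
exit /b 2

:failed
echo Deleting the old object failed.
exit /b 3
```

A PsExec connection or logon failure also yields a nonzero errorlevel, so the script reports a name as usable whenever the lookup does not succeed; check the PsExec output before renaming.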

Of course it is necessary to reboot the computer after renaming it, but we don’t do it yet. First we take care of the other two points.

The description of the computerobject in the directory can be modified with dsmod. This is simple too, we take the value of %description% and use it:

\\server\util\psexec.exe -accepteula \\server -u companydomain.de\Administrator -p password cmd.exe /c dsquery computer -name %computername% ^| dsmod computer -desc "%description%"

For moving the computerobject to another OU I wrote a batch, moveou.bat with the content below:

@echo off
REM Move computerobjects to according organisational units
for /f "Tokens=*" %%s in ('dsquery computer "OU=Departments,DC=companydomain,DC=de" -scope onelevel -name pc-dep1*') do (DSMOVE %%s -newparent "OU=Department1, OU=Departments,DC=companydomain,DC=de")
for /f "Tokens=*" %%s in ('dsquery computer "OU=Departments,DC=companydomain,DC=de" -scope onelevel -name pc-dep2*') do (DSMOVE %%s -newparent "OU=Department2, OU=Departments,DC=companydomain,DC=de")
for /f "Tokens=*" %%s in ('dsquery computer "OU=Departments,DC=companydomain,DC=de" -scope onelevel -name pc-dep3*') do (DSMOVE %%s -newparent "OU=Department3, OU=Departments,DC=companydomain,DC=de")

You have to use ‘for’, because piping more than one result from dsquery to dsmove doesn’t work (usually there should be just one object to move, but who knows). By the way, the OU “Departments” is the OU where RIS/WDS creates the computerobject during installation.

I put the batchfile on the same network share as my other utils. In the mainscript I added a line

\\server\util\psexec.exe -accepteula \\server -u companydomain.de\Administrator -p password cmd.exe /c start/wait \\server\scripts\moveou.bat

So we are finally done with the script. The last thing we have to do is reboot the computer with

shutdown -r -t 0

Of course you can put a lot more things in the script, e. g. software installations using msiexec etc.
Thank you for reading this post and sorry for my bad English and the many line wraps 😉

2009/03/31

Deploy consistent mail signatures for Outlook

Filed under: Outlook — Michael @ 11:33

This is a cool solution. I tried it some days ago and it really makes things easier… All you have to do is:

1. Maintain all required employee information in the user object in Active Directory

2. Create a signature template (Text, RTF and/or HTML)

3. Edit the configuration file for OutlookSignature

4. Put it all together on a central share (e. g. your fileserver)

5. Add a line like “\\server\share\OutlookSignature\OutlookSignature.exe” to your user’s Netlogon-Scripts.

OutlookSignature will read all fields of the AD user object, fill the variables in your template and put the complete signature file in the profile folder of the user.

2009/03/30

How to rename multiple computers in a Windows Domain

Filed under: Windows — Michael @ 13:23

The netdom.exe utility is included in the Windows XP Support Tools (Support\Tools folder on the Windows XP CD-ROM). It can be used for e.g. renaming computers in a Windows domain. I used it in a script some months ago, when our department decided that “more generic” computer names are better than using the primary user’s last name as the computer name (:S).

When you have to rename multiple computers via a batch script, it makes sense to have some list with the old and new names. I did this in Excel. The command line I used with netdom in order to rename a computer was:

netdom.exe renamecomputer <OldComputername> /newname:<NewComputername>
/userd:<Domain-Admin> /passwordd:<Password of Domain-Admin>
/usero:<Domain-Admin> /passwordo:<Password of Domain-Admin>
/reboot:<Time before rebooting in seconds>

(For more detailed information about netdom and a description of the parameters I refer to this and this article.)

In the first step I created a column at the beginning of my Excel sheet and filled it with “netdom.exe renamecomputer”. The second column consists of the old computer name. In the third column I typed “/newname:”, the fourth column is filled with the new computer name and so on. So you see that I “built” each line of my rename script with Excel. Finally you just have to save it as CSV, open it with a text editor, replace all separators with spaces and check the basis of the script for errors.
