Friday, November 13, 2009

Deploying Windows 7 to a domain

Been a while but thought i would add this to my blog.

Preparing Windows 7 to be imaged out the our vanilla domain. For imaging we are currently using Free Open Ghost which is proving to be a very nice imaging suit, but the AD integration has never worked for us so we have always relied on sysprep which under XP was very simple, and would present us with a nice easy setup screen to change workstation name and then add the machine to the domain. With Win 7 sysprep can do the same process but only seems to be able to add the workstation to the domain with a nearly random machine name which is not very helpful so we have come up with a more creative way which seems to work.

Step 1:
Install Windows 7, install drivers, updates and all packages that are required in the image.
Packages we put in as default: Flash, Shockwave, reader, java, realplayer, office, quicktime, photoshop(site licence), openoffice, and VLC.
Disable the UAC in the user control panel.
Step 2:
Create our setup folder structure.
On a networkshare or memory stick create a folder called "c_drive".
Under "c_dirve" create folders "ProgramData" and "Windows".
Under "c_drive\ProgramData" create "Microsoft".
Under "c_drive\ProgramData\Microsoft" create "Windows".
Under "c_drive\ProgramData\Microsoft\Windows" create "Start Menu".
Under "C_drive\ProgramData\Microsoft\Windows\Start Menu" create "Programs".
Under "C_drive\ProgramData\Microsoft\Windows\Start Menu\Programs" create "Startup".
Under "C_drive\Windows" create "System32".
Under "C_drive\Windows\System32" create "Sysprep".

Now we have our folder structure we start to populate it with the files required.

Step 3:
Prepare a unattend.xml.
This file is used by sysprep to minimize the amount of information that needs to be setup after imaging, such as region, timezone, agrement.

To create this file we have used a free microsoft product called "Microsoft Windows AIK" installed on our Win 7 machine.

Insert a windows 7 DVD then run "Windows System Image Manager".

In the "Windows Image" right click and select new image, browse to DVD:\sources and select "install_Windows7 PROFESSIONAL.clg".
In the "Answer File" section right click and create a new answer file.

In the "Windows Image" section under the components find x86_Microsoft-Windows-Inernational-Core(version)_neutral and right click add to oobeSystem.
Under the components find x86_Microsoft-Windows-Shell-Setup_(version)_neutral and right click add to oobeSystem.

Back into the "Answer File" location expand components - oobeSystem, and select x86_Microsoft-Windows-International-Core.

Set everything under the settings on the right to "en-UK".

Select x86_Microsoft-Windows-Shell-Setup in the Answer file. expand to AutoLogon and set Enabled to true, LogonCount to 1, and username to administrator.

expand password and set value to the local administrators password.

Below AutoLogon select OOBE and set HideEULAPage to true, HideWirelessSetup to true, NetworkLocation to Work, and ProtectYourPC to 1.

Below OOBE select UserAccounts and Set the AdministratorsPassword to the same as above.

We now need to create a local user to stop the menu showing during setup, this user will not be required for any other purpose so the password can be set to a long complicated password which we will never need to use.

Right click on LocalAccounts and insert new local account, give the new account a description, display name, group = administrators, any name you like that does not already exists on the machine. Expand the local account and select password and set it to a long random string of chars/numbers/upper and lower-case characters.

Click File - Save Answer File as.... and save it in the previously created folder structure as: C_drive\Windows\System32\Sysprep\unattend.xml

Step 4:
Crate a new file in our file structure C_drive\Windows\System32\Sysprep\addtdom.ps1

Edit the file and add the following on one line changing the domain name to your domain name, and add2dom to the account you use to add machines to the domain, and password to the password of that account.

$credential = New-Object System.Management.Automation.PsCredential("DomainName\add2dom", (ConvertTo-SecureString "password" -AsPlainText -Force))

Then add the line replacing DomainName.local to your domain name:

Add-Computer -DomainName "DomainName.local" -Credential $credential

Save and exit.

Step 5:
Crate a new file in our file structure C_drive\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\runonce.bat

Edit the file and add the following lines:
powershell Set-ExecutionPolicy unrestricted
powershell c:\windows\system32\sysprep\addtdom.ps1
shutdown -r -t 30
del "c:\setup.bat"
del "c:\Windows\System32\sysprep\unattend.xml"
del "c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\runonce.bat"

Save and exit the file.

Step 6:
Create a new file in our file structure c_drive\setup.bat
and add the line:
c:\windows\system32\sysprep\sysprep.exe /oobe /shutdown /unattend:c:\windows\system32\sysprep\unattend.xml

Save and exit.

Step 7:
You now have all the necessary files in place and are ready for gathering the image.
Copy the contents of you created file structure onto the root of c:\ then run c:\setup.bat

Your machine will now sysprep then shutdown, Now is the time to gather the image.

When your workstation next boots all it will prompt you for is a machine name then it will add itself to the domain reset a few times then be ready to use.


Just to remind you I mainly only write this for my own memory but welcome any use and comments.

Friday, March 06, 2009

DanceEjay For Schools Network Edition

Ok, Done this before but since the update to server 2008 my old way failed, so i have deleted the blog and started again.

1) Run a wininstall scan on clean workstation.
2) Perform Full install of Dance EJ, and allow it to run.
3) Run after scan from wininstall.

Right got the MSI to install it now, but still fully aware that is i deploy this MSI and get a user to run it without 'Admin rights', they will recieve a Currupt instalation message.

After running the good old classic tool filemon (updated a lot since i last used it), Noticed the only error seemed to be when a program called reg_start tried to created a TMP file in the windows directory.

I have now enabled write access to the top level windows directory, (no sub directorys) and tested the software again, and it worked.

4) Moved built MSI to Applications share on server.
5) Created a New GPO in Active Directory called 'Software-EjayFS-Music'.
6) In the GPO under 'Computer Configuration - Policies - Software Settings - Software installation' selected 'New Package' and selected the MSI using the full unc path (eg \\server-name\application-share\music\ejay\ejay.msi).
7) In the Same GPO under 'Computer Configuration - Policies - Windows Settings - Security Settings - File System' right click and add file. select the 'c:\windows' directory click 'ok'.
8) Give users 'Write' access, (should now have read and execute, list folder contents, read, and write). Click OK
9) Next make sure 'Configure this file or folder then' is selected and 'Propagate inheritable permissions to all subfolders and files' is selected then click 'ok'.
10) Now simply close the gpo and deploy it to your test workstation and hopefully all should work.

A word of causion THIS PROCCESS DOES GIVE STANDARD USERS WRITE ACCESS TO THE ROOT OF C:\WINDOWS, This is not something i want to give users but until a better solution comes about it is all i have got.