Deploying a WSUS environment with GPO

WSUS, or Windows Server Update Services, is used on a local network to approve or reject Windows updates and security fixes. The benefit of this way of delivering updates is that it gives you as much or as little control over updates as you want. It’s all about choice. So if you do not want the Windows 10 OS upgrade rolling out to your Windows 7 desktops, you have the ability to prevent that.

For Server 2012 R2 it’s quite easy to install WSUS. Start up Server Manager, click Add roles and features, and under Server Roles select Windows Server Update Services; under its role services select WID Database and WSUS Services. Install the WSUS server role.


Once installed, start WSUS and you should be greeted by the WSUS Server Configuration Wizard. If that is not the case you can start it manually from the WSUS Options.

There are a few things you should note before you start.

Join the improvement program if you wish. I generally opt out.

Choose the upstream server. If this is your only WSUS server on the network you will synchronize your updates from Microsoft. Otherwise you can opt for another WSUS server on your network.

Set a proxy server if you need to.

Then connect to the upstream server by clicking the Start Connecting button. This process can take a while and it can actually fail on your first try. Be patient, grab a coffee or something.

Choose the language that you want all your updates in.

Choose which OS or Microsoft Software you want to receive updates for.

Pick which classifications of updates you want. Generally I pick critical, definition, and security updates.

Configure the Sync Schedule. This sets the time at which WSUS checks for new updates and pulls them down from Microsoft. I generally set this for after business hours.

You can now start the initial sync of Windows Updates for the products you selected, go ahead and grab a long lunch, this can take a while.

Now you can set a couple of other options in the WSUS application. I like to set the Automatic Approvals. This way I’m not approving hundreds of updates every week. I set the Critical and Security updates for Windows 7 desktops to automatically approve. You can also set it up for a specific group of computers. You can set this group up either manually or via Group Policy. I will cover the group policy method later in the post.

Next go to Computers in WSUS Options and select Use Group Policy or registry settings on computers. This option allows you to use group policy to set the computer group membership, which is the preferred method. Close it; the next time the sync runs it should pull all the updates down. Please note that generally during initial setup, when I ran the manual sync it would more often than not fail. I had to wait for WSUS to pull the updates automatically on its scheduled evening run.

Now you will have to create two Group Policy Objects. One of the GPOs will be used to set the local update server and other Windows Update options. The other GPO will be used to log users off prior to the updates being applied on the computers. The reason I do this is that the computer will not restart after the updates are pushed if there are any users logged into the computer. The restart is a necessary part of the update.

Here are the things you want to consider when creating these GPOs; when will you be applying these updates, what time of day, which day of the week? These are all questions you should be asking yourself. For instance on my network I schedule my updates for every Wednesday at 10 PM or 22:00. On that same Wednesday evening at 9:30 PM all users are logged off every machine on the network. You don’t want to interfere with your employees but you also don’t want the computer to break from a bad patch or update on a Friday morning. You want to avoid spending the entire Friday and parts of the weekend fixing broken software.

Let’s create the Windows Update policy first:

Open up the Policy Manager either on the server or via Remote Administration Tools.

Create a new policy and name it something like WSUS_Desktops. This will be the desktop update policy and will reside in the OU where all the Network computers are.

Link the new policy to the appropriate OU. It is good practice to test a policy prior to rolling it out, so maybe first link the GPO to a test OU, or set Item Level Targeting for the time being. This is how I do it on my network. Keep in mind that Item Level Targeting is a Group Policy Preferences feature; it does not scope the Administrative Template settings used below, so for those a test OU or security filtering is the real test.

In the new GPO navigate to Computer Configuration, Policies, Administrative Templates, Windows Components, and Windows Update.

Open up Windows Update to view the policies in there.

I only care about 5 of those policies. You can get away with using as few as 2 to push Windows Updates via WSUS using a GPO.

Configure Automatic Updates, this policy setting sets up how the updates are downloaded and how they are scheduled to install. I use option 4 – Auto download and schedule the install. I schedule the install time for every Wednesday at 22:00 or 10pm. Enable it and set the options accordingly for your environment.

Specify intranet Microsoft update service location, this policy setting points the computers to the server where you installed WSUS. Enter the address of the WSUS server and port, for example http://server-name:8530. You don’t need to use a FQDN. If you need to find the port number for your WSUS instance, remote into the server where WSUS resides, open IIS Manager, and select Sites; in the right pane you will see all the running websites and which port they are on. Be aware that over plain HTTP the clients have no way to tell whether the update metadata came from your server or from someone on the network path, so for anything beyond a lab configure WSUS for SSL (port 8531 by default) and use an https:// address here.

Enable the policy and input the address in the two fields under the options pane, same address for both the intranet update service and the statistics server.

Automatic Updates detection frequency, this sets the interval at which the desktop computers check back with the WSUS server to see if there are any new windows updates. Default is 22 hours, this setting is optional.

Turn off the upgrade to the latest version of Windows through Windows Update, this will prevent the dreaded Windows 10 update from appearing on your Windows desktop. This is optional but a wise choice if you choose to enable it.

Enable client-side targeting, this policy setting has only one purpose: it sets the target group in WSUS. Whatever you set as the group name is what the computers that apply this group policy will be sorted under in WSUS. Do not forget to change the Automatic Approvals in WSUS to this group and make sure all the auto approvals are pointing to the right computer group name. The policy will not auto-generate the group in WSUS, you need to create it manually. Once you create it the computers will be added to the group automatically.

One thing to consider is that you might want to change the Security Filtering for the GPO. I changed mine to Domain Computers and removed Authenticated Users, since this policy only targets the machines and not the users this made sense. Do this only on GPOs that carry Computer Configuration settings alone: since MS16-072 (June 2016) clients read user policy in the computer’s security context, so a GPO with User Configuration settings must keep Authenticated Users (or Domain Computers) with at least Read, even if only a user group gets Apply. Once the policy has been in place for a few minutes, run gpupdate from a command line on your test desktop to pull the group policies onto that computer.

Then you can check to see which update server the computer is pointing to by running the following command with elevated privileges on the test desktop…

REG QUERY "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate"

This will show you the WUServer property, which is the Windows Update server address.

If this value or property is not present then the group policy has not been applied yet; you might need to reboot. Alternatively you can try to trigger a detection against the server by running wuauclt /detectnow.
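The same check in PowerShell, as an added example that is not part of the original post: it decodes the values the five policies above write to the client and flags the mistakes that usually show up on a test desktop. It uses only the documented Windows Update policy value names; nothing else is assumed. Run it from an elevated PowerShell prompt on the test machine.

```powershell
# Added example, not from the original post: decode what the WSUS GPO wrote
# to a client and flag the usual mistakes. Uses only the documented Windows
# Update policy value names; run in an elevated PowerShell on the test desktop.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = "$policyKey\AU"

if (-not (Test-Path $policyKey)) {
    Write-Warning 'No WindowsUpdate policy key: the GPO has not applied yet (gpupdate /force, then reboot).'
    return
}

$wu = Get-ItemProperty -Path $policyKey
$au = if (Test-Path $auKey) { Get-ItemProperty -Path $auKey } else { $null }

# Meaning of the "Configure Automatic Updates" options (AUOptions).
$auOptions = @{ 2 = 'Notify before download'; 3 = 'Auto download, notify before install'
                4 = 'Auto download and schedule the install'; 5 = 'Local admin chooses' }
# ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday. Time is the hour (0-23).
$days = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'
$installDay  = [int]$au.ScheduledInstallDay
$installHour = [int]$au.ScheduledInstallTime

[pscustomobject]@{
    WUServer           = $wu.WUServer
    WUStatusServer     = $wu.WUStatusServer
    TargetGroup        = if ($wu.TargetGroupEnabled -eq 1) { $wu.TargetGroup } else { '(client-side targeting off)' }
    AUOptions          = if ($au) { "$($au.AUOptions) - $($auOptions[[int]$au.AUOptions])" } else { '(not set)' }
    ScheduledInstall   = if ($au.AUOptions -eq 4) { "$($days[$installDay]) at $('{0:00}' -f $installHour):00" } else { 'n/a' }
    DetectionFrequency = if ($au.DetectionFrequencyEnabled -eq 1) { "$($au.DetectionFrequency) h" } else { '22 h (default)' }
} | Format-List

# The checks worth doing before trusting this client to the server.
if ($wu.WUServer -ne $wu.WUStatusServer) {
    Write-Warning 'WUServer and WUStatusServer differ; the GPO above sets both to the same address.'
}
if ($wu.WUServer -like 'http://*') {
    Write-Warning 'WSUS is reached over plain HTTP, so update metadata can be altered on the path. Prefer https:// (WSUS SSL, port 8531 by default).'
}
if ($wu.TargetGroupEnabled -eq 1 -and -not $wu.TargetGroup) {
    Write-Warning 'Client-side targeting is on but no group name is set; the machine will land in Unassigned Computers.'
}
```

The warnings are the interesting part: a mismatched statistics server means reporting silently breaks, an http:// address means the update metadata is unauthenticated on the wire, and an empty target group means the auto-approval rules you tied to a named group will never fire for this machine.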

Once you have that working, now you can create a group policy to log users off before the updates roll out each week. This is necessary as the computers might not reboot if users are still logged on to the desktops during the update process. Users need to log off so that the policy can reboot the PCs and roll out subsequent Windows Updates.

Create a new policy and name it something along the lines of Users Log Off. Link this GPO to the appropriate OU, one where all the network users reside. Again you might want to test the policy first before deploying it to everyone in your Domain. Open the GPO to User Configuration, Preferences, Control Panel Settings, Scheduled Tasks.

Create a new task and call it something along the lines of “Log Off Notify”. This task will notify users 15 minutes before they are logged off so they can save their work and not lose it. The task should look similar to the following.

Note the Action for this task is Display a message the message reads “You will be logged off in 15 minutes. Please save and close all your work if you do not wish to lose it.“

In the same Group Policy create another task and call it something along the lines of “Windows Log Off”. This task will log the users off their computers prior to the Windows Updates being applied. It should look like the following.

Note that the Action for this task is Start a program and you are running a force log off command using cmd.exe and switches.
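To test the notify-then-logoff sequence on one machine before wiring it into Group Policy Preferences, here is the same pair of tasks created locally with the ScheduledTasks module. This is an added example, not the post’s own GPP tasks: the post does not show its exact cmd.exe command, so the logoff command (shutdown.exe /l /f), the 21:15/21:30 times and msg.exe for the notice are my choices. It needs Windows 8 / Server 2012 or later for the cmdlets, and msg.exe is not shipped on Home editions.

```powershell
# Added example (not from the post): the "Log Off Notify" and "Windows Log Off"
# tasks registered locally so the sequence can be tested on one machine.
# Assumptions: shutdown.exe /l /f as the forced-logoff command, msg.exe for the
# warning, Wednesday 21:15 / 21:30 ahead of the 22:00 install in the post.

$notifyTime = '21:15'   # 15 minutes of warning
$logoffTime = '21:30'   # the post logs everyone off at 21:30, before the 22:00 install

$notifyAction = New-ScheduledTaskAction -Execute 'msg.exe' `
    -Argument '* /TIME:900 "You will be logged off in 15 minutes. Please save and close all your work if you do not wish to lose it."'
$logoffAction = New-ScheduledTaskAction -Execute 'shutdown.exe' -Argument '/l /f'

$notifyTrigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Wednesday -At $notifyTime
$logoffTrigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Wednesday -At $logoffTime

# Run in the logged-on user's own session with no elevation: a message box and a
# logoff only make sense for that user, and the task needs no extra rights.
$principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited

Register-ScheduledTask -TaskName 'Log Off Notify' -Action $notifyAction -Trigger $notifyTrigger -Principal $principal -Force
Register-ScheduledTask -TaskName 'Windows Log Off' -Action $logoffAction -Trigger $logoffTrigger -Principal $principal -Force

# Confirm what was registered, then fire the notice once by hand to see it on screen.
Get-ScheduledTask -TaskName 'Log Off Notify', 'Windows Log Off' | Select-Object TaskName, State
Start-ScheduledTask -TaskName 'Log Off Notify'
```

Running the tasks as the Users group rather than SYSTEM is deliberate: the GPP version in the post is a user-scoped task for the same reason, and a SYSTEM-level task running shutdown.exe is one more thing a local user could abuse if the task definition were ever made editable.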

That is it! Run some tests on your test computer to see if the Tasks are being pushed to your workstation. Test the tasks, make sure they work. 


Windows 10 Remote Server Administration Tools finally available.

Despite Windows 10 being more like Windows 8 than Windows 7 and a security nightmare, you might be using it at work and there is also a chance you might want to administer your Active Directory. I prefer this method it is easier to work with than having to RDP to the Domain Controller. Microshaft finally decided to release the RSAT tool kit for Windows 10, and you can grab it here: https://www.microsoft.com/en-us/download/details.aspx?id=45520

Install it on your machine and give it a reboot. Once you reboot your computer head over to Control Panel > Programs and Features > Turn Windows features on or off.

Under Remote Server Administration Tools and Role Administration Tools select the features you might want.

Note that the Group Policy Management Tools feature sits under Remote Server Administration Tools > Feature Administration Tools.

There you go, finally you can manage your domain from the comfort of your desktop. Also to note, these features were all installed by default when I installed Windows 10 RSAT; this might be because I upgraded from Windows 7, which had RSAT installed, and Windows 10 did not have an equivalent feature set at upgrade time. I’m thinking there might have been a setting left over from the previous OS version, that’s all. If not, be sure to chime in.

All these features can be accessed from the Administrative Tools section in the Control Panel.

Now you have to find a way to enjoy the shitty OS.

AD Security Filtering and Item Level Targeting, apply specific policies to specific resources.

Let’s talk Active Directory again, AD for short. In my opinion it is an IT administrator’s best friend. It has the potential to eliminate the need for logon scripts, it can simplify software deployments to multiple computers, improve security, and eliminate malware. If you’re an IT admin in a small shop or new to the admin game and haven’t really employed AD on your network beyond the default domain policy, I suggest you have a look into it.

What does Security Filtering and Item Level Targeting do exactly? Well they allow you to apply Group Policies to individual users, computers or groups.

Security Filtering is a basic way of controlling which groups a policy is applied to. When one creates a new Group Policy Object in Active Directory, by default the GPO applies to Authenticated Users. So any user that logs on to the domain, or rather is authenticated by the domain, and sits in the OU where the GPO is linked, will have said policy applied at logon. Now, let’s say you want to limit this to a specific set of users. Perhaps someone in the Accounting department has a specific drive, or access to a drive, that you want mapped when they log on. This is easy to accomplish with Security Filtering. Please be aware that Security Filtering is not the only way to control who gets a particular mapping or setting, not at all. There are several ways to approach this, some more complicated than others; this is merely one of those ways.

The benefit of Security Filtering is that any user, security group, or computer not in the list is left out. It also gives you somewhat finer control, since under the hood it is just the Read and Apply group policy permissions on the GPO, which you can set per group on the Delegation tab. Security Filtering is a top-level filter: at logon the client checks whether you are one of the listed principals, and if you are not, no further checks are performed against this policy. The drawback is exactly that: no further checks are performed within the policy, so for instance if you have a policy that maps various network drives to people in different departments and the drives differ per department, you would have to create a new policy for each department. Note: some people prefer to have separate policies per department and organize theirs just like this. This method works well for large organizations that need to visually separate policies.

Enter Item Level Targeting, a nested form of filtering within a specific Group Policy Preferences item. This is where you can have your entire filtering done inside the policy. It only exists for Preferences items (drive maps, scheduled tasks, local groups and so on), not for Administrative Template settings. Perfect for your smaller offices or filtering resources per department. On my network I use Item Level Targeting to target specific groups which users are members of to map special drives on their computers.

I don’t have that many users that I support and this is a viable solution to me. For larger scale organizations and to be more transparent with your policies use Security Filtering.

There are many ways to filter groups, users, and computers; these are just a couple that are useful.

Side Note: You can also use WMI filters to filter group policies based on specific hardware or software attributes. WMI filters are created in the Group Policy Management Console (under WMI Filters in the domain) and then linked to a GPO; they can match on computer attributes such as the OS version, free disk space, manufacturer, or model. This is perfect if you want to deploy drivers and software to specific machines or a range of machines on your network without adding them to a specific group. Keep in mind that a WMI filter is evaluated on every client at each policy refresh, so a slow query slows policy processing for every machine the GPO is linked to.
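Security Filtering is just the GPO’s ACL, so it can be set and verified from PowerShell as well. The following is an added example, not from the post, that does what the WSUS post above describes (swap Authenticated Users for Domain Computers on a computer-only GPO) and refuses to do it on a GPO that also carries user settings, which would break after MS16-072. The GPO name WSUS_Desktops is the one the WSUS post suggests; the domain name contoso.com is a placeholder. It needs the GroupPolicy module from RSAT.

```powershell
# Added example (not from the post): scope a computer-only GPO to Domain Computers
# with the GroupPolicy module and verify the result. Assumes the GPO name from the
# WSUS post ('WSUS_Desktops') and a placeholder domain (contoso.com). Needs RSAT.
Import-Module GroupPolicy

$gpoName = 'WSUS_Desktops'
$domain  = 'contoso.com'

# Grant Domain Computers Read + Apply group policy: what the Security Filtering list shows.
Set-GPPermission -Name $gpoName -DomainName $domain -TargetName 'Domain Computers' `
    -TargetType Group -PermissionLevel GpoApply

# Dropping Authenticated Users is safe only on a GPO with no User Configuration
# settings: since MS16-072 (June 2016) clients fetch user policy in the computer's
# security context, so a GPO with user settings must keep Authenticated Users (or
# Domain Computers) with at least Read.
$gpo = Get-GPO -Name $gpoName -Domain $domain
if ($gpo.User.DSVersion -gt 0) {
    Write-Warning "$gpoName carries user settings; leaving Authenticated Users with Read instead of removing it."
    Set-GPPermission -Name $gpoName -DomainName $domain -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace
} else {
    Set-GPPermission -Name $gpoName -DomainName $domain -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel None
}

# Show the resulting ACL the way GPMC's Delegation tab does.
Get-GPPermission -Name $gpoName -DomainName $domain -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

The DSVersion check is the cheap way to tell whether a GPO has ever had user settings written to it; a GPO whose user half is at version 0 has none and can be locked down to computer accounts alone.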

Use GPO to set user as a local administrator on a single computer.

This is a revision of a previous post I did. In this version there are fewer steps that need to be performed in the policy. The key here is Item Level targeting, it allows you to apply policies to specific targets in your Active Directory. In this case the target would be a specific computer.

Open up your Group Policy Management Console. Via the run command if you’re on the server: gpmc.msc. I run my policy manager from a Win 7 desktop on the domain, for this you need to install and set up the Remote Server Administration Tools, and run them with Domain Admin credentials. An account that has been delegated the right to create and link GPOs on that OU is enough for this task and is a smaller thing to expose from a workstation. Once you have this open, navigate down through your forest and domain to the right organizational unit (OU) where your new admin policy will sit. Generally you want to apply this in the computer OU, as the policy will be affecting desktops on your domain.

Right click on the OU and select “Create a GPO in this domain, and Link it here…“. Give the new Group Policy Object a new name and click OK. Now right click the new GPO and select “Edit…“, this will bring up the GPO editor.


Since this policy applies to a specific computer, go to Computer Configuration, Preferences, Control Panel Settings, and Local Users and Groups. In the right pane, right click and select New, Local Group. In the properties, for Action: select Update. Group name: will be Administrators (built-in), this is the local Administrators group on all PCs. Rename to: renames the Administrators group on the target PC. Description: is just a description; you might put in here “Administrators for computer X”. Update adds to the group without touching the members already in it; the Delete all member users and Delete all member groups boxes are what would wipe it, so leave those unchecked unless you mean it. Next click Add under the Members: pane. This will bring up the Local Group Member prompt. In the Name: field type in %DomainName%\userid, where userid is a specific logon ID, in my case tuser, my domain Test User account. %DomainName% is a variable and in this case it is the domain that the GPO resides in. If you want to see all the available variables hit F3 in the Name: field.

Click OK on the Local Group Member prompt.


Now click the Common tab in the New Local Group Properties window. Here is where we target which computer that this policy will be applied to. On the Common tab check off Item-level targeting and click the Targeting… button.


In the target editor, on the top left select New Item and Computer Name; the NetBIOS computer name item should appear. In the pane below click the “” button, this is where you select the computer this policy will apply to. Type in a computer name and click Check Names; it should underline the computer name if found correctly.


Click OK, OK, and OK. Congratulations you have successfully assigned a user to the local administrator group on a single computer on the domain.


You can also rename this to reflect more closely what the Action does. Highlight it and press F2, then rename.


Go ahead, close the Group Policy Management Editor, you’re done.

NOTE: If you want to add a single user on the network as an Administrator on all the network computers, your best bet for Item Level Targeting is to create a Security Group and make all domain computers members of this group. Once you’ve done that, use Item Level Targeting and target said group.
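Everything the editor steps above produce ends up as one Groups.xml file in SYSVOL, which is the right place to audit who is being made a local admin where. The script below is an added example, not from the post: it parses such a file and reports group, action, members and item-level targets, and also flags any leftover cpassword attribute, since Group Policy Preferences used to store local account passwords there under a published key (MS14-025). The XML embedded in it is constructed to mirror the post’s item (Administrators (built-in), member %DomainName%\tuser, targeted at one computer named WKS-TEST01, a placeholder); point it at a real file under \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\Groups\Groups.xml to audit a live GPO.

```powershell
# Added example (not from the post): audit a GPO's "Local Users and Groups"
# preference items from the Groups.xml the GUI writes to SYSVOL. The XML below is
# constructed to mirror the post's item; WKS-TEST01 is a placeholder computer name.

$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)"
         image="2" changed="2015-06-03 14:02:11" uid="{B6A5C3E1-0000-4000-8000-000000000001}">
    <Properties action="U" newName="" description="Administrators for computer X"
                deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0"
                groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="%DomainName%\tuser" action="ADD" sid=""/>
      </Members>
    </Properties>
    <Filters>
      <FilterComputer bool="AND" not="0" type="NETBIOS" name="WKS-TEST01"/>
    </Filters>
  </Group>
</Groups>
'@

function Get-GppLocalGroupChanges {
    param([Parameter(Mandatory)][xml]$Xml)
    $actions = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

    foreach ($g in @($Xml.Groups.Group)) {
        if (-not $g) { continue }
        $p = $g.Properties
        # Item-level targeting lives under <Filters>; no Filters means every computer the GPO reaches.
        $targets = @($g.Filters.FilterComputer | ForEach-Object { "$($_.type)=$($_.name)" })
        [pscustomobject]@{
            Group          = $p.groupName
            Action         = $actions[$p.action]
            Members        = (@($p.Members.Member) | ForEach-Object { "$($_.action) $($_.name)" }) -join ', '
            DeleteAllUsers = $p.deleteAllUsers -eq '1'
            Targets        = if ($targets) { $targets -join ' AND ' } else { '(all computers in scope)' }
        }
    }

    # Groups.xml can also carry <User> items; those once stored local passwords in
    # cpassword, decryptable by any domain user (MS14-025). Flag any that remain.
    foreach ($u in @($Xml.Groups.User)) {
        if ($u -and $u.Properties.cpassword) {
            Write-Warning "User item '$($u.Properties.userName)' still carries a cpassword; remove it and rotate that password."
        }
    }
}

Get-GppLocalGroupChanges -Xml ([xml]$sampleXml) | Format-List
```

Run against the real SYSVOL path this gives you a one-screen answer to “which GPOs hand out local admin, to whom, and on which machines”, which is the question an auditor (or an attacker with a plain domain account, since SYSVOL is readable by everyone) will ask of your Preferences items.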

Creating a Windows disk Image for deployment.

This information can apply to both home and business users. I want to create detailed instructions so that the most basic of users can create and deploy the image. For home users you can create a recovery image in case something goes wrong with your PC. For business users this can speed up deployment time to multiple PCs on your network. Either way you can have your desktop recovered in a matter of minutes with a full suite of software, updates, and preferences. You can design the image to be very broad, covering a wide range of hardware, or very specific, targeting a specific set of hardware. The choice is yours. A specific set of hardware would be more geared towards the home user. I will cover Windows 7 deployment. From here on in, all references made to Windows assume we are talking about Windows 7.


The following software and hardware is necessary to create a custom image: a Windows machine with 100GB of free space, a 4GB flash drive, a Windows OS disc, Windows AIK, Oracle VM VirtualBox, DISM GUI, Virtual Clone Drive, the latest driver pack from DriverPack.net, hardware drivers for your specific hardware, and another flash drive or USB hard drive (size will depend on your image size). You could use CDs or DVDs for booting the software, but as of Windows 7 I find that flash drives are more reliable than optical media and less prone to installation errors. Having said this, you will need to create a CD or DVD WinPE image so you can image the VirtualBox operating system, as VirtualBox does not allow booting from a flash drive. But we’ll get to that later.

The Windows machine will be used to create the initial image for the deployment, to install the supporting applications like AIK, VirtualBox, DISM GUI and Clone Drive, and to slip stream all the necessary drivers for your hardware. The driver pack will be used for the WinPE image that will be created with Windows AIK. This will ensure that WinPE is compatible with most hardware out there. WinPE stands for Windows Preinstallation Environment and is used to image the actual hardware; it is small and serves as the front end for deploying the wim images. We will be creating an x86 version of WinPE, as I found that the x64 version has problems detecting some hardware; this also means that when downloading the mass storage and network drivers from DriverPack.net you should download the x86 versions. Your actual OS image architecture will depend on your installation disc for your hardware.

Windows AIK is a 1.7GB download, so get ready for a long wait if your internet connection is a little slower. Once you have everything downloaded you can proceed and install Virtual Clone Drive (VCD). VCD is used to mount iso files; it creates a virtual CD/DVD drive and allows you to install from the iso without having to burn it onto a CD/DVD. Mount the Windows AIK iso in VCD; it’s easy, right click the iso and select Mount (Virtual CloneDrive …). In my case VCD assigned itself to drive letter E.


Open up the drive and run StartCD.exe (if autorun doesn’t kick in), then proceed with the Windows AIK Setup. Agree to the license terms, select your installation location, and let it install. It is recommended to have an up to date .NET Framework installed. Once AIK has installed you can unmount the image. Start the Windows AIK Deployment Tools Command Prompt as Administrator.


WinPE Creation

Here we’ll begin to create the WinPE disc for image capture and creation. More info on creating the WinPE environment. In the command prompt type in the following command:

copype.cmd x86 c:\winpe

Where x86 is the architecture of WinPE and c:\winpe is the destination where it will be copied to. Then you run a command to copy and rename the winpe.wim file.

copy c:\winpe\winpe.wim c:\winpe\ISO\sources\boot.wim

Then you need to add imagex.exe to the WinPE image, this executable is responsible for capturing and deploying wim windows images.

copy "C:\Program Files\Windows AIK\Tools\x86\imagex.exe" c:\winpe\ISO\

Note the quotes around the source path. These are necessary due to the space in the directory structure. Next you will need to create a bootable flash drive. Open up a new command window as administrator.


In the new command window open up Disk Partition manager by typing…

diskpart

Insert your flash drive in to a USB port. In the next few steps we will format the flash drive and make it bootable. Then copy the contents of WinPE to the flash drive.


list disk

This command lists all the disks attached to the computer.

select disk 6

This selects the 6th disk which in this case is the flash drive

create partition primary or create part primary

Creates a primary partition.

select partition 1 or select part 1

Selects the partition you just created.

active 

This marks the partition with focus as active. This informs the basic input/output system (BIOS) or Extensible Firmware Interface (EFI) that the partition or volume is a valid system partition or system volume.

format quick fs=fat32

Quick formats the flash drive partition with the FAT32 file system.

assign letter=f

This command is not really necessary and you can skip it, but you’ll need to unplug and plug the flash drive back into the computer. Alternatively you can use it to assign a drive letter to the flash drive so it appears in Windows.

exit

Exits the disk partition manager. You can also use the above steps to create bootable flash drives in Windows at any point and time.
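The one dangerous step in that sequence is select disk: the number in the post (6) is specific to its machine, and picking the wrong one hands your data disk to format. Here is the same sequence driven from PowerShell with a guard around it, as an added example that is not part of the post. It finds the single attached USB disk via WMI (so it also runs on Windows 7), refuses anything larger than a flash drive, asks for confirmation, feeds the commands to diskpart as a script, and copies the WinPE tree across. It adds a clean step, which the manual sequence above omits and which is needed when the stick already has a partition; the size limit, the WINPE label and the C:\winpe\ISO source path are assumptions.

```powershell
# Added example (not from the post): the diskpart sequence, with a guard that
# refuses to touch anything that is not a single USB disk of flash-drive size.
# Assumptions: 64GB size cap, volume label WINPE, WinPE tree in C:\winpe\ISO.
# Run from an elevated PowerShell prompt.
param(
    [int]$MaxSizeGB = 64,             # anything larger is almost certainly not the stick
    [string]$Label  = 'WINPE',
    [string]$Source = 'C:\winpe\ISO'
)

$usb = @(Get-WmiObject Win32_DiskDrive | Where-Object { $_.InterfaceType -eq 'USB' })
if ($usb.Count -ne 1) {
    throw "Expected exactly one USB disk, found $($usb.Count). Unplug other USB storage and retry."
}
$disk   = $usb[0]
$sizeGB = [math]::Round($disk.Size / 1GB, 1)
if ($sizeGB -gt $MaxSizeGB) {
    throw "USB disk $($disk.Index) ($($disk.Model), $sizeGB GB) is larger than $MaxSizeGB GB; refusing to wipe it."
}

Write-Host "About to wipe disk $($disk.Index): $($disk.Model) ($sizeGB GB)"
if ((Read-Host 'Type YES to continue') -ne 'YES') { return }

# Same commands as the manual session, plus clean, fed to diskpart as a script.
$script = @"
select disk $($disk.Index)
clean
create partition primary
select partition 1
active
format quick fs=fat32 label=$Label
assign
exit
"@
$scriptPath = Join-Path $env:TEMP 'winpe-usb.txt'
Set-Content -Path $scriptPath -Value $script -Encoding ASCII
diskpart.exe /s $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Find the letter diskpart assigned (DriveType 2 = removable) and copy WinPE onto it.
$vol = Get-WmiObject Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 -and $_.VolumeName -eq $Label }
if (-not $vol) { throw "Could not find the freshly formatted volume '$Label'." }
xcopy.exe "$Source\*.*" "$($vol.DeviceID)\" /e /h
```

Insisting on exactly one USB disk is the point: a script that silently takes the first match will, one day, match an external backup drive.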

Before we copy the contents of the WinPE iso directory to the flash drive we need to slip stream the mass storage and network drivers in to the WinPE wim. Remember to pick the appropriate architecture and operating system driver pack from DriverPacks.net. The file we need to tackle is located in C:\winpe\ISO\sources it is the boot.wim file we copied earlier. Create a temporary (C:\Temp) directory. We will mount the wim file with DISM GUI there, the application mounts the contents to a directory where you can make changes and then later commit them to the wim image file. Without DISM GUI we would be doing this via command line, you can thank Mike Celone for this neat little app. One thing to note about Driver Packs, they can only be downloaded via Bit Torrent, you can use the Opera browser if you would like as it has a built in Bit Torrent client.

Launch the application with elevated permissions, as administrator. Choose the wim file located in the sources folder, and select the mount location. Once you have selected the file and mount location click Mount WIM. “DISM is Running…” may take a few minutes; it all depends on the size of the wim file. DISM Output should come back with “The operation completed successfully.”


Click the “Driver Management” tab. Make sure the Force Unsigned and Recursive options are checked. Then proceed to click Add Drivers. DISM is Running. Please wait.. again depending on how many drivers there are this might take a few minutes, be patient. If you have specific hardware drivers you want to use add them here as well. Remember we’re using x86 version of WinPE so you will need to use the 32 bit drivers.


Once this is done click on the “Mount Control” tab and click Dismount WIM. It will ask you if you want to commit changes, click Yes. Again we play the waiting game as DISM GUI does its thing. Once complete you can close DISM GUI; now we need to copy the contents of the ISO folder to the flash drive. Go back to a command line window, either will do, and type in the following.

xcopy C:\winpe\iso\*.* /e F:\

Where f: is the drive letter of the flash drive. Once this process completes we’re done creating the universal WinPE image. You can eject and pull the flash drive from the computer and test it by booting it in another computer. If you followed the instructions you should be good to go. While we’re here we should probably also make an iso image of the WinPE boot disk, this will be later used to capture and deploy the Windows OS image in Virtual Box. A Virtual Box instance can not be booted from a flash drive, so the iso will need to be burned to a CD or mounted in VCD and then booted in the VM. I prefer the latter. In order to create the iso in the Deployment Tools Command Prompt type in the following.

oscdimg -n -bC:\winpe\Etfsboot.com C:\winpe\ISO C:\winpe\winpe.iso


Oscdimg is a command-line tool for creating an image file (.iso) of a customized 32-bit or 64-bit version of Windows PE. -n option enables long file names, and the -b option specifies the location of the El Torito boot sector file. Do not use any spaces. CD-ROMs usually have their own structure of boot sectors, for IBM PC compatible systems this is subject to El Torito specifications. Here is the oscdimg Technet article if you’d like more info in it.
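The mount, add drivers and dismount-with-commit cycle that DISM GUI performs above is the same dism.exe command line the post mentions doing by hand. Here it is as a script, as an added example that is not part of the post, using the post’s paths (boot.wim from copype, C:\Temp as the mount point); the driver folder C:\DriverPacks\x86 is an assumption. It lists the injected drivers before committing and discards the mount if anything fails, so a half-updated boot.wim is never left behind.

```powershell
# Added example (not from the post): the DISM GUI cycle done with dism.exe.
# Paths are the post's; the driver folder is an assumption. Run elevated, from
# the Deployment Tools Command Prompt or any prompt where dism.exe is on the PATH.

$wim     = 'C:\winpe\ISO\sources\boot.wim'
$mount   = 'C:\Temp'
$drivers = 'C:\DriverPacks\x86'     # extracted DriverPack / vendor .inf folders (assumed)

New-Item -ItemType Directory -Path $mount -Force | Out-Null

# A WinPE boot.wim holds a single image, so index 1 is the one to mount.
dism.exe /Mount-Wim "/WimFile:$wim" /Index:1 "/MountDir:$mount"
if ($LASTEXITCODE -ne 0) { throw "mount failed with exit code $LASTEXITCODE" }

$ok = $false
try {
    # /Recurse walks subfolders for .inf files. /ForceUnsigned is the GUI's
    # "Force Unsigned" box: it bypasses driver signature checking, so only use it on
    # drivers from a source you trust; they run in the kernel of every machine you
    # boot from this stick.
    dism.exe "/Image:$mount" /Add-Driver "/Driver:$drivers" /Recurse /ForceUnsigned
    if ($LASTEXITCODE -ne 0) { throw "add-driver failed with exit code $LASTEXITCODE" }

    # Review what actually went in before it is committed.
    dism.exe "/Image:$mount" /Get-Drivers
    $ok = $true
}
finally {
    # Commit on success; discard on any failure so the wim is not left half-updated.
    $action = if ($ok) { '/Commit' } else { '/Discard' }
    dism.exe /Unmount-Wim "/MountDir:$mount" $action
}
```

The /Get-Drivers listing is worth keeping with the image: it is the record of exactly which third-party code was baked into the boot environment, and the thing you will want when a stick misbehaves months later.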

Windows OS image creation

Install Virtual Box on your computer. Create a Windows 7 32bit or 64bit VM, depending on your media and your OS architecture.


Go to New, type in a name for your Virtual Machine (VM), and click Next. Allocate memory to the VM; you want a minimum of 512MB. I would recommend at least 2GB (2048MB), but this all depends on the capability and resources of your host machine. My desktop has 16GB of RAM so freeing up 2GB for the VM is a non-issue. But it’s all hardware dependent. I’d say if you have at least 4GB of RAM give the VM 2 of that. If you do this, do not run too many applications on your host machine while running the VM. Click Next after you have allocated RAM to the VM. Select Create a virtual hard drive now, click Create. For Hard drive file type, I selected VMDK. The reason I selected this is that it is the same format used by VMware, so potentially I could copy this machine to a VM server if I wanted to. Click Next after you have selected the hard drive file type, select Dynamically allocated and click Next. If you select Fixed Size it takes a while to create the virtual disk, which is why I selected Dynamic. For File location and size, I selected the default of 25GB; to save your VMDK in a specific location click the folder icon on the right. Click Create.


Your VM is now created, all you need to do now is install the Operating System.

Insert the Operating System disc into your CD rom drive or mount the iso in CloneDrive. To select the Virtual CloneDrive(VCD) highlight the VM in Virtual Box and click settings, Storage, and add an IDE controller, click Leave Empty. Highlight the Empty controller, and under the Attributes click the disc icon and select the drive letter that corresponds to the Virtual Disc. In my case it’s E.


Click OK. and Start the VM. Click the VM window and start pressing F12 so you can choose the device from which to boot from. Select c for CD-ROM. Boot into the installation menu and start installing Windows in your VM. Install the operating system, all the windows updates and any other applications you would like this image to have. When creating a user during this installation, create a generic user such as User, Admin, or PC. Once you sysprep the OS you will not be able to create that specific User ID again. So if in the final deployed image you want to a User ID named Admin do not use that during the initial VM OS installation.

As a system admin I install all my software over the network using PDQ Deploy, and use Group Policy to push any other mandatory software, drive mappings, printers, etc. So installing software on the OS would be more geared towards a home user or a small business. I mostly use the image to deploy Windows with current updates and such.

Either way this Windows installation, and updates will probably take a while.


Once you see the above and you’ve installed all the applications you desire, it’s time to take a snapshot of your image. The snapshot allows you to revert the VM to a previous state. We want to do this right before running sysprep, as sysprep can only be run a limited number of times on an operating system. To do this, in your Oracle VM VirtualBox Manager on the top right click Snapshots, this will open the snapshots pane, then click the camera button and it will take a snapshot of the operating system state. I do several snapshots just in case I screw something up during installation. I take one right after the Windows updates, one of the bare OS install, and one prior to running sysprep with all the custom software installed. To restore a snapshot the VM needs to be shut down.


A restore is handy when you want to go back and update your image. Every quarter (3 months) I go back to the image and add new updates and software revisions if necessary. This is part of my Disaster Recovery plan. This prevents me from running the lengthy process of Windows updates each time, and with multiple snapshots, I have varying restore points.

The next step is to run sysprep. Sysprep is the System Preparation tool; with Generalize it strips the operating system of machine-specific state (the computer SID, hardware-specific device configuration and so on) so the image can be installed on different hardware without compatibility issues. If you’ve ever set up a desktop computer from Dell, the first-boot experience you saw is almost exactly what this produces. Don’t worry, after we create the image we will slip stream the appropriate hardware drivers into it with DISM GUI. Sysprep is located in C:\Windows\System32\sysprep\sysprep.exe. Double click the executable. Select Enter System Out-of-Box Experience (OOBE), check Generalize, and select Shutdown.

Click OK, this will run a cleanup and generalize phase and then shutdown your VM.

Capturing the Windows Image

Once the VM is shut down mount the winpe.iso we created earlier in Virtual CloneDrive. Also make sure that the VCD is available to the Virtual Machine, you can double check by highlighting the VM, clicking Settings and selecting Storage. Under Controller: IDE you should see Host Drive ‘E:’, where E: should reflect the drive letter corresponding to your computers VCD drive letter.

Now this is important: next you want to boot the VM you just sysprepped and shut down. However, you want to boot it from the mounted WinPE iso, the CD-ROM in the VM. One thing to consider is that you will need to save the Windows image somewhere, and it cannot be inside the VM, so you have options: you can either save it to your host machine by mounting a shared folder in the VM in WinPE via the net use command, or attach a USB drive to the VM via Settings, USB, and clicking the add USB Device icon.

Start the VM, click into its window to give it focus, and keep pressing F12 while it boots to bring up the boot menu. Select the CD-ROM entry to boot the mounted WinPE image.

The above image shows WinPE loading. Once booted you are greeted with a command prompt, generally at X:\windows\system32>. Next you need to work out which drive letters were assigned to what. I usually just walk the alphabet, typing a:, b:, c: and so on until each one answers. In my case the USB drive did not show up in the VM (typical, it rarely works), so we do it the hard way: map a network drive from WinPE and send the image to the host PC. This is why we slipstreamed LAN and storage drivers into the WinPE image earlier. I found four drives: c:, d:, e: and x:. C: is the System Reserved partition, D: is the sysprepped OS, E: is the WinPE CD-ROM and X: is the RAM drive that the running WinPE instance lives on. Note these drives and what is on them; the letters are not the ones the installed OS uses.

First make sure the VM has an IP address: run ipconfig. If you get an IPv4 address that is not 0.0.0.0 and not in the 169.254.x.x range (APIPA, which means no DHCP server answered) you are good to go. If you do not get a usable address, you need to find the right LAN driver, slipstream it into the WinPE wim and recreate the ISO.

Next ping your host computer's IP to make sure the VM can talk to the computer it is running on. Run ipconfig on the host to get its IP address and ping that address from the VM. My host PC's IP was 10.50.70.104, so in the VM I ran

ping 10.50.70.104

and the pings were successful, so the two machines can talk to each other.

Next create a folder called IMAGE in the root of C: on the VM host machine, C:\IMAGE. Right-click the folder, select Properties, select the Sharing tab and click Share. In the File Sharing window type Everyone and click Add (or press Enter). Under Permission Level give Everyone Read/Write and click Share. If you cannot share the folder you will first need to enable File and Printer Sharing in Windows. Remember, sharing is caring. That said, a share that Everyone can write to lets anyone on the LAN replace your image file, so treat it as temporary: restrict it to a single account if you can, and remove it as soon as the image has been copied.

Now map this shared folder from the VM running WinPE with the net use command. The syntax is net use <drive letter> \\server\share; in my case I used

net use z: \\10.50.70.104\image

This maps the shared folder image on the machine with IP 10.50.70.104 to a Z: drive in WinPE. I was also prompted for a user name and password, because I am on a domain and my domain security settings require a valid domain user. Enter the user ID prefixed by the domain, domain\userid, and then the password at the second prompt.

Time to capture the Windows image. If you are not already on the X: drive, switch to it by typing x:. I used the following command to capture the Windows image

e:\imagex.exe /capture d:\ z:\laptopIMG.wim "Laptop Image"

This starts the image capture process.

e:\imagex.exe is the imagex program on the WinPE CD-ROM. It is used both to capture and to apply images.

/capture tells imagex to capture an image.

d:\ is the source: the drive that holds the sysprepped Windows 7 OS.

z:\laptopIMG.wim is the destination path and file name of the image, on the Z: network drive we mapped earlier, which points at the VM host machine.

"Laptop Image" is the name stored inside the image file that is created.
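The drive-letter hunt, the share mapping and the capture above are a sequence of manual checks that is easy to get wrong under time pressure. Below is the same procedure as a script that refuses to continue when a check fails. This is an added example, not part of the original post: it assumes a WinPE built with the PowerShell optional component (WinPE-PowerShell, available from WinPE 4.0 in the Windows ADK; the WinPE 3.0 used above only has cmd.exe, where the same imagex and net use commands apply), and the host IP, share name, account and image names are placeholders taken from the walkthrough.

```powershell
# Added example, not from the original post. Runs inside a WinPE session that includes PowerShell.
# Host IP, share name, account and image names are assumptions matching the walkthrough above.
$HostIp    = '10.50.70.104'
$ShareName = 'IMAGE'
$MapLetter = 'Z:'
$WimName   = 'laptopIMG.wim'
$WimDesc   = 'Laptop Image'
$ShareUser = 'DOMAIN\imageuser'   # hypothetical: the one account given write access to the share

# 1. Refuse to continue without usable networking. 169.254.x.x (APIPA) or 0.0.0.0 means the LAN
#    driver was not slipstreamed into WinPE, or no DHCP server answered.
$ipv4 = ipconfig | Select-String 'IPv4' |
        ForEach-Object { ($_.Line -split ':\s*')[-1].Trim() } | Select-Object -First 1
if (-not $ipv4 -or $ipv4 -like '169.254.*' -or $ipv4 -like '0.*') {
    throw "No usable IPv4 address ('$ipv4'); slipstream the LAN driver into the WinPE wim"
}
ping -n 2 $HostIp | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Host $HostIp does not answer ping" }

# 2. Find the offline Windows volume and imagex.exe by content instead of walking the alphabet.
#    X: is WinPE's own RAM drive and is excluded so we never capture the boot environment.
$letters  = Get-PSDrive -PSProvider FileSystem | ForEach-Object { "$($_.Name):" }
$WinDrive = $letters |
            Where-Object { ($_ -ne 'X:') -and (Test-Path "$_\Windows\System32\ntoskrnl.exe") } |
            Select-Object -First 1
$ImageX   = $letters | ForEach-Object { "$_\imagex.exe" } |
            Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $WinDrive) { throw 'No sysprepped Windows installation found on any drive' }
if (-not $ImageX)   { throw 'imagex.exe not found; is the WinPE media attached?' }
"Capturing $WinDrive with $ImageX"

# 3. Map the share with a named account rather than relying on an Everyone/Read-Write share.
#    The trailing * makes net use prompt for the password instead of putting it on the command line.
net use $MapLetter "\\$HostIp\$ShareName" "/user:$ShareUser" *
if ($LASTEXITCODE -ne 0) { throw "Could not map \\$HostIp\$ShareName" }

# 4. Capture with /verify so the image data is checked as it is written across the network,
#    and always unmap the share afterwards, even if the capture fails.
try {
    & $ImageX /capture "$WinDrive\" "$MapLetter\$WimName" $WimDesc /compress fast /verify
    if ($LASTEXITCODE -ne 0) { throw "imagex /capture failed with exit code $LASTEXITCODE" }
    "Image written to \\$HostIp\$ShareName\$WimName"
} finally {
    net use $MapLetter /delete | Out-Null
}
```

Save it on the WinPE media and run it from the X: prompt with powershell -ExecutionPolicy Bypass -File capture.ps1. The only interactive step left is the password prompt from net use.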

That is most of the hard work; you are almost done. All that is left is to wait for the capture to finish. Once the image is captured, open DISM GUI and mount the wim file as before, but this time add the hardware-specific drivers: LAN, sound, mouse, keyboard, chipset and so on. Grab the drivers from the manufacturer's website and follow the instructions above. If you have several hardware configurations on your network or at home, grab all the drivers needed and slipstream them all into the wim file. One thing to note: slipstreaming video drivers will not work. I am fine with that, since they change so often it is a non-issue for me; you can always drop the driver installer executable into a folder inside the Windows 7 image. Unmount the image in DISM GUI, committing the changes. Your image is complete; all that is left is to deploy it to a machine.

Windows Image deployment

To deploy the image, plug the WinPE flash drive and the USB drive holding the Windows wim file into the target computer. Change the boot priority in the PC's BIOS so it boots from the WinPE flash drive. Once in WinPE, locate all the drives and identify which is which; write it down. Then enter the disk partition manager again: we will erase the primary drive in the machine and leave the flash drive and USB drive alone. Check the output of list disk carefully before running clean, because on some machines a USB stick can enumerate as disk 0 and the internal drive as disk 1, and clean is not reversible. Enter the following commands at the command prompt:

diskpart – enters the partition manager

list disk – lists all disks connected to the machine; confirm which number is the internal drive by its size

select disk 0 – selects the primary disk

clean – wipes the partition table on the disk

create partition primary size=300 – creates a 300 MB partition

select partition 1 – selects the partition you just created

format quick fs=ntfs label="System" – quick formats it as NTFS with the label "System"

assign letter=S – assigns drive letter S to the System partition that was just formatted

active – marks the partition active so the BIOS boots from it

create partition primary – creates a second primary partition using the rest of the drive

select partition 2 – selects the 2nd partition

format quick fs=ntfs label="Windows" – quick formats the 2nd partition as NTFS with the label "Windows"

assign letter=C – assigns drive letter C to the 2nd partition

exit – exits the diskpart utility

Now let’s image the freshly formatted drive with your Windows image. Assuming that the WinPE flash drive is on drive F: and the USB drive with the Windows image on drive G:, run the following command.

f:\imagex.exe /apply g:\laptopIMG.wim 1 C:

f:\imagex.exe – is the image management application located on the WinPE flash drive

/apply – is the switch to tell the application to apply a wim image

g:\laptopIMG.wim – is the location of the image file in the USB drive

1 – is the image index: a wim can hold several images, and index 1 is the one we captured

C: – is the destination that the image is to be applied to

Update: I forgot to mention an important step in deploying the image. Before restarting the computer after imaging, bcdboot has to be run. BCDboot initializes the Boot Configuration Data (BCD) store and copies the boot environment files to the system partition; without it the machine has no boot loader to start from. For example, at the command prompt type one of the following.

C:\windows\system32\bcdboot C:\windows       (for an x86 OS)

C:\windows\SysWOW64\bcdboot C:\windows       (for an x64 OS)

The SysWOW64 path is needed for a 64-bit image because our WinPE is 32-bit: the bcdboot.exe in an x64 image's System32 is a 64-bit binary and will not run under 32-bit WinPE, whereas SysWOW64 holds the 32-bit copy, which will. A 64-bit WinPE can use System32 directly. Adding /s S: points bcdboot explicitly at the System partition we assigned S: rather than leaving it to pick a target itself.
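The deployment steps (diskpart, imagex /apply, bcdboot) are another sequence worth scripting, mostly because clean is the one step that destroys data when the wrong disk is selected. Below is an added example, not part of the original post, that feeds the same partition layout to diskpart as a script file, makes the operator confirm the disk list first, and picks the bcdboot copy that can actually run. It assumes a WinPE with the PowerShell optional component (the same commands work one by one in cmd.exe on a plain WinPE) and a BIOS/MBR machine as in the walkthrough; the USB drive letters are discovered rather than assumed.

```powershell
# Added example, not from the original post. Runs inside a WinPE session that includes PowerShell.
# Assumes a BIOS/MBR target, as in the walkthrough; the image name and index are assumptions.
$WimName    = 'laptopIMG.wim'
$WimIndex   = 1
$TargetDisk = 0

# 1. Locate the WIM and imagex.exe on whatever letters WinPE handed the two USB sticks.
$letters = Get-PSDrive -PSProvider FileSystem | ForEach-Object { "$($_.Name):" }
$Wim    = $letters | ForEach-Object { "$_\$WimName" }   | Where-Object { Test-Path $_ } | Select-Object -First 1
$ImageX = $letters | ForEach-Object { "$_\imagex.exe" } | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $Wim -or -not $ImageX) { throw "Could not find $WimName and imagex.exe on the attached drives" }

# 2. 'clean' is irreversible and a USB stick can enumerate as disk 0 on some firmware:
#    show the disk list and require an explicit confirmation of the target before wiping it.
'list disk' | diskpart | Write-Host
if ((Read-Host "Disk $TargetDisk above will be wiped. Type WIPE to continue") -cne 'WIPE') {
    throw 'Aborted by operator'
}

# 3. Same layout as the manual steps, run from a script file so it is repeatable and its
#    exit code can be checked instead of eyeballing fourteen prompts.
$layout = @"
select disk $TargetDisk
clean
create partition primary size=300
select partition 1
format quick fs=ntfs label="System"
assign letter=S
active
create partition primary
select partition 2
format quick fs=ntfs label="Windows"
assign letter=C
exit
"@
$layoutFile = 'X:\layout.txt'            # X: is WinPE's RAM drive, writable and gone after reboot
Set-Content -Path $layoutFile -Value $layout -Encoding ASCII
diskpart /s $layoutFile
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE; disk $TargetDisk may be partially wiped" }

# 4. Apply the chosen image index to the Windows partition.
& $ImageX /apply $Wim $WimIndex C:\
if ($LASTEXITCODE -ne 0) { throw "imagex /apply failed with exit code $LASTEXITCODE" }

# 5. bcdboot is taken from the applied image. Under a 32-bit WinPE the 64-bit System32 copy in an
#    x64 image cannot execute, but the 32-bit copy in SysWOW64 can; preferring SysWOW64 when it
#    exists therefore works for x86 and x64 images under either WinPE bitness.
$bcdboot = if (Test-Path 'C:\Windows\SysWOW64\bcdboot.exe') { 'C:\Windows\SysWOW64\bcdboot.exe' }
           else { 'C:\Windows\System32\bcdboot.exe' }
& $bcdboot C:\Windows /s S:             # /s: write the boot files to the System partition explicitly
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }
'Done: remove the flash and USB drives and reboot.'
```

If assign letter=C fails because WinPE already gave C: to one of the USB sticks, change the letter in the layout and in the /apply and bcdboot lines together; the installed OS will still see its own volume as C: after the first boot.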

Wait for it to finish, power down the computer, and remove the flash and USB drive. Then boot up the computer and go through the setup process such as creating a User, setting the time zone, adding to the domain… etc.

Enjoy.

Happy Christmas and a Merry New Year.

Information Technology, it ain’t easy, but it sure is rewarding.

Let’s face it, Information Technology is all about disassembling information and interpreting it into real world solutions and sometimes problems. It is a job in which you are constantly evolving your knowledge and problem solving is your number one asset, well, that and support contracts.


This week I learned a valuable lesson, LTO tapes are only good for 50 uses and that’s best case scenario and in optimal conditions. They also should be stored on their side, not laying flat, and should not be transported in a backpack, hand bag, purse, or European carry all, vibrations damage these things. A bad tape will break your LTO5 drive. In the last 2 weeks both my Tape Library drives died due to bad tapes. When I tried to look for some detailed information about the life expectancy of an LTO tape I found some arbitrary metrics about how many times a tape can be loaded but that’s about it. Speaking to the Dell representative he shone some light on this matter and I was able to get some concrete information as per above. He also told me that I can open up the drive and remove the bad tape without voiding my warranty. I liked that it meant I get to tinker with a new piece of hardware . Brought me back to my youth when my brother handed me his broken walkman, “If you can fix it, it’s yours”. At 9 years old armed with a screw driver and determination I tinkered with that thing for hours. I had to remember where each screw went and what part it belonged to. I never fixed that walkman, but I did identify the problem. I got a lot of joy from taking electronics apart at a young age, even the ones that weren’t broken.

Here is what the LTO5 Half Height tape drive looks like from the inside.

Either way the whole ordeal wasn’t a very pleasant experience. Two weeks without any backups is quite stressful. During this time I really wanted to drive the tape library out to the field and go office space on its ass. I joke about it now but it’s funny how when things break it’s never anything simple. #itguyproblems

Use GPO to add a single admin user to only one computer on the domain.

UPDATE: This post has some great ideas, however if you’d like an easier way to accomplish this with Item-level targeting navigate to this new post.

In this post I am going to detour from the usual Home Theatre write-up. I still have more Home Theatre to go through, however I thought I would give this topic a little attention. Recently I embarked on locking down my company's computer systems, and what better way to do it than with Group Policy. Well, I ran into a little problem when I tried to assign a single user as a local administrator on a single domain computer: it seemed impossible to accomplish with Restricted Groups, as they apply to every computer in the OU, not to one single computer.

I searched the dark recesses of the internet and thought I had found a link on social.technet, but as it turned out this did not allow me to do all the work remotely and I had to add additional groups to the computers. Then, looking further over what Alan Burchill wrote, I concluded that with his implementation of the policy local administrators would be able to add other network users as local administrators, and this did not work for me. I want to rule with an Iron Fist!!!

Either way, what Alan had set out in black and white was a very good start and it really helped. Some of the comments on the post also shed some light on the behaviour of the policy. You can find Alan's blog post on this here: http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/.

What is nice about this method is that it re-enforces the group membership every time the policy refreshes or anyone logs on to a computer in the OU. If anyone adds another admin user to the group, they will be removed at the next refresh. Likewise any old administrators that were added manually to PCs in the past, and have since left, will be removed.

Well let’s get on with it then, shall we.

My environment consists of Server 2008 R2 and Windows 7 machines.

I run my policy editor on my local machine, however I recommend you run it off your server since you can run gpupdate /force from there as it propagates faster this way.

1. Start the policy editor on your server by going to Start > Run > gpmc.msc

Create a new policy under the OU that contains your domain computers.

2. Edit the policy and navigate to Local Users and Groups: Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups.

3. Right click in the right pane of the window and select New > Local Group, you will be prompted with a New Local Group Policy window.

4. Set Action to Update, from the Group name drop-down list select "Administrators (built-in)", and check "Delete all member users" and "Delete all member groups". Use these two options only on the first Order item: they clear any users and groups previously assigned to the local Administrators group, and every later item must leave them unchecked.

5. Next add a single member to this Local Group item. Click Add and you will be prompted with the Local Group Member window; in the Name: field type "BuiltIn\Administrator". This adds the built-in Administrator account present on every machine to the Administrators group. For Action: select Add to this group.

6. Your Local Group Properties window should look like the following image. If yours looks the same go ahead and click OK.


7. This will take you back to the Group Policy Management Editor and you will have one policy with Order 1. The order is the order in which these policies get applied in. Since we’ll be adding more policies you may want to rename this policy in the Editor to something more descriptive like “Built in Local Admin”, highlight the policy and press F2 to do so.


In Alan's blog he groups the assignment of the built-in Administrator account and the Domain Admins group into one Local Group item. What I have found is that if an item has more than one member to add and one of those members does not exist or is misspelled, processing of that Local Group item stops at the error and none of the remaining member assignments are applied. As good practice, assign one member per Order.

8. Let’s create a new policy. This time we will add the Domain Admins group as Administrators to all the OU computers. Follow steps 3 & 4 again, with one exception, do not check off  “Delete all member users” and “Delete all member groups” leave these unchecked otherwise when this policy is processed it will remove the previous members from policy Order 1  (Built in Local Admin).

9. When adding the member as in step 5, click in the Name: field and hit F3. You will be prompted with a Select a Variable window, select “DomainName” and make sure Resolve Variable is checked off then proceed and click Select. This will populate the Name field in the Group Member window add “\Domain Admins” to this so you have “%DomainName%\Domain Admins” in the Name field and click OK.


Your new policy should look something like the following image. You may not have a Domain Admins group on your domain, and if that is the case substitute the name of the group to the one that matches up with your domain administrators group. Now you should have two groups, go ahead and rename the second one as well. I renamed mine to Domain Admins.


10. In my 3rd order item, since the built-in Administrator account is disabled by default, I ended up adding a local user account named "User" to all computers in the OU. Right-click and select New > Local User; it is very similar to creating a new user on the domain. Be aware of what a password set in this item means: Group Policy Preferences store it in the GPO in SYSVOL as a cpassword, encrypted with a key Microsoft has published, so any domain user who can read SYSVOL can recover it (MS14-025 later removed the password fields from the editor for this reason). The same password on every machine also means one compromised PC yields admin on all of them. Set a unique per-machine password through another mechanism, such as Microsoft's LAPS, rather than through this item.


11. In my 4th order item I add the User account to the Administrators (built-in) group. The only difference from step 9 is that instead of the %DomainName% variable I use %ComputerName%. Note that you do not need to hit F3 to select the variable; you can type it in manually, i.e. "%ComputerName%\User". It should look like the following image. Click OK and rename the item.


12. Now this is where the magic happens and we create an individualized local admin policy for a single computer. Before we create that policy we need to rename the Administrators group on each computer to something unique; after pondering this for a while I came up with the following solution. Create a new Local Group item: Action: Update, Group name: Administrators (built-in), Rename to: %ComputerName%.ADMIN. Do not add any members, leave that section blank and click OK. Rename the item if you like. Note that renaming changes only the display name: the group keeps its well-known SID S-1-5-32-544, so Windows and anything that resolves the group by SID still treat it as Administrators, while scripts and tools that look it up by the literal name "Administrators" will need updating.


The key here is %ComputerName%.ADMIN: each computer renames its local Administrators group to something unique, in this case derived from its own name. For example a computer named DMCL-00203 renames the group to DMCL-00203.ADMIN, as seen below.


Once you have this in place you are able to add individual local administrators by creating new Local Group policies with higher orders than the policy which renames the local admin group.

13. To add a local administrator to computer DMCL-00203, create a new Local Group item: Action: Update, Group name: DMCL-00203.ADMIN, and add a member using %DomainName%\UserId, where UserId is a valid domain account.


You can add more member accounts to this item, but remember that if it errors out or an account is invalid the item may not be applied to the computer at all. That is it: you should now have 6 items in place, plus more depending on how many computers need local admin users. The order of the items is important; for example you cannot add a local user to the admin group in order 6 if that user account is only created in order 7. Keep this in mind when designing your policy.


IMPORTANT UPDATE: It turns out that every computer in the OU shows all of the per-computer admin groups created by the policy in its local Users and Groups (see below). The reason is that Action: Update creates a group that does not yet exist, so a computer that is not DMCL-00203 still creates an empty local group called DMCL-00203.ADMIN and adds the domain user to it. That group is a plain new local group, not the renamed Administrators group, so its members get no admin rights there. Having tested this, the users only have admin access to the computer they were assigned to; on the other machines it is purely cosmetic, though confusing to anyone auditing local groups later.

To keep each per-computer item from touching any machine except its target, use "Item-Level Targeting", available under the Common tab. So at the end of step 13, click the Common tab, check Item-level targeting and click the Targeting button. Then in the Targeting Editor select New Item > Computer Name and type in the computer name, or look it up in the domain with the ... button.
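Because the policy both renames the Administrators group and relies on item order, it is worth checking on a target machine what the items actually produced rather than trusting the editor view. The script below is an added example, not part of the original post: run it on a domain workstation after gpupdate. It finds the local Administrators group by its well-known SID, so it works whether or not the rename item has applied, lists the members with their source (machine or domain), and flags anything outside an expected list. It needs only PowerShell 2.0 (Windows 7) and the WinNT ADSI provider; the expected member list is a hypothetical one matching the items described above.

```powershell
# Added example, not from the original post. Run locally on a domain PC (PowerShell 2.0 or later).
# The expected members are an assumption matching the items in the steps above; add the
# per-machine domain account from step 13 for the computer you are checking.
$Expected = @('Administrator', 'Domain Admins', 'User')

# Resolve the local Administrators group by its well-known SID. The rename item changes the name
# to <COMPUTERNAME>.ADMIN but never the SID, so this lookup keeps working on every machine.
$sid       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

# Enumerate the members with their source so DOMAIN\User and PC\User are not confused.
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $path = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)   # WinNT://SOURCE/name
    $path -replace '^WinNT://', '' -replace '/', '\'
}

"Local Administrators group is currently named: $groupName"
if ($groupName -ne "$env:COMPUTERNAME.ADMIN") {
    "  -> the rename item (order 5) has NOT applied on this machine"
}
"Members:"
$members | ForEach-Object { "  $_" }

# Anything outside the expected list is either a member the first item should have stripped
# (Delete all member users/groups) or one added by a per-computer item that also hit this machine.
$unexpected = $members | Where-Object { $Expected -notcontains ($_.Split('\')[-1]) }
if ($unexpected) {
    "Unexpected members (investigate which order added them):"
    $unexpected | ForEach-Object { "  $_" }
} else {
    "Membership matches the expected list."
}

# The per-computer groups that Update created on non-target machines show up here; each should
# be absent once item-level targeting is in place.
"Other local groups ending in .ADMIN on this machine:"
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$computer.psbase.Children |
    Where-Object { $_.SchemaClassName -eq 'Group' -and $_.Name -like '*.ADMIN' -and $_.Name -ne $groupName } |
    ForEach-Object { "  $($_.Name)" }
```

Run it under an account that can read local group membership (any member of the machine's Administrators group). The SID-based lookup is also the approach to use in any other script that touches the group once it has been renamed.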
