How to apply Local Group Policy settings silently using the ImportRegPol.exe and Apply_LGPO_Delta.exe utilities.

By Brian Gonzalez

In many organizations, the AD support team is separate from the team in charge of imaging. The AD team is naturally protective of its setup and fights any GPO setting that would mean more responsibility for its staff. So on some occasions that leaves us having to turn to Local Group Policy to apply the settings we want. I've recently come across some great tools that Microsoft provides (very quietly) for government usage. These tools let you back up your LGPO settings to a text file and apply them on demand, silently, with a script.

MS link: http://blogs.technet.com/cfs-file.ashx/__key/communityserver-components-postattachments/00-03-05-16-48/LGPO_2D00_Utilities.zip
BackUp link: https://panaconsulting.egnyte.com/h-s/20120118/077e07ba18c74413

How to use:

  1. Apply desired settings on a Windows 7 test machine, using the gpedit.msc MMC snap-in.
  2. Run ImportRegPol.exe with the /parseonly and /log switches to pull the settings and save them to a specified LOG file. User settings and machine settings need to be captured separately:

     Capture User Settings example:
     ImportRegPol.exe /u C:\Windows\System32\GroupPolicy\User\registry.pol /parseonly /log <PathToSettingsFile>.log

     Capture Machine Settings example:
     ImportRegPol.exe /m C:\Windows\System32\GroupPolicy\Machine\registry.pol /parseonly /log <PathToSettingsFile>.log
  3. Use the Apply_LGPO_Delta.exe utility to apply the settings silently. The settings take effect on restart.
    Apply_LGPO_Delta.exe <PathToSettingsFile>.log /log <PathToLogFile>.log
  4. This can easily be added to an SCCM or MDT Task Sequence and tied to logic to ensure the correct settings get pushed to the appropriate target systems/users.
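The capture and apply steps above, wrapped in a PowerShell script so they can run unattended from a task sequence. This is an added example, not code from the original post or from the LGPO utilities themselves; the tool and output folder paths are assumptions. Because the help text says errors go to a message box unless /error is given, the wrapper always passes /error and treats a non-empty error log as a failed run, which is what keeps the step truly silent.

```powershell
# Added example (not from the original post). Paths below are assumptions.
$ToolDir     = 'C:\Tools\LGPO'            # assumed location of ImportRegPol.exe / Apply_LGPO_Delta.exe
$SettingsDir = 'C:\Tools\LGPO\Settings'   # assumed folder for captured settings and logs
$UserPol     = "$env:SystemRoot\System32\GroupPolicy\User\registry.pol"
$MachinePol  = "$env:SystemRoot\System32\GroupPolicy\Machine\registry.pol"

function Invoke-LgpoTool {
    param([string]$Exe, [string[]]$Arguments, [string]$ErrorLog)
    # Remove a stale error log so that its presence afterwards means "this run failed".
    if (Test-Path $ErrorLog) { Remove-Item $ErrorLog -Force }
    # /error sends failures to a file instead of a message box, so nothing blocks the task sequence.
    $p = Start-Process -FilePath $Exe `
                       -ArgumentList ($Arguments + @('/error', "`"$ErrorLog`"")) `
                       -Wait -PassThru -NoNewWindow
    if ((Test-Path $ErrorLog) -and (Get-Item $ErrorLog).Length -gt 0) {
        throw "$Exe reported errors (see $ErrorLog):`n$(Get-Content $ErrorLog -Raw)"
    }
    return $p.ExitCode
}

function Export-LocalPolicy {
    # Step 2: capture user and machine settings separately with /parseonly + /log.
    New-Item -ItemType Directory -Path $SettingsDir -Force | Out-Null
    Invoke-LgpoTool "$ToolDir\ImportRegPol.exe" `
        @('/u', "`"$UserPol`"", '/parseonly', '/log', "`"$SettingsDir\User.log`"") `
        "$SettingsDir\User.err"
    Invoke-LgpoTool "$ToolDir\ImportRegPol.exe" `
        @('/m', "`"$MachinePol`"", '/parseonly', '/log', "`"$SettingsDir\Machine.log`"") `
        "$SettingsDir\Machine.err"
}

function Import-LocalPolicy {
    # Step 3: Apply_LGPO_Delta accepts several input files, so both captures go in one run.
    Invoke-LgpoTool "$ToolDir\Apply_LGPO_Delta.exe" `
        @("`"$SettingsDir\User.log`"", "`"$SettingsDir\Machine.log`"", '/log', "`"$SettingsDir\Apply.log`"") `
        "$SettingsDir\Apply.err"
}

# Run Export-LocalPolicy on the reference machine; copy the Settings folder into the
# deployment share and run Import-LocalPolicy on targets (the /boot switch is left out
# so the task sequence controls the restart).
```

Keep the captured .log files under change control: they are the authoritative record of which policy settings are being pushed, and a diff between two captures shows exactly what changed on the reference machine.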

Command Line help for LGPO Tools:

Apply_LGPO_Delta.exe inputfile0 [inputfile1 ...] [/log LogFile] [/error ErrorLogFile] [/boot]

inputfileN             One or more input files specifying the changes to make.  Input files must be security template files, or registry-based policy files using a custom file format described below.  Apply_LGPO_Delta automatically determines whether a file is a custom policy file or a security template.  Security templates can be created using the “Security Templates” MMC snap-in.

/log LogFile           Writes detailed results to a log file.  If this option is not specified, output is not logged nor displayed.

/error ErrorLogFile   Writes error information to a log file.  If this option is not specified, error information is displayed in a message box dialog.

/boot                  Reboots the computer when done.


ImportRegPol.exe -m|-u path\registry.pol [/parseOnly] [/log LogFile] [/error ErrorLogFile] [/boot]

-m path\registry.pol   [for Computer configuration] or

-u path\registry.pol   [for User configuration]

Path\registry.pol specifies the absolute or relative path to the input registry policy file (which does not need to be named “registry.pol”).

/parseOnly             Reads and validates the input file but does not make changes to local group policy.  In conjunction with the /log option, can be used to convert a registry policy file to an input file for Apply_LGPO_Delta.

/log LogFile           Writes detailed results to a log file.  If this option is not specified, output is not logged nor displayed.  The logged results for the registry policy settings can be used as input for Apply_LGPO_Delta.

/error ErrorLogFile   Writes error information to a log file.  If this option is not specified, error information is displayed in a message box dialog.

/boot                  Reboots the computer when done.


-Brian G


“SMS Collection Evaluator failed to process Collection Settings changes” error in SCCM 2007

By Brian Gonzalez

I received the “SMS Collection Evaluator failed to process Collection Settings changes” error in SCCM on the “SMS_COLLECTION_EVALUATOR” component. The fix was simple and had simply been overlooked during the SCCM installation:

1. Open the ADSI editor.
2. Browse to the “System Management” container. It should be listed under the “System” container.
3. Right-click the “System Management” container and click “Properties”.
4. Click the “Security” tab and check whether the “$” computer account exists. If it exists, skip to step 6.
5. Click “Add”, then “Object Types”, and check “Computers”. Next, type the computer name of the SCCM server and click “OK”.
6. Click “Advanced”, highlight the “” entry and click “Edit”.
7. Change the “Apply To” drop-down to “This object and all descendant objects” and check the “Allow Full control” permission.
8. Restart the SCCM server.

-Brian G


How to add an application or script after MDT is complete.

By Brian Gonzalez

A customer needed to run an application installation that caused the MDT cleanup scripts to fail. In that case, I figured the best bet was to perform the installation after the MDT cleanup process is complete.

1. Remove the portions of the LTICleanUp.wsf and Litetouch.wsf scripts that remove the “AutoAdminLogon” values:

LTICleanUp.wsf: (starting at Line 124)

oLogging.CreateEntry "Removing AutoAdminLogon registry entries", LogTypeInfo
On Error Resume Next
'Comment out the following lines:
'oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon", "0", "REG_SZ"
'oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName", "", "REG_SZ"
'oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName", "", "REG_SZ"
'oShell.RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword"
'oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonCount", &H00000000, "REG_DWORD"
On Error Goto 0

Litetouch.wsf changes: (starting at line 947)

On Error Resume Next
'oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon", "0", "REG_SZ"
On Error Goto 0

2. Next, create an application in MDT that calls a batch file. The batch file stages the install files on the local disk and calls them via the “RunOnce” registry value (or adds a shortcut to the Administrator's Startup folder).

Example silent.bat contents:

xcopy "%~dp0*.*" "c:\windows\temp\OpenOffice\" /heyi
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v Path /t REG_SZ /d C:\Windows\Temp\OpenOffice\Install.bat

Install.bat contents:

start /w "" "%~dp0OpenOfficeNinite.exe"
cscript "%~dp0DisableAutoLogonEntries.vbs"

DisableAutoLogonEntries.vbs contents:

Set objShell = WScript.CreateObject("WScript.Shell")
objShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon", "0", "REG_SZ"
objShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName", "", "REG_SZ"
objShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName", "", "REG_SZ"
objShell.RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword"
objShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonCount", &H00000000, "REG_DWORD"
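Because this approach deliberately leaves the AutoAdminLogon values (including the clear-text DefaultPassword) in place until Install.bat has run, it is worth verifying afterwards that DisableAutoLogonEntries.vbs really did its job and that the RunOnce hook was consumed. The following PowerShell check is an added example, not code from the original post or from MDT; it assumes the RunOnce value name “Path” used in silent.bat above and can be run as a final task sequence step or from a compliance job.

```powershell
# Added example (not from the original post): verify that the deferred autologon
# cleanup actually ran and nothing from the RunOnce hand-off is left behind.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$RunOnce  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

function Test-AutoLogonCleanup {
    param([string]$RunOnceValueName = 'Path')   # value name written by silent.bat (assumed)
    $wl = Get-ItemProperty -Path $Winlogon
    $findings = @()

    if ($wl.AutoAdminLogon -ne '0') {
        $findings += "AutoAdminLogon is '$($wl.AutoAdminLogon)' (expected '0')"
    }
    # DefaultPassword holds the autologon password in clear text; it must not survive the build.
    if ($null -ne $wl.PSObject.Properties['DefaultPassword']) {
        $findings += 'DefaultPassword value still exists'
    }
    foreach ($name in 'DefaultUserName', 'DefaultDomainName') {
        if (-not [string]::IsNullOrEmpty($wl.$name)) {
            $findings += "$name is still set to '$($wl.$name)'"
        }
    }
    if ($wl.AutoLogonCount -gt 0) {
        $findings += "AutoLogonCount is $($wl.AutoLogonCount) (expected 0)"
    }

    # A leftover RunOnce entry means Install.bat never ran (or is still queued to run again).
    $ro = Get-ItemProperty -Path $RunOnce -ErrorAction SilentlyContinue
    if ($ro -and $null -ne $ro.PSObject.Properties[$RunOnceValueName]) {
        $findings += "RunOnce value '$RunOnceValueName' still queued: $($ro.$RunOnceValueName)"
    }

    [pscustomobject]@{ Clean = ($findings.Count -eq 0); Findings = $findings }
}

# Fail the step (non-zero exit) when anything is left behind, so the task sequence
# or monitoring job flags the machine instead of silently passing it.
$result = Test-AutoLogonCleanup
$result.Findings | ForEach-Object { Write-Warning $_ }
if (-not $result.Clean) { exit 1 }
```

The check mirrors exactly the five values DisableAutoLogonEntries.vbs writes, so a finding maps directly to a line of that script that did not take effect.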

/Brian G


Creating Simple and/or Smart Custom Wizard Panes (Prompts) for MDT using the Wizard Editor.

By Brian Gonzalez

Using the Wizard Editor is fairly self-explanatory for adding simple wizard panes. In 90%+ of deployment scenarios, a simple wizard pane with a couple of radio buttons suffices.

Here is a simple “Department Name” wizard pane, which includes two radio buttons: “IT Department” and “Sales”. After the wizard is answered, a “DepartmentName” variable is created and populated with either “ITDEPT” or “SALES” based on the selection:

<H1>Choose the User Department.</H1>
<table>
 <tr>
   <td><input type=radio name="DepartmentName"
   id="DTRadio1" checked value="SALES" accesskey=s language=vbscript />
   <label class=Larger for=DTRadio1 language=vbscript >
   <u class=larger>S</u>ales Department.</label></td>
 </tr>
 <tr></tr>
 <tr>
   <td><input type=radio name="DepartmentName"
   id="DTRadio2" value="ITDEPT" accesskey=u language=vbscript />
   <label class=Larger for=DTRadio2 language=vbscript >
   <u class=larger>I</u>T Department.</label></td>
 </tr>
</table>

[Screenshot: Department Name Wizard]

Now let's create a more advanced prompt for the 10% of cases when radio buttons are not enough. This prompt asks for a string named “NewUserName” and verifies that the string entered is 10 characters long and contains only letters.

<H1>Please enter the System's New UserName.</H1>
 <span style="width: 95%;">
 <span class="Larger"><u class=larger>U</u>ser Name:</span>
   <input type=text id="NewUserName" name=NewUserName maxlength=10
   size=10 language=vbscript onpropertychange=ValidateNewUserName
   AccessKey=U />
   <p>&nbsp;
     <label class=ErrMsg for=NewUserName>Answer is Required..</label>
     <label class=ErrMsg id=InvalidChar>Letters only!</label>
     <label class=ErrMsg id=TooShort>Answer must be 10 characters!</label>
   </p>
 </span>

Now you must add functions to the “\Scripts\DeployWiz_Validation.vbs” script to support the function call (ValidateNewUserName) that performs the string validation.

'''''''''''''''''''''''''''''''''''''
'  Validate NewUserName
'

Function ValidateNewUserName
 
	' Check Warnings
	ParseAllWarningLabels
 
	If Len( NewUserName.value ) < 10 then
		InvalidChar.style.display = "none"
		TooShort.style.display = "inline"
		ValidateNewUserName = false
		ButtonNext.disabled = true
	ElseIf IsValidNewUserName ( NewUserName.Value ) then
		ValidateNewUserName = true
		InvalidChar.style.display = "none"
		TooShort.style.display = "none"
	Else
		InvalidChar.style.display = "inline"
		TooShort.style.display = "none"
		ValidateNewUserName = false
		ButtonNext.disabled = true
	End if
 
End function
 
Function IsValidNewUserName( NewUserName )
 
	' Ten consecutive letters; the pane's maxlength=10 keeps the input to exactly ten characters
	const IVNAME_TEST = "[a-z]{10}"
	Dim regEx, myMatches
 
	Set regEx = New RegExp
	regEx.Pattern = IVNAME_TEST
	regEx.IgnoreCase = true
 
	Set myMatches = regEx.Execute( UCase(NewUserName) )
	If myMatches.Count > 0 Then
		IsValidNewUserName = true
	Else
		IsValidNewUserName = false
	End If
End function
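The validation above relies on the pane's maxlength=10 attribute to cap the input, so the unanchored pattern “[a-z]{10}” is enough there. When the same rule is checked elsewhere (for example in a task sequence step that reads the variable back), anchoring the pattern keeps the check correct without that cap. The block below is an added example, not code from the original post or from MDT; it restates the rule in PowerShell, goes slightly beyond the pane by reporting a separate “TooLong” outcome, and shows why anchoring matters.

```powershell
# Added example (not from the original post): the NewUserName rule as a PowerShell
# function, anchored so it does not depend on the form's maxlength attribute.
function Test-NewUserName {
    param([string]$Name)
    # Same outcomes the pane shows (TooShort, InvalidChar, Valid) plus TooLong.
    if ($Name.Length -lt 10) { return 'TooShort' }
    if ($Name.Length -gt 10) { return 'TooLong' }
    # -match is case-insensitive by default, like regEx.IgnoreCase = true in the VBScript
    if ($Name -notmatch '^[A-Za-z]{10}$') { return 'InvalidChar' }
    return 'Valid'
}

# Why anchoring matters once the length cap is not guaranteed: the unanchored
# pattern accepts any string that merely *contains* ten consecutive letters.
$unanchored = '[a-z]{10}'
$anchored   = '^[a-z]{10}$'
foreach ($sample in 'abcdefghij', 'ABCDEFGHIJ', 'abcdefghi1', 'abcdefghij1', 'abcd fghij') {
    [pscustomobject]@{
        Input      = $sample
        Unanchored = ($sample -match $unanchored)
        Anchored   = ($sample -match $anchored)
        Result     = Test-NewUserName $sample
    }
}
```

Running the block prints one row per constructed sample; the eleven-character input is the one where the two patterns disagree.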

[Screenshot: New User Name Wizard Pane]

[Screenshot: Only Letters Error]

For building custom RegEx expressions, I suggest RegexBuddy for Windows users and Kodos for Linux users.

-Brian G


How to use VBScript in your MDT/SCCM CustomSettings.INI.

By Brian Gonzalez

The built-in CustomSettings.INI variables are very useful, but on some occasions they are simply not enough. For instance, the “Model” variable contains the FULL model number (e.g. CF-19K4RAX2M). What if I want to create a section breakout for all CF-19 laptops? Here is a method I found to perform this task:

1. First you must tell your ZTIGather script to look out for a new variable, which is ShortModel in my example. Add a line to the “<DeploymentShare>\Scripts\ZTIGather.XML” file, which ZTIGather.wsf reads before it combs your CS.INI for matching variables.

<property id="ShortModel" type="string" overwrite="true" description="Short Model Number" />

2. Next add the following lines to your CS.INI:

;Tells ZTIGather to look in the "RunFirst" section first,
; which populates the ShortModel variable. The value of
; ShortModel is then used as the name of the section to
; search for next.
Priority=RunFirst, ShortModel, Default

[RunFirst]
;Example output will be CF-19 instead of CF-19K4RAX2M
ShortModel=# LEFT( oEnvironment.Item("Model"),5 ) #

;Now I can add my CF-19 section
[CF-19]

Another very useful and easy CS.INI code block I use to add VBScript and more intelligence to my CS.INI is a custom variable containing a date formatted to my liking. I can use this variable wherever and whenever I like throughout my ENTIRE deployment (task sequence included).

1. Just as before, I add the variable to my “ZTIGather.XML” file to tell ZTIGather.wsf to look out for the variable in my CS.INI.

<property id="SpecialDate" type="string" overwrite="true" description="Special Date Value" />

2. Then I populate it wherever I like in my CS.INI:

SpecialDate=#DatePart("M",Now) & DatePart("D",Now) & DatePart("YYYY",Now)#

-Brian G
