Security issues with unattended installation (Windows Deployment Services)

-

if type of problem has been posted, sorry, searched hours not find anything

system: windows server 2008r2

i have been plying around unattended installation (fresh bare metal). under normal circumstances systems should boot hard disk.  in case of install changes systems should use pxe install boot program , corresponding files. therefore choose to:

  1. all systems boot pxe first, second local hard drive
  2. the default boot program fro both x86 , amd64 abortpxe.com
  3. if wand system install use 'wdsutil /verbose /set-device /device:test02 /bootprogram:boot\x64\pxeboot.n12 /wdsclientunattend:wdsclientunattend\try_1.xml' set specific boot program
    'wdsutil /get-alldevices' shows correct setting
  4. the server configured 'wdsutil /set-server /resetbootprogram:yes'

the wdsclientunattend file contains credential user "deploy". security reasons want have user limited rights. here catch - if user administrator pxe server reset /bootprogram: value "". if "deploy" not member of administrators setting /bootprogram:boot\x64\pxeboot.n12 remain , system go next boot/install cycle.

could point me right direction to

  1. what minimal permission need give user "deploy"
  2. how can give permission user (i'm pretty bad active directory, please detailed)
  3. also nice pointer how can minimize rights of user "deploy" further - instance not want able login account; reseting pxe , file access user needs allowed

thanks help

my final solution - done on command line

 

# pre create computer account
wdsutil /add-device /device:test03 /id:00-15-17-4f-53-d2

# set deployment options
wdsutil /verbose /set-device /device:test03 /bootprogram:boot\x64\pxeboot.n12 /wdsclientunattend:wdsclientunattend\try_1.xml

# check options
wdsutil /get-device /device:test03

# set permissions on computer account (necessary domain join)
dsacls "cn=test03,cn=computers,dc=mshpc,dc=crtdc,dc=local" /i:t /g mshpc\deploy:ca;"reset password";
dsacls "cn=test03,cn=computers,dc=mshpc,dc=crtdc,dc=local" /i:t /g mshpc\deploy:rpwp;"account restrictions";
dsacls "cn=test03,cn=computers,dc=mshpc,dc=crtdc,dc=local" /i:t /g mshpc\deploy:rpwp;"netbootmachinefilepath";

#install

#after join successfull remove special rights
dsacls "cn=test03,cn=computers,dc=mshpc,dc=crtdc,dc=local" /r mshpc\deploy

 

regards

michael

 

note: reasons had copied wrong commands. /i:s "subobjects" - command used during testing on "cn=computers,dc=mshpc,dc=crtdc,dc=local" object. sorry confusion



Windows Server  >  Management



Comments

Post a Comment

Popular posts from this blog

Edit Group Policy

-
i have pc has power settings pushed out default domain policy in ad environment. of course on local machine "some settings managed system adminstrator". the machine temporarily no longer in contact domain controller (it's been physically moved , not on same network now) can't updated gpo settings. i believe if edit local group policy won't make difference because of group policy processing , precedence. since it's temporary away ad network, still want use settings of ad user. is there somewhere in registry stored can edit power plan manually until can sync domain? (i need prevent sleeping while plugged in - it's set 1 hour) thanks! allen crist i found site: http://gpsearch.azurewebsites.net/#7916 i able add policy to hkey_local_machine\software\policies\microsoft\power using specs found on site. looks solved issue. i'll report if didn't. thanks! allen crist ...
Read more

Hyper-V VM not reaching OS 'Logon' screen

-
i trying migrate vm vmware hyper-v. so far have done following (seemingly successfully): prepare vmware vm conversion hyper-v format (vhd) within vmware workstation 8.0 environment following steps guide: http://social.technet.microsoft.com/forums/en/winserverhyperv/thread/ef8c12f7-c45d-442e-9a30-c43cd87df3b3   (i.e. remove vm tools, add new ide hard disk…) use vmdk2vhd application convert individual vmdk files vhd ones create new vm in hyper-v exporting in 3 newly converted vhd files at point have checked settings , powered on vm in hyper-v find although windows begins load expected manages reach screen prior login screen saying either of following messages: “windows starting up…” “the active directory rebuilding indices… please wait” to knowledge, albeit limited in area, vm should present me login screen since appears in vmware. if start vm in safe mode can login not desired affect. below details of vm: operating system: windows server 2003 (enterprise edit...
Read more

DNS question...

-
i new setting dns server....my domain name expl. "domain.com"....i set "a" record in forward lookup for  www.domain.com itself...."server's local ip"....i've added no other zones , i seem able resolve names except own....www.domain.com.....also, do i put my isp's dns ip's....for external dns's server can't resolve?....forwarding or in nic setup?......i want setup in my dns server don't have include them on client side..... thanks mark     not put isp dsn server address in settings on nic dc or clients. should point local dns server on dc. set dns forward public dns, such isp. bill Windows Server  >  Network Infrastructure Servers
Read more