Prompt for Password, UDA and Computer Name in a Task Sequence

October 9, 2013 11 comments

Hello. It has been a long time since I wrote something; I will try to post more frequently.

So I've been using an HTA app to prompt for a password at the beginning of each task sequence. Why, you ask? Let's say you have task sequences for Client OS and some for Server OS. You might not want just anyone to deploy those, but if you set a PXE password you would need to distribute that password to everyone who needs to deploy Client.

There is a great post on all this written by Niall Brady over at Windows-Noob, and most of this is taken from there: http://www.windows-noob.com/forums/index.php?/topic/2336-password-protect-a-task-sequence/page-2 I found the HTA there and have modified it to include prompts for Primary User and Computer Name. Below is the HTA. I'm not the greatest wizard with graphics, but you get the picture.

Prompt

There is also a prompt for Primary User and one for Computer Name. You can download the HTA from

You can download a sample of the task sequence here and just copy it to your own.

 

To display an HTA in WinPE you need to have MDT integrated into your SCCM environment. I added the files to a folder called WNB and copied that to the script folder inside the MDT toolkit package source, but you can create your own package and reference that when you call the script. Just make sure you load the MDT toolkit package before the password prompt.

Before you implement it you need to edit Password.hta with your favorite text editor. The three prompts set 3 variables:

ALLOWOSDBUILD, which is set to YES if you input the right password. If you don't, the task sequence will fail and shut down the computer. To change the password edit line 98; the default password is password.

SMSTSUdaUsers, which is the built-in UDA variable that sets the primary user. If you only have 1 domain, change the domain\ on line 113; then you only need to input the username without domain\ first. If you have multiple domains just remove domain\.

OSDComputerName, which is the built-in variable that sets the computer name. I won't go into more detail on this as it is pretty obvious.

There is a check on lines 104 to 109 that the username and computer name are between 5 and 10/15 characters long, and the computer name is changed to uppercase characters on line 114.

Categories: SCCM

Regional Settings depending on the first 3 letters in the computer name in a task sequence

January 31, 2013 Leave a comment

Hello.

So I wanted to set regional settings depending on the first 3 letters in the computer name when I deploy it. The best way I found was to use an XML file and apply it with the control.exe command, for example: control.exe intl.cpl,, /f:"%temp%\Denmark.xml"

This way i can set keyboard layout, location and format.

This is what the task sequence looks like.

Image

And under Options of each group I have a WMI query to check the first 3 letters in the name:

SELECT * FROM Win32_ComputerSystem WHERE Name LIKE "XXX%"

I created 2 files: one XML file containing the country codes and one cmd file that copies the file locally and then executes it. For some reason just a “Run Command” step did not work.

The cmd is very simple: it copies the XML file from the DP to the temp folder and then runs the control.exe command. Notice that %~dp0 has no \ after it, as the backslash is already included in the variable.

copy "%~dp0Sweden.xml" "%temp%\Sweden.xml"
control.exe intl.cpl,, /f:"%temp%\Sweden.xml"

This is what the step looks like

Capture

The XML file was a little bit trickier as it contains different country codes: the GeoID, sv-SE, and an ID. You can of course add multiple “InputLanguageID” entries if you want more keyboard layouts.

<gs:GlobalizationServices xmlns:gs="urn:longhornGlobalizationUnattend">
<!-- user list -->
<gs:UserList>
<gs:User UserID="Current" CopySettingsToDefaultUserAcct="true" CopySettingsToSystemAcct="true"/>
</gs:UserList>
<!-- GeoID -->
<gs:LocationPreferences>
<gs:GeoID Value="221"/>
</gs:LocationPreferences>
<!-- UI Language Preferences -->
<gs:MUILanguagePreferences>
<gs:MUILanguage Value="sv-SE"/>
<gs:MUIFallback Value="en-GB"/>
</gs:MUILanguagePreferences>
<!-- system locale -->
<gs:SystemLocale Name="SV-SE"/>
<!-- input preferences -->
<gs:InputPreferences>
<gs:InputLanguageID Action="add" ID="041d:0000041d"/>
<gs:InputLanguageID Action="remove" ID="0409:00000409"/>
</gs:InputPreferences>
<!-- user locale -->
<gs:UserLocale>
<gs:Locale Name="sv-SE" SetAsCurrent="true" ResetAllSettings="true">
</gs:Locale>
</gs:UserLocale>
</gs:GlobalizationServices>

You can find the GeoID here, but you need to use a hex-to-decimal converter to get what you want.

http://msdn.microsoft.com/en-us/library/windows/desktop/dd374073(v=vs.85).aspx

And here are the Locale IDs:

http://msdn.microsoft.com/en-us/goglobal/bb895996.aspx

Here is a little more info on how to write the XML file:

http://msdn.microsoft.com/en-us/goglobal/bb964650

 

When you have created all the XML files and CMD files, put them in your source folder and create a package from it. You don't need to create a program.


As a last step in the regional settings group I have a rule that says if the first 3 letters are NOT any of, for example, XXX, CCC, FFF, it will set Swedish.

Image

Categories: Uncategorized Tags:

Unlock Active Directory Account Task in SCSM

December 13, 2012 3 comments

Hi.

Sorry for the lack of updates, but it’s been a busy time.

I thought I would share my unlock user task in SCSM. One of the most common incidents we have is locked AD accounts, so I’ve created a task that unlocks the affected user's AD account with PowerShell.

For this to work you need to have the Active Directory Users and Computers snap-in installed.

Go to Library > Tasks > Create Task

Give the task a name and a description. Select Incident as the target class and, if you want, create a new Management Pack.

Task name

On the next screen select where you want this task to be shown. I'm only going to select “Incident Support Groups Folder Tasks”.

Category

The next screen is where you input the script that unlocks the user account.

In the Command window input

c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

And in the Parameters input

-command Import-Module ActiveDirectory; Unlock-ADAccount -Identity User account; write account User account unlocked.

The red marked text is where you need to insert the affected user's username, so click Insert Property and select Affected User and User Name. Do this for both, and make sure you type the ; after the first User account.

 affecteduser

Select “Log in action log when this task is run” if you want

It should then look something like this

Command

Press Next and then Create

You are now finished and you should see the task when you select an incident.

UnlockTask

I have also attached a finished MP with the task and an icon for it that you can go ahead and import. Rename it to .mpb.

Unlock User Account Task

In the next post I will show you how we can unlock the affected user account and close the incident using Orchestrator.

Categories: SCSM

Application Dependencies in SCCM 2012

May 4, 2012 18 comments

A new feature in CM 2012 is the ability to set dependencies on applications. This is something that I have been waiting for and it works really well.

For example this is my deployment for AX 2012 Client.

In this scenario I needed to create 4 different dependencies that would all be installed. This is done by pressing “Add” and then adding a dependency. If you add 2 dependencies under the same group it will be “this OR that”, but if you add them in different groups it will be “this AND that”.

You can, for example, have one group and add different versions of Visual C++ Redistributable. If the application does not require the latest version, it will check if any of those versions are installed; if any of those versions are installed it will skip it.

If you add 2 dependencies under the same group you can also set priority. If none of the dependencies are installed, the application with the highest priority is the first one to be installed. The best way here is to only check “Auto Install” on the application you want to install if the device does not satisfy the dependency.

A dependency doesn’t have to be something that the application you are installing requires; it can be anything.

I created a bunch of applications in a folder I call “Pre Reqs\Microsoft” with the most common prerequisites like SQL Native Client etc., stuff that I can use over and over again.

When you deploy an application that has dependencies linked to it, the SCCM client will check which dependencies are already installed; if none are installed it will automatically download and install them.

This also works when doing it via task sequence.

If you check Software Center you will see the number of components it downloads. If you have 4 dependencies and 1 is installed, it will say downloading 4 components (3 dependencies and the program itself).

One thing to keep in mind is that if a dependency fails to install the whole deployment fails. You can see what dependency failed under deployment monitoring. I had one case where my C++ 2010 was an older version and the deployment failed because a newer version was already installed on the computer.

Categories: SCCM Tags:

SCCM 2012 Content Distribution Settings

April 5, 2012 Leave a comment

Hello.

I'm rolling out SCCM 2012 at the moment in our production environment and it's going great! Migration jobs are running very smoothly, with some hiccups, but that was expected.

I ran into a problem where my task sequences would not run and all the applications I tried to install would not install on the client. In SCCM 2007 there were some problems (at least in my setup) with this in the past. Those errors were almost always permission related, either with the Network Access Account, IIS settings (WebDAV…), or in some cases firewall settings, so naturally that was what I checked first, but everything seemed fine. All the packages were green in status and were distributed to the right DP.

BUT! The setting for almost all my packages was “Manually copy the content in this package to the distribution point”.
After I changed this to “Automatically…” and updated the DP, everything started to run!

Categories: SCCM Tags:

Automating user creation with Orchestrator and Service Manager 2012 Part 2

April 2, 2012 Leave a comment

Hello everyone.

This is part 2 of the automated user creation using Orchestrator and Service Manager 2012.
In the previous post we created our runbook to create the user, and in this post we will import that runbook into Service Manager and use it on our service portal.

Fire up the Service Manager Console and first navigate to Administration > Connectors, select your Orchestrator connector and press “Synchronize now”. If you haven’t set one up yet, do it now.
Now go to Library > Runbooks. Here you should see the runbook we created in Runbook Designer. If you don’t, make sure you checked it in after you finished.
Select it and press “Create Runbook Automation Activity Template”.

Input a name for the Template and a description and press OK

This will open up a new window with the actual template. Again input some information about the runbook and check “Is Ready For Automation”. This is very important: if we don’t check this we need to start it manually.

OK, now we have our new Runbook Activity. Now we need a Service Request to run it in, so again navigate to Library, right click “Templates” and click “Create Template”.

Input a name and description for the template, press Browse and pick “Service Request”, then press OK.

This opens up a new window with the service request.
Input what information you want, then select “Activities”.

This is where we create the activity flow, so first press the + and select “Default Review Activity”. This activity “needs” to be present, in my case just because I don’t want my users to be able to create users without me approving it first, and in most other cases because it needs to be mapped to a cost.

So go ahead and input Title and Description (we could have created another string in the runbook for example “Reason for request” and mapped that to the description of the review activity)

There are many ways to set up the vote. In this case, as I am the only one that will approve, I put myself as the reviewer. If you for example have 10 people that you want to be able to approve the request, you can simply put them all as reviewers and set the “Approval Condition” to percentage and set it to 10%. You can also set that someone like the manager has Veto or that he must vote for the activity to be approved.

Now press OK and you're back at the service request. Again press the + and this time select the Runbook template we created earlier. As we already filled this out, just click OK again.

Your activity stage should now look like this, and we are done with the Service Request Template, so just press OK.

Navigate to “Library > Service Catalog”, right click “Request Offerings” and click “Create Request Offering”.

Input Title and Description of the request, select an image if you have one and select the service request template we created earlier and press Next.

On the next screen we need to create the user prompts. These will look the same as the “User Info” step from the runbook. Press the + and create 8 prompts and name them Firstname, Lastname, Manager, Title, Department, Phone number, Company, Type.

Select Company and press “Prompt Type”, click “Simple List” and do the same for “Type”. If you want, select Phone and change Response Type to Optional; in many cases he won’t get a phone number until he starts. Now press Next.

Now we need to configure the prompts. The first thing is to make sure that the format of Firstname and Lastname is correct, so press Firstname and click “Configure”. Here we can pick some premade regular expressions or we can make our own, which is what we will do, so click “.Net Regular Expression” and type in this: ^[A-Z]{1}[A-Za-z\-]+ Now the first letter has to be capital and the rest lowercase. Now do the same for Lastname.
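What the expression above accepts when evaluated with .NET's Regex.IsMatch, which reports a match anywhere in the input, next to a variant that is anchored at the end with $ (an added example, not from the original post). The anchored pattern and the sample names are constructed for illustration, and whether the portal applies the expression as a partial or a full match is an assumption to check in your own environment.

```powershell
# Added example: compare the expression from the post with an anchored variant.
# $anchoredPattern is a hypothetical stricter form, not taken from the post.
$postPattern     = '^[A-Z]{1}[A-Za-z\-]+'
$anchoredPattern = '^[A-Z][a-z]+(-[A-Z][a-z]+)*$'

# Constructed sample inputs: plain name, double name, mixed case,
# embedded space, trailing digit, all lowercase, single letter.
$samples = 'Anna', 'Anna-Karin', 'AnnA', 'Anna Karin', 'Anna1', 'anna', 'A'

$samples | ForEach-Object {
    New-Object PSObject -Property @{
        Input    = $_
        # IsMatch succeeds as soon as the pattern matches a prefix of the
        # input, because the post's pattern has no end anchor.
        Post     = [regex]::IsMatch($_, $postPattern)
        # The anchored pattern must consume the whole input.
        Anchored = [regex]::IsMatch($_, $anchoredPattern)
    }
} | Select-Object Input, Post, Anchored | Format-Table -AutoSize
```

Rows where Post is True and Anchored is False are inputs that pass the prompt check only because the match stops before the end of the string.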

We also need to configure Company and Type with a list to choose from, so click Company > Configure

Depending on what companies you have in the script from Part 1, you need to input them here. If you didn’t change them yet, just type Test1, Test2 and Test3, select Test1 and click “Set as default”. Do the same with Type and input “PC” and “TS”.

On the next screen we need to map all the prompts to something in either the Runbook Activity, the Review Activity or the Service Request. We will map everything to the Runbook Activity. This is where we could also have mapped a field for “reason for request” if you did that in the runbook.

Select the “Create New User Runbook” and map each string to the right property in the runbook. They might not end up in the right order, so make sure you select the right one. Press Next.

On the next screen we can specify a knowledge article for the request with relevant information or guides.

The next screen is to publish the Request Offering; as this is a lab we will publish it right away.

Now click Next and then Create

Ok now we are done with the Request Offering. Now all we need to do is to publish it to the portal.

If you haven’t published any offerings yet you probably only have the default Service Offering categories so navigate to Library > Lists and double click “Service Offering Category”.

Here you can add new categories to the self-service portal; just press “Add Item” and change the name to something like “Access and Security”.

Now we have a Service Offering category, so we need to add a Service Offering to that category. Navigate to Library > Service Offerings, right click and select “Create Service Offering”.

Give it a name like Account Management and select the “Access and Security” category we just created. You can also select an icon if you have one. Fill in the rest and press Next.

Here you can fill out SLA and Cost information, as this is a lab I won’t do this right now. Next screen is for related services, same here just press next and next again on Knowledge Articles.

On the next screen press Add, select the Request Offering we created earlier and press OK.

Make sure you select “Publish” on the next screen and finish the wizard.

If you now start your favorite web browser and navigate to your self-service portal https://”Server”:444/SMPortal you will see the Category and Service Offering we created. Press Account Management and you will also see the “New User Request”

And voilà, here is the request, and as you can see the custom tooltip / regex we created works like a charm.

Now fill in the rest and submit the request.

When you are done go to My Activities, select the review activity, select a reviewer and press Approve, then enter a comment and press Save.

The review activity is now approved and it will move onto the Runbook Activity.

If you check Runbook Designer you can see the runbook is running. When it’s done the service request will automatically change status to Complete and you will have a new user. Also check your inbox to see the mail with the user info.

There you have it. I hope you have some use for this, if not everything then maybe some part of it. I will keep updating as I set up my lab.

I'm really excited about Orchestrator and I've only just begun to scratch the surface of what this awesome complement to the System Center family can do!!

Categories: SCORCH, SCSM Tags:

Automating user creation with Orchestrator and Service Manager 2012 Part 1

March 30, 2012 2 comments

Hello again.

Creating new users is boring. What if the end-user could input all the info for you and all you need to do is to approve the request? This is all possible with Orchestrator and Service Manager, and in the next couple of posts I will show you how I did it for our environment. This is just one way of doing it; Orchestrator provides an almost infinite number of ways of creating automated tasks.

This is how the runbook looks

Start Runbook Designer and create a new runbook. Add an “Initialize Data” step under Runbook Control and name it User Info.
Add 8 strings and name them Firstname, Lastname, Title, Department, Manager, Phone, Company, and Type.

Next drag and drop a “Run .Net Script” activity, right-click it and change the name to something like “Generate Password”.
Click Details, change the type to PowerShell and copy and paste this script. The script basically generates a password for the new user; this one creates a simple password from “!?”, capital letters, lowercase letters and numbers with a total of 9 characters.

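# Character classes the password is built from
$firs = [char[]] "!?"
$caps = [char[]] "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
$lows = [char[]] ("ABCDEFGHIJKLMNOPQRSTUVWXYZ".ToLower())
$nums = [char[]] [string[]] (0..9)

# Characters to take from each class: 1 special + 8 others = 9 in total.
# Get-Random -Maximum is exclusive, so $one is always 1 and $first is 1 to 4.
$one = Get-Random -Minimum 1 -Maximum 2
$first = Get-Random -Minimum 1 -Maximum 5
$second = Get-Random -Minimum 1 -Maximum (8-$first)
$third = 8-$first-$second
# An empty output field separator makes the [string] cast join the characters without spaces
$ofs = ""
# Pick the characters from each class, then shuffle all 9 of them
$GPassword = [string](@($firs | Get-Random -Count $one) + @($caps | Get-Random -Count $first) + @($lows | Get-Random -Count $second) + @($nums | Get-Random -Count $third) | Get-Random -Count 9)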
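An alternative way to build the same 9-character password, as an added example that is not part of the original runbook script: every character is drawn from the operating system's cryptographic random number generator (System.Security.Cryptography.RandomNumberGenerator) instead of Get-Random, one character from each class is guaranteed, and characters may repeat. The function names Get-SecureIndex and New-RunbookPassword are hypothetical; only the $GPassword variable comes from the post.

```powershell
# Added example: password generation backed by the OS cryptographic RNG.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-SecureIndex([int]$Max) {
    # Returns a uniform integer in [0, $Max) using rejection sampling,
    # so that no index is favoured by the modulo operation.
    if ($Max -lt 1 -or $Max -gt 256) { throw "Max must be between 1 and 256" }
    $limit = 256 - (256 % $Max)
    $b = New-Object byte[] 1
    do { $rng.GetBytes($b) } while ($b[0] -ge $limit)
    return $b[0] % $Max
}

function New-RunbookPassword([int]$Length = 9) {
    # Same character classes as the script in the post.
    $sets = @(
        '!?',
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        'abcdefghijklmnopqrstuvwxyz',
        '0123456789'
    )
    if ($Length -lt $sets.Count) { throw "Length must be at least $($sets.Count)" }
    $all = -join $sets

    $chars = New-Object char[] $Length
    for ($i = 0; $i -lt $Length; $i++) {
        # The first four positions take one character from each class,
        # the remaining positions draw from the combined alphabet.
        $src = if ($i -lt $sets.Count) { $sets[$i] } else { $all }
        $chars[$i] = $src[(Get-SecureIndex $src.Length)]
    }

    # Fisher-Yates shuffle so the class of each position is not predictable.
    for ($i = $Length - 1; $i -gt 0; $i--) {
        $j = Get-SecureIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return (-join $chars)
}

# Same variable name as in the post, so it can be published as GPassword.
$GPassword = New-RunbookPassword
```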

Now click “Published Data” and add a variable from the script we just copied in. Notice that the variable is GPassword and not $GPassword.

Now click “Finish” and create a link between “User Info” and “Generate Password”.

Next drag and drop another “Run .Net Script” and name it CreateUser. In the link below is the script I use to create the user.
First I need to explain how we name our OUs. We have about 10 different companies within the company; for example, company1 has 2 OUs, one for PC users and one for TS users, like company1_CTX and company1_CTX_PC (don't ask). So in the script, if you input company = test1 and type = PC, the OU will be test1_CTX_PC,
and if type = “anything else than PC” the OU will be test1_CTX, as we only have 2 different types of user OUs.

Writing code is not something I do every day. This script is taken from PowerGUI's examples and modified by me as best I could; I'm sure there are better ways to do it.

CreateUser

For the script to work you need to install the Exchange 2010 console and the Quest ActiveRoles AD Management snap-in and, if you have Lync installed, LyncCore.msi. All of these need to be installed on the runbook server!!

The first 2 lines of the script run PowerShell as 64-bit. The Run .Net Script activity runs PowerShell as 32-bit, and as Exchange 2010 only comes with a 64-bit PowerShell add-on we need to start the 64-bit version of PowerShell or it won't work.

All the variables in the script need to be mapped to the strings we input in the first step (User Info), so place the cursor between the quotes, right click, choose “Subscribe > Published Data” and pick the correct string from the User Info step.
Scroll down a bit until you find $TempPassword, put the cursor between the quotes and this time choose the Password variable we created earlier. It will now set the password to the randomly generated password from the step before.

If you have Lync and want to enable the user, uncomment the 2 lines on rows 132 and 133.

The variable $Tempuser is a user that I use as a template for security and distribution groups. If you just want to test, create a user called “template test” and add it to some groups. You can disable this account as it's only there to copy the groups.

The last step is to send the user information via email to someone, in this case first-line support. This is just for testing; in a production environment you probably want to send the user information back to Service Manager or the person who created the request. This can be done by adding another string in the first step and naming it something like RunbookID, then mapping that manually from the Service Manager automated runbook with the ID of the runbook. You can then send the password back to Service Manager and update, for example, the description of the Service Request with all the info you need, like first name, last name and password.

So go ahead and drag out a “Send Email” step and name it “Send UserInfo”. Under Details input the Subject and Recipient(s). The message is where we input the user information: type in the information you want and under it input
Firstname:
Lastname:
Password:
After each, right click and subscribe to the data from the previous steps.

Under Connect specify the sender address and the SMTP server name.

Under “Run Behavior” check “Flatten” and pick “Separate with line breaks”.

Run it through the “Runbook Tester” to check if it works.

In the next part we will import the runbook into Service Manager and create a request offering that makes it possible for end-users to input all the information we need via the Service Manager portal. We then approve the request and Orchestrator does the rest for us.

Categories: SCORCH, SCSM Tags: ,