Tuesday, 9 November 2010

Set the default domain in XP

One of the problems with using OSD to deploy XP is that after a build the default logon domain is always the local computer rather than the Active Directory domain. If you refresh your clients on a regular basis this confuses your users, who type a domain account into a dialog that is pointing at the local machine. This hack sets the default logon domain to your Active Directory domain instead.

The key to this hack is importing the registry file before the task sequence joins the domain. The values below are the ones Winlogon reads to pre-select a domain in the logon dialog.

Copy and paste the following code into a text file called setdomain.reg, replacing YOURDOMAIN with the NetBIOS name of your domain and yourdomain.com with its DNS name:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="YOURDOMAIN"
"CachePrimaryDomain"="YOURDOMAIN"
"AltDefaultDomainName"="YOURDOMAIN"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DomainCache]
"YOURDOMAIN"="yourdomain.com"


Then, in a Run Command Line step placed before the Join Domain step, import the file silently with the following command:


regedit /s setdomain.reg
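As an added example, not code from the original post, here is the same change expressed in PowerShell, which assumes PowerShell 2.0 is present on the XP SP3 image (a plain regedit /s step does not need it). It writes the same four values and then reads them back by name, so the task sequence step fails if they did not stick; the domain names are placeholders, and the function names are this example's own.

```powershell
# Added example (not from the original post). Run elevated, before the
# Join Domain step. Domain names below are placeholders.
param(
    [string]$NetBiosDomain = "YOURDOMAIN",    # assumed NetBIOS domain name
    [string]$DnsDomain     = "yourdomain.com" # assumed DNS domain name
)

$winlogon = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$cache    = "$winlogon\DomainCache"

function Set-DefaultLogonDomain {
    param([string]$NetBios, [string]$Dns)

    # Same three REG_SZ values the .reg file sets; -Force overwrites existing ones.
    foreach ($name in "DefaultDomainName", "CachePrimaryDomain", "AltDefaultDomainName") {
        New-ItemProperty -Path $winlogon -Name $name -Value $NetBios `
            -PropertyType String -Force | Out-Null
    }

    # DomainCache maps the NetBIOS name to the DNS name; create the key if missing.
    if (-not (Test-Path $cache)) { New-Item -Path $cache | Out-Null }
    New-ItemProperty -Path $cache -Name $NetBios -Value $Dns `
        -PropertyType String -Force | Out-Null
}

function Test-DefaultLogonDomain {
    param([string]$NetBios, [string]$Dns)

    # Read back only the named values rather than dumping the whole key:
    # Winlogon also holds autologon settings that do not belong in a log.
    $props = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
    $map   = Get-ItemProperty -Path $cache    -ErrorAction SilentlyContinue

    return ($props.DefaultDomainName    -eq $NetBios) -and
           ($props.CachePrimaryDomain   -eq $NetBios) -and
           ($props.AltDefaultDomainName -eq $NetBios) -and
           ($map.$NetBios               -eq $Dns)
}

Set-DefaultLogonDomain -NetBios $NetBiosDomain -Dns $DnsDomain

if (-not (Test-DefaultLogonDomain -NetBios $NetBiosDomain -Dns $DnsDomain)) {
    Write-Error "Default logon domain values were not written as expected"
    exit 1    # non-zero exit makes the task sequence step fail
}
Write-Host "Default logon domain set to $NetBiosDomain"
exit 0
```

The read-back matters because a later step (the domain join itself, or a GPO) can rewrite these values; running the check again at the end of the task sequence tells you whether the setting survived.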

Thursday, 14 October 2010

Force BitLocker key backup to Active Directory

If a Windows 7 machine is not in a domain when the drive is encrypted with BitLocker, the key backup will not automatically occur: the Group Policy driven escrow happens when the recovery password is created, so a machine encrypted before the domain join never backs up its key. I've modified some code from this TechNet article to force this backup to occur for the C: drive. The script could be modified to back up keys from all drives pretty easily, but this had to be rolled out very quickly!

The script:


Option Explicit

Dim strDriveLetter, objWMIService, colTargetVolumes, objVolume
Dim intRC, nPStatus, nKeyProtectorType, vProtectors, vKeyProtectorID
Dim insKey, numPWD, iBackupSuccessful, nFound

strDriveLetter = "C:"

' Connect to the BitLocker WMI provider. Errors are trapped here so that the
' check below actually fires instead of the script aborting on the GetObject.
On Error Resume Next
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate," _
    & "authenticationLevel=pktPrivacy}!\\." _
    & "\root\cimv2\security\microsoftvolumeencryption")

If Err.Number <> 0 Then
    WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
    WScript.Echo "Ensure that you are running with administrative privileges."
    WScript.Quit -1
Else
    WScript.Echo "Successfully connected to BitLocker interface."
End If
On Error GoTo 0

Set colTargetVolumes = objWMIService.ExecQuery _
    ("Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'")

If colTargetVolumes.Count = 0 Then
    WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on this computer"
    WScript.Quit -1
End If

For Each objVolume In colTargetVolumes
    WScript.Echo "Encryptable Volume found: " & objVolume.DriveLetter

    ' GetProtectionStatus: 0 = protection off, 1 = protection on, 2 = unknown.
    ' A volume can be encrypted with protection suspended, so 1 means the key
    ' protectors are actually enforced, not merely that the data is encrypted.
    intRC = objVolume.GetProtectionStatus(nPStatus)
    If nPStatus = 1 Then
        WScript.Echo "Drive is encrypted and protection is on"
    Else
        WScript.Echo "Drive protection is off or unknown (status " & nPStatus & ")"
    End If

    nKeyProtectorType = 3 ' Numerical password (the 48-digit recovery password)

    insKey = objVolume.GetKeyProtectors(nKeyProtectorType, vProtectors)
    If insKey <> 0 Then
        WScript.Echo "GetKeyProtectors failed (0x" & Hex(insKey) & ")"
        WScript.Quit -1
    End If

    ' Back up every numerical password protector, not only the last one
    ' enumerated: a volume can carry more than one recovery password.
    nFound = 0
    For Each vKeyProtectorID In vProtectors
        nFound = nFound + 1
        ' WScript.Echo "Key Protector: " & vKeyProtectorID

        ' Retrieves the password only to confirm the protector is readable.
        insKey = objVolume.GetKeyProtectorNumericalPassword(vKeyProtectorID, numPWD)
        If insKey <> 0 Then
            WScript.Echo "Password Get Failed (0x" & Hex(insKey) & ")"
            WScript.Quit -1
        End If

        ' Do not echo numPWD: stdout from a task sequence step is written to
        ' smsts.log, which would leave the recovery password on disk in clear text.
        ' WScript.Echo "Numerical PW: " & numPWD
        WScript.Echo "Backing up key protector: " & vKeyProtectorID

        iBackupSuccessful = objVolume.BackupRecoveryInformationToActiveDirectory(vKeyProtectorID)
        If iBackupSuccessful <> 0 Then
            WScript.Echo "Password Storage to ADS failed (0x" & Hex(iBackupSuccessful) & ")."
            WScript.Quit -1
        Else
            WScript.Echo "Successfully stored password in ADS."
        End If
    Next

    If nFound = 0 Then
        WScript.Echo "FAILURE: no numerical password protector on " & objVolume.DriveLetter & "; nothing to back up."
        WScript.Quit -1
    End If
Next
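As an added example, not code from the original post, here is a PowerShell 2.0 version of the same operation against the same Win32_EncryptableVolume WMI class, extended as the post suggests to every BitLocker volume on the machine. It returns a count of failures so the task sequence step can fail on a non-zero exit code, and it never reads or writes the recovery password itself. The function name and messages are this example's own.

```powershell
# Added example, not the post's script. Needs an elevated PowerShell 2.0
# session on Windows 7 and a machine that has already joined the domain.
$ns = "root\cimv2\Security\MicrosoftVolumeEncryption"

function Backup-RecoveryPasswordsToAD {
    # Returns the number of volumes or protectors that could not be backed up.
    # Messages go to the host, not the pipeline, so the return value stays clean.
    $failed  = 0
    $volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -ErrorAction Stop

    foreach ($vol in $volumes) {
        $drive = $vol.DriveLetter

        # GetProtectionStatus out-param: 0 = off, 1 = on, 2 = unknown. Only a
        # protected volume has an enforced recovery password worth escrowing.
        $status = $vol.GetProtectionStatus()
        if ($status.ReturnValue -ne 0 -or $status.ProtectionStatus -ne 1) {
            Write-Host ("{0} protection is off or unknown, skipping" -f $drive)
            continue
        }

        # Type 3 = numerical password (the 48-digit recovery password).
        $kp = $vol.GetKeyProtectors(3)
        if ($kp.ReturnValue -ne 0) {
            Write-Host ("{0} GetKeyProtectors failed (0x{1:X8})" -f $drive, $kp.ReturnValue)
            $failed++
            continue
        }
        if (-not $kp.VolumeKeyProtectorID) {
            # Encrypted but nothing to escrow; add one with
            #   manage-bde -protectors -add <drive> -RecoveryPassword
            Write-Host ("{0} has no numerical password protector" -f $drive)
            $failed++
            continue
        }

        foreach ($id in $kp.VolumeKeyProtectorID) {
            # Back up by protector ID only: the password is never retrieved or
            # echoed, so nothing sensitive ends up in smsts.log.
            $r = $vol.BackupRecoveryInformationToActiveDirectory($id)
            if ($r.ReturnValue -eq 0) {
                Write-Host ("{0} protector {1} stored in AD" -f $drive, $id)
            } else {
                # Typical causes: not domain-joined, no DC reachable, AD schema not
                # extended for BitLocker, or the computer account lacks rights to
                # create msFVE-RecoveryInformation objects under itself.
                Write-Host ("{0} protector {1} backup failed (0x{2:X8})" -f $drive, $id, $r.ReturnValue)
                $failed++
            }
        }
    }
    return $failed
}

$failures = Backup-RecoveryPasswordsToAD
exit $failures    # 0 on success; non-zero fails the task sequence step
```

Run it as a Run Command Line step after the Join Domain step, for example powershell.exe -ExecutionPolicy Bypass -File backup-bitlocker.ps1, and check the step's exit code rather than grepping the log. On Windows 8 and later the BitLocker module's Backup-BitLockerKeyProtector cmdlet wraps the same WMI call.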