16 December 2010

Automating Desktop Installation - Pt 2. Postghost folder

Assuming the preghost routine has gone to plan, you should now have a text file called Macs.txt which contains the hostnames and MAC addresses for all your lab machines. This is your lookup table. What you want to do now is create a folder somewhere on the machine that is to be cloned. I call this folder postghost, as it contains any scripts I want to run after the drive cloning process.

Within this folder I have a folder for each fix that is applied after ghosting. For now, just create two new folders called:

Hostname
Joindom

As you can guess, these are for scripts to rename the PC and join it to the domain. This raises a security issue, since you need to have the local administrator account password stored on the drive if you want this to be fully automatic. Likewise, if you want to automate joining a domain, you need to store the password for a domain administrator account (yes, that should sound alarm bells).

The way around this problem is to use a combination of encryption and permissions. Right-click on your postghost folder and go to the security permissions tab. Remove all users from the list, leaving only administrator with read & execute access. No write access is necessary, and you will still need to log in using the local administrator account to run the script.

At this point I will dish out some credit to a guy named Mike Lin. He has an excellent utility on his website called startup-cpl, which adds a nice control panel applet to your system. One of the nice features of this utility is that it lets you add entries to the task scheduler's run-once list just by dragging and dropping them onto the applet. In effect, this means that once you have created the postghost script, you can set it to run automatically once when the local admin first logs in after cloning (so you will log in, the machine will rename itself, join the domain and then automatically reboot - how much work does that save you?).

Before we get to this stage though, we need to encrypt those privileged account passwords and drop them into our new folders. The script to do that is here:

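Dim sbox(255) 'state array for the RC4 routines added at the end of the script
Dim key(255)  'key array for the RC4 routines added at the end of the script
Dim fso
Dim Oput
Dim strAdmPwd, strUsrPwd, plaintxt

'Prompt for the two passwords (InputBox shows the text as it is typed)
strAdmPwd = InputBox("Enter local admin password:", "Admin Password")
strUsrPwd = InputBox("Enter your network admin a/c password:", "User Password")
plaintxt = "YouAreNotATerminatorRobot" 'text to use as common key - change this for extra security

Set fso = CreateObject("Scripting.FileSystemObject")

'EnDeCrypt(plaintxt, psw) takes the data first and the key second,
'so the password is passed first and the common key (plaintxt) second
Set Oput = fso.OpenTextFile("lcl.txt", 2, True) 'mode 2 = write (8 = append), True = create the file
Oput.WriteLine EnDeCrypt(strAdmPwd, plaintxt)
Oput.Close

Set Oput = fso.OpenTextFile("net.txt", 2, True) 'mode 2 = write (8 = append), True = create the file
Oput.WriteLine EnDeCrypt(strUsrPwd, plaintxt)
Oput.Close

WScript.Echo "Created encrypted password Files"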

This code is not quite complete, though, as it uses Mike Shaffer's RC4 encryption routine, which is copyrighted and so is not reproduced here. All you need to do is find this routine and add the code for the two functions, which are:

Sub RC4Initialize(strPwd)
Function EnDeCrypt(plaintxt, psw)

Add these sections from Mike's code to the end of the script and then run it. Also, don't forget to change the plaintxt variable. You can change it to anything you like, but the same value needs to be entered into the decoding routine later on. The RC4 encryption algorithm is used for WEP, WPA and SSL encryption, amongst others. It may not be the most secure system available, but if you are concerned about its effectiveness, my advice is to rewrite the code with a more secure algorithm. The two routines mentioned above perform the encryption and decryption, so only they would need to be substituted.
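
Why the folder permissions matter more than the RC4 step, shown as an added example (Python, not code from the original post and not Mike Shaffer's routine): the same plaintxt key encrypts both files, so RC4 produces the same keystream twice, and the key itself sits in the script. The minimal RC4 implementation, the sample passwords and the per_file_key helper are constructed for illustration and assume plaintxt is the RC4 key for both files, as the script's comment describes.

```python
# Added illustration: textbook RC4, constructed sample values only.
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 encrypt/decrypt (the same operation in both directions)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def per_file_key(shared: bytes, label: bytes) -> bytes:
    """Hypothetical mitigation: derive a distinct RC4 key for each file."""
    return hashlib.sha256(shared + b"|" + label).digest()

# Constructed sample values, not real credentials.
SHARED_KEY = b"YouAreNotATerminatorRobot"     # the script's default plaintxt
LOCAL_PWD = b"Local-Sample-01"
NET_PWD = b"Domain-Sample-02"

def demo() -> dict:
    lcl = rc4(SHARED_KEY, LOCAL_PWD)          # what lcl.txt would hold
    net = rc4(SHARED_KEY, NET_PWD)            # what net.txt would hold
    lcl2 = rc4(per_file_key(SHARED_KEY, b"lcl.txt"), LOCAL_PWD)
    net2 = rc4(per_file_key(SHARED_KEY, b"net.txt"), NET_PWD)
    return {
        # The decoding routine only needs the value stored in the script.
        "round_trip": rc4(SHARED_KEY, lcl) == LOCAL_PWD,
        # Same key, same keystream: the two files cancel to pwd1 XOR pwd2.
        "shared_keystream": xor(lcl, net) == xor(LOCAL_PWD, NET_PWD),
        # Distinct per-file keys remove that relationship.
        "per_file_fixes_reuse": xor(lcl2, net2) != xor(LOCAL_PWD, NET_PWD),
    }

if __name__ == "__main__":
    print(demo())
```

Even with per-file keys, the key material still ships on the cloned drive, so the read & execute restriction on the postghost folder remains the control that keeps the passwords from other users.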

Once run you should have two files called lcl.txt and net.txt which hold your local and network admin passwords. Copy lcl.txt into the postghost\hostname folder and then copy net.txt into postghost\Joindom. If you open these files with a text editor they should appear to be a garbled sequence of obscure characters. I always do this just to be certain that my passwords have not been stored as plain text (which would be bad if the local admin account was compromised).

That's it for today. Next we look at the actual renaming script.