I setup virtual servers with Windows Server 2008/2012. I want to automate the password setting process for the windows guest.
My script would run like:
bash setupwindows.sh <kvmid> <password>
Then setupwindows.sh would mount the LVM, place the powershell script into the autostart directory and start the server.
I can change the password over windows cmd with
net user Administrator password
My question is: in which directory at the windows guest i need to place the powershell script to get it started on boot, without an user to be logged in?
I think the problem here is that you're approaching this with a linux/Bash style approach, which can lead you around in circles big time when trying this in Windows, as the two platforms have inherent differences.
If you want to set your password at build time, and your machine is on a domain, then use Group Policy to set the default Admin Password using the setting found under Computer Configuration -> Expand Preferences -> Control Panel -> Local Users and Groups -> New - Local User -> Select Update as the action -> type Administrator into the User name text box.
If you're not on a domain, then the best tool to use is the Windows System Image Manager, which comes as part of the Windows Automated Install Kit. You use this to open up a Windows Install Image (.wim) and select the accompanying unattend.xml which is used to automate the Windows Install.
The value you want to change using SIM will be found under : Microsoft-Windows-Shell-Setup | UserAccounts | AdministratorPassword
Here you can set the default admin password to whatever you wish.
You could do this with a script, using the net use syntax, but the problem there is triggering the script to run. In my opinion, these two methods here represent the best approach to solving this problem.
Related
We are building system controlled by computer running windows 10 ltsc 2021. It is kind of a kiosk system. There is an account, lets call it user1 with local admin rights that will autologon with no password. It also requires quite a few user account customizations.
In the previous version of windows 10 ltsc, i used a baseline windows installation, created the account to be used in kiosk mode and performed all customizations. I used sysprep with unattended file that had CopyProfile set to TRUE, then boot WinPE and use dism to capture image for distribution to new systems.
It worked well until the file associations were reset after imaging, I could work around this issue by deleting certain registry elements before running sysprep (it could be also done offline on captured image).
Then we started building systems based on win 10 ltsc 2021. Immediately started to have different issue. After applying image, all items in Windows security area were not clickable. I could not click for example on Virus and threat protection to setup some virus scans. Recreating user account would fix that (have to create secondary account, delete user1 and create new user1). However the recreated user account would not have all customizations we need.
I started experimenting with CopyProfile set to false. I go to audit mode right before creating user in original windows installation. I install updates, some extra apps we need and also make some non user account specific customizations. The idea is to create final kiosk user account by unattended file passed to sysprep. And here is where I have number of challenges. I create user account user1 in oobeSystem pass. I setup autologon. So far this will work. On first boot it will autologon and go thru the whole first user creation experience. What I need it to do is to have customized user account settings.
Is there a way to provide that via some unattended process? I also need to run one time powershell script on first boot, that performs additional system setups and customizations. Quick test to create FirstLogonCommand in oobeSystem with that should create new folder and simple text file shows that it fails to run. Maybe it runs the command before the user account/session is fully functional, I do not know. The goal is to be able to run specialized powershell script once in context of the user1 account.
Any thoughts?
There's currently a bug with sysprep and Windows 10 LTSC 2021.
After running sysprep, Windows security breaks for all existing users at the time sysprep was run. It works correctly for new users, including the one created on the OOEB account screen. Only the UI becomes inaccessible for existing users, while features seem to work correctly.
To fix it, you can run the following command in PowerShell as admin:
Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage
-DisableDevelopmentMode -Register “$($_.InstallLocation)\AppXManifest.xml”}
It might show some errors, but it will work. This resets the security app which will fix the UI not showing.
Unfortunately, I don't know how to stop this from happening in the first place.
Using PSEXEC and to run a VBS as LocalSystem account, to let the script run with admin rights.
VB script called prompts and GUIs are not visible if a person is connected to the computer via RDP.
You can see the script or GUI as a running process in task manager, but it is not visible.
Windows Security setting preventing this? Limitation of RDP?
Your script is running in an invisible desktop so you cannot run a denial of service attack on the interactive user of the physical computer.
This is normal.
State what your goal is rather than why your solution to an unknown problem doesn't work.
It doesn't matter your intentions.
This question is better suited to https://serverfault.com as you are trying to administer a network by programming rather than how it's designed to be administered.
Normally one uses logon scripts or group policy to set the RunOnce key.
I'm trying to automate a task using powershell and I need the computer to restart multiple times. I'm doing this by scheduling a job that runs at startup that executes different scripts, and after that I use Restart-Computer to reboot the pc.
My problem is that I want it to be completely autonomous, but right now I need to input username and password at startup to access my profile. I know that if there is a single user on the machine and if it doesn't have a password it gets logged in automatically, but there are two users on the machine. Is there a way to automatically login after a reboot to a pre-selected windows account with powershell? Thanks
EDIT: I also have to execute programs that have a GUI, so I need authentication anyways.
I'm working on a monitoring app that is running on a vm and I want my colleagues to be able to use it without connecting on the vm. It works fine but I have one problem.
One of my goals is to start/stop services using a batch file or a cmd file (using Class Runtime in my back). The problem is that I need the administrator privileges to do that. All the methods I found (as Runas or some batch files) only works if the user is on the vm and enter the password or click on the "do you want to run this application as administrator" pop up. I would like to not use the task scheduler to always start cmd as an admin. I already know you can use softwares as "Sanur" but I prefer not to.
The only way to make it works is to start the app as an admin and it works fine (I'm using the "net start/stop" command). But I would like to let everyone start this app (in case I'm not here).
It's not a problem to write the login/password in the file.
Is there a way to do so?
The vm runs on Windows 7.
Thank you in advance.
You don't need to be Administrator to start and stop a service, you just need the privilege. With Windows 7 Professional you can do this through the built-in group policy editor.
With Windows 7 Home, there is not policy editor.
I use a tool called SetACL to do this, e.g:
setacl -on "service-name" -ot srv -actn ace -ace "n:betrand;p:start_stop"
Where "service-name" is the name of the service, and betrand is the user which you want to allow to start and stop the service.
A complete list of options is available on the website:
https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/
Another option is the SubInACL tool directly from Microsoft.
I have a network file share with a number of shortcuts in it, each of which runs one of several applications which load data into them from that particular file share. The network file share & applications are located on a system running Server 2003, and all permissions on that file share have been unchanged.
The applications run fine when executed from a system running Windows XP. One system was just changed to Windows 7. In running the applications on Windows 7, the user was (then) a local administrator on that Windows 7 system. Initially, they each functioned properly, and I was able to print from one particular application. However, when the user is now no longer a local administrator on that system, the application will not print, saying it requires local admin permissions to do so. You can get around it by right-clicking and running with elevated permissions on the shortcut - the application will print & function fine.
However, remembering to right-click & run with elevated privileges is not easily remembered, especially when you've navigated down several levels in the application only to find you're unable to print from within the application.
The shortcuts are located either by using UNC names or by mapped drives (depending on the user). In my test, I'm using the UNC name -
\\servername\datafolder\content\myshortcut.lnk
If I go to Properties on the shortcut, the Compatibility Mode is greyed out and cannot be changed. However, if I go to the Troubleshoot Compatibility & accept the recommended settings - the application executes fine. However, when it tries to save the changes the Troubleshooter recommends, it says that the application is incompatible. (FWIW, the Fix Application sets CompatMode = #WINXPSP2 and UserVerifySolution = Verify_YES).
Short of:
Remembering to run the shortcut with elevated permissions, OR
Making the user an admin on the local system
is there a way to apply changes in compatibility mode across a number of shortcuts on a network share without making more of a mess, or opening these shortcuts with elevated privileges?
Thanks,
SC