PowerShell – Basic Form


Snapshot

The form…with dropdown selection, buttons, a label, an icon, and transparency.

 
Code

Clear-Host

# Using
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void][System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
[void][System.Windows.Forms.Application]::EnableVisualStyles()

# Create Form
$Form = New-Object system.Windows.Forms.Form 
$Form.Size = New-Object System.Drawing.Size(400,300) 
#$Form.Width = 400 
#$Form.Height = 300 
$Form.MaximizeBox = $false 
$Form.StartPosition = "CenterScreen" 
$Form.FormBorderStyle = 'Fixed3D' 
$Form.Text = "My Application" 

$Form.AutoSizeMode = "GrowAndShrink"    # or GrowOnly
$Form.MinimizeBox = $False
$Form.MaximizeBox = $False
$Form.WindowState = "Normal"            # Maximized, Minimized, Normal
$Form.SizeGripStyle = "Hide"            # Auto, Hide, Show
$Form.ShowInTaskbar = $True
$Form.Opacity = 0.7                     # 1.0 is fully opaque; 0.0 is invisible
$Form.StartPosition = "CenterScreen"    # CenterScreen, Manual, WindowsDefaultLocation, WindowsDefaultBounds, CenterParent


# Icon
$Icon = New-Object system.drawing.icon ("C:\Program Files (x86)\Microsoft Office\Office15\Groove\ToolIcons\COMPUTER.ICO")
$Form.Icon = $Icon

# Label
$Label = New-Object System.Windows.Forms.Label
$Label.Text = "This form is very simple."
$Label.AutoSize = $True
$Label.Location = New-Object System.Drawing.Size(120,50) 
$Font = New-Object System.Drawing.Font("Calibri",10,[System.Drawing.FontStyle]::Regular) 
$Form.Font = $Font
$Form.Controls.Add($Label)


# Drop Down Selection

# Create datatable to bind a combobox
$datatable = New-Object system.Data.DataTable

# Define Columns
$col1 = New-Object system.Data.DataColumn "Value",([string])
$col2 = New-Object system.Data.DataColumn "Text",([string])


# Add columns to Datatable
$datatable.columns.add($col1)
$datatable.columns.add($col2)
		
# 1 Create Row
$datarow1 = $datatable.NewRow()

# Enter data in row
$datarow1.Value = "Value 1"
$datarow1.Text = "Text 1"

# Add row to datatable
$datatable.Rows.Add($datarow1)


# 2 Create Row
$datarow2 = $datatable.NewRow()

#Enter data in the row
$datarow2.Value = "Value 2"
$datarow2.Text = "Text 2"

# Add the row to the datatable
$datatable.Rows.Add($datarow2)


# 3 Create Row
$datarow3 = $datatable.NewRow()

# Enter Data in row
$datarow3.Value = "Value 3"
$datarow3.Text = "Text 3"

# Add Row to datatable
$datatable.Rows.Add($datarow3)

# Create combobox
$combobox = New-Object System.Windows.Forms.ComboBox		
$combobox.Add_SelectedIndexChanged({
		#output the selected value and text
		write-host $combobox.SelectedItem["Value"] $combobox.SelectedItem["Text"]
})

# Clear Combo before bind
$combobox.Items.Clear()

# Bind Combobox to datatable
$combobox.ValueMember = "Value"
$combobox.DisplayMember = "Text"
$combobox.Datasource = $datatable

# Add Combobox to form
$form.Controls.Add($combobox)	


# Button 1
$Okbutton1 = New-Object System.Windows.Forms.Button 
$Okbutton1.Location = New-Object System.Drawing.Size(80,80)
$Okbutton1.Size = New-Object System.Drawing.Size(100,30)
$Okbutton1.Text = "OK1"
$Okbutton1.Add_Click({$Form.Close()
# do this with button
Write-Host "OK Button 1"}) 
$Form.Controls.Add($Okbutton1)

# Button 2
$Okbutton2 = New-Object System.Windows.Forms.Button 
$Okbutton2.Location = New-Object System.Drawing.Size(200,80)
$Okbutton2.Size = New-Object System.Drawing.Size(100,30)
$Okbutton2.Text = "OK2"
$Okbutton2.Add_Click({$Form.Close() 
# do this with button
Write-Host "OK Button 2"}) 
$Form.Controls.Add($Okbutton2)

# Show form
[void]$form.showdialog()

SCCM – Stamp Registry in Task Sequence


To stamp the registry in a Task Sequence, create two Run Commands in the Post Setup group (I add these as the final steps):

The first command sets the field where the Model is normally displayed; the second records when the image was built:

#1
cmd /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v Model /t REG_SZ /d "ABC WIN10 1.0" /f /reg:64

#2
cmd /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v BuildDate /t REG_SZ /d "%DATE% %TIME%" /f /reg:64

 

You may also use this to set Computer Description

cmd /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v svrcomment /t REG_SZ /d "ABC WIN10 1.0" /f

SCCM – Activate Office 2016 in Task Sequence


To activate Office 2016 in a Task Sequence, create two Run Commands in the Post Setup group:

 

32 Bit

#1
cmd /c cscript.exe "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /inpkey:SSSSS-DDDDD-WWWWW-TTTTT-GGGGG

#2
cmd /c cscript.exe "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /act

 

64 Bit

#1
cmd /c cscript.exe "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /inpkey:SSSSS-DDDDD-WWWWW-TTTTT-GGGGG

#2
cmd /c cscript.exe "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /act

 

* Note, this is for Office 32 bit.

SCCM – Task Sequence Variables


Task Sequence Built-in Variable List

The following list describes the built-in variables that are available in Configuration Manager:

Built-in Variable Name Description
_SMSTSAdvertID Stores the current running task sequence deployment unique ID. It uses the same format as a Configuration Manager software distribution deployment ID. If the task sequence is running from stand-alone media, this variable is undefined.

Example:

ABC20001

_TSAppInstallStatus For System Center 2012 R2 Configuration Manager and later:

The task sequence sets the _TSAppInstallStatus variable with the installation status for the application during the Install Application task sequence step. The task sequence sets the variable with one of the following values:

  1. Undefined: Set when the Install Application task sequence step has not been run.
  2. Error: Set when at least one application failed because of an error during the Install Application task sequence step.
  3. Warning: Set when no errors occur during the Install Application task sequence step, but one or more applications, or a required dependency, did not install because a requirement was not met.
  4. Success: Set when no errors or warnings are detected during the Install Application task sequence step.
_SMSTSBootImageID Stores the Configuration Manager boot image package ID if a boot image package is associated with the current running task sequence. The variable will not be set if no Configuration Manager boot image package is associated.

Example:

ABC00001

_SMSTSBootUEFI For System Center 2012 Configuration Manager SP1 and later:

The task sequence sets the _SMSTSBootUEFI variable when it detects a computer that is in UEFI mode.

_SMSTSClientGUID Stores the value of Configuration Manager client GUID. This variable is not set if the task sequence is running from stand-alone media.

Example:

0a1a9a4b-fc56-44f6-b7cd-c3f8ee37c04c

_SMSTSCurrentActionName Specifies the name of the currently running task sequence step. This variable is set before the task sequence manager runs each individual step.

Example:

run command line

_SMSTSDownloadOnDemand Set to true if the current task sequence is running in download-on-demand mode, which means the task sequence manager downloads content locally only when it must access the content.
_SMSTSInWinPE This variable is set to true when the current task sequence step is running in the Windows PE environment, and it is set to false if not. You can test this task sequence variable to determine the current operating system environment.
_SMSTSLastActionRetCode Stores the return code that was returned by the last action that was run. This variable can be used as a condition to determine if the next step is run.

Example:

0

_SMSTSLastActionSucceeded The variable is set to true if the last action succeeded and to false if the last action failed. If the last action was skipped because the step was disabled or the associated condition evaluated to false, this variable is not reset, which means it still holds the value for the previous action.
_SMSTSLaunchMode Specifies the task sequence launch method. The task sequence can have the following values:

  • SMS – specifies that the task sequence is started by using the Configuration Manager client.
  • UFD – specifies that the task sequence is started by using USB media and that the USB media was created in Windows XP/2003.
  • UFD+FORMAT – specifies that the task sequence is started by using USB media and that the USB media was created in Windows Vista or later.
  • CD – specifies that the task sequence is started by using a CD.
  • DVD – specifies that the task sequence is started by using a DVD.
  • PXE – specifies that the task sequence is started from PXE.
  • HD – specifies that the task sequence was started from a hard disk (prestaged media only).
_SMSTSLogPath Stores the full path of the log directory. This can be used to determine where actions are logged. This value is not set when a hard drive is not available.
_SMSTSMachineName Stores and specifies the computer name. Stores the name of the computer that the task sequence will use to log all status messages. To change the computer name in the new operating system, use the OSDComputerName variable.

Example:

ABC

_SMSTSMDataPath Specifies the path defined by the SMSTSLocalDataDrive variable. When you define SMSTSLocalDataDrive before the task sequence starts, such as by setting a collection variable, Configuration Manager then defines the _SMSTSMDataPath variable once the Task Sequence starts.
_SMSTSMediaType Specifies the type of media that is used to initiate the installation. Examples of types of media are Boot Media, Full Media, PXE, and Prestaged Media.
_SMSTSMP Stores the name or IP address of a Configuration Manager management point.
_SMSTSMPPort Stores the management point port number of a Configuration Manager management point.

Example:

80

_SMSTSOrgName Stores the branding title name that is displayed in a task sequence progress user interface dialog box.

Example:

XYZ Organization

_SMSTSPackageID Stores the current running task sequence ID. This ID uses the same format as a Configuration Manager software package ID.

Example:

HJT00001

_SMSTSPackageName Stores the current running task sequence name specified by the Configuration Manager administrator when the task sequence is created.

Example:

Deploy Windows 7 task sequence

_SMSTSRunFromDP Set to true if the current task sequence is running in run-from-distribution-point mode, which means the task sequence manager obtains required package shares from distribution point.
_SMSTSSiteCode Stores the site code of the Configuration Manager site.

Example:

ABC

_SMSTSType Specifies the type of the current running task sequence. It can have the following values:

1 – indicates a generic task sequence.

2 – indicates an operating system deployment task sequence.

_SMSTSTimezone The _SMSTSTimezone variable stores the time zone information in the following format (without spaces):

Bias, StandardBias, DaylightBias, StandardDate.wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds, DaylightDate.wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds, StandardName, DaylightName

Example:

For the Eastern Time U.S. and Canada, the value would be 300,0,-60,0,11,0,1,2,0,0,0,0,3,0,2,2,0,0,0,Eastern Standard Time,Eastern Daylight Time

_SMSTSUseCRL Specifies whether the task sequence uses the certificate revocation list when it uses a Secure Socket Layer (SSL) certificate to communicate with the management point.
_SMSTSUserStarted Specifies whether a task sequence is started by a user. This variable is set only if the task sequence is started from the Software Center. For example, if _SMSTSLaunchMode is set to SMS. The variable can have the following values:

  • true – specifies that the task sequence is manually started by a user from the Software Center.
  • false – specifies that the task sequence is initiated automatically by the Configuration Manager scheduler.
_SMSTSUseSSL Specifies whether the task sequence uses SSL to communicate with the Configuration Manager management point. If your site is running in native mode, the value is set to true.
_SMSTSWTG For System Center 2012 Configuration Manager SP1 and later:

Specifies if the computer is running as a Windows To Go device.

SMSTSAssignmentsDownloadInterval For System Center 2012 Configuration Manager SP1 and later:

Use this variable to specify the number of seconds to wait before the client will attempt to download the policy since the last attempt (which returned no policies). By default, the client will wait 0 seconds before retrying.

You can set this variable by using a prestart command from media or PXE.

SMSTSAssignmentsDownloadRetry For System Center 2012 Configuration Manager SP1 and later:

Use this variable to specify the number of times a client will attempt to download the policy after no policies are found on the first attempt. By default, the client will retry 0 times.

You can set this variable by using a prestart command from media or PXE.

SMSTSAssignUsersMode Specifies how a task sequence associates users with the destination computer. Set the variable to one of the following values.

  • Auto: The task sequence creates a relationship between the specified users and destination computer when it deploys the operating system to the destination computer.
  • Pending: The task sequence creates a relationship between the specified users and the destination computer, but waits for approval from the administrative user before the relationship is set.
  • Disabled: The task sequence does not associate users with the destination computer when it deploys the operating system.
SMSTSDownloadProgram For System Center 2012 Configuration Manager SP1 and later:

Use this variable to specify an Alternate Content Provider, a downloader program that is used to download content instead of the default Configuration Manager downloader, for the task sequence. As part of the content download process, the task sequence checks the variable for a specified downloader program. If specified, the task sequence runs the program to perform the download.

SMSTSDownloadRetryCount For System Center 2012 R2 Configuration Manager and later:

Use this variable to specify the number of times that Configuration Manager attempts to download content from a distribution point. By default, the client will retry 2 times.

SMSTSDownloadRetryDelay For System Center 2012 R2 Configuration Manager and later:

Use this variable to specify the number of seconds that Configuration Manager waits before it retries to download content from a distribution point. By default, the client will wait 15 seconds before retrying.

SMSTSErrorDialogTimeout When an error occurs in a task sequence, a dialog box is displayed that is automatically dismissed after the number of seconds specified by this variable. By default, the dialog box is automatically dismissed after 900 seconds (15 minutes).
TSErrorOnWarning For System Center 2012 R2 Configuration Manager and later:

Use this variable to specify whether the task sequence engine considers a detected warning as an error during the Application Installation task sequence step. The task sequence sets the _TSAppInstallStatus variable to Warning when one or more applications, or a required dependency, did not install because a requirement was not met. When you set the TSErrorOnWarning variable to True and the _TSAppInstallStatus variable is set to Warning, it is treated as an error. A value of False is the default behavior.

SMSTSLanguageFolder For System Center 2012 Configuration Manager SP1 and later:

Use this variable to change the display language of a language neutral boot image.

SMSTSLocalDataDrive Specifies where temporary files are stored on the destination computer while the task sequence is running.

This variable must be set before the task sequence starts, such as by setting a collection variable. Once the task sequence starts, Configuration Manager defines the _SMSTSMDataPath variable from it.

SMSTSMPListRequestTimeout For System Center 2012 R2 Configuration Manager and later:

Use this variable to specify how many milliseconds a task sequence waits before it retries to install an application after it fails to retrieve the management point list from location services. By default, the task sequence waits 60,000 milliseconds (60 seconds) before it retries the step, and retries up to three times. This variable is applicable only to the Install Application task sequence step.

SMSTSPersistContent For System Center 2012 Configuration Manager SP1 and later:

Use this variable to temporarily persist content in the task sequence cache.

SMSTSPostAction For System Center 2012 Configuration Manager SP1 and later:

Specifies a command that is run after the task sequence completes. For example, you can use this variable to specify a script that enables write filters on embedded devices after the task sequence deploys an operating system to the device.

SMSTSPreferredAdvertID Forces a specific targeted deployment on the destination computer to be run. This can be set through a prestart command from media or PXE. If this variable is set, the task sequence overrides any required deployments.
OSDPreserveDriveLetter For System Center 2012 Configuration Manager SP1 and later:

This variable determines whether or not the task sequence uses the drive letter captured in the operating system image WIM file when applying that image to a destination computer. In Configuration Manager with no service pack, the drive letter captured in the WIM file is used when applying the operating system image WIM file. In Configuration Manager SP1, you can set the value for this variable to False to use the location that you specify for the Destination setting in the Apply Operating System task sequence step. For more information about the Apply Operating System task sequence step, see the Apply Operating System Image section in the Task Sequence Steps in Configuration Manager topic.

SMSTSRebootDelay Specifies how many seconds to wait before the computer restarts. The task sequence manager will display a notification dialog before reboot if this variable is not set to 0.

Examples:

0

30

SMSTSRebootMessage Specifies the message to display in the shutdown dialog box when a restart is requested. If this variable is not set, a default message will appear.

Example:

This computer is being restarted by the task sequence manager.

SMSTSRebootRequested Indicates that a restart is requested after the current task sequence step is completed. If a restart is required, just set this variable to true, and the task sequence manager will restart the computer after this task sequence step. The task sequence step must set this task sequence variable if it requires the restart to complete the task sequence step. After the computer is restarted, the task sequence will continue to run from the next task sequence step.
SMSTSRetryRequested Requests a retry after the current task sequence step is completed. If this task sequence variable is set, the SMSTSRebootRequested must also be set to true. After the computer is restarted, the task sequence manager will rerun the same task sequence step.
SMSTSUDAUsers Specifies the primary user of the destination computer. Specify the users by using the following format. Separate multiple users by using a comma (,).

Example:

domain\user1, domain\user2, domain\user3

For more information about associating users with the destination computer, see How to Associate Users with a Destination Computer.

SCCM – PowerShell, VBScript – Name Computer in Task Sequence


This is how you automate the process of naming computers during OSD.

PowerShell Method

First, create an application package, but choose Do not create a program, instead of Standard for the program type.


OSDComputerName.ps1

$SerialNumber = (Get-WmiObject -Class Win32_BIOS | Select-Object SerialNumber).SerialNumber
$OSDComputerName = "ABC-" + $SerialNumber
$TSEnv = New-Object -COMObject Microsoft.SMS.TSEnvironment
#$TSEnv.Value("$env:computername") = "$OSDComputerName"
$TSEnv.Value("OSDComputerName") = "$OSDComputerName"

#Rename-Computer -ComputerName "$env:computername" -NewName "$OSDComputerName"
#Rename-Computer -ComputerName "OSDComputerName" -NewName "$OSDComputerName"

 

Next, in the Task Sequence, create three Run Commands:

#1
powershell.exe -noprofile -command "Set-ExecutionPolicy Bypass LocalMachine -Force"

#2
powershell.exe -noprofile -file OSDComputerName.ps1
* make sure you link the empty package (the application package with no program) that contains OSDComputerName.ps1 to this step

#3
powershell.exe -noprofile -command "Set-ExecutionPolicy RemoteSigned LocalMachine -Force"

* Note, this method does require that PowerShell be enabled in the boot.wim
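The script above concatenates the raw BIOS serial onto the prefix, which can produce a name longer than 15 characters or one containing characters Windows rejects. The following is an added example, not part of the original post, that builds the name while enforcing the computer-name rules and falls back to a visible failure (a non-zero exit code, which lands in _SMSTSLastActionRetCode from the variable list above) rather than a bad name; the function name, its parameters and the placeholder-serial list are this example's own.

```powershell
# Added example: derive a valid OSDComputerName from the BIOS serial number.
# Assumes the "ABC-" prefix used in the post; New-OSDComputerName is not an
# SCCM or Windows cmdlet but a helper defined here.
function New-OSDComputerName {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$SerialNumber,
        [string]$Prefix = 'ABC-'
    )
    # NetBIOS computer names: at most 15 characters, letters/digits/hyphens only,
    # and not made up solely of digits.
    $maxLength = 15
    $serial = $SerialNumber.ToUpper() -replace '[^A-Z0-9]', ''

    # Some firmware ships a placeholder instead of a real serial. Using it would
    # give every such machine the same name, so refuse instead (constructed list).
    $placeholders = @('', 'TOBEFILLEDBYOEM', 'DEFAULTSTRING', 'SYSTEMSERIALNUMBER', '0123456789')
    if ($placeholders -contains $serial) {
        throw "BIOS serial '$SerialNumber' is a placeholder; refusing to generate a name"
    }

    $room = $maxLength - $Prefix.Length
    if ($room -lt 1) { throw "Prefix '$Prefix' leaves no room for the serial" }
    # Keep the tail of the serial; that is normally the part that varies per unit.
    if ($serial.Length -gt $room) { $serial = $serial.Substring($serial.Length - $room) }

    $name = ($Prefix + $serial).TrimEnd('-')
    if ($name -notmatch '^[A-Z0-9][A-Z0-9-]{0,14}$' -or $name -match '^[0-9]+$') {
        throw "Generated name '$name' is not a valid computer name"
    }
    return $name
}

# Task sequence usage: read the serial, validate, publish the variable.
$serial = (Get-WmiObject -Class Win32_BIOS).SerialNumber
$computerName = New-OSDComputerName -SerialNumber $serial -Prefix 'ABC-'

try {
    # Microsoft.SMS.TSEnvironment only exists while a task sequence is running.
    $TSEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $TSEnv.Value('OSDComputerName') = $computerName
} catch {
    # Outside a task sequence (testing the script by hand) just show the result.
    Write-Output "OSDComputerName would be set to $computerName"
}
```

If the serial is a placeholder or the name is invalid, the uncaught throw makes powershell.exe exit non-zero, so the step fails and _SMSTSLastActionSucceeded is false instead of the machine being imaged under a bad name.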

 

VBScript Method

Make an item in Post Setup pointing to this script. Add a SCCM Restart.

on error resume next

Dim computername

strComputer = "."

Set objWMIservice = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

set colitems = objWMIservice.ExecQuery("Select * from Win32_BIOS",,48)

For each objitem in colitems
'Wscript.echo "Dell Service Tag: " & objitem.serialnumber
computername = objitem.serialnumber

Next

'returns machine model number only
'PRIMARY MODEL DETECTION
Set objWMI = GetObject("winmgmts:")
Set colSettings = objWMI.ExecQuery("Select * from Win32_ComputerSystem")

For Each objComputer in colSettings
LaptopModel = Trim(objComputer.Model)
Next

Select Case LaptopModel

Case "HP EliteBook 840 G3"
strModel = "8403"

Case "HP EliteBook 840 G2"
strModel = "8402"

Case "HP EliteBook 840 G1"
strModel = "8401"

Case "HP EliteBook Folio 9480m"
strModel = "9480"

Case "HP EliteBook Folio 9470m"
strModel = "9470"

Case "HP EliteBook Folio 9460m"
strModel = "9460"

Case "HP EliteBook 8470p"
strModel = "8470"

Case "HP EliteBook 8460p"
strModel = "8460"

Case "HP EliteBook 8450p"
strModel = "8450"

Case "HP EliteBook 8440p"
strModel = "8440"

Case "HP EliteBook 6930p"
strModel = "6930"

Case "HP EliteBook 2530p"
strModel = "2530"

Case "HP EliteBook 2540p"
strModel = "2540"

Case "HP Compaq dc7900 Small Form Factor"
strModel = "7900"

Case "HP Compaq 8000 Elite SFF PC"
strModel = "8000"

Case "HP Compaq 8200 Elite SFF PC"
strModel = "8200"

Case "OptiPlex 755"
strModel = "755"

Case "OptiPlex 745"
strModel = "745"

Case "Latitude D630"
strModel = "630"

Case "Latitude D620"
strModel = "620"

Case "Latitude D430"
strModel = "430"

End Select

'SECONDARY MODEL DETECTION
'used for models not explicitly defined
if strModel = "" then
'msgbox "no model was detected"
myLength = Len(LaptopModel)

For i = 1 To myLength
If Asc(Mid(LaptopModel, i, 1)) <> 32 Then
If Asc(Mid(LaptopModel, i, 1)) >= 48 And Asc(Mid(LaptopModel, i, 1)) <= 57 Then
myNumber = myNumber & Mid(LaptopModel, i, 1)
End If
Else
'msgbox("no numeric")
End If
Next
'msgbox(myNumber)
strModel = myNumber
end if

'testing only
'msgbox strModel

'renames machine with model number - service tag
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colComputers = objWMIService.ExecQuery ("Select * from Win32_ComputerSystem")

For Each objComputer in colComputers

err = objComputer.Rename(strModel & "-" & computername)

Next

WScript.Quit(0)

 

 

Notes

Command Line

netdom renamecomputer member /newname:member1.contoso.com /userd:administrator

 

PowerShell

Rename-Computer -ComputerName "$env:computername" -NewName "NewComputerName"

Rename-Computer -ComputerName "OSDComputerName" -NewName "NewComputerName"


Remotely Rename

$TargetComp = Read-Host -Prompt "Enter the name of the computer you want to rename"
$Credential = Get-Credential
$computerName = Get-WmiObject Win32_ComputerSystem -ComputerName $TargetComp -Authentication 6
Write-Host "Current Computer Name is" $computerName.Name
$name = Read-Host -Prompt "Please enter the computer name you want to use"
Write-Host "New Computer Name" $name
$Go = Read-Host -Prompt "Proceed with computer name change? (Y / N)"
If (($Go -eq "Y") -or ($Go -eq "y"))
{
    # Win32_ComputerSystem.Rename(Name, Password, UserName); a return of 0 means success
    $computerName.Rename($name, $Credential.GetNetworkCredential().Password, $Credential.UserName)
}
$Reboot = Read-Host -Prompt "Do you want to restart the computer? (Y / N)"
If (($Reboot -eq "Y") -or ($Reboot -eq "y"))
{
    Restart-Computer -ComputerName $TargetComp
}

Citrix Receiver – Disable Add Account Pop up


Screenshot

 

Single User

REG ADD "HKCU\Software\Citrix\Receiver" /f /v "HideAddAccountOnRestart" /t REG_DWORD /d "1"

 
For your image

1. Load the Default profile registry hive.

a. Open regedit.

b. Select HKEY_USERS, then click File > Load Hive

c. In the File name type: C:\Users\Default\ntuser.dat and click Open.

d. Type DefaultUser as the Key Name and click OK.

2. Navigate to HKEY_USERS > DefaultUser > Software > Citrix > Receiver

3. Create a new DWORD (32-bit) Value and name it HideAddAccountOnRestart.

4. Set the value data to 1.

5. Unload the Default User hive by selecting DefaultUser, then click File > Unload Hive.

 

Notes

REG ADD "HKLM\Software\Policies\Citrix" /f /v "EnableX1FTU" /t REG_DWORD /d "0"

https://support.citrix.com/article/CTX135438.?_ga=2.137409657.835403622.1516202909-1506665665.1515700878

 

Java Client – Disable Auto Updates


Tested under Windows 7 & 10

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f /reg:64

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy" /v EnableAutoUpdateCheck /t REG_DWORD /d 0 /f /reg:64

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy" /v EnableJavaUpdate /t REG_DWORD /d 0 /f /reg:64

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy" /v NotifyDownload /t REG_DWORD /d 0 /f /reg:64

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f /reg:32

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy" /v EnableAutoUpdateCheck /t REG_DWORD /d 0 /f /reg:32

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy" /v EnableJavaUpdate /t REG_DWORD /d 0 /f /reg:32

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy" /v NotifyDownload /t REG_DWORD /d 0 /f /reg:32

Office 2016 – Disable the First things first Window


When launching one of the Office apps on first login, the user will receive a First things first window. To disable this window, apply the reg keys below.

Screenshot

 

Single User Method

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Common\General]
"OptInDisable"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Registration]
"AcceptAllEulas"=dword:00000001

* Note, you may need RW permissions to the Microsoft key…if you do, add Authenticated Users with RW permissions.

 

Default User Profile Method

REG LOAD HKLM\DEFAULT C:\Users\Default\ntuser.dat

REG ADD "HKLM\DEFAULT\SOFTWARE\Policies\Microsoft\Office\16.0\Common\General" /v "OptInDisable" /t REG_DWORD /d 1 /f /REG:64

REG ADD "HKLM\DEFAULT\SOFTWARE\Policies\Microsoft\Office\16.0\Registration" /v "AcceptAllEulas" /t REG_DWORD /d 1 /f /REG:64

REG UNLOAD HKLM\DEFAULT

 

Or, if you’re really crafty, launch this as admin when the user logs in

on error resume next

Set objShell = CreateObject("Wscript.Shell")

Const HKEY_LOCAL_MACHINE = &H80000002

Const OverwriteExisting = TRUE

'SETS CURRENT DIRECTORY TO VARIABLE
strCurrentDirectory = objShell.CurrentDirectory

'SETS COMPUTER NAME
strComputer = "."

'SET UP WMI
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

'SET UP REGISTRY
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProfileList"

objRegistry.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubkeys

For Each objSubkey In arrSubkeys

on error resume next

strValueName = "ProfileImagePath"

strSubPath = strKeyPath & "\" & objSubkey

objRegistry.GetExpandedStringValue HKEY_LOCAL_MACHINE,strSubPath,strValueName,strValue

Const POPUP_TITLE = "User To SID Conversion"

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set objAccount = objWMIService.Get("Win32_SID.SID='" & objSubkey & "'")

strUser = objAccount.AccountName

'strDomain = objAccount.ReferencedDomainName'returns referenced domain

'PROFILE NAME & SID
objSubkey = trim(objSubkey)'trims whitespace

strUser = trim(strUser)'trims whitespace

'LOGIC TO DETERMINE IF REGISTRY ACCOUNT IS TO BE ACCESSED
if strUser = "SYSTEM" then strUser = ""
if strUser = "LOCAL SERVICE" then strUser = ""
if strUser = "NETWORK SERVICE" then strUser = ""
'if strUser = "Administrator" then strUser = ""
if strUser = "Default" then strUser = ""

if strUser <> "" then

on error resume next

'APPLY REG KEYS

objShell.Run "%comspec% /c reg.exe add "&chr(34)&"HKEY_USERS\" & objSubkey & "\SOFTWARE\Policies\Microsoft\Office\16.0\Common\General"&chr(34)&" /t REG_DWORD /v ""OptInDisable"" /d 1 /f",0,true

objShell.Run "%comspec% /c reg.exe add "&chr(34)&"HKEY_USERS\" & objSubkey & "\SOFTWARE\Policies\Microsoft\Office\16.0\Registration"&chr(34)&" /t REG_DWORD /v ""AcceptAllEulas"" /d 1 /f",0,true

Wscript.Sleep 1000

end if

Next

 

Notes

PowerShell – Change Registry Permissions

SCCM – Imaging, Join Domain Fails in Task Sequence


If you have computers that aren’t joining the domain during the task sequence, and you receive the following errors in the C:\Windows\debug\NetSetup.log file, the cause is most likely the rights on the service account used on the Join Domain/Apply Network Settings item in the task sequence.

NetpMapGetLdapExtendedError: Parsed [0x5] from server extended error string: 00000005: SecErr: DSID-031A11CC, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

NetpModifyComputerObjectInDs: ldap_modify_s failed: 0x32 0x5

NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x5

NetpProvisionComputerAccount: LDAP creation failed: 0x5 

 

To fix this, you need to modify the service account delegation rights. In ADUC:

  1. Identify the security principal that you want to delegate permissions for.
  2. Identify the container or OU where you want to allow users to manipulate computer objects.
  3. Right click the container or OU and choose Delegate Control.
  4. The Delegation of Control Wizard opens, click Next.
  5. The Users or Groups window opens:
    Select the security principal you want to grant permissions to, and then click Next again.
  6. The Tasks to Delegate window opens:
    Select Create a custom task to delegate and click Next.
  7. The Active Directory Object Type window opens:
    Select Only the following objects in the folder and then select Computer objects. At the bottom of the window, select Create selected objects in this folder and Delete selected objects in this folder, and click Next.
  8. The Permissions window opens:
    Select General and Property-specific options, and then select these permissions:
    – Read All Properties
    – Write All Properties
    – Reset Password
    – Read and write Account Restrictions
    – Validated write to DNS host name
    – Validated write to service principal name
  9. The Completing the Delegation of Control Wizard window will open showing you a summary of the actions. Click Finish.

Test your imaging process now.

 

Notes

https://social.technet.microsoft.com/Forums/ie/en-US/c0a41fec-4390-4b74-89eb-9299691a3e33/allow-user-to-bind-and-filter-ldap-and-change-password?forum=winserversecurity


 

Windows – UserAccountControl Attribute


UserAccountControl Attribute/Flag Values

Searching Active Directory attributes using DSQUERY commands or scripts is not difficult. You can acquire the values directly from the attribute. However, searching the statuses for enabled, disabled, PasswordExpired, etc., can be challenging because these properties and values are not stored in their own attributes. These account properties are controlled by an attribute called userAccountControl.

UserAccountControl is a 4-byte (32-bit) integer that holds a bitwise enumeration of flags; these flags control the behavior of the object. The attributeID (ruleOID) of this attribute is 1.2.840.113556.1.4.8. An attributeID is a unique X.500 Object Identifier (OID) that identifies an attribute.

How do I search userAccountControl values in Active Directory?

It is like searching any other attribute in Active Directory, except that the userAccountControl value must be given numerically and compared through an LDAP matching rule. The syntax of the LDAP matching rule is

attributename:ruleOID:=value

…where attributename is the LDAP display name (in this case userAccountControl), ruleOID is the attributeID of the matching rule control (in this case 1.2.840.113556.1.4.80X; the two rules are explained below), and value is the decimal value you want to search for.

The following DSQUERY command returns all disabled user accounts in Active Directory.

dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -attr name

userAccountControl = 2 is the ADS_UF_ACCOUNTDISABLE bit; any account with this bit set is disabled.

The following DSQUERY command returns all users with the 'Password Never Expires' setting enabled.

dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr name

userAccountControl = 65536 is the ADS_UF_DONT_EXPIRE_PASSWD bit; any account with this bit set has the 'Password Never Expires' flag enabled.


———————————–

Note

The UserAccountControl =XXXXX portion will be what you look up in the attribute table (see below).

———————————–

 

Where did the 1.2.840.113556.1.4.803 attributeID (ruleOID) come from?

The attributeID (ruleOID) of the matching rule can be either the bitwise AND rule (1.2.840.113556.1.4.803) or the bitwise OR rule (1.2.840.113556.1.4.804).

1.2.840.113556.1.4.803 – The bitwise AND operator (LDAP_MATCHING_RULE_BIT_AND). The rule matches only if every bit set in the value is also set in the attribute.

1.2.840.113556.1.4.804 – The bitwise OR operator (LDAP_MATCHING_RULE_BIT_OR). The rule matches if at least one bit set in the value is also set in the attribute.

 

Attribute Table

A comprehensive list of UserAccountControl attribute/flag values

Property Flag                                                         Hex Value   Decimal Value   Not Officially Documented
SCRIPT                                                                0x0001      1
ACCOUNTDISABLE                                                        0x0002      2
HOMEDIR_REQUIRED                                                      0x0008      8
LOCKOUT                                                               0x0010      16
PASSWD_NOTREQD                                                        0x0020      32
PASSWD_CANT_CHANGE                                                    0x0040      64
ENCRYPTED_TEXT_PWD_ALLOWED                                            0x0080      128
TEMP_DUPLICATE_ACCOUNT                                                0x0100      256
NORMAL_ACCOUNT                                                        0x0200      512
Disabled Account                                                      0x0202      514             x
Enabled, Password Not Required                                        0x0220      544             x
Disabled, Password Not Required                                       0x0222      546             x
INTERDOMAIN_TRUST_ACCOUNT                                             0x0800      2048
WORKSTATION_TRUST_ACCOUNT                                             0x1000      4096
SERVER_TRUST_ACCOUNT                                                  0x2000      8192
DONT_EXPIRE_PASSWORD                                                  0x10000     65536
Enabled, Password Doesn’t Expire                                      0x10200     66048           x
Disabled, Password Doesn’t Expire                                     0x10202     66050           x
Disabled, Password Doesn’t Expire & Not Required                      0x10222     66082           x
MNS_LOGON_ACCOUNT                                                     0x20000     131072
SMARTCARD_REQUIRED                                                    0x40000     262144
Enabled, Smartcard Required                                           0x40200     262656          x
Disabled, Smartcard Required                                          0x40202     262658          x
Disabled, Smartcard Required, Password Not Required                   0x40222     262690          x
Disabled, Smartcard Required, Password Doesn’t Expire                 0x50202     328194          x
Disabled, Smartcard Required, Password Doesn’t Expire & Not Required  0x50222     328226          x
TRUSTED_FOR_DELEGATION                                                0x80000     524288
Domain controller                                                     0x82000     532480
NOT_DELEGATED                                                         0x100000    1048576
USE_DES_KEY_ONLY                                                      0x200000    2097152
DONT_REQ_PREAUTH                                                      0x400000    4194304
PASSWORD_EXPIRED                                                      0x800000    8388608
TRUSTED_TO_AUTH_FOR_DELEGATION                                        0x1000000   16777216
PARTIAL_SECRETS_ACCOUNT                                               0x04000000  67108864

 

Notes

Property flag descriptions

  • SCRIPT – The logon script will be run.
  • ACCOUNTDISABLE – The user account is disabled.
  • HOMEDIR_REQUIRED – The home folder is required.
  • PASSWD_NOTREQD – No password is required.
  • PASSWD_CANT_CHANGE – The user cannot change the password. This is a permission on the user’s object. For information about how to programmatically set this permission, visit the following Web site:
  • ENCRYPTED_TEXT_PASSWORD_ALLOWED – The user can send an encrypted password.
  • TEMP_DUPLICATE_ACCOUNT – This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account.
  • NORMAL_ACCOUNT – This is a default account type that represents a typical user.
  • INTERDOMAIN_TRUST_ACCOUNT – This is a permit to trust an account for a system domain that trusts other domains.
  • WORKSTATION_TRUST_ACCOUNT – This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.
  • SERVER_TRUST_ACCOUNT – This is a computer account for a domain controller that is a member of this domain.
  • DONT_EXPIRE_PASSWD – The password on this account never expires.
  • MNS_LOGON_ACCOUNT – This is an MNS logon account.
  • SMARTCARD_REQUIRED – When this flag is set, it forces the user to log on by using a smart card.
  • TRUSTED_FOR_DELEGATION – When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
  • NOT_DELEGATED – When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
  • USE_DES_KEY_ONLY – (Windows 2000/Windows Server 2003) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
  • DONT_REQUIRE_PREAUTH – (Windows 2000/Windows Server 2003) This account does not require Kerberos pre-authentication for logging on.
  • PASSWORD_EXPIRED – (Windows 2000/Windows Server 2003) The user’s password has expired.
  • TRUSTED_TO_AUTH_FOR_DELEGATION – (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client’s identity and authenticate as that user to other remote servers on the network.
  • PARTIAL_SECRETS_ACCOUNT – (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server.

UserAccountControl values

These are the default UserAccountControl values for certain object types:

  • Typical user : 0x200 (512)
  • Domain controller : 0x82000 (532480)
  • Workstation/server: 0x1000 (4096)

To set or erase bits in the userAccountControl attribute

Const ADS_UF_ACCOUNT_DISABLE = 2
Const ADS_UF_HOMEDIR_REQUIRED = 8
Const ADS_UF_LOCKOUT = 16
Const ADS_UF_PASSWD_NOTREQD = 32
Const ADS_UF_PASSWD_CANT_CHANGE = 64
Const ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 128
Const ADS_UF_NORMAL_ACCOUNT = 512
Const ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 2048
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = 4096
Const ADS_UF_SERVER_TRUST_ACCOUNT = 8192
Const ADS_UF_DONT_EXPIRE_PASSWD = 65536
Const ADS_UF_MNS_LOGON_ACCOUNT = 131072
Const ADS_UF_SMARTCARD_REQUIRED = 262144
Const ADS_UF_TRUSTED_FOR_DELEGATION = 524288
Const ADS_UF_NOT_DELEGATED = 1048576
Const ADS_UF_USE_DES_KEY_ONLY = 2097152
Const ADS_UF_DONT_REQUIRE_PREAUTH = 4194304
Const ADS_UF_PASSWORD_EXPIRED = 8388608
Const ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 16777216
Const ADS_UF_NO_AUTH_DATA_REQUIRED = 33554432
Const ADS_UF_PARTIAL_SECRETS_ACCOUNT = 67108864

Set obj = GetObject("LDAP://cn=site,ou=user,dc=contoso,dc=com")

'Disable the user (set the flag bit):
obj.userAccountControl = obj.userAccountControl Or ADS_UF_ACCOUNT_DISABLE
obj.SetInfo

'Enable the user (clear the flag bit). Use And Not rather than Xor:
'Xor toggles the bit, so on an account that is already enabled it would
'set the bit and disable the account instead of leaving it enabled.
obj.userAccountControl = obj.userAccountControl And (Not ADS_UF_ACCOUNT_DISABLE)
obj.SetInfo
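As an added example (not part of the original page or of Microsoft's script), the following Python models the two matching rules described under "Where did the 1.2.840.113556.1.4.803 attributeID come from?" and the set/clear flag operations from the script above, so the bit logic can be checked offline; it also generalises the dsquery filter to either rule. The account names and values are constructed, and the SAMPLE dictionary stands in for the directory.

```python
# Added example, not from the original page: models the two LDAP bitwise
# matching rules and the set/clear flag operations locally. Flag values are
# from the attribute table above; the sample accounts are constructed.
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR

UAC_FLAGS = {
    "SCRIPT": 0x0001, "ACCOUNTDISABLE": 0x0002, "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010, "PASSWD_NOTREQD": 0x0020, "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080, "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200, "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000, "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000, "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000, "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000, "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000, "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x4000000,
}

def decode_uac(value):
    """Names of every flag set in a userAccountControl value, in bit order."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def matches(value, mask, rule=BIT_AND):
    """Evaluate (userAccountControl:<rule>:=mask) as the directory would."""
    if rule == BIT_AND:
        return value & mask == mask   # every bit of mask must be set
    if rule == BIT_OR:
        return value & mask != 0      # at least one bit of mask is set
    raise ValueError("unknown matching rule OID: " + rule)

def uac_filter(mask, rule=BIT_AND):
    """The filter string the dsquery examples above pass to -filter."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(userAccountControl:%s:=%d))" % (rule, mask))

def set_flag(value, flag):
    return value | flag

def clear_flag(value, flag):
    # And Not is idempotent; Xor would re-set a flag that is already clear.
    return value & ~flag

def query(accounts, mask, rule=BIT_AND):
    """Apply the matching rule to a {name: uac} dict standing in for AD."""
    return sorted(n for n, v in accounts.items() if matches(v, mask, rule))

SAMPLE = {"alice": 512, "bob": 514, "carol": 66048, "dave": 66050,   # constructed
          "svc_web": 512 | 0x400000, "dc01": 532480}
```

query(SAMPLE, 2 | 65536) under the AND rule returns only dave, while the same mask under the OR rule also returns bob and carol, which is the difference between .803 and .804 in practice.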

 

Reference

User-Account-Control attribute

How to use the UserAccountControl flags to manipulate user account properties

http://support.microsoft.com/kb/305144