I don't exactly remember what I wrote when I replied to this elsewhere, so forgive me 
if I already told you this:
 
Try setting a compliant password in the image, and then putting whatever has to go in 
the AdminPassword key to prompt the user.
 
If this doesn't work, I would suggest engineering an in-house password set tool, and 
RunOnce'ing it under HKLM. Make it fullscreen, always on top, the whole deal, have it say 
something about how the university is into secure computing and they only sell secure 
computers at the annual bake sale and yak yak yak. The ADSI API should throw some ugly 
COMException if the user's input is nonconformant, but, otherwise you could implement 
your own version of the password policy with regular expressions.
 
--Brian
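The following is an added example, not code from the thread or from either poster: a sketch of the in-house password-set tool Brian describes, registered under HKLM RunOnce so it fires at the first logon after mini-Setup. It pre-checks the entry against a regex version of the Windows complexity rule (three of four character classes, minimum length, must not contain the account name), then sets the password through the ADSI WinNT provider, which throws a COMException (wrapped by PowerShell) if the machine's Local Security Policy from the quoted message below rejects it. The script path, the RunOnce value name, the 8-character minimum and the banner text are assumptions; the fullscreen/always-on-top window dressing is left out.

```powershell
# Added example: first-logon Administrator password tool for a Sysprep'd XP image.
# Assumptions: script lives at C:\Setup\Set-AdminPassword.ps1, minimum length 8,
# RunOnce value name 'UniversitySetAdminPassword', banner text is a placeholder.

$AccountName = 'Administrator'
$MinLength   = 8   # assumption: stricter than the 6 the built-in complexity rule demands

function Test-PasswordComplexity {
    # Regex version of "Password must meet complexity requirements".
    # Returns nothing when the password is acceptable, otherwise the reasons it failed.
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string] $UserName = $AccountName
    )
    $reasons = @()
    if ($Password.Length -lt $MinLength) {
        $reasons += "must be at least $MinLength characters"
    }
    if ($UserName -and $Password.ToLowerInvariant().Contains($UserName.ToLowerInvariant())) {
        $reasons += "must not contain the account name"
    }
    # Count which of the four classes appear; -cmatch keeps the upper/lower check case-sensitive.
    $classes = @('[A-Z]', '[a-z]', '\d', '[^A-Za-z0-9]') | Where-Object { $Password -cmatch $_ }
    if (@($classes).Count -lt 3) {
        $reasons += "must use at least three of: uppercase, lowercase, digits, symbols"
    }
    return $reasons
}

function Set-LocalAccountPassword {
    # Sets the password via the ADSI WinNT provider. If Local Security Policy
    # (length, complexity, history) rejects the value, SetPassword throws, which
    # the caller treats as "prompt again".
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $Password
    )
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    $user.SetPassword($Password)
    $user.SetInfo()
}

function Register-RunOnce {
    # Run this while building the image, before sealing with Sysprep: HKLM RunOnce
    # entries execute once at the next interactive logon and are then deleted.
    param([string] $ScriptPath = 'C:\Setup\Set-AdminPassword.ps1')   # assumed path
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $cmd = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    New-ItemProperty -Path $key -Name 'UniversitySetAdminPassword' `
        -PropertyType String -Value $cmd -Force | Out-Null
}

function ConvertTo-PlainText {
    # Unwraps a SecureString from Read-Host; the BSTR is zeroed after copying.
    param([Security.SecureString] $Secure)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try   { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Invoke-AdminPasswordPrompt {
    # Loops until the entry passes the local regex check AND the OS accepts it.
    Write-Host "University Secure Computing: set a strong Administrator password before first use."  # placeholder banner
    while ($true) {
        $first  = ConvertTo-PlainText (Read-Host -AsSecureString "New Administrator password")
        $second = ConvertTo-PlainText (Read-Host -AsSecureString "Confirm password")
        if ($first -cne $second) { Write-Warning "Passwords do not match."; continue }

        $problems = Test-PasswordComplexity -Password $first
        if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; continue }

        try {
            Set-LocalAccountPassword -UserName $AccountName -Password $first
            Write-Host "Administrator password set."
            return
        } catch {
            # Typically a COMException surfaced through PowerShell: policy rejected it.
            Write-Warning "Windows rejected the password: $($_.Exception.Message)"
        }
    }
}

Invoke-AdminPasswordPrompt
```

Call Register-RunOnce from the image build, not from the script itself, so the RunOnce entry is burned into the image and consumed exactly once on the buyer's first logon. The local regex check exists only to give the user readable feedback; the SetPassword call is what actually enforces the policy, so the tool stays correct even if the two rule sets drift apart.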

        -----Original Message----- 
        From: Hunter, Laura E. [mailto:[EMAIL PROTECTED] 
        Sent: Thu 6/10/2004 2:52 PM 
        To: [EMAIL PROTECTED] 
        Cc: 
        Subject: [ActiveDir] OT: Sysprep and workstation images
        
        

        (Man, Tony's gonna get really mad at me for being so continuously
        off-topic.  :-)  But this is my "List full of really smart people", so I
        keep coming to you guys for non-AD-specific stuff that I can't figure
        out.)
        
        Scenario:
        
        I work for a major university, and each fall we offer Back-to-School
        sales of pre-configured hardware for our incoming students.  For the
        truckload sale each year, a CFI image is offered to the university
        community on both laptops and desktops that are sold at the annual back
        to school sale. The images are developed for recent Dell and IBM product
        lines, and are based on the vendor's OEM image of Windows XP, with
        university-specific applications pre-installed and patched with the
        latest security updates.
        
        This year, there is a strong push in the university IT community to have
        an additional layer of security-related configuration. We would like to
        see our hard drive images include secure Administrator password policies
        implemented and enforced, while still offering the end-user a simple,
        user-friendly "out of the box" experience during mini-Setup through a
        re-sealing process using Sysprep. A late-in-the-game attempt last year
        to combine such policies with the Sysprep process produced a less than
        viable, not user-friendly experience, which was ultimately scrapped.
        Consequently, last year's back-to-school images were built with only
        optional Administrator passwords. (Unfortunately, our back-to-school
        Sysprep image needs to be ready before XPSP2 will be released to
        market.)
        
        The key question here is:
        
        Is it possible to create an image that mandates an Administrator
        password and employs MS's strong password rules?  Further, is it
        possible to have these settings maintained after running Sysprep to
        ensure that anyone buying a machine with that image would have the same
        "mini-Setup" experience as a person buying an OEM (non-University-imaged)
        machine, with the one key difference being that the imaged machine
        required a strong Admin password during setup?
        
        One solution that was suggested (*waves to Brian Desmond*) was the one
        that should be the most obvious: set a password policy in the Local
        Security Policy that will get burned in and persist syspreps.  This
        works to a point; for accounts other than the actual Administrator
        account, you can force this using the Local Password Policy.  However,
        for the Administrator account itself, the person setting up the machine
        has the option of cancelling out and never obeying the "order" to create
        a new, strong password.
        
        Am I missing something blindingly obvious?
        
        
        *********************************************
        Laura E. Hunter
        MCT, MCSE: Security, MVP - Windows Networking
        Senior IT Specialist
        University of Pennsylvania
        ********************************************
        This email message is for the sole use of the intended recipient(s) and
        may contain confidential and privileged information.  Any unauthorized
        review, use, disclosure or distribution is prohibited.  If you are not
        the intended recipient, please contact the sender by reply email,
        destroy all copies of the original message, and repent!  Repent!
        
         
        Any views expressed in this email message, well-informed and
        intellectually unassailable as they may be, are those of the individual
        sender except where the sender specifically states them to be the views
        of Student Financial Services.
        
        
        List info   : http://www.activedir.org/mail_list.htm
        List FAQ    : http://www.activedir.org/list_faq.htm
        List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
        
