Windows Thread, Scripting new SID for PCs in Technical
-
8th January 2009, 11:22 AM #1 Scripting new SID for PCs
Is this possible? Shockingly in my LA we have 5,000 client PCs all imaged off a few images, that no one ever bothered to sysprep or newsid.
In March we switch to AD and obviously this is a problem. Our able but anti AD / AD project leader says he's scripting the creation of new SIDs on all 5,000 PCs, and it doesn't seem right to me, having run newsid and seen how it takes at least 3 minutes to execute, obviously needing elevated privileges.
-
-
8th January 2009, 11:32 AM #2 PSexec?
Never tried but it might be possible to do it via PSexec?
-
-
8th January 2009, 11:38 AM #3 Possible yes but not quick/transparent like I'd presume you'd need.
-
-
8th January 2009, 11:40 AM #4 
Originally Posted by Dom_
Never tried but it might be possible to do it via PSexec?
I'd have thought this would work, PSEXEC lets you specify which user account to use. However I'd expect if you change a computer's SID you'll then have to rejoin whichever domain it's attached to.
-
-
8th January 2009, 11:43 AM #5 You'd be better off running Sysprep with an answer file, so they then automatically re-join the domain.
-
-
8th January 2009, 11:53 AM #6 I think a massive amount of care is needed here!
You can't just run newsid and leave it there; I'm pretty sure that will break the link to AD (the SID for the computer is stored in AD; not sure if that's the only link but it won't be good to have one SID on the machine and another in AD)
You could have a machine startup script which ran newsid and then rejoined the domain using netdom.
Another alternative might be to use sysprep; provided that there are no local accounts on the machines you won't lose anything (domain profiles will be fine, any files created by domain users will also be OK because the ACL will contain a domain SID and that won't change)
What I think you could do is use a machine startup script to generate a sysprep.inf for each machine (it's going to be fairly straightforward; the only thing that will be different is the machine name and that's going to be the same as the machine is now). I don't think you even need to run mini-setup - the hardware hasn't changed - you just need the "regenerate security identifier option"
Logic would be something like:
Have I already been sysprepped (check for flag file or registry entry) - yes, quit
Copy sysprep folder from server and edit line with computer name to match "my name"
Run sysprep and force reboot at end
Machine will then restart, sysprep itself and join the domain
Next time the machine starts up on the domain it will find it's already been done and not re-run the process
I'd really, really want to test this carefully :-)
Not sure when the domain was first set up but although MS have always said that you must have unique SIDs in a domain, I think it was only really Active Directory that made it essential (and possibly not even until Server 2003). Certainly, back in the NT days, it didn't seem to matter.
-
-
8th January 2009, 12:13 PM #7 Thank you for those replies.
The machines aren't on a domain yet.
-
-
8th January 2009, 12:24 PM #8
I agree with you, Steve - this one will take some careful planning and LOADS of testing.
Given that it isn't currently an AD domain (Wow! No AD in 2009!!!) we can ignore existing SIDs.
Your suggested structure (copied below) makes a lot of sense, so I thought perhaps we could all collaborate on a solution to overcome this issue.
Have I already been sysprepped (check for flag file or registry entry) - yes, quit
Copy sysprep folder from server and edit line with computer name to match "my name"
Run sysprep and force reboot at end
Machine will then restart, sysprep itself and join the domain
Next time the machine starts up on the domain it will find it's already been done and not re-run the process
It'd have to be done in VBScript, thus giving access to all the WMI calls.
Who's up for it?
-
-
8th January 2009, 03:06 PM #9 If the machines aren't on the domain, then Sysprep is definitely what you need. Simply extract the files from the Windows CD from the \Support\Tools\Deploy.cab file to C:\Sysprep
Within C:\Sysprep I use/created Sysprep.inf using Setupmgr.exe
Code:
;SetupMgrTag
[GuiUnattended]
; example value
AdminPassword="password"
EncryptedAdminPassword=NO
OEMSkipRegional=1
TimeZone=85
[UserData]
ProductID=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
FullName="Logistix Computer Solutions"
OrgName="Logistix Computer Solutions"
[TapiLocation]
CountryCode=44
Dialing=Tone
AreaCode=0121
[RegionalSettings]
LanguageGroup=1
Language=00000809
[Identification]
JoinDomain=DOMAIN_NAME
; example values
DomainAdmin=administrator
DomainAdminPassword=password
[Networking]
InstallDefaultComponents=Yes
[Unattended]
TargetPath=\WINDOWS
[Branding]
BrandIEUsingUnattended=Yes
[Proxy]
Proxy_Enable=0
Use_Same_Proxy=0

This 99% automates the Sysprep procedure and joins the domain. I just manually specify the computer name and that's it. The only thing left of course is to move the Computer Objects in Active Directory to the relevant OUs so machines pick up domain policies.
-
-
8th January 2009, 04:30 PM #10 That's nice Michael. Tho' I wouldn't fancy manually entering 5000 computer names
-
-
8th January 2009, 04:35 PM #11
Matk, I'm in the middle of a CMIS upgrade (Yay!! Lucky old me!)
Once done, I'll post a VBScript that'd take the local PC name and write it into Michael's answer file.
What would still be needed is a method to a) check if the machine's been Sysprepped and joined to the domain and b) something (like a start-up script) to kick it all off.
Once you have all that, you can go and test and report back, and once fine-tuning's completed you should have an automated solution, and the beers will be on you! :-D
-
-
8th January 2009, 07:00 PM #12
That's nice Michael. Tho' I wouldn't fancy manually entering 5000 computer names
The only reason I manually specify a computer name is so I can put machines in numerical order (like in an ICT Suite). If it doesn't matter, you can specify a list of computer names and Sysprep automatically uses the next available name. Only problem with this, is Workstation14 could be positioned next to Workstation25 (for example).
-
-
9th January 2009, 12:46 PM #13
Michael, you've done a lot already simply by posting the answer file.
I'm working on the assumption that they'd want to keep all 5 000 PCs named exactly as they are, so I'm building a simple script to find the localhost name, then write that into the answer file, prior to Sysprepping.
-
-
9th January 2009, 12:50 PM #14
I'm working on the assumption that they'd want to keep all 5 000 PCs named exactly as they are, so I'm building a simple script to find the localhost name, then write that into the answer file, prior to Sysprepping.
Yes that would work, but I thought the 5000 machines were imaged from the same image, so theoretically they must all have the same name too? Just a thought... I can't see how the machines would have different names without using Sysprep?
-
-
9th January 2009, 12:53 PM #15 
Originally Posted by Michael
Yes that would work, but I thought the 5000 machines were imaged from the same image, so theoretically they must all have the same name too? Just a thought... I can't see how the machines would have different names without using Sysprep?
Depending on how they ghosted the machines, I know the latest version of Ghost can get a name say Computer and add a number to the end of each it ghosts so Computer1, Computer2, but this is only when using the console and I'm not even sure how it works, or even how reliable it is. Try using Ghost Walker instead of NewSid?
D
-
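The start-up logic outlined in posts #6, #8 and #13 (quit if already done, copy the Sysprep folder, write the machine's current name into the answer file, run Sysprep), as an added VBScript example that is not code from any poster in this thread. The template path and the registry flag value are hypothetical placeholders, and the script assumes it runs with local administrative rights and can read the template folder.

```vbscript
' Added example, not code from the thread. TEMPLATE_DIR and FLAG_VALUE are hypothetical.
Option Explicit
Const TEMPLATE_DIR = "\\SERVER\deploy$\Sysprep"  ' placeholder: holds sysprep.exe, setupcl.exe, sysprep.inf
Const LOCAL_DIR    = "C:\Sysprep"
Const FLAG_VALUE   = "HKLM\SOFTWARE\ExampleOrg\SysprepDone"  ' placeholder marker value
Dim sh, fso, pcName
Set sh = CreateObject("WScript.Shell") : Set fso = CreateObject("Scripting.FileSystemObject")

If AlreadyDone() Then WScript.Quit 0          ' step 1: never sysprep the same machine twice
pcName = CreateObject("WScript.Network").ComputerName
If fso.FolderExists(LOCAL_DIR) Then fso.DeleteFolder LOCAL_DIR, True
fso.CopyFolder TEMPLATE_DIR, LOCAL_DIR        ' step 2: copy the sysprep folder locally
SetComputerName LOCAL_DIR & "\sysprep.inf", pcName
' Flag is written before the launch because sysprep reboots; clear it by hand to repeat a run.
sh.RegWrite FLAG_VALUE, 1, "REG_DWORD"
sh.Run """" & LOCAL_DIR & "\sysprep.exe"" -quiet -reseal -mini -reboot", 0, False

Function AlreadyDone()
    Dim v
    On Error Resume Next
    v = sh.RegRead(FLAG_VALUE)                ' raises an error when the value is absent
    AlreadyDone = (Err.Number = 0)
    On Error GoTo 0
End Function

' Set ComputerName= inside [UserData], replacing an existing entry or adding the section.
Sub SetComputerName(infPath, newName)
    Dim f, lines, i, out, section, written
    Set f = fso.OpenTextFile(infPath, 1)      ' 1 = ForReading
    lines = Split(f.ReadAll, vbCrLf) : f.Close
    out = "" : section = "" : written = False
    For i = 0 To UBound(lines)
        If Left(Trim(lines(i)), 1) = "[" Then
            section = LCase(Trim(lines(i)))
            out = out & lines(i) & vbCrLf
            If section = "[userdata]" Then
                out = out & "ComputerName=" & newName & vbCrLf
                written = True
            End If
        ElseIf section = "[userdata]" And LCase(Left(Replace(Trim(lines(i)), " ", ""), 13)) = "computername=" Then
            ' drop the template's own entry; ours was written under the section header
        Else
            out = out & lines(i) & vbCrLf
        End If
    Next
    If Not written Then out = out & "[UserData]" & vbCrLf & "ComputerName=" & newName & vbCrLf
    Set f = fso.OpenTextFile(infPath, 2)      ' 2 = ForWriting
    f.Write out : f.Close
End Sub
```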