Password Protect a Task Sequence?


34 replies to this topic

#1 thadkew

Posted 21 July 2010 - 05:22 PM

I have successfully set up our environment to PXE (thanks to Anyweb's many guides) and have the boot media set to use a password to get to the list of available Task Sequences, but I was wondering if there were a way to password protect a task sequence that is selected.
For example: anyone can select the task to deploy Windows XP or Windows7, however, if someone selects Windows Server 2008, something will prompt for another password and the sequence will fail if it's not correct.

Does that make any sense or is it possible?

Thanks in advance!
---

I'm freakin all about sugar. But I'm even more about feeding hobos!

#2 anyweb

Posted 21 July 2010 - 06:26 PM

yes it's possible and here's how to do it *note this happens in Windows PE*

PromptForPassword.wsf

create a blank text file in notepad called promptforpassword.wsf

paste the following into it

<job id="PromptForPassword">

<script language="VBScript" >

Dim env,oTSProgressUI,MyPass
Set env = CreateObject("Microsoft.SMS.TSEnvironment")

set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")
oTSProgressUI.CloseProgressDialog()

env("ALLOWOSDBUILD") = "NO"

MyPass=Inputbox("Please enter the Password to continue")

If MyPass = "password" then
  env("ALLOWOSDBUILD") = "YES"
End If

</script>
</job>


Shutdown.wsf

Create another blank text file in notepad called Shutdown.wsf, this file will be placed in a sub folder of the scripts folder of your MDT Files package (eg: scripts\ts password)

The Shutdown.wsf file should look like this, note that it depends on the MDT toolkit files package to be loaded prior to running.

<job id="setEnv">
  <script language="VBScript" src="..\ZTIUtility.vbs"/>
  <script language="VBScript">

Dim oTSProgressUI
set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")
oTSProgressUI.CloseProgressDialog()


  	On error resume next
	Dim fso, WShell, oFile
	Set WShell = CreateObject("WScript.Shell")
	Set fso = CreateObject("scripting.filesystemobject")

	scriptroot = oEnvironment.Item("SCRIPTROOT")

	MsgBox "Please click OK to shutdown the computer.",0, "Task Sequence Aborted"
	WShell.Run "wpeutil shutdown",0, True 

  </script>
</job>

Create the Package

Create a package called Prompt for Password and place the password script file above in the package, distribute it to distribution points. Add the shutdown.wsf script to a folder called TS Password and copy that folder to the Scripts subfolder of your MDT files package, redistribute that to its distribution points.


Create the Task Sequence

In ConfigMgr create a blank custom MDT task sequence, and for the first step have a Use Toolkit Package (this step is needed for the shutdown.wsf script later).

Once done, add a new Run Command Line step to your task sequence, the step will call the promptforpassword.wsf file in the package you've just created, like so

Command line:
cscript "promptforpassword.wsf"

Package:
Prompt For Password

Next create a Shutdown Step,

The Shutdown step in the task sequence will check for the variable called ALLOWOSDBUILD,
if ALLOWOSDBUILD = no then the Task Sequence will run another script (shutdown.wsf) otherwise it will continue as normal.

So for the Shutdown step click on the options tab and set it as follows


This group/step will run if the following conditions are met:
Task Sequence Variable ALLOWOSDBUILD not equals "YES"



Command line:
cscript "shutdown.wsf"

Package:
MDT Files


so long story short, if someone enters the right password, they are allowed to continue, if they don't the task sequence shuts down.
if you want I can post a demo of this via webcast..



Update
if you want a HTA to run within windows to prompt the user to enter a password then read this post on Technet, the code from that post is listed below, thanks Nick

<html>
<head>
<title>HTA Test</title>
<HTA:APPLICATION
     ID="objTest"
     APPLICATIONNAME="REBUILD"
     SCROLL="yes"
     SINGLEINSTANCE="yes"
>
</head>

<script LANGUAGE="VBScript">

    ' Runs when the ENTER button is clicked
    Sub TestSub

        ' An HTA has no WScript host object, so call CreateObject directly
        Dim WshShell
        Set WshShell = CreateObject("WScript.Shell")

        If PasswordArea.value = "password" Then
            Msgbox "Thanks password is correct. Task sequence will now continue"
            ' Registry value written when the password matches
            WshShell.RegWrite "HKLM\Software\REBUILD\Rebuild","00000000","REG_DWORD"
            Self.Close
        Else
            Msgbox "Sorry, password is not correct. Please try again"
        End If
    End Sub

</SCRIPT>

<body>

 <P>MICROSOFT SCCM</p>
 <P>SYSTEM REBUILD</P>
    <input type="password" name="PasswordArea" size="30"><P>
    <input id=runbutton  class="button" type="button" value="ENTER" name="run_button"  onClick="TestSub">

</body>
</html>

cheers
niall
Microsoft MVP > Enterprise Client Management
My linkedin profile at > linkedin.com
Follow me on Twitter > ncbrady
Follow windowsnoob.com on Twitter > windowsnoob
My blog
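
Both prompt scripts in the post above compare the typed value against a string literal kept in the script file, so the password sits in cleartext wherever the package source is stored. As an added example (not part of the original thread), a small Python audit that flags such comparisons in .wsf, .vbs and .hta files under a package source folder; the regular expressions, function names and sample strings are constructed for illustration.

```python
import re
from pathlib import Path

SCRIPT_EXTS = {".wsf", ".vbs", ".hta"}

# VBScript "If <name> = "<literal>" Then", e.g.  If MyPass = "password" then
# or  if PasswordArea.value = "password" Then  (both forms appear in the post).
COMPARE = re.compile(
    r'^\s*(?:else)?if\s+([A-Za-z_][\w.]*)\s*=\s*"([^"]*)"\s+then', re.IGNORECASE)
SECRET_NAME = re.compile(r"pass|pwd|secret", re.IGNORECASE)


def scan_text(text, name="<memory>"):
    """Return (file, line_no, variable) for each hardcoded secret comparison."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("'"):        # skip VBScript comment lines
            continue
        m = COMPARE.match(line)
        if m and SECRET_NAME.search(m.group(1)):
            hits.append((name, no, m.group(1)))  # the literal is never echoed
    return hits


def scan_tree(root):
    """Walk a package source folder and scan every script file in it."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTS:
            hits += scan_text(path.read_text(errors="replace"), str(path))
    return hits


# Constructed samples modelled on the two prompt scripts in the post.
SAMPLE_WSF = '''MyPass=Inputbox("Please enter the Password to continue")
If MyPass = "password" then
  env("ALLOWOSDBUILD") = "YES"
End If
'''
SAMPLE_HTA = ''' if PasswordArea.value = "password" Then
  Msgbox "Thanks password is correct."
'''
# Constructed lines that must not be reported: a task sequence variable
# check, an unrelated string compare, and a commented-out check.
SAMPLE_BENIGN = '''If env("ALLOWOSDBUILD") = "YES" Then
If sMode = "debug" Then
' If MyPass = "old" then
'''

if __name__ == "__main__":
    for label, sample in (("prompt.wsf", SAMPLE_WSF), ("prompt.hta", SAMPLE_HTA)):
        for hit in scan_text(sample, label):
            print("%s:%d compares %s to a string literal" % hit)
```

Run `scan_tree` against the package source share rather than a deployed client, since that is where the script files live before distribution.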

#3 thadkew

Posted 22 July 2010 - 02:19 PM

yes it's possible and here's how to do it
<snip>


You, Sir, are a KING among men...
Thank you!!!!

#4 anyweb

Posted 22 July 2010 - 02:46 PM

thanks,

by the way you can even make the Task Sequence 'invisible' to computers in RAP (Run Advertised Programs) by doing as follows:

right click on your task sequence, choose Properties

click on the Advanced tab

Select an operating system from the list which is NOT in use in your organisation *eg: Windows Vista X64, or Windows 2000*

click Apply,

promptforpassword.jpg

once done, you will not see the Task Sequence listed in RAP on any of your Windows XP or Windows 7 or Windows Server computers, but you will be able to PXE boot and run the Task Sequence as normal.

#5 boognish

Posted 27 July 2010 - 04:20 PM

if you want I can post a demo of this via webcast..

cheers
niall



That would be great if it's not too much work

#6 thadkew

Posted 27 July 2010 - 10:33 PM

That would be great if it's not too much work

I can tell you that it works great. I got it set up and it works exactly the way I need it to do.
Thank you so much, anyweb!!!!

#7 anyweb

Posted 30 July 2010 - 05:01 AM

here's a sample Task Sequence to see it in action, simply import the XML file into SCCM 2007 sp2 (with MDT 2010 integrated) and you are nearly ready to go,
you will have to edit the task sequence to point to your packages, one package is the prompt for password containing the original wsf file, the second package is your mdt files package (which contains a subfolder in scripts called TS Password, which in turn contains the shutdown.wsf script)

Attached File  Prompt For Password.xml   7.14KB   1109 downloads

In my example task sequence I install an application (microsoft security essentials) after successful password completion, however you could install an entire OS or more as you would with any task sequence, it's up to you.

Here's a description of the Task Sequence Steps:-

Restart to Windows PE

This does a check in the options tab to see if we are in WinPE, if not, it restarts the computer into WinPE so you will need to attach a boot image to this Task Sequence. The reason for this check is that we cannot interact with the user on the desktop in Windows itself, only in WinPE.

The options we set are:

This group/step will run if the following conditions are met:
If All the conditions are true:

Task Sequence Variable _SMSTSinWInPE equals False

restart to windows pe.jpg

Prompt For Password

This step runs the actual promptforpassword.wsf script directly from the package we put it in, you could clean this up even more by placing the script in the mdtfiles/scripts/ts password folder (more on that later). I've also got yet another check in here (not needed if you include the previous step) to see that we are in WinPE (see the options tab). This script returns a value for the AllowOSDBuild variable, either YES or NO depending on whether you enter the password correctly or not.

promptforpassword.jpg

Use Toolkit Package

This step loads the MDT Files package (needed for the next step) and you should know by now that we have copied the TS Password folder containing shutdown.wsf to the scripts sub directory of the MDT Files package.

Shutdown

shutdown1.jpg

This step executes the script called shutdown.wsf contained in the TS Password subfolder (in the scripts directory of MDT Files package). This script will shutdown the computer if:

* AllowOSDBuild=NO
or
* If you click on Cancel at the password prompt screen.

Below is a copy of the Shutdown Step options

shutdown2.jpg

Rest of Task Sequence

If the user enters the correct password the rest of the Task Sequence steps will be run as normal, in this example I install an application after rebooting back into Windows, (you can put whatever you want here, like installing an OS or migrating from XP to 7 or whatever !).


restofts.jpg

#8 boognish

Posted 30 July 2010 - 02:14 PM

I'm getting the following error. Shutdown.wsf is in the TS password directory

Cannot retrieve referenced URL : ..\ZTIUtility.vbs

My TS is always aborting after I put in the password

#9 anyweb

Posted 05 August 2010 - 08:17 PM

are you loading the mdt files package in a previous step, it contains that vbs file...

#10 boognish

Posted 06 August 2010 - 12:08 PM

are you loading the mdt files package in a previous step, it contains that vbs file...



That's the way I have it set. I would assume that the toolkit files are loading because the shutdown.wsf is being called. My password would simply replace "password" in this, correct?

If MyPass = "password" then
env("ALLOWOSDBUILD") = "YES"
End If

#11 anyweb

Posted 20 September 2010 - 07:08 AM

yes that's correct

#12 Tjindarr

Posted 28 September 2010 - 07:00 AM

Is there any way to change the pass.wsf so that when you type the password it's not in cleartext but in *******?

#13 anyweb

Posted 28 September 2010 - 08:31 AM

good question, how about this http://www.msfn.org/...mething-to-ask/

#14 pollewops

Posted 30 September 2010 - 05:41 AM

A way to display the passwords using "dots" is by using a HTA instead of a WSF file.

See my used scripts in the attachment.

Attached File  PromptForPassword.zip   18.47KB   1207 downloads

#15 Tjindarr

Posted 08 April 2011 - 04:16 PM

How would I go about implementing this into a task sequence?
Is it as easy as the one above?


A way to display the passwords using "dots" is by using a HTA instead of a WSF file.

See my used scripts in the attachment.

Attached File  PromptForPassword.zip   18.47KB   1207 downloads



#16 Tjindarr

Posted 11 April 2011 - 07:39 AM

How would I go about implementing this into a task sequence?
Is it as easy as the one above?


Never mind, got it sorted :) Thanks pollewops for an awesome script.
And anyweb for the "how to display hta" guide

#17 silverSl!DE

Posted 11 January 2012 - 01:34 PM

Just one dumb question: how do I create the MDT toolkit files package?

#18 anyweb

Posted 11 January 2012 - 08:46 PM

  • integrate mdt 2010 update 1 with configmgr, go through the wizard in task sequences to create a Microsoft Deployment Toolkit task sequence, easy. done.


#19 ogeccut

Posted 17 February 2012 - 07:03 PM

Thanks guys, this works great. However... Let's say a user inputs a wrong password... and we shut down! Then a user boots again and... I am guessing the wrong password is saved in the MININT directory on the local drive and there will be no more prompt to enter a password.

I am going to try to edit the script to delete MININT right before the shutdown from shutdown.wsf.

#20 ogeccut

Posted 17 February 2012 - 08:13 PM

I tested and got this working in MDT:

<job id="setEnv">
<script language="VBScript" src="..\ZTIUtility.vbs"/>
<script language="VBScript">

Dim oTSProgressUI
'set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")
'oTSProgressUI.CloseProgressDialog()


' Clean up any existing C:\MININT directory
If oFSO.FolderExists("C:\MININT") then
On Error Resume Next
oFSO.DeleteFolder "C:\MININT", true
On Error Goto 0
End If

' Clean up any existing C:\_smstasksequence directory
If oFSO.FolderExists("C:\_smstasksequence") then
On Error Resume Next
oFSO.DeleteFolder "C:\_smstasksequence", true
On Error Goto 0
End If

On error resume next
Dim fso, WShell, oFile
Set WShell = CreateObject("WScript.Shell")
Set fso = CreateObject("scripting.filesystemobject")

scriptroot = oEnvironment.Item("SCRIPTROOT")

MsgBox "Please click OK to shutdown the computer.",0, "Task Sequence Aborted"
WShell.Run "wpeutil shutdown",0, True

</script>
</job>