Disable UAC, AutoLogon, Replicate Check, GenerateConfig - custom functions

Jun 19, 2011 at 7:14 PM
Edited Jun 20, 2011 at 2:02 AM
Here is an entire custom functions file that does lots of stuff for you. If you use VMs, you can set AutoSPInstallerLaunch.bat as a RunOnce in the VM template, spin up the VM and let it go!

If you set up the generate config function from my other post, you will have to enter the SQL server name. I want to add a step in the function below to prompt for a SQL server name, add it to the registry and have it removed after reboot.

I have a post-install script that we add to the main install finalize function that also sets some required provisioning steps and important fixes for User Profile Services. I never start profile services sync during setup because of these post-install fixes, which also require a restart before starting the profile sync. I worked many months with MS support on this, so it's well worth automating.

The post-install script also performs the final reboot, which enables UAC again for security, removes the install user from local admins, and applies the changes for profile sync mentioned above.

The idea is completely hands-off...

See the follow-up discussion for the post-install script instructions. It would be great to have this prep-machine step added to the config with a couple of XML flags for users who want the option to disable it...

To use the code below, the machine names must include either WFE or SAE respectively (if neither, the function assumes SAE). The SAE vs. WFE logic is used to determine whether or not the "pro" (provision) flag is set to true on the service apps: no in the WFE case; the sandboxed code service is always set to true.

Simply update your Input.xml file so that all Provision="true|false" attributes are set to Provision="!!pro!!", all instances of SQL server names use "!!sql!!", and all instances of the target install machine name are set to "!!env!!". The script will go through and replace these with values if you choose "yes" to generating the autoconfiguration file when you launch the .bat file.

Just drop the following functions into your customfunctions.ps1 file and change the path to your AutoSPInstaller root. Also MAKE SURE you rename your base input file to AutoSPInstallerInputQA.xml for QA environments and AutoSPInstallerInputProd.xml for production environments; this is for separation of accounts, obviously.

Here is the code to add to your AutoSPInstallerFunctionsCustom.ps1 file. I have tested this, so parse through the code and replace <something> with your own values:

#Region Custom Functions
# Load the per-machine input file if it already exists (Generate-AutoSPConfig creates it below on first run).
$InputFile = "\\<yourinstallservershare>\SP2010\AutoSPInstaller\AutoSPInstallerInput-$env:COMPUTERNAME.xml"
if (Test-Path $InputFile)
{
	[xml]$xmlinput = (Get-Content $InputFile) -replace ("localhost", $env:COMPUTERNAME)
}

function PrepFirstBoot()
{
	Push-Location
	# - disable UAC (EnableLUA=0 is also used by PrepMachine as the "first boot already done" flag)
	# - disable the "Open File - Security Warning" prompt for .exe
	# - set a one-time autologon for the install user
	# - set RunOnce to relaunch AutoSPInstallerLaunch.bat after the reboot

	Write-Verbose "Adding required registry values"
	$uac = Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system
	if ($uac.EnableLUA)
	{
		Write-Verbose "Disabling file warnings"
		New-Item -Path registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations -Force | Out-Null
		New-ItemProperty -Path registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations -Name "LowRiskFileTypes" -Value '.exe' -PropertyType "String" -Force | Out-Null

		Write-Host "Disabling UAC"
		Set-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -Value 0 -Force | Out-Null

		Write-Verbose "Setting autolaunch to start at next login..."
		$runit = "\\<yourinstallservershare>\SP2010\AutoSPInstaller\AutoSPInstallerLaunch.bat"
		New-Item -Path registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce -Force | Out-Null
		New-ItemProperty -Path registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce -Name "Auto SP Install" -Value $runit -PropertyType "String" -Force | Out-Null

		Write-Verbose "Setting autologin credentials"
		# NOTE: DefaultPassword is written in cleartext; the post-install script must remove it after the final reboot.
		Set-Location "HKLM:\Software\Microsoft\Windows NT\Currentversion\WinLogon"
		New-ItemProperty -Path $pwd.Path -Name "AutoAdminLogon" -Value 1 -PropertyType "String" -Force | Out-Null
		New-ItemProperty -Path $pwd.Path -Name "DefaultUserName" -Value "<yourinstalluser>" -PropertyType "String" -Force | Out-Null
		New-ItemProperty -Path $pwd.Path -Name "DefaultPassword" -Value "<yourinstallpassword>" -PropertyType "String" -Force | Out-Null
		New-ItemProperty -Path $pwd.Path -Name "DefaultDomainName" -Value "<yourdomain>" -PropertyType "String" -Force | Out-Null
		New-ItemProperty -Path $pwd.Path -Name "AutoLogonCount" -Value 1 -PropertyType "Dword" -Force | Out-Null
		Write-Verbose "Done setting auto-logon"
	}
	Pop-Location
}

function StoreSQL()
{
	# Prompt for the SQL server name on the first boot and park it in a temporary key so that
	# Generate-AutoSPConfig can read it back after the reboot.
	Push-Location
	Write-Verbose "Adding required registry values"
	$uac = Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system
	if ($uac.EnableLUA)
	{
		Write-Host -NoNewline "Enter the sql server name e.g. vmspsqasql1"
		Write-Host ""
		$sql = Read-Host
		Write-Host ""
		Write-Host ""
		Write-Verbose "Setting SQL server name registry entry for after reboot"
		New-Item -Path HKLM:\Software\_DeleteMe -Force | Out-Null
		Set-Location "HKLM:\Software\_DeleteMe"
		New-ItemProperty -Path $pwd.Path -Name "SQLServerName" -Value $sql -PropertyType "String" -Force | Out-Null
	}
	Pop-Location
}
StoreSQL

function Generate-AutoSPConfig()
{
	# Build AutoSPInstallerInput-<COMPUTERNAME>.xml from the QA/Prod template by replacing the
	# !!sql!!, !!env!! and !!pro!! tokens.
	Write-Host -NoNewline "Generating a new configuration file (WARNING: this will overwrite the existing configuration)"
	$tempKey = Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\Software\_DeleteMe -ErrorAction SilentlyContinue
	if ($tempKey.SQLServerName)
	{
		$sql = $tempKey.SQLServerName
	}
	else
	{
		Write-Verbose "Error reading SQL Server name from registry - enter now:"
		$sql = Read-Host
	}
	Write-Host ""
	Write-Host ""

	$comp = $Env:COMPUTERNAME
	$build = "QA"
	$type = "SAE"
	$provisionServices = $true
	# Anything containing "QA", or not containing a WFE/SAE role marker, is treated as QA.
	if ($comp.Contains("QA") -or -not ($comp.Contains("WFE") -or $comp.Contains("SAE")))
	{
		$build = "QA"
	}
	else
	{
		$build = "Prod"
	}
	# WFE servers do not provision service apps; SAE (service app) servers do.
	if ($comp.Contains("WFE"))
	{
		$type = "WFE"
		$provisionServices = $false
	}
	elseif ($comp.Contains("SAE"))
	{
		$type = "SAE"
	}

	cd '\\<yourinstallservershare>\sp2010\AutoSPInstaller\'
	$inTemp = "\\<yourinstallservershare>\SP2010\AutoSPInstaller\AutoSPInstallerInput$build.xml"
	Write-Host "Reading: "
	Write-Host $inTemp
	$outFile = "\\<yourinstallservershare>\SP2010\AutoSPInstaller\AutoSPInstallerInput-$Env:COMPUTERNAME.xml"

	$sqlold = "!!sql!!"
	$sqlnew = $sql
	Write-Host "Replacing $sqlold with $sqlnew"
	$envold = "!!env!!"
	$envnew = $comp
	$proold = "!!pro!!"
	# Write the literal lowercase true/false the Provision="" attribute expects (a [bool] would stringify as True/False).
	$pronew = if ($provisionServices) { "true" } else { "false" }
	Write-Host "Replacing $envold with $envnew"

	$content = (Get-Content $inTemp)
	$newContent = ""
	foreach ($line in $content)
	{
		if ($line.Contains($sqlold)) { $line = $line.Replace($sqlold, $sqlnew) }
		if ($line.Contains($envold)) { $line = $line.Replace($envold, $envnew) }
		if ($line.Contains($proold)) { $line = $line.Replace($proold, $pronew) }
		$newContent += $line
		$newContent += "`n"
	}
	$newContent | Set-Content -Path $outFile
	Write-Host "Writing: "
	Write-Host $outFile
}
Generate-AutoSPConfig

# Reload the freshly generated per-machine input file.
$InputFile = "\\<yourinstallservershare>\SP2010\AutoSPInstaller\AutoSPInstallerInput-$env:COMPUTERNAME.xml"
[xml]$xmlinput = (Get-Content $InputFile) -replace ("localhost", $env:COMPUTERNAME)

function GetVersion()
{
	## Detect installer/product version from setup.exe in the current (AutoSPInstaller root) directory
	[string]$bits = Get-Location
	Write-Host (Get-Command "$bits\setup.exe" -ErrorAction SilentlyContinue).FileVersionInfo.ProductVersion
}

function DisableVirusScan()
{
	# Stop and disable the Trend Micro OfficeScan and SCCM client services for the duration of the install.
	# Each service is checked for existence first so a missing agent does not abort the rest of the list.
	$services = "OfficeScan NT Listener", "OfficeScan NT Proxy Service", "OfficeScanNT RealTime Scan", "SMS Agent Host"
	foreach ($displayName in $services)
	{
		Write-Host "Checking $displayName..."
		$svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
		if ($svc -ne $null)
		{
			Stop-Service $svc.Name -Force -ErrorAction SilentlyContinue
			Set-Service $svc.Name -StartupType Disabled -ErrorAction SilentlyContinue
		}
	}
	Write-Host "Checking Trend Micro OfficeScan..."
	$p1 = Get-Process pccntmon -ErrorAction SilentlyContinue
	if ($p1 -ne $null)
	{
		Stop-Process -InputObject $p1 -Force -ErrorAction SilentlyContinue
	}
}

function Enable-MSDTC($machineName)
{
	# Enable network DTC access via the remote registry, then restart MSDTC on that machine.
	Write-Host "Ensuring MSDTC is enabled on " $machineName "..."
	$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $machineName)
	$regKey = $reg.OpenSubKey("Software\\Microsoft\\MSDTC\\Security", $true)
	$regKey.SetValue('NetworkDtcAccessClients', '1', 'DWord')
	$regKey.SetValue('LuTransactions', '1', 'DWord')
	$regKey.SetValue('NetworkDtcAccess', '1', 'DWord')
	$regKey.SetValue('NetworkDtcAccessInbound', '1', 'DWord')
	$regKey.SetValue('NetworkDtcAccessOutbound', '1', 'DWord')
	$regKey.SetValue('NetworkDtcAccessTransactions', '1', 'DWord')
	Write-Host "Restarting MSDTC Service..."
	gwmi win32_service -comp ($machineName) -filter "name like 'msdtc'" | % { $_.stopservice() | Out-Null }
	gwmi win32_service -comp ($machineName) -filter "name like 'msdtc'" | % { $_.startservice() | Out-Null }
}

function Check-ADUserPermission([System.DirectoryServices.DirectoryEntry]$entry, [string]$user, [string]$permission)
{
	# Look up the extended right by display name and check whether $user holds it on $entry.
	$dse = [ADSI]"LDAP://Rootdse"
	$ext = [ADSI]("LDAP://CN=Extended-Rights," + $dse.ConfigurationNamingContext)
	$right = $ext.psbase.Children | ? { $_.DisplayName -eq $permission }
	if ($right -ne $null)
	{
		$perms = $entry.psbase.ObjectSecurity.Access |
			? { $_.IdentityReference -eq $user } |
			? { $_.ObjectType -eq [GUID]$right.RightsGuid.Value }
		return ($perms -ne $null)
	}
	else
	{
		Write-Warning "Permission '$permission' not found."
		return $false
	}
}

function Check-ReplicateChanges()
{
	# The farm account needs "Replicating Directory Changes" on the domain and configuration
	# naming contexts for User Profile Synchronization to work.
	$userName = $xmlinput.Configuration.Farm.Account.Username
	$replicationPermissionName = "Replicating Directory Changes"

	$dse = [ADSI]"LDAP://Rootdse"
	$entries = @(
		[ADSI]("LDAP://" + $dse.defaultNamingContext),
		[ADSI]("LDAP://" + $dse.configurationNamingContext))

	Write-Host -ForegroundColor Yellow " User '$userName': "
	foreach ($entry in $entries)
	{
		$result = Check-ADUserPermission $entry $userName $replicationPermissionName
		if ($result)
		{
			Write-Host " has '$replicationPermissionName' permissions on '$($entry.distinguishedName)'" -ForegroundColor Green
		}
		else
		{
			Write-Host " does NOT have '$replicationPermissionName' permissions on '$($entry.distinguishedName)'" -ForegroundColor Red
			Write-Host "Press any key to continue or close this shell window to stop the installation..."
			$null = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
		}
	}
}

function PrepMachine()
{
	# First boot (UAC still on): prep the box and reboot. Second boot (UAC off): carry on with the install.
	$prepMachine = $false
	$uac = Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system
	$prepMachine = $uac.EnableLUA
	if ($prepMachine)
	{
		PrepFirstBoot
		Enable-MSDTC $xmlinput.Configuration.Farm.Database.DBServer
		Enable-MSDTC $env:COMPUTERNAME
		Write-Verbose " Saved, finished and rebooting!!!"
		Restart-Computer -Force
	}
	else
	{
		DisableVirusScan
		Check-ReplicateChanges
	}
}
PrepMachine
#EndRegion


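The post above describes, but does not include, the post-install step that re-enables UAC, removes the install user from local admins and reboots. The following is an added example of such a cleanup function, not code from the original post or from AutoSPInstaller. It reverses exactly what PrepFirstBoot and StoreSQL write (the Winlogon autologon values, including the cleartext DefaultPassword; EnableLUA; the HKLM\Software\_DeleteMe key; the RunOnce entry and the LowRiskFileTypes override) and verifies the result before the final reboot. The install account name and domain are parameters you supply; the group name "Administrators" assumes an English Windows install.

```powershell
# Added example (not from the original post or AutoSPInstaller): undo the first-boot prep.
# Run as the install user (the HKCU entries live in that user's hive) right before the final reboot.
function Undo-PrepFirstBoot
{
    param(
        [Parameter(Mandatory = $true)][string]$InstallUser,    # placeholder, e.g. "svc-spinstall"
        [Parameter(Mandatory = $true)][string]$InstallDomain   # placeholder, e.g. "CONTOSO"
    )

    $winlogon = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $policies = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"

    # 1. The autologon password sits in cleartext in Winlogon: remove it first, then turn autologon off.
    foreach ($name in "DefaultPassword", "AutoLogonCount")
    {
        Remove-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue
    }
    Set-ItemProperty -Path $winlogon -Name "AutoAdminLogon" -Value "0"

    # 2. Re-enable UAC. EnableLUA only takes effect after a reboot, hence the restart at the end.
    Set-ItemProperty -Path $policies -Name "EnableLUA" -Value 1 -Type DWord

    # 3. Remove the temporary SQL-name key and the per-user entries PrepFirstBoot created.
    Remove-Item -Path "HKLM:\Software\_DeleteMe" -Recurse -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce" `
        -Name "Auto SP Install" -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" `
        -Name "LowRiskFileTypes" -ErrorAction SilentlyContinue

    # 4. Drop the install account from the local Administrators group. net.exe is used because it
    #    works on Server 2008 R2 era hosts; the current token keeps its admin rights until logoff.
    & net.exe localgroup Administrators "$InstallDomain\$InstallUser" /delete | Out-Null
    if ($LASTEXITCODE -ne 0)
    {
        Write-Warning "Could not remove $InstallDomain\$InstallUser from Administrators (net.exe exit code $LASTEXITCODE)"
    }

    # 5. Verify before rebooting; fail loudly rather than leave the box in a half-hardened state.
    $wl = Get-ItemProperty -Path $winlogon
    if ($wl.PSObject.Properties["DefaultPassword"] -ne $null) { throw "DefaultPassword is still present under Winlogon" }
    if ($wl.AutoAdminLogon -ne "0") { throw "AutoAdminLogon is still enabled" }
    if ((Get-ItemProperty -Path $policies).EnableLUA -ne 1) { throw "EnableLUA was not restored to 1" }
    if (Test-Path "HKLM:\Software\_DeleteMe") { throw "HKLM:\Software\_DeleteMe still exists" }

    Write-Host "Cleanup verified; rebooting to apply UAC and group membership changes"
    Restart-Computer -Force
}

# Usage (placeholders): Undo-PrepFirstBoot -InstallUser "<yourinstalluser>" -InstallDomain "<yourdomain>"
```

Call it from the same finalize hook the post mentions, after the profile-sync fixes and before the profile sync is started on the next boot, so the cleartext password never survives past the install session.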
Aug 7, 2014 at 7:18 PM
These are nice. Which have been incorporated and which functions have not?
Coordinator
Aug 11, 2014 at 5:40 PM
Sorry, I haven't had a chance to review or incorporate any of them yet.

Brian
Coordinator
Aug 11, 2014 at 5:41 PM
Whoops actually I just realized how old this thread was... some of the functionality (e.g. autologin, UAC) has in fact effectively been implemented.

Brian