I need some help validating a "quick and dirty" trick I am thinking about using on MDT 2010 Update 1 to address some clear-text password concerns...
For my MDT 2010 Update 1 setup, I followed Mitch Tulloch's guidance in the following articles:
- http://www.windowsnetworking.com/articles_tutorials/Deploying-Windows-7-Part20.html
- http://www.windowsnetworking.com/articles_tutorials/Deploying-Windows-7-Part21.html
After I confirmed everything was working as expected with the above settings (e.g. joining and moving the computer to the Builds OU with clear-text passwords), I was trying to create a script to:
- Move the computer account (which is joined and moved to the "Builds" OU by the native MDT feature) to another, permanent OU, and
- Add or remove some group memberships on the computer account.
- Giving the mdt-join ID more permissions on the "final" destination OU defeats the purpose of Mitch's tutorial.
- Giving the mdt-build ID more permissions made my .wsf work, but it still defeats the purpose of limiting permissions.
So the "quick and dirty" method I am trying to use, with minimal customization, is:
Since ZTIUtility.vbs has "sort-of" password protection via its ObfuscateEncode/ObfuscateDecode functions, I am thinking about customizing its behaviour as follows:
- Set the passwords in clear text everywhere you want to set them.
- Run a simple dummy task sequence to generate the variables.dat file.
- Open C:\MININT\SMSOSD\OSDLOGS\VARIABLES.DAT and get the "encoded password" of each variable.
- Go back to the places where you specified clear-text passwords and put in the "encoded password strings" instead.
- Back up \Scripts\ZTIUtility.vbs to \Scripts\ZTIUtility.Original.vbs
- Duplicate \Scripts\ZTIUtility.vbs to \Scripts\ZTIUtilty_Encode.vbs, look for the following code in the ObfuscateEncode function, and add the portion between the "### YP - Customization ... Begin/End" comments
- Overwrite \Scripts\ZTIUtility.vbs with \Scripts\ZTIUtilty_Encode.vbs
(MDT 2010 Update X may overwrite ZTIUtility.vbs again)
*** This hack is only applicable to MDT 2010 Update 1
*** MDT 2010 seems to have similar code within its SetDAT function
_______________________________________________
Function ObfuscateEncode(sVariable, sNew)
    Select Case UCase(sVariable)
        Case "USERID", "USERPASSWORD", "USERDOMAIN", "DOMAINADMIN", "DOMAINADMINPASSWORD", "DOMAINADMINDOMAIN", _
             "ADMINPASSWORD", "BDEPIN", "TPMOWNERPASSWORD", "ADDSUSERNAME", "ADDSPASSWORD", _
             "SAFEMODEADMINPASSWORD", "USERNAME", "USERPASSWORD", "PRODUCTKEY"
            '### YP - Customization 1 Begin
            'Dim sObfuscateEncodeTest
            'sObfuscateEncodeTest = oStrings.Base64Decode(sNew)
            'If sNew exists but is not valid Base64 (not pre-encoded), encode it...
            'If sObfuscateEncodeTest = "" And sNew <> "" Then
            '    ObfuscateEncode = oStrings.Base64Encode(sNew)
            'End If
            'If sNew exists and is already valid Base64 (pre-encoded), return it as-is...
            'If sObfuscateEncodeTest <> "" And sNew <> "" Then
            '    ObfuscateEncode = sNew
            'End If
            '### YP - Customization 1 End
            '### YP - Customization 2 Begin
            Dim bPreEncoded
            bPreEncoded = False
            'Check whether the current value is one of the known pre-encoded values
            '(replace the placeholders with the strings copied from VARIABLES.DAT)...
            If sNew = "WhateverEncodedValue1=" Then bPreEncoded = True
            If sNew = "WhateverEncodedValue2==" Then bPreEncoded = True
            If bPreEncoded = True Then
                'If it is pre-encoded, don't encode it again
                ObfuscateEncode = sNew
            Else
                'If it is not, encode it
                ObfuscateEncode = oStrings.Base64Encode(sNew)
            End If
            '### YP - Customization 2 End
        Case Else
            ObfuscateEncode = sNew
    End Select
End Function
_______________________________________________
Initially, I was trying to use ### YP - Customization 1. It worked fine for the USERPASSWORD used for MDT share access, but all the others were quite troublesome:
- In C:\MININT\UNATTEND.XML, the DomainAdminPassword and AdminPassword values were stored in encoded format instead of the decoded version.
- DomainAdminID was garbled for some reason...
With ### YP - Customization 2, I simply listed the "pre-encoded" values and let it skip encoding only if the value is already encoded.
So, for my case of running a VBScript (.vbs or .wsf) that lets the current USERID move the computer account around, I can encode USERPASSWORD in bootstrap.ini and set appropriate permissions on all OUs (source and destination OUs), which is way more than just the "Builds" OU.
But because I still have an issue putting an encoded password in DomainAdminPassword, the domain join still fails unless I put the "clear-text" password in customsettings.ini.
Since USERPASSWORD is encoded successfully, I am thinking about settling on the mdt-build account to run the .wsf scripts that perform the OU/group manipulation...
If anyone has a solution to this issue other than an encoded .vbe or a compiled .exe to do what I am trying to do, please let the world know... :)
Thanks,
YPae
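As an added illustration (not code from the post above, nor from MDT or ZTIUtility.vbs), the Python below models the decision logic of the two customizations so the difference between them can be exercised offline. The functions `base64_encode` and `base64_decode` are assumed stand-ins for `oStrings.Base64Encode`/`oStrings.Base64Decode`; in particular it assumes, as Customization 1 does, that a string which is not valid Base64 decodes to an empty string. The sample values are constructed, not real credentials. It shows why a "does it decode?" test (Customization 1) is ambiguous: an 8-character password made only of Base64-alphabet characters is itself syntactically valid Base64, so that test passes it through unencoded and it no longer survives the decode at use time, whereas an explicit allowlist of known encoded strings (Customization 2) is unambiguous. It also shows that the stored value is one decode away from the clear text, so this obfuscation only hides the password from a casual glance at bootstrap.ini/customsettings.ini; anyone who can read those files can recover it, and restricting who can read them remains the real control.

```python
import base64
import binascii

# Variables that ZTIUtility.vbs runs through ObfuscateEncode (list copied
# from the ObfuscateEncode excerpt in the post).
OBFUSCATED_VARIABLES = {
    "USERID", "USERPASSWORD", "USERDOMAIN", "DOMAINADMIN",
    "DOMAINADMINPASSWORD", "DOMAINADMINDOMAIN", "ADMINPASSWORD", "BDEPIN",
    "TPMOWNERPASSWORD", "ADDSUSERNAME", "ADDSPASSWORD",
    "SAFEMODEADMINPASSWORD", "USERNAME", "PRODUCTKEY",
}


def base64_encode(value: str) -> str:
    """Stand-in for oStrings.Base64Encode (assumption: it encodes the text's bytes)."""
    return base64.b64encode(value.encode("latin-1")).decode("ascii")


def base64_decode(value: str) -> str:
    """Stand-in for oStrings.Base64Decode.

    Assumption (the same one Customization 1 relies on): a string that is not
    syntactically valid Base64 decodes to "".  Anything that IS valid Base64
    decodes to some string, even when that string is garbage.
    """
    try:
        return base64.b64decode(value, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return ""


def obfuscate_encode_guess(variable: str, value: str) -> str:
    """Customization 1: treat any value that decodes as already encoded."""
    if variable.upper() not in OBFUSCATED_VARIABLES:
        return value
    if value != "" and base64_decode(value) != "":
        return value  # believed to be pre-encoded: passed through untouched
    return base64_encode(value)


def obfuscate_encode_allowlist(variable: str, value: str,
                               pre_encoded: frozenset) -> str:
    """Customization 2: only values on an explicit allowlist are passed through."""
    if variable.upper() not in OBFUSCATED_VARIABLES:
        return value
    if value in pre_encoded:
        return value
    return base64_encode(value)


def round_trip_ok(variable: str, clear_text: str, encode) -> bool:
    """Does decoding what `encode` stored give the original clear text back?"""
    return base64_decode(encode(variable, clear_text)) == clear_text


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    awkward = "Pa55word"                # 8 Base64-alphabet chars: "looks" encoded
    stored = base64_encode("P@ssw0rd")  # what the post copies out of VARIABLES.DAT
    allow = frozenset({stored})

    print("guess     :", obfuscate_encode_guess("USERPASSWORD", awkward),
          round_trip_ok("USERPASSWORD", awkward, obfuscate_encode_guess))
    print("allowlist :", obfuscate_encode_allowlist("USERPASSWORD", awkward, allow),
          round_trip_ok("USERPASSWORD", awkward,
                        lambda v, s: obfuscate_encode_allowlist(v, s, allow)))
    # Either way the "protection" is one decode away for anyone who can read the file.
    print("decoded   :", base64_decode(stored))
```

Running it shows the guess-based variant handing "Pa55word" through untouched (so the later decode yields garbage), while the allowlist variant encodes it and round-trips cleanly; the final line prints the clear-text password straight back out of the stored value.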