Many of my customers have Group Policy settings that are very restrictive and cause problems during operating system deployments. For example, legal notice messages can interrupt an automated logon process.
This can be a real hassle to get around when deploying, so to solve the issue I perform one of the following steps:
1. If the computer is already in the domain – I move the computer to a “Staging OU” that has no group policy settings applied.
2. If the computer is not in the domain – I ensure that the computer will be created in the “Staging OU”.
This process is performed during the State Restore phase from within Windows PE. At the end of the deployment I then run another script that moves the computer to the correct OU, the group policy is applied and everyone is happy. 🙂
To make this happen I use two scripts:
1. Z-MoveComputer-StagingOU.wsf – This script moves the computer to the “Staging OU” and updates the MachineObjectOU property with the “Staging OU” value.
2. Z-MoveComputer-SwapOUValues.wsf – This script runs after BDD has configured the Sysprep or Unattend.xml files; its purpose is to change the MachineObjectOU and “Staging OU” properties back to their original values.
I have attached the required scripts; to implement them, follow the steps detailed below:
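To show what the two scripts above have to do, here is an added VBScript example (it is not the attached Z-MoveComputer-*.wsf scripts, and it is not BDD's own code). It binds to the DomainDC with explicit credentials, resolves the computer's distinguished name, moves the object into the StagingOU with ADSI's MoveHere, and then swaps the MachineObjectOU and StagingOU values the way the two scripts do at either end of the deployment. Assumptions: ADSI (activeds and adsldp) is available in the image, the account has rights to move computer objects, and the property values arrive on the command line instead of through oEnvironment from ZTIUtility.vbs; the Scripting.Dictionary stands in for that environment object.

```vbscript
' Added example, not the post's scripts. Demonstrates the staging-OU move
' and the MachineObjectOU/StagingOU swap with plain ADSI calls.
Option Explicit

Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_NAME_INITTYPE_SERVER = 2
Const ADS_NAME_TYPE_1779 = 1     ' distinguished name
Const ADS_NAME_TYPE_NT4 = 3      ' DOMAIN\name$

' Bind to an LDAP path with explicit credentials. Needed because Windows PE
' has no domain logon context that GetObject("LDAP://...") could reuse.
Function BindTo(strPath, strUser, strPassword)
    Dim objNS
    Set objNS = GetObject("LDAP:")
    Set BindTo = objNS.OpenDSObject(strPath, strUser, strPassword, ADS_SECURE_AUTHENTICATION)
End Function

' Resolve DOMAIN\COMPUTER$ to its distinguished name via the chosen DC.
Function GetComputerDN(strDC, strNetBiosDomain, strComputer, strUser, strPassword)
    Dim objTrans
    Set objTrans = CreateObject("NameTranslate")
    objTrans.InitEx ADS_NAME_INITTYPE_SERVER, strDC, strUser, strNetBiosDomain, strPassword
    objTrans.Set ADS_NAME_TYPE_NT4, strNetBiosDomain & "\" & strComputer & "$"
    GetComputerDN = objTrans.Get(ADS_NAME_TYPE_1779)
End Function

' The container part of a DN: everything after the first comma.
Function ParentDN(strDN)
    ParentDN = Mid(strDN, InStr(strDN, ",") + 1)
End Function

' Move the computer object into strTargetOU. Returns the new DN, or ""
' when the object already lives there (a re-run must not fail).
Function MoveComputerToOU(strDC, strComputerDN, strTargetOU, strUser, strPassword)
    Dim objOU, objMoved
    If LCase(ParentDN(strComputerDN)) = LCase(strTargetOU) Then
        MoveComputerToOU = ""
        Exit Function
    End If
    Set objOU = BindTo("LDAP://" & strDC & "/" & strTargetOU, strUser, strPassword)
    ' vbNullString keeps the existing RDN (CN=<computer>)
    Set objMoved = objOU.MoveHere("LDAP://" & strDC & "/" & strComputerDN, vbNullString)
    MoveComputerToOU = objMoved.Get("distinguishedName")
End Function

' Swap two property values. Used once so the Configure task writes the
' staging OU into Sysprep/Unattend.xml, and again afterwards to restore it.
Sub SwapProperties(dictEnv, strKeyA, strKeyB)
    Dim strTemp
    strTemp = dictEnv(strKeyA)
    dictEnv(strKeyA) = dictEnv(strKeyB)
    dictEnv(strKeyB) = strTemp
End Sub

' usage: cscript MoveToStaging.vbs <DC> <NetBIOSDomain> <Computer> <StagingOU DN> <MachineObjectOU DN> <User> <Password>
If WScript.Arguments.Count < 7 Then
    WScript.Echo "usage: MoveToStaging.vbs DC Domain Computer StagingOU MachineObjectOU User Password"
    WScript.Quit 1
End If

Dim dictEnv, strDN, strNewDN, strUser, strPassword
Set dictEnv = CreateObject("Scripting.Dictionary")   ' stands in for oEnvironment
dictEnv("DomainDC") = WScript.Arguments(0)
dictEnv("StagingOU") = WScript.Arguments(3)
dictEnv("MachineObjectOU") = WScript.Arguments(4)
strUser = WScript.Arguments(1) & "\" & WScript.Arguments(5)
strPassword = WScript.Arguments(6)

strDN = GetComputerDN(dictEnv("DomainDC"), WScript.Arguments(1), WScript.Arguments(2), strUser, strPassword)
strNewDN = MoveComputerToOU(dictEnv("DomainDC"), strDN, dictEnv("StagingOU"), strUser, strPassword)
If strNewDN = "" Then
    WScript.Echo "Already in staging OU: " & strDN
Else
    WScript.Echo "Moved to: " & strNewDN
End If

' Z-MoveComputer-StagingOU step: MachineObjectOU now points at the staging OU
SwapProperties dictEnv, "MachineObjectOU", "StagingOU"
WScript.Echo "MachineObjectOU is now " & dictEnv("MachineObjectOU")
' Z-MoveComputer-SwapOUValues step (after the Configure task): restore it
SwapProperties dictEnv, "MachineObjectOU", "StagingOU"
WScript.Echo "MachineObjectOU restored to " & dictEnv("MachineObjectOU")
```

Two points worth keeping from this when adapting the real scripts: the move is skipped when the object is already in the staging OU, so a restarted deployment does not error out, and the credentials used for OpenDSObject are the ones that need only move rights on the staging and target OUs rather than broad domain permissions.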
Enable ADSI in Windows PE
Windows PE must have ADSI enabled (not officially supported) for these scripts to work; the steps below detail how to enable ADSI.
To enable ADSI in Windows PE 2004/2005 (ZTI only) you will need to perform the following steps:
1. Update Extra.inf located within the WinPE source directory with the following lines:
activeds.tlb = 1,,,,,,,2,0,0,,1,2
adsldp.dll = 1,,,,,,,2,0,0,,1,2
2. Update the BDD OSD deployment point, creating an updated Windows PE source
3. Import the new Windows PE source into SMS
4. Recreate SMS deployment CD
To enable ADSI in Windows PE 2.0 (LTI) then follow Johan Arwidmark’s instructions here.
Update the deployment point rules
1. The following properties need to be declared in the deployment point rules. These properties are used to connect to AD and move the computers. The account used must have the rights to create and delete computer objects in the domain:
2. You also need two new custom properties to be declared in the deployment point rules:
StagingOU – The full staging OU path; this is in the same format as the MachineObjectOU property.
DomainDC – The name of a Domain Controller to connect to.
Here is an example CustomSettings.ini file:
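As an added illustration (not the author's file), here is what a CustomSettings.ini carrying these rules could look like. The StagingOU and DomainDC lines are the two custom properties from the post; the JoinDomain, DomainAdmin, DomainAdminDomain and DomainAdminPassword lines are assumed to be the standard BDD domain-join properties the author relies on for the AD connection, and every domain, OU and account value is a constructed placeholder.

```ini
[Settings]
Priority=Default
; custom properties must be declared here before they can be set below
Properties=StagingOU,DomainDC

[Default]
; standard BDD domain-join properties (assumed; placeholder values)
JoinDomain=CONTOSO
DomainAdmin=SvcDeploy
DomainAdminDomain=CONTOSO
DomainAdminPassword=<placeholder-password>
; final OU for the computer, in DN format
MachineObjectOU=OU=Workstations,DC=contoso,DC=com
; OU with no group policy applied, used for the duration of the deployment
StagingOU=OU=Staging,DC=contoso,DC=com
; domain controller the scripts bind to, so the move and the later read see the same replica
DomainDC=DC01.contoso.com
```

Binding every ADSI call to the one DomainDC matters: if the move goes to one DC and the swap-back script reads from another before replication completes, the computer can appear to be in the wrong OU.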
Update the scripts folder
Next you must add the scripts to the .\distribution\scripts folder. You will notice that the script names have the prefix “Z-”; this is because BDD automatically copies all scripts that start with “Z” from the distribution share to other deployment points when they are updated.
Update the build task sequence
The next thing you do is add the scripts to the build task sequence. I would recommend creating an application for each script and then adding it to the task sequence as shown below. It is important to note that the “Move Computer” script must be run before the Configure task and the “Revert OU” script must be run after the Configure task.
Update your deployment points
Finally you should update your deployment points so that these changes are propagated to the correct places.
If you want to see how to move the computer to its final OU (MachineObjectOU) then have a look at this blog post.