Requiring a Local Administrator Password When Launching DaRT

DaRT 7 Provides Additional Deployment Options

A major focus of Microsoft Diagnostic and Recovery Toolset (DaRT) 7 was to make the toolset more accessible when IT professionals needed to repair or diagnose a machine. Prior to version 7 the only officially supported way to use the DaRT tools was via CD/DVD. But now, with DaRT 7, Microsoft supports several deployment options (CD/DVD, USB, recovery partition, and PXE boot). With these options DaRT can always be available when needed. If, for example, DaRT is deployed to a PXE server, an IT administrator no longer has to hunt down his DaRT CD/DVD, but can now choose to boot DaRT straight from the network. Tada!

Requiring a Local Admin Password

Making DaRT easier for IT administrators to reach also makes it easier for everyone else to reach, including users who have no business running recovery tools against their own machines. In those cases it makes sense to require a local Administrator password before the Diagnostics and Recovery Toolset starts. This assumes, of course, that your users do not run as local administrators; if they do, they already know a password that satisfies the prompt. Note too that the prompt gates the DaRT tools; it does nothing to protect the contents of the disk from someone who boots other media.

This feature is really a capability of Windows RE, which DaRT is built on, rather than of DaRT itself. The first thing to understand is that some deployment options always require a local administrator's password: when Windows RE boots from what it believes is fixed media, the password prompt is always on. This is the case for a recovery partition and for some USB drives (those that present themselves as fixed disks). So if you deploy DaRT to a local or recovery partition, the password is required with no configuration necessary. If you deploy DaRT by some other means, particularly PXE, follow the instructions below.

When This Doesn’t Make Sense

There are several scenarios where enabling a local administrator password doesn't make sense:

  1. If your company does not manage a local administrator password on each workstation, enabling this option is pointless: with no known password to enter, you have locked your IT professionals out of DaRT too.
  2. Locksmith is the wildcard here. Locksmith resets a local account's password, and the common reason to run it is that the local administrator's password has been forgotten. Requiring that same password to get into Locksmith defeats the purpose. My suggestion is to enable Locksmith only on portable media.
  3. If your company deploys DaRT onto a local or recovery partition, a password is always required, so there is no configuration to do. I do not know of any way to turn that behavior off for fixed media.

How to Configure DaRT to Require a Local Administrator's Password

  1. Create a local administrator account on every machine. Consider dedicating this account to the DaRT tools, and share its password only with those authorized to run the toolset.

  2. When creating the DaRT media one of the last steps in the wizard is to add additional files. This is where we will make the configuration change. Click Show Files at this step in the wizard.

  3. Drill down until you find the file sources\recovery\tools\WinREConfig.xml. Open this file with your favorite text editor and add the element <AlwaysAuthenticate/> anywhere inside the <Recovery> element.

    Note: To save changes to this file you will need to either run your editor as an Administrator or change the permissions on the file to give yourself write access.

    More details on this configuration file are in the Windows RE documentation: https://technet.microsoft.com/en-us/library/cc749546(v=ws.10).aspx

  4. Once the file is saved, continue creating your DaRT image, then deploy it via your preferred deployment option.
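
The whole procedure, as an added PowerShell example that is not part of the original post and not code from DaRT itself. Part 1 creates the dedicated administrator account on a workstation using the ADSI WinNT provider (which also works on Windows 7 hosts that predate New-LocalUser); Part 2 edits WinREConfig.xml in the folder that Show Files opens, grants the current user write access as the note above describes, adds <AlwaysAuthenticate/> only if it is not already there, and re-reads the saved file to confirm. The account name DaRTAdmin, the media folder path, and the choice of an ACL change rather than an elevated editor are assumptions for this example.

```powershell
# Added example: not code from the original post or from DaRT. Run each part
# in an elevated PowerShell session. The account name, media path and ACL
# approach are assumptions; adjust them for your environment.

# ---- Part 1: dedicated local administrator account (run on each workstation).
function New-DartAdminAccount {
    param(
        [string]$Name = 'DaRTAdmin',                                         # assumed name
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password
    )
    $userPath = "WinNT://$env:COMPUTERNAME/$Name,user"
    # Fail rather than silently reset the password of an existing account.
    if ([ADSI]::Exists($userPath)) { throw "Local account '$Name' already exists" }

    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    # The WinNT provider needs the password in clear text; unwrap the
    # SecureString only for the SetPassword call and zero the buffer after.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $user  = $computer.Create('User', $Name)
        $user.SetPassword($plain)
        $user.SetInfo()
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }

    # Re-bind to the committed object before changing its attributes.
    $user = [ADSI]$userPath
    $user.Put('Description', 'Dedicated account for launching DaRT; not for daily use')
    # ADS_UF_DONT_EXPIRE_PASSWD (0x10000): a recovery account whose password
    # expires locks out the people who need it most.
    $flags = [int]$user.Get('UserFlags')
    $user.Put('UserFlags', ($flags -bor 0x10000))
    $user.SetInfo()

    $admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $admins.Add($userPath)
    return $userPath
}

# ---- Part 2: turn on <AlwaysAuthenticate/> in the media being built (run on the
# machine running the DaRT Recovery Image wizard, at the "Show Files" step).
function Enable-DartAlwaysAuthenticate {
    param([Parameter(Mandatory = $true)][string]$MediaRoot)   # folder that Show Files opens
    $xmlPath = Join-Path $MediaRoot 'sources\recovery\tools\WinREConfig.xml'
    if (-not (Test-Path -Path $xmlPath)) { throw "WinREConfig.xml not found at $xmlPath" }
    $xmlPath = (Resolve-Path -Path $xmlPath).Path   # XmlDocument.Save wants a full path

    # Give the current user Modify rights on the file (the permission change the
    # note above refers to) and clear the read-only attribute if it is set.
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl = Get-Acl -Path $xmlPath
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'Modify', 'Allow')))
    Set-Acl -Path $xmlPath -AclObject $acl
    (Get-Item -Path $xmlPath).IsReadOnly = $false

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true          # keep the file's existing layout
    $doc.Load($xmlPath)
    $recovery = $doc.DocumentElement
    if ($recovery.LocalName -ne 'Recovery') { throw "Unexpected root element <$($recovery.LocalName)>" }

    # Idempotent: add the element only if it is not already present. Matching on
    # LocalName and creating in the root's namespace keeps this correct whether
    # or not the file declares a default namespace.
    $present = $recovery.ChildNodes | Where-Object { $_.LocalName -eq 'AlwaysAuthenticate' }
    if (-not $present) {
        $element = $doc.CreateElement('AlwaysAuthenticate', $recovery.NamespaceURI)
        [void]$recovery.AppendChild($element)
        $doc.Save($xmlPath)
    }

    # Verify by re-reading what was written rather than trusting the in-memory DOM.
    $check = New-Object System.Xml.XmlDocument
    $check.Load($xmlPath)
    return [bool]($check.DocumentElement.ChildNodes | Where-Object { $_.LocalName -eq 'AlwaysAuthenticate' })
}

# Usage (elevated; paths and names are assumptions):
#   New-DartAdminAccount -Password (Read-Host -AsSecureString 'DaRT admin password')
#   Enable-DartAlwaysAuthenticate -MediaRoot 'C:\DaRT\Media'   # $true once the element is in place
```

Part 1 takes the password as a SecureString so it never appears in the command line or in the PowerShell history, and refuses to touch an account that already exists. Part 2 returns $true only after re-reading the saved file, which is the check worth doing before you continue the wizard, because a silent save failure (still read-only, wrong folder) would ship media that prompts for nothing.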

 

Good luck! I hope this was helpful.