355 lines
13 KiB
Plaintext
355 lines
13 KiB
Plaintext
|
; Copyright (c) uib gmbh (www.uib.de)
|
||
|
|
; This sourcecode is owned by uib
|
||
|
|
; and published under the Terms of the General Public License.
|
||
|
|
|
||
|
|
; TEMPLATE for
|
||
|
|
; Skript fuer Installationen im Kontext eines temporaeren lokalen Administrators
|
||
|
|
; installations as temporary local admin
|
||
|
|
; see winst_manual.pdf / winst_handbuch.pdf
|
||
|
|
|
||
|
|
;
|
||
|
|
; !!! Das lokale Installations-Skript, das durch den temporaeren lokalen Admin ausgefuehrt wird
|
||
|
|
; !!! (sein Name steht in $LocalSetupScript$), muss mit dem Befehl
|
||
|
|
; !!! exitWindows /Reboot
|
||
|
|
; !!! enden
|
||
|
|
;
|
||
|
|
|
||
|
|
; !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
||
|
|
; Vorarbeiten/Voraussetzungen/Doku pruefen wie in Winsthandbuch
|
||
|
|
; Skript fuer Installationen im Kontext eines lokalen Administrators
|
||
|
|
; !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
||
|
|
|
||
|
|
|
||
|
|
[Actions]
|
||
|
|
requiredWinstVersion >= 4.12.0.16
|
||
|
|
setLogLevel=7
|
||
|
|
ScriptErrorMessages=off
|
||
|
|
DefVar $ProductName$
|
||
|
|
DefVar $ProductSizeMB$
|
||
|
|
DefVar $LocalSetupScript$
|
||
|
|
DefVar $LockKeyboard$
|
||
|
|
DefVar $OpsiAdminPass$
|
||
|
|
DefVar $RebootFlag$
|
||
|
|
DefVar $WinstRegKey$
|
||
|
|
DefVar $AutoName$
|
||
|
|
DefVar $AutoPass$
|
||
|
|
DefVar $AutoDom$
|
||
|
|
DefVar $AutoLogon$
|
||
|
|
DefVar $AutoBackupKey$
|
||
|
|
DefVar $LocalFilesPath$
|
||
|
|
DefVar $LocalWinst$
|
||
|
|
DefVar $DefaultLoglevel$
|
||
|
|
DefVar $PasswdLogLevel$
|
||
|
|
DefVar $AdminGroup$
|
||
|
|
DefVar $SearchResult$
|
||
|
|
DefVar $LocalDomain$
|
||
|
|
DefVar $debug$
|
||
|
|
DefVar $isFatal$
|
||
|
|
DefVar $BackupConsentPromptBehaviorAdmin$
|
||
|
|
DefVar $BackupEnableInstallerDetection$
|
||
|
|
DefVar $BackupEnableLUA$
|
||
|
|
DefVar $BackupEnableVirtualization$
|
||
|
|
DefVar $BackupPromptOnSecureDesktop$
|
||
|
|
;DefVar $BackupFilterAdministratorToken$
|
||
|
|
DefVar $UAC_off$
|
||
|
|
|
||
|
|
; ----------------------------------------------------------------
|
||
|
|
; - Please edit the following values
|
||
|
|
; ----------------------------------------------------------------
|
||
|
|
;Set $ProductName$ = "opsi-template-with-admin"
|
||
|
|
Set $ProductName$ = "%installingProdName%"
|
||
|
|
Set $ProductSizeMB$ = "1"
|
||
|
|
Set $LocalSetupScript$ = "setup32.opsiscript"
|
||
|
|
set $UAC_off$ = "false"
|
||
|
|
; ----------------------------------------------------------------
|
||
|
|
|
||
|
|
comment "get and set initial values..."
|
||
|
|
set $debug$ = GetProductProperty("debug","false")
|
||
|
|
set $isFatal$ = "false"
|
||
|
|
set $DefaultLoglevel$ = "7"
|
||
|
|
SetLogLevel=$DefaultLoglevel$
|
||
|
|
Set $LocalDomain$ = "%PCNAME%"
|
||
|
|
|
||
|
|
|
||
|
|
comment "check if we productive or debugging..."
|
||
|
|
if $debug$ = "true"
|
||
|
|
comment "we are in debug mode"
|
||
|
|
Set $LockKeyboard$="false"
|
||
|
|
Set $PasswdLogLevel$="7"
|
||
|
|
else
|
||
|
|
comment "we are in productive mode"
|
||
|
|
comment "set $LockKeyboard$ to true to prevent user hacks while admin is logged in"
|
||
|
|
Set $LockKeyboard$="true"
|
||
|
|
comment " set $PasswdLogLevel$ to 0 for production"
|
||
|
|
Set $PasswdLogLevel$="0"
|
||
|
|
endif
|
||
|
|
|
||
|
|
comment "handle Rebootflag"
|
||
|
|
Set $WinstRegKey$ = "HKLM\SOFTWARE\opsi.org\winst\"+$ProductName$
|
||
|
|
Set $RebootFlag$ = GetRegistryValue($WinstRegKey$, "RebootFlag", "32bit")
|
||
|
|
|
||
|
|
comment "some paths required"
|
||
|
|
Set $AutoBackupKey$ = $WinstRegKey$+"\AutoLogonBackup"
|
||
|
|
Set $LocalFilesPath$ = "C:\opsi.org\tmp\opsi_local_inst"
|
||
|
|
Set $LocalWinst$ = "%ProgramFilesDir%\opsi.org\opsi-client-agent\opsi-winst\winst32.exe"
|
||
|
|
if not( FileExists($LocalWinst$) )
|
||
|
|
LogError "No opsi-winst found. Abborting."
|
||
|
|
isFatalError
|
||
|
|
endif
|
||
|
|
|
||
|
|
comment "show product picture"
|
||
|
|
ShowBitmap "%scriptpath%\localsetup\"+$ProductName$+".png" $ProductName$
|
||
|
|
|
||
|
|
if not (($RebootFlag$ = "1") or ($RebootFlag$ = "2") or ($RebootFlag$ = "3"))
|
||
|
|
comment "Part before first Reboot"
|
||
|
|
comment "just reboot - this must be done if this is the first product after OS installation"
|
||
|
|
comment "handle Rebootflag"
|
||
|
|
Set $RebootFlag$ = "1"
|
||
|
|
Registry_SaveRebootFlag /32bit
|
||
|
|
;ExitWindows /ImmediateReboot
|
||
|
|
endif ; Rebootflag = not (1 or 2 or 3)
|
||
|
|
|
||
|
|
if $RebootFlag$ = "1"
|
||
|
|
comment "Part before second Reboot"
|
||
|
|
setActionProgress "Preparing"
|
||
|
|
|
||
|
|
if not(HasMinimumSpace ("%SYSTEMDRIVE%", ""+$ProductSizeMB$+" MB"))
|
||
|
|
LogError "Not enough space on drive C: . "+$ProductSizeMB$+" MB on C: required for "+$ProductName$
|
||
|
|
isFatalError
|
||
|
|
endif
|
||
|
|
|
||
|
|
comment "Lets work..."
|
||
|
|
Message "Preparing "+$ProductName$+" install step 1..."
|
||
|
|
sub_Prepare_AutoLogon
|
||
|
|
|
||
|
|
comment "we need to reboot now to be sure that the autologon work"
|
||
|
|
comment "handle Rebootflag"
|
||
|
|
Set $RebootFlag$ = "2"
|
||
|
|
Registry_SaveRebootFlag /32bit
|
||
|
|
ExitWindows /ImmediateReboot
|
||
|
|
endif ; Rebootflag = not (1 or 2)
|
||
|
|
|
||
|
|
if ($RebootFlag$ = "2")
|
||
|
|
comment "Part after first Reboot"
|
||
|
|
|
||
|
|
comment "handle Rebootflag"
|
||
|
|
Set $RebootFlag$ = "3"
|
||
|
|
Registry_SaveRebootFlag /32bit
|
||
|
|
|
||
|
|
comment "Lets work..."
|
||
|
|
Message "Preparing "+$ProductName$+" install step 2..."
|
||
|
|
Registry_enable_keyboard /sysnative
|
||
|
|
|
||
|
|
comment "now let the autologon work"
|
||
|
|
comment "it will stop with a reboot"
|
||
|
|
setActionProgress "Run Installation"
|
||
|
|
|
||
|
|
ExitWindows /ImmediateLogout
|
||
|
|
endif ; Rebootflag = 2
|
||
|
|
|
||
|
|
if ($RebootFlag$ = "3")
|
||
|
|
comment "Part after second Reboot"
|
||
|
|
ExitWindows /Reboot
|
||
|
|
setActionProgress "Cleanup"
|
||
|
|
comment "handle Rebootflag"
|
||
|
|
Set $RebootFlag$ = "0"
|
||
|
|
Registry_SaveRebootFlag /32bit
|
||
|
|
|
||
|
|
comment "Lets work..."
|
||
|
|
Message "Cleanup "+$ProductName$+" install (step 3)..."
|
||
|
|
sub_Restore_AutoLogon
|
||
|
|
set $SearchResult$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "opsi_autologon_setup")
|
||
|
|
if $SearchResult$ = $LocalWinst$+" "+$LocalFilesPath$+"\"+$LocalSetupScript$+" /batch /productid %installingProdName%"
|
||
|
|
LogError "Localscript did not run. We remove the RunOnce entry and abort"
|
||
|
|
Registry_del_runonce /sysnative
|
||
|
|
set $isFatal$ = "true"
|
||
|
|
endif
|
||
|
|
if "true" = GetRegistryValue("HKLM\Software\opsi.org\winst" , "with-admin-fatal", "32bit")
|
||
|
|
LogError "set to fatal because the local script stored this result"
|
||
|
|
set $isFatal$ = "true"
|
||
|
|
endif
|
||
|
|
comment "cleanup the registry key which stores a fatal result of the local script"
|
||
|
|
Registry_clean_fatal_flag /32bit
|
||
|
|
if $isFatal$ = "true"
|
||
|
|
isFatalError
|
||
|
|
endif
|
||
|
|
comment "This is the clean end of the installation"
|
||
|
|
endif ; Rebootflag = 3
|
||
|
|
|
||
|
|
|
||
|
|
[sub_Prepare_AutoLogon]
|
||
|
|
comment "copy the setup script and files"
|
||
|
|
Files_copy_Setup_files_local
|
||
|
|
comment "read actual Autologon values for backup"
|
||
|
|
set $AutoName$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultUserName")
|
||
|
|
comment "if AutoLogonName is our setup admin user, something bad happend"
|
||
|
|
comment "then let us cleanup"
|
||
|
|
if ($AutoName$="opsiSetupAdmin")
|
||
|
|
set $AutoName$=""
|
||
|
|
set $AutoPass$=""
|
||
|
|
set $AutoDom$=""
|
||
|
|
set $AutoLogon$="0"
|
||
|
|
else
|
||
|
|
set $AutoPass$ = asConfidential(GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultPassword"))
|
||
|
|
set $AutoDom$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultDomainName")
|
||
|
|
set $AutoLogon$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "AutoAdminLogon")
|
||
|
|
endif
|
||
|
|
if $UAC_off$ = "true"
|
||
|
|
set $BackupConsentPromptBehaviorAdmin$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorAdmin")
|
||
|
|
set $BackupEnableInstallerDetection$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableInstallerDetection")
|
||
|
|
set $BackupEnableLUA$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
|
||
|
|
set $BackupEnableVirtualization$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableVirtualization")
|
||
|
|
set $BackupPromptOnSecureDesktop$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "PromptOnSecureDesktop")
|
||
|
|
;set $BackupFilterAdministratorToken$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "FilterAdministratorToken")
|
||
|
|
Registry_backup_uac /32bit
|
||
|
|
Registry_UAC_off /sysnative
|
||
|
|
endif
|
||
|
|
|
||
|
|
comment "backup AutoLogon values"
|
||
|
|
Registry_save_autologon /32bit
|
||
|
|
|
||
|
|
comment "prepare the admin AutoLogon"
|
||
|
|
set $OpsiAdminPass$= asConfidential(randomstr)
|
||
|
|
Registry_autologon /sysnative
|
||
|
|
|
||
|
|
comment "get the name of the admin group"
|
||
|
|
set $AdminGroup$ = SidToName("S-1-5-32-544")
|
||
|
|
comment "create our setup admin user"
|
||
|
|
DosInAnIcon_makeadmin
|
||
|
|
|
||
|
|
comment "store our setup script as run once"
|
||
|
|
Registry_runOnce /sysnative
|
||
|
|
|
||
|
|
comment "disable keyboard and mouse while the autologin admin works"
|
||
|
|
if ($LockKeyboard$="true")
|
||
|
|
Registry_disable_keyboard /Sysnative
|
||
|
|
endif
|
||
|
|
|
||
|
|
comment "cleanup the registry key which stores a fatal result of the local script"
|
||
|
|
Registry_clean_fatal_flag /32bit
|
||
|
|
|
||
|
|
[sub_Restore_AutoLogon]
|
||
|
|
comment "read AutoLogon values from backup"
|
||
|
|
set $AutoName$ = GetRegistryValue($AutoBackupKey$, "DefaultUserName", "32bit")
|
||
|
|
set $AutoPass$ = asConfidential(GetRegistryValue($AutoBackupKey$, "DefaultPassword", "32bit"))
|
||
|
|
set $AutoDom$ = GetRegistryValue($AutoBackupKey$, "DefaultDomainName", "32bit")
|
||
|
|
set $AutoLogon$ = GetRegistryValue($AutoBackupKey$, "AutoAdminLogon", "32bit")
|
||
|
|
|
||
|
|
comment "restore the values"
|
||
|
|
Registry_restore_autologon /Sysnative
|
||
|
|
comment "delete our setup admin user"
|
||
|
|
DosInAnIcon_deleteadmin
|
||
|
|
comment "cleanup setup script, files and profiledir"
|
||
|
|
Files_delete_Setup_files_local
|
||
|
|
comment "delete profiledir"
|
||
|
|
DosInAnIcon_deleteprofile
|
||
|
|
|
||
|
|
if $UAC_off$ = "true"
|
||
|
|
set $BackupConsentPromptBehaviorAdmin$ = GetRegistryValue($AutoBackupKey$, "ConsentPromptBehaviorAdmin", "32bit")
|
||
|
|
set $BackupEnableInstallerDetection$ = GetRegistryValue($AutoBackupKey$, "EnableInstallerDetection", "32bit")
|
||
|
|
set $BackupEnableLUA$ = GetRegistryValue($AutoBackupKey$, "EnableLUA", "32bit")
|
||
|
|
set $BackupEnableVirtualization$ = GetRegistryValue($AutoBackupKey$, "EnableVirtualization", "32bit")
|
||
|
|
set $BackupPromptOnSecureDesktop$ = GetRegistryValue($AutoBackupKey$, "PromptOnSecureDesktop", "32bit")
|
||
|
|
;set $BackupFilterAdministratorToken$ = GetRegistryValue($AutoBackupKey$, "FilterAdministratorToken")
|
||
|
|
Registry_UAC_restore /sysnative
|
||
|
|
endif
|
||
|
|
|
||
|
|
|
||
|
|
[Registry_save_autologon]
|
||
|
|
openkey [$AutoBackupKey$]
|
||
|
|
set "DefaultUserName"="$AutoName$"
|
||
|
|
set "DefaultPassword"="$AutoPass$"
|
||
|
|
set "DefaultDomainName"="$AutoDom$"
|
||
|
|
set "AutoAdminLogon"="$AutoLogon$"
|
||
|
|
|
||
|
|
[Registry_restore_autologon]
|
||
|
|
openkey [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
|
||
|
|
set "DefaultUserName"="$AutoName$"
|
||
|
|
set "DefaultPassword"="$AutoPass$"
|
||
|
|
set "DefaultDomainName"="$AutoDom$"
|
||
|
|
set "AutoAdminLogon"="$AutoLogon$"
|
||
|
|
|
||
|
|
[Registry_backup_uac]
|
||
|
|
openkey [$AutoBackupKey$]
|
||
|
|
Set "ConsentPromptBehaviorAdmin" = REG_DWORD:$BackupConsentPromptBehaviorAdmin$
|
||
|
|
Set "EnableInstallerDetection" = REG_DWORD:$BackupEnableInstallerDetection$
|
||
|
|
Set "EnableLUA" = REG_DWORD:$BackupEnableLUA$
|
||
|
|
Set "EnableVirtualization" = REG_DWORD:$BackupEnableVirtualization$
|
||
|
|
Set "PromptOnSecureDesktop" = REG_DWORD:$BackupPromptOnSecureDesktop$
|
||
|
|
;Set "FilterAdministratorToken" = REG_DWORD:$BackupFilterAdministratorToken$
|
||
|
|
|
||
|
|
|
||
|
|
[DosInAnIcon_deleteadmin]
|
||
|
|
NET USER opsiSetupAdmin /DELETE
|
||
|
|
|
||
|
|
[Registry_SaveRebootFlag]
|
||
|
|
openKey [$WinstRegKey$]
|
||
|
|
set "RebootFlag" = "$RebootFlag$"
|
||
|
|
|
||
|
|
[Files_copy_Setup_files_local]
|
||
|
|
copy -s "%ScriptPath%\localsetup\*.*" "$LocalFilesPath$"
|
||
|
|
|
||
|
|
[Files_delete_Setup_files_local]
|
||
|
|
del -sf $LocalFilesPath$\
|
||
|
|
; the following command does not wor completely and is therefor commented
|
||
|
|
; the command is replaced by the section "DosInAnIcon_deleteprofile" (P.Ohler)
|
||
|
|
;delete -sf "%ProfileDir%\opsiSetupAdmin"
|
||
|
|
|
||
|
|
[DosInAnIcon_deleteprofile]
|
||
|
|
rmdir /S /Q "%ProfileDir%\opsiSetupAdmin"
|
||
|
|
|
||
|
|
[DosInAnIcon_makeadmin]
|
||
|
|
NET USER opsiSetupAdmin $OpsiAdminPass$ /ADD
|
||
|
|
NET LOCALGROUP $AdminGroup$ /ADD opsiSetupAdmin
|
||
|
|
|
||
|
|
[Registry_autologon]
|
||
|
|
openkey [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
|
||
|
|
set "DefaultUserName"="opsiSetupAdmin"
|
||
|
|
set "DefaultPassword"="$OpsiAdminPass$"
|
||
|
|
set "DefaultDomainName"="$LocalDomain$"
|
||
|
|
set "AutoAdminLogon"="1"
|
||
|
|
|
||
|
|
[Registry_runonce]
|
||
|
|
openkey [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
|
||
|
|
set "opsi_autologon_setup"='"$LocalWinst$" "$LocalFilesPath$\$LocalSetupScript$" /batch /productid %installingProdName%'
|
||
|
|
|
||
|
|
[Registry_del_runonce]
|
||
|
|
openkey [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
|
||
|
|
DeleteVar "opsi_autologon_setup"
|
||
|
|
|
||
|
|
[Registry_disable_keyboard]
|
||
|
|
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kbdclass]
|
||
|
|
set "Start"=REG_DWORD:0x4
|
||
|
|
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mouclass]
|
||
|
|
set "Start"=REG_DWORD:0x4
|
||
|
|
|
||
|
|
[Registry_enable_keyboard]
|
||
|
|
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kbdclass]
|
||
|
|
set "Start"=REG_DWORD:0x1
|
||
|
|
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mouclass]
|
||
|
|
set "Start"=REG_DWORD:0x1
|
||
|
|
|
||
|
|
[Registry_clean_fatal_flag]
|
||
|
|
openkey [$WinstRegKey$]
|
||
|
|
DeleteVar "with-admin-fatal"
|
||
|
|
|
||
|
|
[Registry_UAC_off]
|
||
|
|
OpenKey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
|
||
|
|
Set "ConsentPromptBehaviorAdmin" = REG_DWORD:00000000
|
||
|
|
Set "EnableInstallerDetection" = REG_DWORD:00000001
|
||
|
|
Set "EnableLUA" = REG_DWORD:00000000
|
||
|
|
Set "EnableVirtualization" = REG_DWORD:00000001
|
||
|
|
Set "PromptOnSecureDesktop" = REG_DWORD:00000000
|
||
|
|
;Set "FilterAdministratorToken" = REG_DWORD:00000000
|
||
|
|
|
||
|
|
|
||
|
|
[Registry_UAC_restore]
|
||
|
|
OpenKey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
|
||
|
|
Set "ConsentPromptBehaviorAdmin" = REG_DWORD:$BackupConsentPromptBehaviorAdmin$
|
||
|
|
Set "EnableInstallerDetection" = REG_DWORD:$BackupEnableInstallerDetection$
|
||
|
|
Set "EnableLUA" = REG_DWORD:$BackupEnableLUA$
|
||
|
|
Set "EnableVirtualization" = REG_DWORD:$BackupEnableVirtualization$
|
||
|
|
Set "PromptOnSecureDesktop" = REG_DWORD:$BackupPromptOnSecureDesktop$
|
||
|
|
;Set "FilterAdministratorToken" = REG_DWORD:$BackupFilterAdministratorToken$
|
||
|
|
|