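; Copyright (c) uib gmbh (www.uib.de)
; This sourcecode is owned by uib
; and published under the Terms of the General Public License.
; TEMPLATE for
; installations in the context of a temporary local administrator
; installations as temporary local admin
; see winst_manual.pdf / winst_handbuch.pdf
;
; !!! The local installation script that is executed by the temporary local admin
; !!! (its name is held in $LocalSetupScript$) must end with the command
; !!! exitWindows /Reboot
; !!!
;
; !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
; Check preparations/prerequisites/documentation as described in the winst manual
; Script for installations in the context of a local administrator
; !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
;
; Flow, driven by the value "RebootFlag" stored under $WinstRegKey$:
;   not 1/2/3 -> first run: set RebootFlag=1 and fall through
;   1         -> back up autologon (and optionally UAC) settings, create the
;                temporary admin, register the local script as RunOnce, reboot
;   2         -> re-enable input devices, log out so that the autologon runs
;                the local script (which must end with exitWindows /Reboot)
;   3         -> restore settings, delete the temporary admin, its files and
;                profile, evaluate the result of the local script

[Actions]
requiredWinstVersion >= 4.12.0.16
setLogLevel=7
ScriptErrorMessages=off

DefVar $ProductName$
DefVar $ProductSizeMB$
DefVar $LocalSetupScript$
DefVar $LockKeyboard$
DefVar $OpsiAdminPass$
DefVar $RebootFlag$
DefVar $WinstRegKey$
DefVar $AutoName$
DefVar $AutoPass$
DefVar $AutoDom$
DefVar $AutoLogon$
DefVar $AutoBackupKey$
DefVar $LocalFilesPath$
DefVar $LocalWinst$
DefVar $DefaultLoglevel$
DefVar $PasswdLogLevel$
DefVar $AdminGroup$
DefVar $SearchResult$
DefVar $LocalDomain$
DefVar $debug$
DefVar $isFatal$
DefVar $BackupConsentPromptBehaviorAdmin$
DefVar $BackupEnableInstallerDetection$
DefVar $BackupEnableLUA$
DefVar $BackupEnableVirtualization$
DefVar $BackupPromptOnSecureDesktop$
;DefVar $BackupFilterAdministratorToken$
DefVar $UAC_off$

; ----------------------------------------------------------------
; - Please edit the following values
; ----------------------------------------------------------------
;Set $ProductName$ = "opsi-template-with-admin"
Set $ProductName$ = "%installingProdName%"
Set $ProductSizeMB$ = "1"
Set $LocalSetupScript$ = "setup32.opsiscript"
; "true" switches UAC off for the duration of the local script and restores
; the backed-up policy values afterwards (see sub_Prepare_AutoLogon /
; sub_Restore_AutoLogon)
set $UAC_off$ = "false"
; ----------------------------------------------------------------

comment "get and set initial values..."
set $debug$ = GetProductProperty("debug","false")
set $isFatal$ = "false"
set $DefaultLoglevel$ = "7"
SetLogLevel=$DefaultLoglevel$
Set $LocalDomain$ = "%PCNAME%"

comment "check if we productive or debugging..."
if $debug$ = "true"
	comment "we are in debug mode"
	Set $LockKeyboard$="false"
	Set $PasswdLogLevel$="7"
else
	comment "we are in productive mode"
	comment "set $LockKeyboard$ to true to prevent user hacks while admin is logged in"
	Set $LockKeyboard$="true"
	comment " set $PasswdLogLevel$ to 0 for production"
	; $PasswdLogLevel$ is applied around the statements that handle the
	; temporary admin password (see sub_Prepare_AutoLogon)
	Set $PasswdLogLevel$="0"
endif

comment "handle Rebootflag"
Set $WinstRegKey$ = "HKLM\SOFTWARE\opsi.org\winst\"+$ProductName$
Set $RebootFlag$ = GetRegistryValue($WinstRegKey$, "RebootFlag", "32bit")

comment "some paths required"
Set $AutoBackupKey$ = $WinstRegKey$+"\AutoLogonBackup"
; NOTE(review): the files copied here are executed with administrative rights
; by the autologon admin; confirm that this directory is not writable by
; unprivileged users on the target systems
Set $LocalFilesPath$ = "C:\opsi.org\tmp\opsi_local_inst"
Set $LocalWinst$ = "%ProgramFilesDir%\opsi.org\opsi-client-agent\opsi-winst\winst32.exe"
if not( FileExists($LocalWinst$) )
	LogError "No opsi-winst found. Abborting."
	isFatalError
endif

comment "show product picture"
ShowBitmap "%scriptpath%\localsetup\"+$ProductName$+".png" $ProductName$

if not (($RebootFlag$ = "1") or ($RebootFlag$ = "2") or ($RebootFlag$ = "3"))
	comment "Part before first Reboot"
	comment "just reboot - this must be done if this is the first product after OS installation"
	comment "handle Rebootflag"
	Set $RebootFlag$ = "1"
	Registry_SaveRebootFlag /32bit
	; the immediate reboot is disabled here; execution falls through to the
	; RebootFlag = 1 part below
	;ExitWindows /ImmediateReboot
endif ; Rebootflag = not (1 or 2 or 3)

if $RebootFlag$ = "1"
	comment "Part before second Reboot"
	setActionProgress "Preparing"
	if not(HasMinimumSpace ("%SYSTEMDRIVE%", ""+$ProductSizeMB$+" MB"))
		LogError "Not enough space on drive C: . "+$ProductSizeMB$+" MB on C: required for "+$ProductName$
		isFatalError
	endif
	comment "Lets work..."
	Message "Preparing "+$ProductName$+" install step 1..."
	sub_Prepare_AutoLogon
	comment "we need to reboot now to be sure that the autologon work"
	comment "handle Rebootflag"
	Set $RebootFlag$ = "2"
	Registry_SaveRebootFlag /32bit
	ExitWindows /ImmediateReboot
endif ; Rebootflag = 1

if ($RebootFlag$ = "2")
	comment "Part after first Reboot"
	comment "handle Rebootflag"
	Set $RebootFlag$ = "3"
	Registry_SaveRebootFlag /32bit
	comment "Lets work..."
	Message "Preparing "+$ProductName$+" install step 2..."
	; input devices were disabled in sub_Prepare_AutoLogon when
	; $LockKeyboard$ = "true"; re-enable them unconditionally
	Registry_enable_keyboard /sysnative
	comment "now let the autologon work"
	comment "it will stop with a reboot"
	setActionProgress "Run Installation"
	ExitWindows /ImmediateLogout
endif ; Rebootflag = 2

if ($RebootFlag$ = "3")
	comment "Part after second Reboot"
	; schedules a reboot at the end of this script (not immediate)
	ExitWindows /Reboot
	setActionProgress "Cleanup"
	comment "handle Rebootflag"
	Set $RebootFlag$ = "0"
	Registry_SaveRebootFlag /32bit
	comment "Lets work..."
	Message "Cleanup "+$ProductName$+" install (step 3)..."
	sub_Restore_AutoLogon
	; Registry_runonce writes both paths quoted and in the sysnative view;
	; compare against exactly that form, otherwise a leftover entry (local
	; script never ran) is not detected
	set $SearchResult$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "opsi_autologon_setup", "sysnative")
	if $SearchResult$ = '"'+$LocalWinst$+'" "'+$LocalFilesPath$+'\'+$LocalSetupScript$+'" /batch /productid %installingProdName%'
		LogError "Localscript did not run. We remove the RunOnce entry and abort"
		Registry_del_runonce /sysnative
		set $isFatal$ = "true"
	endif
	; NOTE(review): the fatal flag is read from the parent key
	; HKLM\Software\opsi.org\winst, while Registry_clean_fatal_flag deletes it
	; from $WinstRegKey$ (the product sub key) - confirm which key the local
	; script actually writes
	if "true" = GetRegistryValue("HKLM\Software\opsi.org\winst" , "with-admin-fatal", "32bit")
		LogError "set to fatal because the local script stored this result"
		set $isFatal$ = "true"
	endif
	comment "cleanup the registry key which stores a fatal result of the local script"
	Registry_clean_fatal_flag /32bit
	if $isFatal$ = "true"
		isFatalError
	endif
	comment "This is the clean end of the installation"
endif ; Rebootflag = 3

; Backs up the current autologon (and optionally UAC) settings, creates the
; temporary admin "opsiSetupAdmin" with a random password, configures
; autologon for it and registers the local setup script as RunOnce.
[sub_Prepare_AutoLogon]
comment "copy the setup script and files"
Files_copy_Setup_files_local

comment "read actual Autologon values for backup"
; read in the same (sysnative) view that Registry_autologon writes to
set $AutoName$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultUserName", "sysnative")
comment "if AutoLogonName is our setup admin user, something bad happend"
comment "then let us cleanup"
if ($AutoName$="opsiSetupAdmin")
	; a previous run did not finish; do not back up our own autologon values
	set $AutoName$=""
	set $AutoPass$=""
	set $AutoDom$=""
	set $AutoLogon$="0"
else
	set $AutoPass$ = asConfidential(GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultPassword", "sysnative"))
	set $AutoDom$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultDomainName", "sysnative")
	set $AutoLogon$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "AutoAdminLogon", "sysnative")
endif

if $UAC_off$ = "true"
	; read in the same (sysnative) view that Registry_UAC_off writes to
	set $BackupConsentPromptBehaviorAdmin$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorAdmin", "sysnative")
	set $BackupEnableInstallerDetection$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableInstallerDetection", "sysnative")
	set $BackupEnableLUA$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "sysnative")
	set $BackupEnableVirtualization$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableVirtualization", "sysnative")
	set $BackupPromptOnSecureDesktop$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "PromptOnSecureDesktop", "sysnative")
	;set $BackupFilterAdministratorToken$ = GetRegistryValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "FilterAdministratorToken", "sysnative")
	Registry_backup_uac /32bit
	Registry_UAC_off /sysnative
endif

comment "backup AutoLogon values"
Registry_save_autologon /32bit

comment "prepare the admin AutoLogon"
set $OpsiAdminPass$= asConfidential(randomstr)
comment "get the name of the admin group"
set $AdminGroup$ = SidToName("S-1-5-32-544")
; reduce logging while the password is written to the registry and passed
; to NET USER; $PasswdLogLevel$ is "0" in productive mode
SetLogLevel=$PasswdLogLevel$
Registry_autologon /sysnative
comment "create our setup admin user"
DosInAnIcon_makeadmin
SetLogLevel=$DefaultLoglevel$

comment "store our setup script as run once"
Registry_runOnce /sysnative

comment "disable keyboard and mouse while the autologin admin works"
; NOTE(review): if the script fails between here and Registry_enable_keyboard
; (RebootFlag = 2 part) the machine is left without local input
if ($LockKeyboard$="true")
	Registry_disable_keyboard /Sysnative
endif

comment "cleanup the registry key which stores a fatal result of the local script"
Registry_clean_fatal_flag /32bit

; Restores the backed-up autologon (and optionally UAC) settings, deletes the
; temporary admin, its files and profile, and removes the backup key so that
; no copy of the original autologon password stays behind.
[sub_Restore_AutoLogon]
comment "read AutoLogon values from backup"
set $AutoName$ = GetRegistryValue($AutoBackupKey$, "DefaultUserName", "32bit")
set $AutoPass$ = asConfidential(GetRegistryValue($AutoBackupKey$, "DefaultPassword", "32bit"))
set $AutoDom$ = GetRegistryValue($AutoBackupKey$, "DefaultDomainName", "32bit")
set $AutoLogon$ = GetRegistryValue($AutoBackupKey$, "AutoAdminLogon", "32bit")

comment "restore the values"
Registry_restore_autologon /Sysnative

comment "delete our setup admin user"
DosInAnIcon_deleteadmin

comment "cleanup setup script, files and profiledir"
Files_delete_Setup_files_local
comment "delete profiledir"
DosInAnIcon_deleteprofile

if $UAC_off$ = "true"
	set $BackupConsentPromptBehaviorAdmin$ = GetRegistryValue($AutoBackupKey$, "ConsentPromptBehaviorAdmin", "32bit")
	set $BackupEnableInstallerDetection$ = GetRegistryValue($AutoBackupKey$, "EnableInstallerDetection", "32bit")
	set $BackupEnableLUA$ = GetRegistryValue($AutoBackupKey$, "EnableLUA", "32bit")
	set $BackupEnableVirtualization$ = GetRegistryValue($AutoBackupKey$, "EnableVirtualization", "32bit")
	set $BackupPromptOnSecureDesktop$ = GetRegistryValue($AutoBackupKey$, "PromptOnSecureDesktop", "32bit")
	;set $BackupFilterAdministratorToken$ = GetRegistryValue($AutoBackupKey$, "FilterAdministratorToken", "32bit")
	Registry_UAC_restore /sysnative
endif

; nothing reads the backup key after this point; remove the plaintext copy
; of the original DefaultPassword
Registry_del_autologon_backup /32bit

; Stores the original Winlogon autologon values under $AutoBackupKey$.
; DefaultPassword is kept in plaintext here, exactly as Windows keeps it
; under Winlogon; the key is deleted again in sub_Restore_AutoLogon.
[Registry_save_autologon]
openkey [$AutoBackupKey$]
set "DefaultUserName"="$AutoName$"
set "DefaultPassword"="$AutoPass$"
set "DefaultDomainName"="$AutoDom$"
set "AutoAdminLogon"="$AutoLogon$"

; Writes the backed-up autologon values back to Winlogon.
[Registry_restore_autologon]
openkey [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
set "DefaultUserName"="$AutoName$"
set "DefaultPassword"="$AutoPass$"
set "DefaultDomainName"="$AutoDom$"
set "AutoAdminLogon"="$AutoLogon$"

; Removes the whole backup key (autologon and UAC values).
[Registry_del_autologon_backup]
DeleteKey [$AutoBackupKey$]

; Stores the original UAC policy values under $AutoBackupKey$.
; NOTE(review): if one of the policy values did not exist, the corresponding
; $Backup...$ variable is empty and the REG_DWORD assignment below will not
; reproduce "value absent" on restore - verify on a system without these values
[Registry_backup_uac]
openkey [$AutoBackupKey$]
Set "ConsentPromptBehaviorAdmin" = REG_DWORD:$BackupConsentPromptBehaviorAdmin$
Set "EnableInstallerDetection" = REG_DWORD:$BackupEnableInstallerDetection$
Set "EnableLUA" = REG_DWORD:$BackupEnableLUA$
Set "EnableVirtualization" = REG_DWORD:$BackupEnableVirtualization$
Set "PromptOnSecureDesktop" = REG_DWORD:$BackupPromptOnSecureDesktop$
;Set "FilterAdministratorToken" = REG_DWORD:$BackupFilterAdministratorToken$

[DosInAnIcon_deleteadmin]
NET USER opsiSetupAdmin /DELETE

[Registry_SaveRebootFlag]
openKey [$WinstRegKey$]
set "RebootFlag" = "$RebootFlag$"

[Files_copy_Setup_files_local]
copy -s "%ScriptPath%\localsetup\*.*" "$LocalFilesPath$"

[Files_delete_Setup_files_local]
del -sf $LocalFilesPath$\
; the following command does not work completely and is therefore commented out
; the command is replaced by the section "DosInAnIcon_deleteprofile" (P.Ohler)
;delete -sf "%ProfileDir%\opsiSetupAdmin"

[DosInAnIcon_deleteprofile]
rmdir /S /Q "%ProfileDir%\opsiSetupAdmin"

; Creates the temporary admin; the password is passed on the command line,
; which is why the caller lowers the log level around this section.
[DosInAnIcon_makeadmin]
NET USER opsiSetupAdmin $OpsiAdminPass$ /ADD
NET LOCALGROUP $AdminGroup$ /ADD opsiSetupAdmin

; Configures Windows autologon for the temporary admin.
[Registry_autologon]
openkey [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
set "DefaultUserName"="opsiSetupAdmin"
set "DefaultPassword"="$OpsiAdminPass$"
set "DefaultDomainName"="$LocalDomain$"
set "AutoAdminLogon"="1"

; Registers the local setup script; both paths are quoted, and the
; RebootFlag = 3 part compares the RunOnce value against this exact string.
[Registry_runonce]
openkey [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
set "opsi_autologon_setup"='"$LocalWinst$" "$LocalFilesPath$\$LocalSetupScript$" /batch /productid %installingProdName%'

[Registry_del_runonce]
openkey [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
DeleteVar "opsi_autologon_setup"

; Start = 4 (disabled) for the keyboard and mouse class drivers
[Registry_disable_keyboard]
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kbdclass]
set "Start"=REG_DWORD:0x4
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mouclass]
set "Start"=REG_DWORD:0x4

; Start = 1 (system start) for the keyboard and mouse class drivers
[Registry_enable_keyboard]
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kbdclass]
set "Start"=REG_DWORD:0x1
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mouclass]
set "Start"=REG_DWORD:0x1

[Registry_clean_fatal_flag]
openkey [$WinstRegKey$]
DeleteVar "with-admin-fatal"

; Switches UAC off; EnableLUA only takes effect after the following reboot.
[Registry_UAC_off]
OpenKey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
Set "ConsentPromptBehaviorAdmin" = REG_DWORD:00000000
Set "EnableInstallerDetection" = REG_DWORD:00000001
Set "EnableLUA" = REG_DWORD:00000000
Set "EnableVirtualization" = REG_DWORD:00000001
Set "PromptOnSecureDesktop" = REG_DWORD:00000000
;Set "FilterAdministratorToken" = REG_DWORD:00000000

; Writes the backed-up UAC policy values back.
[Registry_UAC_restore]
OpenKey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
Set "ConsentPromptBehaviorAdmin" = REG_DWORD:$BackupConsentPromptBehaviorAdmin$
Set "EnableInstallerDetection" = REG_DWORD:$BackupEnableInstallerDetection$
Set "EnableLUA" = REG_DWORD:$BackupEnableLUA$
Set "EnableVirtualization" = REG_DWORD:$BackupEnableVirtualization$
Set "PromptOnSecureDesktop" = REG_DWORD:$BackupPromptOnSecureDesktop$
;Set "FilterAdministratorToken" = REG_DWORD:$BackupFilterAdministratorToken$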