I ask for user name and password during pre-execution hook and check to see if
the supplied user is in an AD group that is allowed to deploy computers.
What are you using for your pre-execution hook? Anything? HTA, an MDT Wizard
thing, Jason's thing?
You just ask for the user name and password and then validate it... I've not
been able to do this without loading ADSI into WinPE - but I haven't tried very
hard to find an alternative either... You just try to bind to AD using the
supplied user/pass like this... If you don't get an error then you have a good
user/pass.
' Runs inside the MDT ZTIUtility.vbs environment (oEnvironment, DebugMode) after the
' wizard has stored the typed user name and password in OSDUserID/OSDUserPassword.
' IADsOpenDSObject flag values (not defined automatically in a .vbs/.wsf script):
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_SERVER_BIND = 512

If DebugMode = True then msgbox ("Attempting to validate user Password")
'Validate user is allowed to run OSD Setup
' Bind to the root of the directory using the Root Directory Service Entry
Set objContainer = GetObject("LDAP:")
If DebugMode = True then msgbox ("Created LDAP object")
' Set Username and Password
strPassword = oEnvironment.Item("OSDUserPassword")
strUsername = oEnvironment.Item("UserDomain") & "\" & oEnvironment.Item("OSDUserID")
' Bind to the root of the directory using previously entered credentials
PasswordOK = FALSE
err.clear
strADSPath = "LDAP://healthcare.uiowa.edu/dc=mydomain,dc=corp,dc=com"
on error resume next
If DebugMode = True then msgbox ("Querying LDAP")
' A successful secure bind with the supplied user/pass is the credential check
Set adsMyObject = objContainer.OpenDSObject (strADSPath, strUsername, strPassword, ADS_SECURE_AUTHENTICATION + ADS_SERVER_BIND)
if err.number = 0 then
    PasswordOK = TRUE
    If DebugMode = True then MSGBOX ("Password verified")
else
    MSGBOX ("You have entered an invalid password. Error= " & err.number)
    err.clear
End If
You can check to see if the user is authorized to run OS Deployments by
checking if they are in an AD group... Like this... The code below checks to
see if the user is in the AD group "ClientSetup" - of course for this one,
using a web service like Maik's would work better - probably, but I did this
before there were AD web services from Maik available... It doesn't do nesting
though - the user must be in the group directly.
' strUserDN is the user's distinguished name, resolved earlier in the script (not
' shown here); strUserName/strPassword are the credentials validated above.
strGroupName = "ClientSetup"
If DebugMode then msgbox ("The user DN is " & strUserDN)
Set objContainer = GetObject("LDAP:")
strADSPath = "LDAP://mydomain.mycorp.com/" & strUserDN
Set objAuth = objContainer.OpenDSObject (strADSPath, strUserName, strPassword, ADS_SECURE_AUTHENTICATION + ADS_SERVER_BIND)
userAuthorized = FALSE
' memberOf comes back as a single string when the user is in exactly one group and
' is missing (Empty) when in none; normalise to an array so For Each works either way
colstrGroups = objAuth.memberOf
If IsEmpty(colstrGroups) Then
    colstrGroups = Array()
ElseIf TypeName(colstrGroups) = "String" Then
    colstrGroups = Array(colstrGroups)
End If
For Each objGroup in colstrGroups
    ' Pull the CN out of "CN=<name>,OU=...": skip "CN=" and stop at the first comma
    strGroupInstance = Mid(objGroup, 4, Instr(objGroup, ",") - 4)
    'If DebugMode then msgbox ("Checking " & strGroupInstance)
    ' AD group names are not case-sensitive, so compare as text
    If StrComp(strGroupInstance, strGroupName, vbTextCompare) = 0 then
        userAuthorized = TRUE
        Exit For
    end if
Next
If userAuthorized then
    ValidatedUser = 1
else
    msgbox (strUserName & " is not authorized to run OS installations.")
End If
Now that you have the name, just store it somewhere. I modified ZTITatoo to
store OSDUserID and TEMPLATE (which is what I call ROLE).
'//----------------------------------------------------------------------------
'// If this is ConfigMgr, populate the package ID and program name
'//----------------------------------------------------------------------------
If oEnvironment.Item("_SMSTSPackageID") <> "" then
    sValue = oEnvironment.Item("_SMSTSSiteCode") & ":" & oEnvironment.Item("_SMSTSPackageID")
    oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CM_DSLID", sValue, "REG_SZ"
    oInfo.OSDPackageID = oEnvironment.Item("_SMSTSPackageID")
    oInfo.OSDProgramName = "*"
    oInfo.OSDAdvertisementID = oEnvironment.Item("_SMSTSAdvertID")
    ' Who started the deployment (validated above) and which role/template they picked
    oInfo.OSDBuilderID = oEnvironment.Item("OSDUserID")
    oInfo.OSDTemplate = oEnvironment.Item("TEMPLATE")
End if
Along with a change to the tattoo MOF (the two properties below are added to the
existing tattoo class; a MOF property needs a type, so string is given here):
[PropertyContext("local|HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Deployment 4|OSD Template"), Dynamic, Provider("RegPropProv")]
string OSDTemplate;
[PropertyContext("local|HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Deployment 4|Task Sequence ID"), Dynamic, Provider("RegPropProv")]
string TaskSequenceID;
I even extended the MDT Monitoring report so that you can include the person who
started the deployment in your MDT Monitoring web site. It pulls that
information from the MDT database.
The whole thing on how to do this is probably a bit more intense than a post in
email and more suited to a presentation and blog post, but I lack the time to
do a polished thing. I know, this is a mess.
From: [email protected] [mailto:[email protected]] On
Behalf Of Marcum, John
Sent: Monday, February 15, 2016 3:06 PM
To: [email protected]
Subject: [MDT-OSD] Report on who installed OS Task Sequence
Does anyone know of a way to force the use of AD credentials to load a bare
metal task sequence? Furthermore I'd like to capture who logged in as part of
the tattoo info.
________________________________
John Marcum
MCITP, MCTS, MCSA
Desktop Architect
Bradley Arant Boult Cummings LLP
________________________________
Confidentiality Notice: This e-mail is from a law firm and may be protected by
the attorney-client or work product privileges. If you have received this
message in error, please notify the sender by replying to this e-mail and then
delete it from your computer.
________________________________
Notice: This UI Health Care e-mail (including attachments) is covered by the
Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, is confidential and
may be legally privileged. If you are not the intended recipient, you are
hereby notified that any retention, dissemination, distribution, or copying of
this communication is strictly prohibited. Please reply to the sender that you
have received the message in error, then delete it. Thank you.
________________________________
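The two checks described in the reply above, a bind with the supplied credentials followed by a group membership test, as an added PowerShell example that is not code from the thread. It uses System.DirectoryServices rather than the ADSI calls in the VBScript, so it assumes the boot image has the .NET/ADSI components loaded (the reply notes ADSI has to be added to WinPE); the server, search base and group name are site-specific placeholders. Two things it adds that a practitioner would want: the group test uses LDAP_MATCHING_RULE_IN_CHAIN so nested groups count (the reply says the VBScript does not do nesting), and anything typed by the user is escaped before it goes into an LDAP filter.

```powershell
# Added example: not code from the thread. Bind with the operator's credentials,
# then check (nested) membership of the deployment group. Server, search base and
# group name are placeholders supplied by the caller.
Add-Type -AssemblyName System.DirectoryServices

# Escape a value for use inside an LDAP search filter (RFC 4515) so that a
# typed-in account name cannot change the meaning of the filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # Backslash first, otherwise the escapes added afterwards would be re-escaped.
    $escaped = $Value -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    return $escaped
}

function Test-OsdOperator {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][pscredential]$Credential,   # DOMAIN\user or user@domain
        [Parameter(Mandatory)][string]$Server,             # a DC, e.g. dc01.mydomain.corp (assumed)
        [Parameter(Mandatory)][string]$SearchBase,         # e.g. DC=mydomain,DC=corp,DC=com (assumed)
        [Parameter(Mandatory)][string]$GroupName           # e.g. ClientSetup
    )
    $result = [ordered]@{ Authenticated = $false; Authorized = $false; SamAccountName = $null; Reason = '' }
    $net = $Credential.GetNetworkCredential()

    # Never bind with an empty password: LDAP treats that as an anonymous
    # (unauthenticated) bind, which can "succeed" without proving anything.
    if ([string]::IsNullOrEmpty($net.Password)) {
        $result.Reason = 'empty password'
        return [pscustomobject]$result
    }

    # Secure = Kerberos/NTLM, ServerBind = the path names a specific DC, Sealing = encrypt the session.
    $authType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
                [System.DirectoryServices.AuthenticationTypes]::ServerBind -bor
                [System.DirectoryServices.AuthenticationTypes]::Sealing
    $root = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
        "LDAP://$Server/$SearchBase", $Credential.UserName, $net.Password, $authType)
    try {
        # The constructor is lazy; reading the object is what performs the bind.
        $root.RefreshCache()
    } catch {
        $result.Reason = "bind failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    $result.Authenticated = $true

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = $root
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree

    # Resolve the group's DN from its CN; the nested-membership filter below needs the DN.
    $searcher.Filter = "(&(objectCategory=group)(cn=$(ConvertTo-LdapFilterValue $GroupName)))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $group = $searcher.FindOne()
    if ($null -eq $group) {
        $result.Reason = "group '$GroupName' not found"
        return [pscustomobject]$result
    }
    $groupDn = [string]$group.Properties['distinguishedname'][0]

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the DC walk nested
    # groups, so the operator may be in the group directly or through a sub-group.
    $acct = ConvertTo-LdapFilterValue $net.UserName
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
        "(|(sAMAccountName=$acct)(userPrincipalName=$acct))" +
        "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $groupDn)))"
    $searcher.PropertiesToLoad.Clear()
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $hit = $searcher.FindOne()
    if ($null -eq $hit) {
        $result.Reason = "not a (nested) member of $GroupName"
        return [pscustomobject]$result
    }
    $result.Authorized = $true
    # Record the name as the directory holds it, not as it was typed.
    $result.SamAccountName = [string]$hit.Properties['samaccountname'][0]
    return [pscustomobject]$result
}

# Usage from the hook (all values are placeholders):
# $check = Test-OsdOperator -Credential (Get-Credential) -Server 'dc01.mydomain.corp' `
#              -SearchBase 'DC=mydomain,DC=corp,DC=com' -GroupName 'ClientSetup'
# if (-not $check.Authorized) { Write-Warning $check.Reason; exit 1 }
# The caller stores $check.SamAccountName as OSDUserID; the password is not kept anywhere.
```

The design point worth keeping from this: the bind is the authentication, the in-chain filter is the authorization, and only the directory's own copy of the account name is carried forward into the tattoo. The password is used once for the bind and never written to a task sequence variable.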