Pages

Thursday, November 4, 2010

Using Sysprep with CopyProfile in Windows 7 and Windows Server 2008

First rule of testing a sysprep unattened file:

Thou shall test your unattend xml file on a newly unconfigured OS install before blaming the file.

The Reason: Before becomeing a server admin I made my way by developing new and better ways to deploy computers on campus. I moved to the server team before Vista came out so my experitise was in mostly with Windows XP. So recently after 5hrs of trying to do the once simple task of copying the administrator profile to the default profile I can say that things have changed.  First let me setup what I'm working on, then share what can so you can avoid the problems I had.

The Goal: To use the <CopyProfile> option with sysprep to copy the Administrator profile to the default profile on a Windows 7.

The Problems: Things that can go wrong will.
  • If your using a Virtual Machine that some one else built, you don't know what they did or didn't do. In my case my brother built a tweaked Virtual Machine for Windows 7 stripped for speed. At some point he made the profiles/registry gods upset and sysprep no longer can listen to the <CopyProfile> option. See here for fix. 
  • You need to be able to read the local disk Incase the box will not boot or in this case gets stuck in a sysprep endless boot. I can't over state this. You can not see whats wrong with sysprep with out this. In my case I used a network PXE server with WinPE loaded with VMware Drivers. However note that PXE doesn't work with VMXNET3 and ESX 4.1 as of yet. See my other post.
  • Sysprep isn't your friend, its more of the coworker you have to deal with. Learn to get along with it as its not going anywhere. 
The Solution
The only truly supported way to copy a profile in Windows 7 to the default to do so by using Sysprep to do the Profile copy. If you search the web many people list ways but they shouldn't be used in real production environments and require manually editing the registry files. And honestly you don't should need these shortcuts as doing the copy via sysprep is easy enough if you follow this post.

First configure the Administrator Profile to the way you want. Make sure you opened most programs and everything works. I'm not going to go through the finer points of this and may make a post on it later and link to it here.



Assuming this part is done, we now want to create copy the profile. But STOP. This is where things go wrong. You've spent all this time configuring the machine and now a single mistake will destroy the machine. You need backup the machine and thus all your work, I don't care if its a ghost image, Vmware Snapshot, something, anything. If it takes you longer to restore than it did to build then maybe no. But hopefully if your doing all this you also know something about cloning/backing up a machine.

With the clone/backup there to give you a warm fuzzy feeling now were going to create the sysprep file that will local administrative profile to the default. For the intent of this post all we're going to do is Copy the Profile.

Note: We could only do the <CopyProfile> however we only get 3 rearms. And up to 8 if we specify Skip Rearm in the file. I'll assume we'll pass Skip Rearm rather than not. However once you've tested this you most likely want to do more in the unattended file for you environment. Once you hit the rearm limit the only option is to rebuild the box so take caution and good notes as to how you built it.

You can and most likely should install Windows® Automated Installation Kit (AIK) for Windows® 7 to to create the Unattend.xml file. The order and details of the file are confusing unless you work with it every day. Once you have it installed open Windows System Image Manager, and Once open point it to a Windows Image of the OS your working with. On Windows 7 its on the Install DVD located at:
"<DRIVE>:\sources\install.wim". Now create or open your answer/unattend file to see if its formated correctly. Using this tool is also nice because it will incrypt the passwords so they are not in plan text. The links of the bottom of this post are the most useful I found for figuring out this process.

Flow Chart of what gets called by sysprep based on what options are used.
http://technet.microsoft.com/en-us/library/dd744341(WS.10).aspx

Simplified unattend .xml file for Profile copy for 64bit Windows 7
  • PersistAllDeviceInstalls - device drivers are removed from the system when you generalize the system. If you set PersistAllDeviceInstalls to True in an answer file then Sysprep will not remove the detected device drivers.
  • DoNotCleanUpNonPresentDevices -
  • SkipRearm
  • RunSynchronous - after sysprep the administrator account won't be disabled
  • SkipAutoActivation 
  • ComputerName - set to what ever your needs are.
  • CopyProfile = True
  • DoNotCleanTaskBar = True
  • ShowWindowsLive = False


    
 
        
            true
            true
        
  
            1
        
  
            
                
                    1
                    net user administrator /active:yes
                
            
        
    
    
        
            true
        
        
            Win7View
            Eastern Standard Time
            true
            false
            true
            false
        
    
    



The above file should be created on the host and named copyprofile.xml. If its not 64 bit os you must change the amd64 to x86. I left out the settings of the oobe (Out-of-box experience) section. As the file is it will prompt the user for that information. You can add those answers to the file but I would first test the profile copy.

TODO: Create link to full copyprofile file with oobe section.

Now Logged into the local administrator account, with its profile correctly configured.
  • Copy the unattend file to the local File system.
  • Open an Administrative command prompt.
  • Set the current working directory
    • cd C:\Windows\System32\sysprep
  • Run sysprep passing /unattend the file and path of the file.
    • sysprep.exe /generalize /oobe /reboot /unattend:c:\copyprofile.xml
The machine will reboot boot to sysprep (black screen with white letters telling you very little of what is going on). This should copy the Administrator profile to the default user aswell as the rest of the sysprep settings. If you did not pass the oobe settings in the unattend file you will also have to answer these before it will reboot to windows. If you can login, create a new local user account and login into it. Its desktop and settings should match that of your administrator account. Below are come things to test if it doesn't.

Common Problems:


Error Log Folders:
<Local Drive>:\Windows\Panther\
<Local Drive>:\Windows\Panther\UnattendGC

Note: Its often useful to copy the contents of these folders off to a share and opening rather than trying to debug them from however your getting at them.

Was there any error from sysprep while it was booted to the black screen? If so use a tool like WinPE or a boot disk to check C:\Windows\Panther\UnattendGC\setupact.log for any errors. If you see [Shell Unattend] CopyProfile failed (0x8007012b) [gle=0x0000012b] then congratulations on the same problem I had. see Sysprep Error Using CopyProfile for a fix.

If the Machine runs into an error during sysprep (black screen) it may tell you it needs to reboot and then does so. Only to boot back up to sysprep and run into the same error and result again. If this happens you must find a way to read the C:\Windows\Panther\ folder files for errors. I used a Network PXE hosting WinPE which had its own problems.

If it appears Sysprep simply isn't listening to the settings in the unattened file the best method is to test it on a newly installed untunched machine. I found out that after much testing that there was nothing wrong with my unattened file but rather the Machine I wanted to copy the profile on had issues.

If your unsure if your answer file is correct, load Windows® Automated Installation Kit (AIK) for Windows® 7 and read above notes on how to open the Windows Image and then load your unattend/answer file.

If setupact.log contains "[Windeploy.exe] Failure occured during online installation.  Online installation cannot complete at this time.; hr = 0x8007139f" take a look at my other post Sysprep 0x8007139f Error on Windows 7 about tracking it down.

If sysprep seems to not pay any attention to your unattend file make sure the file processorarchitecture="amd64" is correct for your OS and change it to "x86" if it is not.

Note: Besure to delete the unattend/answer file after the sysprep as it still has passwords stored in it. You can also add a SynchronousCommands to the oobe section to do this with sysprep.

Links:

7 comments:

  1. Hi Chris,

    You recently posted a link to this blog in this forum....http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/thread/5a5d44b6-116a-4a21-bc64-53379218ecc6....I'm not sure how much of the now 18 month old thread with 100's of posts you read, but your blog is quite ironic as is highlights all of the major flaws using the sysprep method.

    "At some point he made the profiles/registry gods upset and sysprep no longer can listen to the " - Ouch, the copy profile tool never did this for me in 5 years. I just followed the simple rule of, us ehte copy profile tool, the copy profile tool and nothing but the copy profile tool.

    "Incase the box will not boot or in this case gets stuck in a sysprep endless boot. I can't over state this. You can not see whats wrong with sysprep with out this. In my case I used a network PXE server with WinPE loaded with VMware Drivers." SO from a tool that never goes wrong if used correctly you face this spectre everytime you sysprep just to copy a profile and you need this rediculous fall back plan in case is does all screw up.

    "Sysprep isn't your friend" - 'Nuf said!

    The reason the forum thread exists is because Sysprep....

    is VERY complicated

    is difficult to get to work with profiles other than the administrator's (very often the admin profile is significantly different to the profile you want a general user to use so it's not the right one to use)

    is VERY buggy and can brick your image - not much good if you want to update user profiles on 100 staff PC's and only to find the lot of them are bricked in the morning.

    is VERY slow - 10 mins or so instead of 1 at most

    does hundreds of things to your image that it has no need to do. These invasive processes can cause other problems completly unrealted to profile copying.

    For something that was quick and simple to do, Sysprep has made it difficult, slow and potentially dangerous.

    In all seriousness, what we do at a very large and well know UK university is make backups of the profiles manually, copy the profile manually, change the registry settings manually and change the registry permissions manually all of which works perfectly time and time again, is faster than sysprep and is very easy to do incomparison (and is talked about a lot in the thread mentioned above). No one can convince me to use Sysprep for this process.

    Cheers,

    Matt

    ReplyDelete
  2. Thanks for the Comment. And I fixed the double Post. Its always to interesting to know what is done at other universities, I work for Northern Kentucky University.

    The "At some point he made the profiles/registry gods upset and sysprep no longer can listen to the" was due to a profile being removed from the disk by delete rather than the profile manager. A mistake for windows 7 but a fast and easy fix in Windows XP.

    Over all I didn't find that Sysprep impossible to use but rather just a pain to debug problems with. I wouldn't have had any issues with sysprep if when it encountered an error had shown me the at least the option to open it. Or even better yet the option to roll back from the changes.

    As for manually editing the registry and folders I considered it and If the machine is already deployed I can also agree that may be a fine option. In my case I'm working on a image that isn't deployed so I had the freedom to test till I got it right.

    ReplyDelete
  3. Hi Chris,

    Thanks for clearing my mess up! :)

    You're quite right, Sysprep isn't impossible to use, in fact we have to use to image our machines. In this case however, generalising and respecialising is a neccassary step, I have no problem with using sysprep for this and fortunately it was a colleague of mine that figured out the fine detail.

    The big problem is that even after 100's of successful syspreps using exactly the same process, sysprep can still brick a PC but it only does this during the generalise pass. As we test all of our images for this problem before we deploy, it's not a big issue, just roll back, make changes again, run sysprep again and make new image. If the image works, the specialise pass never seems to muck up.

    Like you say, you've been using sysprep in a safe development environment and this is much the same, however for profile copies this environemnt can be live and suddenly sysprep can seem like a massive risk too far. You don't want the head of your university heading over to your office on a Monday morning because his PC has become inoperable over the weekend and he's lost some highly important data because he stored it locally instead of using the backed up central file store.

    I think less is more in IT. The fewer changes you make, the more stable the outcome is likely to be. Sysprep changes far more than is required and for me the instability this can create and the time it takes to do it are the big issues.

    Cheers,

    Matt

    ReplyDelete
  4. Hi Matt,

    I am discovering that to do what we need to, the following must happen:

    1) Create a user called "Custom Default User" and customize how the Default user should be

    2) Manually back up the "Custom Default User" profile and delete the "Custom Default User" account (leaving the profile intact)

    3) Create a custom Administrator account (we don't want to call it "Administrator" for security purposes) and customize it

    4) Use Sysprep with CopyProfile=false and allow it to disable the "Administrator" account

    5) After Sysprep, manually copy "Custom Default User" to the Default User profile

    6) The "Custom Administrator" should be intact already

    My question is, do you have any scripts, tips or registry modifications required that need to happen after a manual profile copy to ensure no small quirks happen?

    -Darren

    ReplyDelete
  5. This comment has been removed by the author.

    ReplyDelete
  6. Unattend.xml (sysprep) - HELP!! W7 64bitMy Unattend.xml file keeps causing an error after the machine is booted back up. The error says that it cannot load the unattend.xml, due to settings.

    Can someone help me fix this code? Help is greatly needed and much appreciated!

    ReplyDelete

Please leave a comment; someone, anyone!