As you may know, to make a Linux server replace a Windows file server you’ll need a common file sharing protocol between both server and client. Well, SAMBA is the answer. In reality I think that SAMBA is the only answer.

Installing SAMBA

To be honest, I just rebuilt my Linux machine this month and have already forgotten whether SAMBA came preinstalled on Ubuntu Server 9.10 or not. Even if it is already install, it doesn’t hurt to try installing it again:

aaron@server:/# sudo apt-get install samba

Among other files, the three files you will use the most in configuring SAMBA are the config file, /etc/samba/smb.conf, and the init script for the daemon, /etc/init.d/samba, and the SAMBA password tool, /usr/bin/smbpasswd.

Configuring Users and Groups for SAMBA

The first step is creating the users and groups that will be accessing the SAMBA share. In this example, we will use local Linux accounts and groups, then activate the user account in SAMBA. The group will be used to assign permissions to the directory in the Linux file system.

Because my set up is small, I have only a few accounts and one group that I use for SAMBA shares. The group has all SAMBA users in it and is named “dtusers”. Let’s work with my configuration as the example.

First, if you dare, switch to the root account (or best practice is to use sudo for every command):

root@server:/# sudo su

To create a new system group, use the following:

root@server:/# groupadd -r dtusers

Now that we have the group created, we should create some users as well. As we create the users, we will assign the group we just created as a supplemental group.

root@server:/# useradd -G dtusers -p P@ssW0rd aaron

Use the above command as many times as needed for your users. “aaron” is the username, by the way. Additional thought, “P@ssW0rd” is not a secure password, and even though SAMBA is configured to synchronize passwords (see “unix password sync” setting in the smb.conf file), we want to ensure a password is set prior to SAMBA configuration.

Finally, we need to enable these accounts using the SAMBA smbpasswd password tool.

root@server:/# smbpasswd -a aaron

When you are prompted for a password, use the same password as you did when you created the user. Use the above command as many times as needed for your users.

Configuring Directories for SAMBA Sharing

The next step is figuring out which directories you want to share through SAMBA. In my case, I created all of my shares under /datastore/. For the example, lets copy my configuration.

Create the /datastore/ root directory. Then create a directory named aaron, a directory named music, a directory named pictures and a directory named downloads.

root@server:/# mkdir /datastore
root@server:/# cd /datastore
root@server:/datastore# mkdir aaron
root@server:/datastore# mkdir music
root@server:/datastore# mkdir pictures
root@server:/datastore# mkdir downloads

Now that we have our directories created, we need to ensure owners and  permissions are set correctly for each of the directories.

First, we need to change the user and group owners. I recommend root as the main user for any “shared” directories:

root@server:/datastore# chown aaron:dtusers aaron
root@server:/datastore# chown root:dtusers music
root@server:/datastore# chown root:dtusers pictures
root@server:/datastore# chown root:dtusers downloads

Last, we need to change the permissions. I recommend 775 (see Unix Permissions at the bottom of this article for more info on 775) for any of the “shared” directories and 750 or 700 for the user specific directories.

root@server:/datastore# chmod 700 aaron
root@server:/datastore# chmod 775 music
root@server:/datastore# chmod 775 pictures
root@server:/datastore# chmod 775 downloads

Now, have a look at your directories to make sure they have the appropriate permissions:

Configuring SAMBA

The final step in configuring SAMBA is, well, configuring SAMBA. The SAMBA configuration file, smb.conf, that comes with the SAMBA install is rather large. We’ll go through it and change only some of the settings and add some of our own.

Using your favorite text editor (mine is actually vi, but if you are new to Linux, you’ll like nano better) and open the SAMBA configuration file:

root@server:/# vi /etc/samba/smb.conf

Scroll through the configuration file and review the various options. Once you have looked around, start changing variables. First if you have a DNS domain defined, I would change the following:

workgroup = dt.local

Next, scroll to the bottom of the configuration file and add your SAMBA share definitions. In this example, I have also configured a “create mask” which forces certain permission types for all new files, “directory mask” which forces certain permission types for all new directories, and “force group” to ensure the group is always my dtusers group:

[aaron]
path = /datastore/aaron
valid users = aaron
writable = yes
browseable = yes
read only = no
create mask = 0700
directory mask = 0700
guest ok = no
force group = dtusers

[music]
path = /datastore/music
valid users = @dtusers
writable = yes
browseable = yes
read only = no
create mask = 0775
directory mask = 0775
guest ok = no
force group = dtusers

[pictures]
path = /datastore/pictures
valid users = @dtusers
writable = yes
browseable = yes
read only = no
create mask = 0775
directory mask = 0775
guest ok = no
force group = dtusers

[downloads]
path = /datastore/downloads
valid users = @dtusers
writable = yes
browseable = yes
read only = no
create mask = 0775
directory mask = 0775
guest ok = no
force group = dtusers

You’ll notice that the [aaron] share contains “valid users” of only aaron, while the other “shared” shares contain “valid users” of @dtusers. The @ sign defines a group. If you have more than one group or users, separate them with a space.

Save the configuration file and then restart the SAMBA service:

root@server:/# /etc/init.d/samba restart

Using SAMBA

Now that you have SAMBA configured with some shares, give it a whirl from your Windows machine. If the user that you sign into on your Windows machine is the same, with the same password, as the Linux/SAMBA user you will not be prompted to authenticate.

Click Start > Run and then type in the UNC path to your Linux server. If you have a DNS host (A) record for your server it could be \\server\share_name, otherwise just use the IP address, \\192.168.0.1\share_name.

That’s it. Enjoy Linux!

Unix Permissions

764 defines the permissions for User (the 7)/Group (the 6)/Everyone (the 4). As another example, if you wanted only the User to have full permissions, assign 700, which is User (the 7)/Group (the 0)/Everyone (the 0).

The number represents the collective of permission types: 4 is Read, 2 is Write, 1 is Execute. So a 7 would be 4 + 2 + 1, which means that when assigned to the User, it will have all three permission types, or full control. A zero means no permission types, and therefore no permissions.

Links

http://www.samba.org/
http://support.quickbooks.intuit.com/support/Articles/HOW12300

-Aaron

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

-or- if you feel like being different:

DevilMode.{ED7BA470-8E54-465E-825C-99712043E01C}

http://www.microsoftnow.com/2010/01/windows-7-godmode-not-really.html

-Aaron

Microsoft DreamSpark

While looking around for Microsoft Visual Basic 2008 Express Edition, I came across a site at Microsoft.com that states its sole purpose is: “It’s about giving students Microsoft professional tools at no charge.”

Wow. I’ve been a student for many years, taking one class here and there at local community colleges and have never heard of this offering.

If you have a TechNet subscription, then some of these products are already available to you, such as the Server Operating Systems; however, even my TechNet (standard for $199/yr) doesn’t provide tools like Microsoft Visual Studio 2010 Professional or Microsoft Robotics Developer Studio 2008 R3 or even Microsoft Windows Embedded Standard 7!!

So sign up if you have a student email address at your college/university and start programming in Visual Studio 2010 Professional!

As a final benefit, you get a free Microsoft exam voucher. That alone is worth the sign up.

-Aaron

When I first started the project, I was hoping that my script would run prior to showing the desktop. This is important because if it runs while the user has access to the desktop, that user may start using files that would prevent the script from running correctly (file locks). I had no luck; if anyone has an idea on how to do this, let me know. Otherwise, I created a .NET application that covers the entire screen on the primary monitor (if more than 1 monitor, then the second one is still visible).

BlankScreen

The BlankScreen application is written in VisualStudio .NET 2008 using .NET Framework 2.0 if I remember correctly. There are some changes you may want to make on this application to tailor it for your environment. The first change would be to put your logo on the application form. The second change, and really the more important change, is to change the ProcessPath variable to point to the UNC path of where you plan on putting the desktop.vbs file. This application just runs the VBScript.

So you might be thinking, why would you have an application that is capable of much more advanced programming run a VBScript? Well, I wrote the script first and didn’t feel like porting it to VB.NET. If you feel like spending the time, go for it.

desktop.vbs

Enough chatter about the other stuff, on to the real product of this blog post, the VBScript.

The VBScript has four basic functions that it completes one after the other based on the success of the previous function. Step 1 is to get the username of the logged in user. Step 2 is to create the folders in the user’s My Documents location and copy the files into that new folders (nothing is moved). Step 3 is to update the registry for the Desktop and Favorites locations to the newly created folders. Step 4 renames the old folders in the C:\Documents and Settings\[user]\ folder to DesktopOLD and FavoritesOLD. I feared losing user files, so I did not make the script perform anything that couldn’t be reversed.

Just as you had to change a string variable in the BlankScreen application for your specific server, you also have to change the location of your user’s folder on the network. In my case it was \\fileserver\users\.

The migration will change the registry keys:

HKCR\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Favorites
HKCR\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Desktop
HKCR\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Favorites
HKCR\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Desktop

The new locations will look something like this:

Desktop: \\[server]\[share]\[username]\Desktop-[username]
Favorites: \\[server]\[share]\[username]\Favorites-[username]
e.g. \\fileserver\users\aaron\Desktop-aaron\ would be my desktop folder.

Conclusion

Implementing this solution is fairly easy. First modify the VB.NET application and compile it. Place the .exe file in a shared location that your login script for users has permissions. Place the VBScript file in a similar location, as you specified in the VB.NET application, and modify the serverpath variable and email variables. Test with your user account in your login script batch file using something similar to below:

if %USERNAME% == yourusername (
 rem lets make sure the user has a my documents folder prior to trying to migrate their desktop
 if exist "\\[server]\Users\%USERNAME%" (
  if exist "C:\Documents and Settings\%USERNAME%\Desktop" (
   rem lets make sure they have the 2.0 Framework installed.
   if exist "C:\Windows\Microsoft.Net\Framework\v2.0*" (
    start "Desktop Migration" "\\[server]\[share]\blankscreen.exe"
   )
  )
 )
)

As a disclaimer, the application AND script are provided without any warranty and is only for educational / informational purposes. If you choose to use it in your environment, production or not, the outcome is your responsibility.

desktop.vbs Code

On Error Resume Next

'alert user of what is happening...
MsgBox "Please click OK to begin the backup process for your Desktop and Internet Explorer Favorites.  This process could take a few minutes, please be patient and Do NOT Cancel anything, otherwise data could be lost!" & vbCrLf & vbCrLf & "If you have Administrator privileges, your computer will restart after all of your files have been copied!"

'get the current user
user = getUser()
'set the server location, the following \ is required!
serverpath = "\\[server]\Users\"
'if you have a helpdesk solution with email capability:
useemailnotify = 0
smtpfrom = "email@domain.com"
smtpto = "email@domain.com"
smtpserver = "smtp.domain.com"

'create folders
m_cf = createFolderscopyFiles(user)
If m_cf <> 1 Then
	'update the registry and reboot
	m_ur = updateRegistry(user)
	If m_ur <> 1 Then
		'rename the old folders so it does not use them anymore!
		m_rof = renameOldFolders(user)
		'reboot
		Set WSHShell = WScript.CreateObject("WScript.Shell")
		WshShell.Run "C:\WINDOWS\system32\shutdown.exe -r -t 0"
	End If
End If

Function getUser()
	'get the current user environment variable.
	Set oShell = CreateObject( "WScript.Shell" )
	user = oShell.ExpandEnvironmentStrings("%UserName%")

	If Err.Number <> 0 Then
		'we have failure!
		getUser = 1
		Err.Clear
	Else
		getUser = user
	End If
End Function

Function createFolderscopyFiles(user)
	Set objFSO = CreateObject("Scripting.FileSystemObject")

	'lets only do the folder create and file copy if that folder doesn't already exist. Otherwise, its just gonna set the registry and reboot.
	If Not objFSO.FolderExists(serverpath & user & "\Desktop-" & user) Then
		'Create the new Desktop and the Favorites folder.
		objFSO.CreateFolder(serverpath & user & "\Desktop-" & user)
		objFSO.CreateFolder(serverpath & user & "\Favorites-" & user)

		Set oSHApp = CreateObject("Shell.Application")

		'Copy the Desktop files
		Set fromDFolder = oSHApp.Namespace("C:\Documents and Settings\" & user & "\Desktop")
		Set toDFolder = oSHApp.Namespace(serverpath & user & "\Desktop-" & user)
		toDFolder.CopyHere fromDFolder.Items, 16+512

		'Copy the Favorites files
		Set fromFFolder = oSHApp.Namespace("C:\Documents and Settings\" & user & "\Favorites")
		Set toFFolder = oSHApp.Namespace(serverpath & user & "\Favorites-" & user)
		toFFolder.CopyHere fromFFolder.Items, 16+512
	End If

	If Err.Number <> 0 Then
		'we have failure!
		SendEmail user,"failed at createFolderscopyFiles",Err.Description
		createFolderscopyFiles = 1
		Err.Clear
	Else
		createFolderscopyFiles = 0
	End If
End Function

Function updateRegistry(user)
	'lets work on the registry now
	Const HKEY_CURRENT_USER = &H80000001
	Const HKEY_LOCAL_MACHINE = &H80000002

	'update the registry for Desktop and Favorites (User Shell Folders)
	'set Favorites
	Set oFReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & "." & "\root\default:StdRegProv")
	strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
	strValueName = "Favorites"
	strValue = serverpath & user & "\Favorites-" & user
	oFReg.SetExpandedStringValue HKEY_CURRENT_USER,strKeyPath,strValueName,strValue
	'set Desktop
	Set oDReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & "." & "\root\default:StdRegProv")
	strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
	strValueName = "Desktop"
	strValue = serverpath & user & "\Desktop-" & user
	oDReg.SetExpandedStringValue HKEY_CURRENT_USER,strKeyPath,strValueName,strValue

	'update the registry for Desktop and Favorites (Shell Folders)
	'set Favorites
	Set otFReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & "." & "\root\default:StdRegProv")
	strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
	strValueName = "Favorites"
	strValue = serverpath & user & "\Favorites-" & user
	otFReg.SetStringValue HKEY_CURRENT_USER,strKeyPath,strValueName,strValue
	'set Desktop
	Set otDReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & "." & "\root\default:StdRegProv")
	strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
	strValueName = "Desktop"
	strValue = serverpath & user & "\Desktop-" & user
	otDReg.SetStringValue HKEY_CURRENT_USER,strKeyPath,strValueName,strValue

	If Err.Number <> 0 Then
		'we have failure!
		SendEmail user,"failed at updating registry",Err.Description
		updateRegistry = 1
		Err.Clear
	Else
		updateRegistry = 0
	End If
End Function

Function renameOldFolders(user)
	Set objFSO = CreateObject("Scripting.FileSystemObject")
	objFSO.MoveFolder "C:\Documents and Settings\" & user & "\Desktop", "C:\Documents and Settings\" & user & "\DesktopOLD"
	objFSO.MoveFolder "C:\Documents and Settings\" & user & "\Favorites", "C:\Documents and Settings\" & user & "\FavoritesOLD"

	If Err.Number <> 0 Then
		'we have failure!
		SendEmail user,"failed at renaming old folders",Err.Description
		renameOldFolders = 1
		Err.Clear
	Else
		renameOldFolders = 0
	End If
End Function

Sub SendEmail(user,contnt,contntB)
	'if the setting is to send an email, then do it, otherwise...nada.
	If useemailnotify = 1 Then
		'send an email!!
		Set objEmail = CreateObject("CDO.Message")
		objEmail.From = smtpfrom
		objEmail.To = smtpto
		objEmail.Subject = "Desktop and Favorites Migration Issue for " & user
		objEmail.Textbody = "User had a Desktop files migration error." & vbCrLf & vbCrLf & contnt & vbCrLf & vbCrLf & contntB
		objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
		objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = smtpserver
		objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
		objEmail.Configuration.Fields.Update
		objEmail.Send

		If Err.Number <> 0 Then
			'we have failure!
			MsgBox "Your Desktop migration didn't go very well."
			Err.Clear
		Else
			'YAY!
		End If
	End If
End Sub

Downloads

BlankScreen.zip – VB.NET application

desktop.zip – VBScript

So, why write this article? Well, we wanted to make sure that user data was not accessible by anyone in the organization except that user and the backup process. This required custom permissions for the user folder, permissions that are not typical.

We used the GPO settings for My Documents redirection, setting the My Documents location to %HOMEPATH%. Obviously this required that the home path must be set for each and every user in Active Directory. The common way to accomplish this is to modify the users and set the home path to the desired server path. This would create the folder automatically for each user and assign full permissions to the user. It also sets Administrators with full permission. Bah.

PowerShell is, well, powerful

The solution that we came up with was to write a PowerShell script that would accomplish the same task as adding a home path in Active Directory. The only difference is that the script sets the folder permissions that we wanted.

The script accomplishes three tasks based on only providing it an Active Directory account, such as domain\user. The first task is to create the user folder on the server defined in the script. The second sets the permissions on that folder, removing Administrators and then adding SYSTEM and the user as Full Control. It also adds the user as the Owner of the folder. Third, it updates Active Directory, modifying the user’s home path to the newly created folder on the server.

The Script

Before I share the script, it comes with a disclaimer. Use at your own risk, the script is merely for informational purposes. You are responsible for your own server and the files and folders on it, and therefore I am not responsible if this script causes any harm.

##################################################################################
#
#
#  Script name: SetHomeFolder.ps1
#  Author:      Aaron and John
#
#
##################################################################################

param ([string]$User, [switch]$help)

function GetHelp()
{
$HelpText = @"

DESCRIPTION:
NAME: SetHomeFolder.ps1
Creates folder and sets permissions for the specified user.
Creates folder if it does not exist. Removes "Administrators" default permission.

PARAMETERS:
-User            User to create folder for and who should have access (Required)
-help            Prints the HelpFile (Optional)

SYNTAX:
./SetHomeFolder.ps1 -User Domain\UserName

Creates \\[server]\Users\[UserName] and sets new permissions for that folder.

"@
$HelpText

[system.enum]::getnames([System.Security.AccessControl.FileSystemRights])
}

function CreateFolder ([string]$Path)
{
#check if the folder Exists
Write-Host "$Path..." -Foregroundcolor Green

if (Test-Path $Path) {
Write-Host "...Already Exists" -ForeGroundColor Yellow
} else {
Write-Host "...Created"
New-Item -Path $Path -type directory | Out-Null
}
}

function SetAcl ([string]$Path, [string]$User, [string]$Permission)
{
#this trap prevents ugly errors on the screen when attempting to update the ACL for the user.
trap [Exception]
{
write-host "  ERROR: $($_.Exception.Message)" -ForeGroundColor Magenta
continue
}

Write-Host "Setting Permissions..." -ForeGroundColor Green

#get ACL on folder and assign as object
$GetACL = Get-Acl $Path

#set up the access rules
$Allinherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$Allpropagation = [system.security.accesscontrol.PropagationFlags]"None"
$AccessRule = New-Object system.security.AccessControl.FileSystemAccessRule($User, $Permission, $AllInherit, $Allpropagation, "Allow")
$SystemAccessRule = New-Object system.security.AccessControl.FileSystemAccessRule("SYSTEM", "FullControl", $AllInherit, $Allpropagation, "Allow")
$AdminAccessRule = New-Object system.security.AccessControl.FileSystemAccessRule("Administrators", "ReadAndExecute", $AllInherit, $Allpropagation, "Allow")

#check if Access for Administrators already exists - and REMOVE
Write-Host "...Removing Permission For: Administrators" -ForeGroundColor DarkGray
$GetACL.RemoveAccessRuleAll($AdminAccessRule) | Out-Null
#end of Administrators permissions

#check if Access for User Already Exists - and ADD
if ($GetACL.Access | Where { $_.IdentityReference -eq $User}) {
Write-Host "...Modifying Permissions For: $User" -ForeGroundColor Yellow

$AccessModification = New-Object system.security.AccessControl.AccessControlModification
$AccessModification.value__ = 2
$Modification = $False
#modify the ACL rule
$GetACL.ModifyAccessRule($AccessModification, $AccessRule, [ref]$Modification) | Out-Null
} else {
Write-Host "...Adding Permission: $Permission For: $User"
# add the ACL rule
$GetACL.AddAccessRule($AccessRule)
}
#end of User permissions

#check if Access for SYSTEM already exists - and ADD
if ($GetACL.Access | Where { $_.IdentityReference -eq "SYSTEM"}) {
Write-Host "...Modifying Permissions For: SYSTEM" -ForeGroundColor Yellow

$SystemAccessModification = New-Object system.security.AccessControl.AccessControlModification
$SystemAccessModification.value__ = 2
$SystemModification = $False
# modify the ACL rule
$GetACL.ModifyAccessRule($SystemAccessModification, $SystemAccessRule, [ref]$SystemModification) | Out-Null
} else {
Write-Host "...Adding Permission: FullControl For: SYSTEM"
#add the ACL rule
$GetACL.AddAccessRule($SystemAccessRule)
}
#end of SYSTEM permissions

#set the owner of the folder to the specified user
$GetACL.SetOwner((new-object System.Security.Principal.NTAccount("$User")))

#this command performs the actual update using the objects as defined above
Set-Acl -aclobject $GetACL -Path $Path
}

function Get-ADUser( [string]$samid=$env:username)
{
#find the user object in active directory and returns the user object to the calling line
$searcher=New-Object DirectoryServices.DirectorySearcher
$searcher.Filter="(&(objectcategory=person)(objectclass=user)(sAMAccountname=$samid))"
$aduser=$searcher.FindOne()

if ($aduser -ne $null )
{
$aduser.getdirectoryentry()
}
}

if ($help)
{
#the user requested help, so let us display that help.
GetHelp
}

#set some global variables per our environment.
$Permission = "FullControl"
$username = $User.substring($User.indexof("\") + 1)
$Path = "\\[server]\Users\$username"

#LET'S BEGIN (sub Main()) - Process folder creation and security changes
if ($Path -AND $User -AND $Permission)
{
#1. create the folder
CreateFolder $Path

#2. set the ACL permissions and ownership for that folder
SetAcl $Path $User $Permission

#3. update active directory with the new path location
Write-Host "Updating Active Directory Home Folder..."
$aduser = Get-ADUser $username
$aduser.homeDirectory = "$Path"
$aduser.homeDrive = "P:"
$aduser.SetInfo()
Write-Host "...$username Updated with: $Path" -ForeGroundColor Green
}

So what is the solution? How about staging the files on the local hard drive prior to starting the installation? Your first thought might be a batch file or command script that uses xcopy – at least that was my first thought. However, xcopy assumes that your connection will not drop and that it is fairly fast. What happens when the user is remote and while copying the files the user disconnects from the Internet and Virtual Private Network (VPN)? The file copy process has to start over…

With robocopy, a Microsoft product, you can configure it to copy with resume capabilities. In addition, if you show the installation process to your users (different discussion), each file in the copy process displays its current transferred status (0-100%).

Getting RoboCopy

Robocopy is available for free from Microsoft as part of the Microsoft Windows Server 2003 Resource Kit Tools. The command line options are somewhat daunting, something you’d expect to see from the “grep –help” command in Linux. In this article we only use a small amount of the power that is Robocopy. For those that dislike command line tools, but still need the functionality of Robocopy, have a look at the GUI tools available for Robocopy.

• Utility Spotlight Robocopy GUI
• Utility Spotlight RichCopy

Simple Deployment Script (Adobe Reader)

Below is an example for deploying Adobe Reader to clients utilizing the Robocopy tool.

@ECHO OFF

rem Create log folder, just in case it does not exist
md C:\installer
md C:\installer\logs
md C:\installer\AdobeReader9.3.0

rem Bring down the files to the local drive
"\\installer\dist$\robocopy.exe" "\\installer\dist$\AdobeReader" "c:\installer\AdobeReader9.3.0" *.* /E /Z

rem begin installation
msiexec.exe /i c:\installer\AdobeReader9.3.0\AcroRead.msi TRANSFORMS=c:\installer\AdobeReader9.3.0\AcroRead.mst /qn /l*v C:\installer\logs\AdobeReader9.3.0.log

Robocopy Command Line Options

C:\>robocopy /?

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows     ::     Version XP010
-------------------------------------------------------------------------------

  Started : Fri Feb 05 10:30:35 2010

              Usage :: ROBOCOPY source destination [file [file]...] [options]

             source :: Source Directory (drive:\path or \\server\share\path).
        destination :: Destination Dir  (drive:\path or \\server\share\path).
               file :: File(s) to copy  (names/wildcards: default is "*.*").

::
:: Copy options :
::
                 /S :: copy Subdirectories, but not empty ones.
                 /E :: copy subdirectories, including Empty ones.
             /LEV:n :: only copy the top n LEVels of the source directory tree.

                 /Z :: copy files in restartable mode.
                 /B :: copy files in Backup mode.
                /ZB :: use restartable mode; if access denied use Backup mode.

  /COPY:copyflag[s] :: what to COPY (default is /COPY:DAT).
                       (copyflags : D=Data, A=Attributes, T=Timestamps).
                       (S=Security=NTFS ACLs, O=Owner info, U=aUditing info).

               /SEC :: copy files with SECurity (equivalent to /COPY:DATS).
           /COPYALL :: COPY ALL file info (equivalent to /COPY:DATSOU).
            /NOCOPY :: COPY NO file info (useful with /PURGE).

             /PURGE :: delete dest files/dirs that no longer exist in source.
               /MIR :: MIRror a directory tree (equivalent to /E plus /PURGE).

               /MOV :: MOVe files (delete from source after copying).
              /MOVE :: MOVE files AND dirs (delete from source after copying).

       /A+:[RASHNT] :: add the given Attributes to copied files.
       /A-:[RASHNT] :: remove the given Attributes from copied files.

            /CREATE :: CREATE directory tree and zero-length files only.
               /FAT :: create destination files using 8.3 FAT file names only.
               /FFT :: assume FAT File Times (2-second granularity).
               /256 :: turn off very long path (> 256 characters) support.

             /MON:n :: MONitor source; run again when more than n changes seen.
             /MOT:m :: MOnitor source; run again in m minutes Time, if changed.

      /RH:hhmm-hhmm :: Run Hours - times when new copies may be started.
                /PF :: check run hours on a Per File (not per pass) basis.

             /IPG:n :: Inter-Packet Gap (ms), to free bandwidth on slow lines.

::
:: File Selection Options :
::
                 /A :: copy only files with the Archive attribute set.
                 /M :: copy only files with the Archive attribute and reset it.
    /IA:[RASHCNETO] :: Include only files with any of the given Attributes set.
    /XA:[RASHCNETO] :: eXclude files with any of the given Attributes set.

 /XF file [file]... :: eXclude Files matching given names/paths/wildcards.
 /XD dirs [dirs]... :: eXclude Directories matching given names/paths.

                /XC :: eXclude Changed files.
                /XN :: eXclude Newer files.
                /XO :: eXclude Older files.
                /XX :: eXclude eXtra files and directories.
                /XL :: eXclude Lonely files and directories.
                /IS :: Include Same files.
                /IT :: Include Tweaked files.

             /MAX:n :: MAXimum file size - exclude files bigger than n bytes.
             /MIN:n :: MINimum file size - exclude files smaller than n bytes.

          /MAXAGE:n :: MAXimum file AGE - exclude files older than n days/date.
          /MINAGE:n :: MINimum file AGE - exclude files newer than n days/date.
          /MAXLAD:n :: MAXimum Last Access Date - exclude files unused since n.
          /MINLAD:n :: MINimum Last Access Date - exclude files used since n.
                       (If n < 1900 then n = n days, else n = YYYYMMDD date).

                /XJ :: eXclude Junction points. (normally included by default).

::
:: Retry Options :
::
               /R:n :: number of Retries on failed copies: default 1 million.
               /W:n :: Wait time between retries: default is 30 seconds.

               /REG :: Save /R:n and /W:n in the Registry as default settings.

               /TBD :: wait for sharenames To Be Defined (retry error 67).

::
:: Logging Options :
::
                 /L :: List only - don't copy, timestamp or delete any files.
                 /X :: report all eXtra files, not just those selected.
                 /V :: produce Verbose output, showing skipped files.
                /TS :: include source file Time Stamps in the output.
                /FP :: include Full Pathname of files in the output.

                /NS :: No Size - don't log file sizes.
                /NC :: No Class - don't log file classes.
               /NFL :: No File List - don't log file names.
               /NDL :: No Directory List - don't log directory names.

                /NP :: No Progress - don't display % copied.
               /ETA :: show Estimated Time of Arrival of copied files.

          /LOG:file :: output status to LOG file (overwrite existing log).
         /LOG+:file :: output status to LOG file (append to existing log).

               /TEE :: output to console window, as well as the log file.

               /NJH :: No Job Header.
               /NJS :: No Job Summary.

::
:: Job Options :
::
       /JOB:jobname :: take parameters from the named JOB file.
      /SAVE:jobname :: SAVE parameters to the named job file
              /QUIT :: QUIT after processing command line (to view parameters).

              /NOSD :: NO Source Directory is specified.
              /NODD :: NO Destination Directory is specified.
                /IF :: Include the following Files.

Regardless, the 1.44MB limitation is irritating at minimum. Working with 1.44MB floppies today is almost as bad as working with old DOS programs in Windows 95 that can’t figure out how to use extended memory (above 640KB). It seems that many firmware updates are larger than a floppy, and if you try to fit it along with the bootable files, MSDOS.SYS et cetera, you’ll be quite unsuccessful. So, screw DOS boot disks – let’s make a Windows LiveCD!

BartPE

To ensure that everyone knows, Bart Lagerweij is the master mind, I am merely shareing my experiences with his exceptional work.

Go ahead and review Bart’s PE page. Download and install the latest PEBuilder application from that link. You should also review the licensing notice.

In this example we are going to create a Windows XP PE LiveCD. To get started you will need a Windows XP Professional non-OEM CD, which Bart’s pebuilder application will use to create the bootable LiveCD, and a blank CD for the final product.

Note: unless you have two CD drives, I would recommend copying the contents of your Windows XP cd to your hard drive.

Open Bart’s PE Builder and set the source to the location where the Windows XP files reside. Under media output, choose “Burn to CD/DVD”. Click on the Builder menu and choose “Build ISO/CD (F5)”.

Assuming you receive no errors during the build and burn process, you should now have a bootable Windows XP LiveCD.

-Aaron Gilbert

There are a few pieces to the puzzle for any kiosk:

1. computer hardware, preferably equipment that can be physically locked down.
2. user interface restriction software, including Internet access restriction.
3. operating system state lock down.

Piece 1

For piece 1, I have used machines such as a Dell Optiplex and an Intel-based Apple Mac Mini. The Mini was a much better because of the size of the case and limited drives (one CD). For some public areas, I would recommend a physical enclosure for the computer case to prevent any physical access.

Piece 2 and 3

In some cases, the Microsoft SteadyState product can handle 2 and 3. Prior to SteadyState, step 3 would require an additional product such as DeepFreeze to “lock” the operating system state. You might be thinking, can SteadyState stand up to the 13 year old hacker that is going to break into your Kiosk? Unfortunately, I do not have the answer – however, a quick Google search might help you determine that because DeepFreeze is more popular there are more articles towards cracking it versus SteadyState.

Besides the disk “freezing”, SteadyState locks down the operating system using Windows policy configuration. Obviously if the computer is joined to a domain, the group policy objects (GPO) will override similar SteadyState configuration.

More on Piece 3

Controlling web access has been a problem in enterprises for years and a Kiosk is no exception. From a legal standpoint, you can’t fire outside users of a Kiosk if they do something inappropriate. This means that control of Internet has to be even more restricted, which can be quite difficult.

I would recommend the combination of two applications: (a) using a product such as NetNanny to lock down inappropriate categories; and (b) build a custom web browser such as shown in my article, creating your own custom web browser using Microsoft Visual Studio Express 2008. The custom web browser will allow you to control functionality of Internet Explorer programmatically, such as a minimal interface, predefined control bar, et cetera.

As a final note, SteadyState allows the administrator to lock Internet Explorer down to specific web URLs. To save space on domain name restriction, (there is a character limit), use the following format to get the entire domain, *devtrends.com.

Have fun and do your research before you put a Kiosk out for everyone to use! As with all of my other posts, I am not responsible for your failures and guarantee nothing. Article is for educational purposes only.

-Aaron Gilbert

As a quick overview to help you understand the problem, each session configuration is kept in individual files located in the \scripts\ folder within the application folder. The session files were not a standard format, such as an INI or XML, and appeared as though the application developer(s) used some proprietary data component for saving session configuration to the hard drive. While reviewing the session files with UltraEdit, I noticed that the data values were in standard text format amongst a fog of extended ASCII characters.

Ah ha! Concatenation is the solution…will it be batch file or .NET application?

Gluing the Pieces Together

Runner up, the batch file. I took the session configuration file and cut it right down the middle (where the user name value was), saving one half as session.p1 and the other half as session.p2. The next trick was to glue these files back together with the current Windows user name in between. I grew up using DOS so I thought that this would be easy; I could just echo %USERNAME% to a file, such as:

echo %USERNAME% > session.nam

Unfortunately, the echo command puts a CR/LF at the end of the file, even though %USERNAME% contains no such characters. Logic would state that since echo is typically used for screen output, it assumes that you want a line feed after your statement. Well, a line feed is going to break my batch file concatenation solution; I can’t have line feeds in a proprietary configuration file!

Solution

After much research, I pieced together a batch file line that echo’s a statement without line feeds! This is a golden nugget for anyone that is trying to solve this problem and it worked quite well in my batch file concatenation solution!

for %%a in (%USERNAME%) do (
echo/|set /p ="%%a"
) > session.nam

Obviously, you can replace %USERNAME% with any environment variable or text that you want – no quotes required.

Remember that where there is a will to do so, there is a way to accomplish any task.

Aaron Gilbert

Windows 7 US Online Store – Student Registration

On to the first step…

Acquiring oscdimg

Creating an ISO from the downloaded student Windows 7 package requires the oscdimg.exe tool that is included with the Windows Automated Installation Kit (AIK). Although there is the AIK for Windows 7, the one for Vista will work fine.

Windows AIK (Vista) – works with XP too

If you want to extract the file on your own from Microsoft’s web site, you will need to burn a DVD of the Windows AIK .img file. I am unfamiliar with any Microsoft provided tools, unless you have Windows 7, that are capable of burning an .img file…makes you wonder why Microsoft didn’t just use an ISO. I used ImgBurn to burn the AIK to DVD. Once you have the AIK installed, the oscdimg.exe tool will be located in C:\Program Files\Windows AIK\Tools\PETools\.

Extracting the student Windows 7 installation files

After successfully downloading Windows 7, the first stage installer (such as Win7-P-Retail-en-us-x64.exe, setup1.box and setup2.box) will extract the files to the same location as themselves. All of the files should be uncompressed from the “box” and placed in \expandedSetup. After extraction, you should move the folder \expandedSetup to your C:\.

Note: you may receive the following error while extracting: “We are unable to create or save new files in the folder in which this application was downloaded. Please check the folder properties to make sure that you have security permission on the folder to write files and that the folder is not read-only.” Don’t worry about it, continue with this article regardless.

Creating the ISO

Using the oscdimg tool from an elevated command prompt, see my article, run the following command. Make sure you have the appropriate disk space available.

oscdimg -bC:\expandedSetup\boot\etfsboot.com -h -u2 -m -lWIN7_DVD C:\expandedSetup\ C:\7.iso

If you want to understand what the command line options do, review Microsoft’s Oscdimg Command-Line Options page.

Burn the ISO

The final step is to burn the ISO to a blank DVD-R disc. You can use your program of choice – mine is CDBurnerXP.

That’s it…you now have a Windows 7 bootable DVD.

Aaron Gilbert