Lab Installation and Maintenance

Overview | Making the Images | PCRdist | Configuration | Policies

 

Overview

Using PCRdist to keep a lab running is very nice. In this setup I use one main Download script, one Upload script, and one Logout script. I keep all the variables in one place using Getha, a great preprocessor directive. I am also using Reg2Prg to make sure the registry is in '.prg' format, for increased performance.

Important Note: You see the mention of ".reg" and ".prg" files throughout these docs. Please realize that a .prg file is a .reg file that was run through Reg2Prg. (I hope this takes some of the confusion out of these docs)

Making the Images

Full Image | Individual Program Images

Full Image

The full image is actually quite easy to make. All that is needed to be done is this:

1. Install windows 98
2. Tweak the configuration of Windows 98 for Lab security and speed.
3. Upload the image to the server. (Using an upload script)

Steps involved in Configuration:

• Delete the "web" directory in c:\windows

This directory contains a lot of things that slow windows 98 down, and when gone makes that sidebar that displays information about the directories/folders/files when browsing directories disappear. (Which enhances security)

• Edit the file c:\msdos.sys and add these lines (under the [Options] area):
• [Options]
• autoscan=0
• bootkeys=0

This makes it so that on bootup the students cannot press any key combo (F8, or ctrl) in order to try to boot into safe mode, and it turns off the scanning on startup. Both of these are potential security risks if not dealt with.

• Delete all files named "folder.htt"

These are the really annoying 'hypertext template' files that "nag" you when you try to enter into the 'windows', 'windows\system', and 'program files' folders. It is just best that they be gotten rid of.

• Create a file in c:\windows called "Netscape Wallpaper.bmp", make sure it is zero bytes in size, and it READ ONLY.

This makes sure that you cannot set the wallpaper through Netscape. (Keeps the pesky kids from putting any background they want on there). Netscape wants to write to this file, but when it can't it just crashes.

Individual Program Images

<< PLEASE NOTE: I HAVE STOPPED USING THIS METHOD, AND NOW USE A FULL DISTRIBUTION USING ONE UPLOAD SCRIPT (It is almost safe to just skip this) >>

You need to have these tools available:

1. Regdump.exe
2. Windiff.exe

How to make an individual program image from any machine:

1. Run Regdump to get a "master" copy of the registry. (You could alternatively export the registry using regedit.exe)
   • Usage: (at a dos prompt)
   • regdump.exe -o master.reg
2. Use an Upload Script or just copy the full file structure to some server location. (Make sure not to copy 'win386.swp', the copy will bomb out on you if you try to copy that file.
3. Install the application/s that you want to have installed on all the machines. Make sure to configure them the way you would like them to be configured on all the machines.
4. Reboot the computer to make sure the registry gets updated and everything works right.
5. Run regdump.exe again to get a '.reg' file that has all the different registry keys.
   • Usage:
   • regdump.exe master.reg -o difference.reg
6. Now you are ready to run Windiff.exe! (This is available in the MS Visual C++ tools, or the windows 98 Resource Kit tools)
7. Run windiff.exe and go to File --> Compare directories. You want to compare the local drive c:\ with the server directory that you uploaded the image to. (In our case I:\pcrdist\pcrdist\images\win981\).
8. You want to see the "different files" and either the left or right only files (depending on which one is drive C:\ ) those are going to be the files you want to keep.
9. After what seems to be too much time, it will let you "copy" files that are different. You want to copy all the files that were different AND in drive C:\. Copy them to a local directory, when it is done, you will have the whole thing. You will even have the difference.reg file in the root directory of where you copied the differing files to. *Important* --> make sure you delete the system.dat and user.dat files, including them in the regular distribution can be a DISASTER. Also, make sure the '.reg' file only has information specific the the application that was installed, and nothing more!
10. Move the directory to the server, move the '.reg' file to where you keep registry files (if you keep them separate) and make your script for it!

PCRdist

PCRdist? | Upload Script | Download Script | Logout Script | Using Getha | Using Reg2Prg

PCRDist is a product of Pyzzo Software.

The following scripts are used for the Labs:

The upload script that I used is located HERE.

This script uploads the initial image to a certain directory. I made sure to change the upload directory when I uploaded different images from different computers.

• #getha \\images\images\PCRDist\getha\getha.db
• #echo Machine Type is %IMACH%
• > I:\PCRDist\images\%IMACH% c:\ : missing size time attrib delete
  • Some important lines from the script.....
  • This uses GETHA to get the hardware address, then uses it to set %IMACH%, the machine type.
  • The image gets uploaded to the %IMACH% directory

Download Script

The download script is the most important part of this whole system. If the download script is written wrong, you can easily end up with a whole lot of non-working machines.

Here is the download script that I used.

Important notes about the download script:

1. I am merging the blocks in this script. This is usually set this way by default, but I just wanted to be sure.
   1. MERGEBLOCKS=YES
2. Make sure that if a file is replaced that was in use, the machine will reboot and replace it on reboot.
1. ;Reboot the machine if a file is in use
2. IMPLICITB=YES
3. ;Replace the file the next time the machine reboots
4. IMPLICITW=YES
3. Make sure that the user cannot break out of the process..... nobody wants students to be able to cancel the PCRdist process. This would be really bad.
   1. ;Do not allow user to break out of program
   2. CBREAK=NO
4. Kill all the programs!
   1. ; Kill all programs, and WAIT till they are DEAD
   2. ; It makes the install go a LOT cleaner if extra files are *not* open
   3. KILLHIDDEN=YES
   4. KILLTIMEOUT=10
   5. KILL=*
   6. TERMINATE=*
5. You will now notice that there is an "if" statement: #if %IMACH% != "Merritt". This statement encases the first registry and file block so that any machine that IS NOT a Merritt machine will use this distribution point. Else, it will use the next if statement, #if %IMACH% = "Merritt". This is very useful, because in the Merritt registry block I wanted to set the "delete" flag, but keep the "delete" flagg out of the Non-Merritt block. (I also changed a few other things.) The following steps refer more to the != Merritt portion of the script.
6. In the registry distribution block, make sure you use the flags "missing size crc", these three flags work really well at replacing different keys, and adding missing keys. I did not add a delete flag, due to erroneous errors that I kept getting. (I had a few different machine types..... if you have only ONE machine type, you can include the Delete flag) With the registry block, make sure to look at what I have ignored, and what I have being specifically replaced. I am ignoring "HKEY_LOCAL_MACHINE/ENUM" and "HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/Class" because those are the two spots that carry machine-specific registry information.
7. In the File distribution block, make sure you use the flags "missing size time delete", these flags are really good for adding missing files and replacing files that are older with newer ones. I have specifically set the flag "ic" on some of the files, that makes sure the file is replaced no matter what. It acts as if the file was never there.
8. At the end of the script I copy a few files using the "+copy" command. I am doing this because there are a few files that need to be replaced every time the script runs.

Logout Script

The logout script is used for when a user logs off a machine. This script is very useful because it will allow you to change the "username" in the login screen, and make sure that the other registry settings are correct. I have the script making sure it resets the current "username" so that a person will not know who was last logged in.

Using Getha (Get Hardware Address)

Getha is a preprocessor statement in PCRdist 2.0 that gets the Hardware address of the ethernet card, and queries a database and can set values for defined variables.

This is a great way to set different variables such as the machine name, the lab it is in, what printer it should use, and anything else you would want to set.

Here is my example of a getha database, 'getha.db'.

Using Reg2Prg.exe ('.reg' to '.prg')

I would strongly recommend that you use this utility to translate .reg files into .prg files. '.prg' files are a PCRdist binary registry format that is a LOT faster and a lot cleaner to use then just .reg files.

Summary of use:

• reg2prg.exe file1 ... fileN [/D] [/N]
• reg2prg.exe directory [/D] [/N] [/R]
• /D: Delete .reg file after conversion.
• /N: Only convert if corresponding .prg file does not exist.
• /R: Convert files located in subdirectories.

 

I use this in my Upload Script to translate the .reg file to a .prg file every time it gets uploaded, this way, I only have to export the .reg file to the c:\windows directory, and the script takes care of the rest.

Here is the line that does this:

• +exec "I:\PCRDist\reg2prg.exe c:\windows\%IMACH%.reg"
• ; Where %IMACH% is the machine type.

 

Configuration

There is always some tweaking to the images after-the-fact that needs to take place. Use your own discretion as to what you tweak. I have added a few Registry files to these images....

Some of the registry files that I have included I have here:

• Grouppol.reg

REGEDIT4


[HKEY_LOCAL_MACHINE\Network\Logon]
"PolicyHandler"="GROUPPOL.DLL,ProcessPolicies"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSNP32\NetworkProvider]
"GroupFcn"="GROUPPOL.DLL,NTGetUserGroups"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NWNP32\NetworkProvider]
"GroupFcn"="GROUPPOL.DLL,NWGetUserGroups"

• Netscape.reg

<< START MOST IMPORTANT PART >>
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Netscape\Netscape Navigator\Users]
@=""
"CurrentUser"="student"

[HKEY_LOCAL_MACHINE\SOFTWARE\Netscape\Netscape Navigator\Users\student]
"DirRoot"="C:\\Program Files\\Netscape\\Users\\student"
"UserName"="student"
"EmailAddr"="student@potsdam.edu"

[HKEY_LOCAL_MACHINE\SOFTWARE\Netscape\Netscape Navigator\Users\Floppy User]
"DirRoot"="a:\\netscape\\users\\student"
"UserName"="Floppy User"
"EmailAddr"="student@potsdam.edu"

<< END MOST IMPORTANT PART >>

• Tweaks to the Registry (Via PCRdist)
  Shown here in "key" form, not PCRdist form. (look at the download script if you want to see how to format them)

 

; This makes sure the current user in Netscape is set to "student" 
[HKEY_LOCAL_MACHINE\Software\Netscape\Netscape Navigator\Users]
"CurrentUser"="student"

; this ignores the time information.  (Fixes the Daylight Savings Time Issue)
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation]
"ActiveTimeBias"="ignore"
"DaylightFlag"="ignore"
"DisableAutoDaylightTimeSet"="dword:00000001"
 
; This sets the Registered owner and Organization
[HKEY_LOCAL_MACHINE\Software\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="Distributed Computing"
"RegisteredOrganization"="SUNY Potsdam"
  
; This sets the domain back to POTSDAM.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSNP32\NetworkProvider]
"AuthenticatingAgent"="POTSDAM"

; This key is to make sure that the security is always from the POTSDAM NT domain.  (kindof redundant)
[HKEY_LOCAL_MACHINE\Security\Provider]
"Container"="POTSDAM"

; This sets the username to be "TYPE_USERNAME_HERE" and...
; also sets the "MustBeValidated" key so that you can't log in without validating to the network.
[HKEY_LOCAL_MACHINE\Network\Logon]
"username"="TYPE_USERNAME_HERE"
"MustBeValidated"="dword:00000001"

; This will set the HostName of the machine to be equal to %STA% (Station ID).
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP]
"HostName"="%STA%"

; This sets the Workgroup, ComputerName, and the Comment. (Using variables %LAB%, %STA%, and %MAKE%)
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP]
"Workgroup"="%LAB%"
"ComputerName"="%STA%"
"Comment"="%MAKE%"

; This sets the ComputerName to %STA%  (very redundant.... thank you M$)
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\ComputerName\ComputerName] 
"ComputerName"="%STA%"

; This sets the "ProfileImagePath" to be equal to %STA%
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProfileList\%STA%]
"ProfileImagePath"="C:\\WINDOWS\\Profiles\\%STA%"  
     

Policies

When using policies, you have to have GROUPPOL.DLL installed on the machine, and have the right registry keys also in place. (You can use Grouppol.reg to do this). You can use POLEDIT.EXE and the ADMIN.ADM template to edit the policies, Poledit comes with some of the Windows Resource kits.

The way we implemented Policies starts out on the NT domain. We set different groups of users up who will have different access rights. These are the groups we set up:

1. Domain Admins
2. DCTM Techs
3. Faculty
4. Students
5. Lab Workstations
6. Domain Users
7. No Printing

These are given "Group Priority" in this order inside of poledit. This means that if you are in both the Students group and the Domain Admins group, you will end up getting the rights of the TOP group (Domain Admins). This is very handy because there are plenty of people on campus who fit into more than one group.

These are the different levels of control (summarized between Domain Admins and Students) in poledit, using Admin.adm as the template:

Different Control Option	Domain Admins	Students
Control Panel	No Restrictions	Fully Restricted
Desktop	Has a Color Scheme	Has a Color Scheme and Wallpaper.
Network	Sharing is not disabled	Sharing IS disabled
Shell	Set of custom startup / program folders. No other restrictions	Set of custom startup / program folders. Restrictions include: Run command, Find Command, some folders in "settings".
System	No restrictions	Restricted Registry Editing Tools.

For the "Default Computer" in Poledit, make sure you set a few *very* important settings (it is up to you to fill in the proper settings).

1. Default Computer --> Network --> Access Control --> User-level Access Control
2. Default Computer --> Network --> Logon --> Require Validation by network for Windows Access.
3. Default Computer --> Network --> Microsoft Client for Windows Network --> Log On To Windows NT
4. Default Computer --> Network --> Passwords --> Hide share passwords with asterisks & Disable password caching
5. Default Computer --> Network --> Update --> Remote Update

Make sure you call your policy file Config.pol (for windows 9x machines) and you place it on the PDC (Primary Domain Controller) in a share called "netlogon". This is the default area where windows will look for policies. It takes a while to develop a set of policies that you will be comfortable with, play with poledit.exe and one of your lab machines for a while until you develop one that you really like, and trust.

Special Thanks:

Pyzzo - For making PCRdist.

There is a lot of stuff here, and even I get confused at times. If there is anything that you think I have left out please email me at thern18@potsdam.edu (Eric Thern)