Task Sequence AD Protect: Protect a TS with an AD account
https://www.systanddeploy.com/2019/12/task-sequece-ad-protect-protect-ts-with.html
In this post I will show you a PowerShell GUI I created for SCCM or MDT that allows you to protect a Task Sequence with an AD account.
Context
You don't want anyone can run a TS and install a computer, for instance by mistake.
For that you want that only people from a specific AD group are allowed to deploy a computer.
On the GUI, ad username and password are prompted.
If 5 bad credentials have been typed, then the TS will exit and the computer will reboot.
If not the TS will continue to the next step.
In this post I will explain both SCCM and MDT way.
Prerequisites
- Add PowerShell and .NET components in your boot image
- Check the the WinPE and WPF bug is fixed, see here.
- Add AD module in your boot image, for that check links below:
https://mickitblog.blogspot.com/2016/04/import-active-directory-module-into.html
http://www.osdnerd.com/?p=170
https://daviddawsonsblog.wordpress.com/2017/03/03/powershell-active-directory-module-in-winpe-10/
How to get it ?
How it looks like ?
The GUI looks like as below:
1. Type the AD user name
2. Type the AD password
3. Click on Run the TS
4. If bad account has been typed the lock icon will become red.
An icon in the tool bar allows you to change the main theme: Dark or Light.
See it in action from MDT
How it works ?
The downloaded folder contains two scrips:
- TS_password.ps1: Script that run the GUI
- Run_PS_Wizard.ps1: Script that call the first script
Some parameters have to be added to the script TS_password.ps1
- AD_Server: add the AD server in order to query AD using the module
- Group: add the group containing user that are allowed to run TS
For that, open the script Run_PS_Wizard.ps1 and add those parameters as below:
What's next ?
Multi language
Allows you to customize all text from an XML file. This way you will be able to customize it easily with your own language.
Active Directory part
1. In my Active Directory lab I created a group TS_Deploy
2. Add user that are allowed to deploy computer in this group
3. In my case I added user dvr-adm
Create the GUI content
1. Download the wizard
2. Copy the folder to your server
3. Go to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64
4. Copy the file ServiceUI.exe in the wizard folder:
So far we have seen how to create the wizard content and how to customize it. Now let's see how to implement it in our SCCM environment.
Create the SCCM package
1. Go to Software Library
2. Go to Application Management then Packages
3. Do a right click and select Create Package
4. Type a name like TS Password Protect GUI
5. Check This package contains source files
6. Click on Browse, then select the folder containing the wizard
7. Click on Next
8. Select Do not create a program
9. Click on Next
10. Click on Next
11. Click on Close
Distribute the package
1. Do a right-click on your package
2. Select Distribute Content
3. Click on Next
4. Click on Add and select Distribution Point
5. Select your DP and click on OK
6. Click on Next
7. Click on Next
8. Click on Close
Task Sequence implementation
In this method we will create two Run command Line steps that will work as below:
- Run the TS Password Protect GUI
1. Edit your TS
2. Click on Add, General then Run Command Line
3. Type a name like Run TS Password Protect
4. In the command line part, configure as below:
5. Check package and select the previously created package.
6. See below how looks like the step:
Do it for MDT
In this part I will explain how to use it with MDT.
1. Edit your TS
2. Click on Add, General then Run PowerShell script
3. Type a name like Run TS Password Protect
4. Copy the GUI folder in the Deploy folder, for instance
5. Type the below command line
2 commentaires
Hi ! Thank you for the Job !
I got a problem : When I start the OSD Task Sequence, I always Have the prompt : "Please Specify the AS Server parameter: AD_Server"
In my Run_PS_Wizard.ps1 i have put : powershell.exe -sta -executionpolicy Bypass -file TS_Password.ps1 -AD_Server "Ip adress" -Group "My user group".
Why isn't work ?
Thank you very Much
Enregistrer un commentaire