Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, and Windows XP. Features a collection of resources and magazines for Windows IT professionals.
  
  


June 2002

Deploying PCs with Sysprep



Safely clone your XP, Win2K, and NT systems with this handy utility

Editor's Note: Portions of this article were adapted from The Definitive Guide to Windows 2000 Administration (Realtimepublishers.com).

Disk-cloning software represents a major step in the evolution of OS deployment automation. With disk-cloning tools, you can configure a master system, complete with configured OS and applications, create a binary image of the system installation (i.e., create a "picture" of the disk's contents), then duplicate that image on other systems. Some utilities even let you multicast an image over the network so that multiple PCs can simultaneously receive a disk image from one or more source servers.

Although these utilities have proven handy for many IT shops, they aren't problem free. Disk-cloning utilities raise concerns about security and machine uniqueness (e.g., SID duplication). Despite these concerns, the tools' overwhelming popularity within the IT community showed Microsoft that disk-cloning products (and their potential problems) aren't about to go away. So Microsoft has embraced the technology and developed the System Preparation tool (sysprep.exe). Sysprep augments rather than replaces the functionality of disk-cloning software and makes using disk-cloning software more efficient and safer.

Disk Duplication Demons
Disk-cloning utilities have been lifesavers for network administrators who need to deploy large numbers of workstations on their networks. But disk-cloning software presents two major problems. First, these utilities require the reference machine (i.e., the machine from which you create the image) to have a virtually identical hardware configuration to the target machine (i.e., the machine that receives the image). Otherwise, you're likely to see a blue screen when you start up the cloned machine. Considering the fairly short life cycle of most PC hardware and the variety of hardware that exists in most companies, this shortcoming limits the usefulness of disk-cloning software.

Second, and more important, disk-cloning software creates a significant security problem when you use it on Windows XP, Windows 2000, and Windows NT systems. When you install these OSs, the installation process assigns the system a unique SID. Because disk-cloning software duplicates the reference machine's disk image after that machine has been assigned a SID, the target machines' SID will be identical to the reference machine's SID.

To understand why SID duplication creates a security problem, consider that each system in an XP, Win2K, or NT environment generates a unique SID that's associated with all the local user accounts. Two machines that have the same SID would assign the same SID to all new user accounts you create on those machines. In this situation, Windows will see the resulting user accounts as being the same—regardless of any differences in the usernames. For example, if you gave the shipping clerk a machine based on the same disk image as the machine you gave to the head of your Accounting department and both users created a new local administrator account on their machine, the shipping clerk would have rights to access anything that the Accounting department head's local user account could access.
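The collision described above can be audited for across a fleet. The following is an added example, not code from the article: it relies on the fact that a local account SID is the machine SID followed by a relative ID (RID), with user-created accounts numbered from 1000, and it runs over a constructed inventory whose host names, account names, and SID values are hypothetical.

```python
import re
from collections import defaultdict

# A local account SID is the machine SID (S-1-5-21 plus three
# sub-authorities) followed by a relative ID (RID).
LOCAL_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed sample inventory: (host, local account, account SID).
INVENTORY = [
    ("SHIPPING-01", "Administrator", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("SHIPPING-01", "clerkadmin", "S-1-5-21-1004336348-1177238915-682003330-1003"),
    ("ACCT-HEAD", "Administrator", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("ACCT-HEAD", "acctadmin", "S-1-5-21-1004336348-1177238915-682003330-1003"),
    ("LAB-07", "Administrator", "S-1-5-21-2025429265-492894223-1417001333-500"),
    ("LAB-07", "labadmin", "S-1-5-21-2025429265-492894223-1417001333-1003"),
]

def split_sid(account_sid):
    """Return (machine_sid, rid) for a machine-relative account SID."""
    m = LOCAL_SID.match(account_sid)
    if not m:
        raise ValueError("not a machine-relative account SID: %r" % account_sid)
    return m.group(1), int(m.group(2))

def cloned_hosts(inventory):
    """Map each machine SID seen on more than one host to those hosts."""
    hosts = defaultdict(set)
    for host, _account, sid in inventory:
        hosts[split_sid(sid)[0]].add(host)
    return {msid: sorted(h) for msid, h in hosts.items() if len(h) > 1}

def colliding_accounts(inventory, min_rid=1000):
    """Map each user-created account SID (RID >= min_rid) that exists on
    more than one host to its (host, account) owners. Built-in accounts
    such as Administrator (RID 500) are skipped by the default threshold."""
    owners = defaultdict(set)
    for host, account, sid in inventory:
        if split_sid(sid)[1] >= min_rid:
            owners[sid].add((host, account))
    return {sid: sorted(o) for sid, o in owners.items()
            if len({h for h, _ in o}) > 1}

if __name__ == "__main__":
    for msid, hosts in cloned_hosts(INVENTORY).items():
        print("machine SID", msid, "shared by", ", ".join(hosts))
    for sid, owners in colliding_accounts(INVENTORY).items():
        print("account SID", sid, "held by", owners)
```

Any host reported by `cloned_hosts` was imaged after SID assignment and is a candidate for redeployment from a Sysprep-prepared reference image.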

Postduplication SID Switching
Disk-cloning software vendors offer a solution to the SID-duplication problem: SID-changing utilities that can modify the SID on a cloned machine. However, I've found that many of these utilities cause residual problems, and many fail to change the SID that's referenced within the registry and file system.

Also, be aware that Microsoft supports cloned machines only under limited circumstances. You need to have cloned a machine before the SID assignment or in conjunction with Sysprep for Microsoft to support that machine. For more information about Microsoft's support of cloned systems, see the Microsoft article "Do Not Disk Duplicate Installed Versions of Windows" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q162001).

Sysprep to the Rescue
Unlike postduplication SID-changing utilities (such as those that ship with most disk-cloning utilities), Sysprep restores machine uniqueness by letting you roll a reference machine back to its pre-SID state after you install all desired software. The first time you start a reference machine after running Sysprep on it, the machine will return to the last stage of the Windows setup process (i.e., the machine and network identification stage), in which the SID is assigned. (Don't run Sysprep on a production system: The utility removes critical configuration information and effectively rolls the system back to a state prior to setup completion. Run Sysprep only on reference systems that you've intentionally set up to provide a template system configuration.)

A benefit to using Sysprep with disk-cloning software is that Microsoft supports machines that you use this method to deploy, so you won't be out of luck if you need to call Microsoft Product Support Services (PSS) for help with a cloned system. I've found that systems cloned from Sysprep-prepared reference systems exhibit fewer problems than do machines created with the disk-cloning and SID-changer utility method.

If you support NT machines and want to use Sysprep, you'll find that getting the NT 4.0 version of Sysprep (Sysprep 1.0) isn't easy. Although the utility is free, Microsoft doesn't make Sysprep 1.0 available for public download from the company's Web site, forcing users to submit a special request for the utility. Furthermore, only Enterprise and Select Agreement customers are eligible to use Sysprep 1.0. If your organization is an Enterprise or Select Agreement customer, take one of the following steps to obtain Sysprep 1.0 for NT:

  • Make a request on Microsoft's Request License for System Preparation Tool Web page (http://www.microsoft.com/ntworkstation/deploy/deploytools/requestlicense.asp).
  • Fax a request to Windows Deploy Tool License Agreement Request at 206-285-4403 (United States and Canada only).
  • Leave a voicemail message with your request by calling 800-394-9621 (United States and Canada) or 206-378-5544 (international).


Reader Comments
I have been using Sysprep on new PCs since the first of the year without using the pnp switch. We recently ran into a problem where the vendor had changed something minor and using the image was producing a blue screen when used on the PCs. I thought the pnp switch would solve this problem and was delighted to find out about it.
However, when I tested the switch on a PC I prepared for Sysprep, it caused the cloned computer to bluescreen on the first Windows reboot! Taking the switch off and Sysprep-ing again fixed the problem.
Have you seen this before and what might the problem be?
Thank you,


Jan Hall June 25, 2002


We use the XP sysprep and Norton Ghost to make a single image for multiple computer platforms. First change the bus master IDE controller in Device Manager to the Standard PC IDE Controller. Reboot to make the change effective. Then remove the IDE controller from the Device Manager. DO NOT REBOOT! We run our antivirus install program here, which modifies the "RunOnce" registry key to run the antivirus setup at next boot. Then run the Sysprep utility, do not use the "Plug and Play" option. Reboot the computer with a DOS disk and use your DOS-based imaging utility (we use Ghost) to save an image of the hard drive. When a machine is re-imaged with this image, the XP mini-setup will run, detecting any hardware specific to that machine. This requires a reboot after detection of the correct bus-master IDE driver.
Footnote: After one sysprep, if you repeat the sysprep process, sometimes a machine will have difficulty joining a Win2000 AD. We have solved that by keeping two versions of each image, the first prior to the sysprep operation, and the second after the sysprep operation. If we need to make modifications to the image, we start with the first image.

Chris Cantwell November 25, 2002


This seems to be wrong:
add the command
sysprep -quiet
to the [GuiRunOnce] section of the sysprep.inf file.

Do not add it to sysprep.inf but to unattend.txt.

Thomas Dallas November 26, 2002


I'm reading through Sysprep ref.chm and find no sysprep -clean reference. Is this an undocumented switch?

Anonymous User March 24, 2005


Unbelievable. I have yet to find ONE article anywhere that walks you through how to use Sysprep. This article comes close, then simply does not provide step-by-step instructions for first timers.

blahblahblah March 09, 2006

