Edenost Posted April 29, 2014

Hi all,

Possibly a bit of an odd one now. I would like to be able to take an image on SCCM WITHOUT it performing the SysPrep. The reasons for this are:

The school I work in provides laptops to some pupils who require extra help, etc. during their school day and exams, but only help with writing. Either they can't write well or their handwriting is too hard to be read (so they end up failing because the examiner cannot read what they have written). With that, we provide them laptops which are NOT ever on the domain or the Internet.

As they are never on the domain, Domain GPO is not an option for them, so I create local group policies for each user account in question (since 7 (possibly Vista???), you can create a local GPO per local user account rather than having to lock the whole machine down using a standard Local GPO).

When I take an image, of course it removes all of the SSIDs on the accounts in question, and the local GPO which I have saved to the Admin Desktop no longer applies to the account in question. (Errors about SSIDs.)

Prior to SCCM, I used Ghost to take images and deploy. When I deployed a laptop like this, I would not SysPrep the image, I would just literally copy and paste it, if you will. This skipped SysPrep and the Local GPOs still applied when the image was deployed.

The only other way I can think to achieve this in a quick-fix sense would be to just apply a local GPO to the machine and lock it down no matter if you were logged on as Admin or Student. This is kind of impractical, as the Admin would be just as locked out as a student and there would be no point in even having an Admin account on the machine.

If anyone has any pointers, they would be much appreciated.

Thanks,
Phil

(I hope this all makes sense!!!)
teamfox201 Posted April 30, 2014

Why don't you just exclude the local admins from the policy?

http://www.sevenforums.com/tutorials/101869-local-group-policies-apply-all-users-except-administrators.html
Edenost Posted April 30, 2014

Ahh, thanks for this. I presume that this will apply to local groups instead then, rather than a local single account? Wouldn't that then be scrubbed the same way as an account is during SysPrep? (SSIDs, etc.)
Peter33 Posted April 30, 2014

How do you create the local accounts during OSD? Scripted? If so, you could just retrieve the SSIDs with a script and create the registry hives under HKEY_USERS, then feed them with the registry keys and values for the local policies.
Edenost Posted April 30, 2014

I have probably done it wrong, but I did it all prior to imaging. I created the image, set the local policy for the "Student account", then took the image. Obviously, taking and deploying it, it SysPreps, therefore removing the SSIDs on the account, and the local GPO is no longer applied to the account which it was assigned to, because the GPO is assigned to a SSID it seems. (When I open the GPO Object which I have saved, it says it cannot find the Security for the accounts.)
teamfox201 Posted April 30, 2014

I was thinking more along these lines. Make sure the student account is part of the built-in Users group (BUILTIN_USERS S-1-5-32-545), which does not change SIDs, then apply the LGPO to that group.

http://msdn.microsoft.com/en-us/library/cc980032.aspx
Edenost Posted April 30, 2014

Ahh, now that sounds good. I will give it a try. Will the built-in Users group also contain the admin account though, or not?
Edenost Posted May 1, 2014

OK, so I tried to make the GPO point to the built-in Users; this is all I can point to, it seems. Am I missing something? Should I use the group "Non-Administrators"? Or will that SID be stripped?

Thanks
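
A pre-capture check for the issue discussed in this thread, added here as an example and not posted by any participant: it lists the user-specific Local GPO folders on the reference laptop and shows whether each is bound to a machine-specific account SID (the kind the thread reports no longer matching after SysPrep) or to a built-in SID such as the S-1-5-32-545 mentioned above. It relies on Windows storing user-specific Local GPOs in SID-named folders under `%SystemRoot%\System32\GroupPolicyUsers`; the function name `Get-LocalGpoSidBinding` is hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the reference machine before capture.
function Get-LocalGpoSidBinding {   # hypothetical helper name
    param(
        # Store for user-specific Local GPOs: one hidden folder per SID.
        [string]$Path = (Join-Path $env:SystemRoot 'System32\GroupPolicyUsers')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "No user-specific Local GPOs found at $Path"
        return
    }

    # -Force is needed because the folders are hidden.
    Get-ChildItem -LiteralPath $Path -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.Name)
        } catch {
            return   # folder name is not a SID string; skip it
        }

        # Resolve the SID to an account name; this fails when the SID does not
        # exist on this machine (for example, a folder copied from another install).
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'
        }

        # AccountDomainSid is $null unless the SID has the S-1-5-21-<machine or domain>-<RID> form.
        $machineSpecific = $null -ne $sid.AccountDomainSid
        if ($machineSpecific) {
            $note = 'per-account SID: binding is tied to this installation'
        } else {
            $note = 'built-in SID: identical on every Windows installation'
        }

        New-Object PSObject -Property @{
            Sid             = $sid.Value
            Account         = $account
            MachineSpecific = $machineSpecific
            Note            = $note
        } | Select-Object Sid, Account, MachineSpecific, Note
    }
}

Get-LocalGpoSidBinding | Format-Table -AutoSize
```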