cemaranet

Untitled

Jul 4th, 2017
You'll need
- Windows 10 1703 Enterprise 64-bit machine (referred to as the client)
- Windows Server 2012 R2 machine (referred to as the server)
- Functional Active Directory on the server


1. Install Windows 1703 Enterprise, 64-bit, preferably a clean, unmodified version.
2. Press Ctrl+Shift+F3 on the "Let's start with region" screen to enter audit mode.
3. Close the System Preparation Tool; we're not going to use it.
4. Next we're getting rid of the Metro apps. Run PowerShell as administrator (right click > Run as administrator) and run the following commands:

- Get-AppxProvisionedPackage -online | Remove-AppxProvisionedPackage -online
- Get-AppxPackage -AllUsers | Remove-AppxPackage
- Rename-Item C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe BLOCKED_Microsoft.MicrosoftEdge_8wekyb3d8bbwe
- Rename-Item C:\Windows\SystemApps\ContactSupport_cw5n1h2txyewy BLOCKED_ContactSupport_cw5n1h2txyewy
- Rename-Item C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy BLOCKED_Microsoft.XboxGameCallableUI_cw5n1h2txyewy
- Rename-Item C:\Windows\SystemApps\Microsoft.XboxIdentityProvider_cw5n1h2txyewy BLOCKED_Microsoft.XboxIdentityProvider_cw5n1h2txyewy
- Rename-Item C:\Windows\SystemApps\WindowsFeedback_cw5n1h2txyewy BLOCKED_WindowsFeedback_cw5n1h2txyewy
- Rename-Item C:\Windows\SystemApps\Microsoft.PPIProjection_cw5n1h2txyewy BLOCKED_Microsoft.PPIProjection_cw5n1h2txyewy
- Rename-Item C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy BLOCKED_Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy
- Rename-Item C:\Windows\SystemApps\holocamera_cw5n1h2txyewy BLOCKED_holocamera_cw5n1h2txyewy
- Rename-Item C:\Windows\SystemApps\holoitemplayerapp_cw5n1h2txyewy BLOCKED_holoitemplayerapp_cw5n1h2txyewy
- Rename-Item C:\Windows\SystemApps\DesktopLearning_cw5n1h2txyewy BLOCKED_DesktopLearning_cw5n1h2txyewy
- Rename-Item C:\Windows\SystemApps\EnvironmentsApp_cw5n1h2txyewy BLOCKED_EnvironmentsApp_cw5n1h2txyewy
- Rename-Item C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy BLOCKED_Microsoft.Windows.FileExplorer_cw5n1h2txyewy
- Rename-Item C:\Windows\SystemApps\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy BLOCKED_Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy
- New-Item C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe -type File

5. Start button + Run, type gpedit.msc to open the Local Group Policy Editor. We will speed up login times by removing unnecessary stuff.

* Computer Configuration > Administrative Templates > System > Logon > Show first sign-in animation = Disabled
* Computer Configuration > Administrative Templates > Windows Components > Search > Allow Cortana = Disabled
* Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off Microsoft consumer experience = Enabled

6. In regedit, create this DWORD: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SpecialRoamingOverrideAllowed REG_DWORD value 1
7. Open Notepad, copy this and save it as copyprofile.xml in the C:\Windows\System32\Sysprep\ folder. D is the path to your installation media; adjust it to your path.

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <CopyProfile>true</CopyProfile>
    </component>
  </settings>
  <cpi:offlineImage cpi:source="wim:D:/sources/install.wim#Windows 10 Enterprise" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>

8. Run a command prompt as administrator and type:

C:\Windows\System32\Sysprep\Sysprep.exe /oobe /generalize /reboot /Unattend:C:\Windows\System32\Sysprep\CopyProfile.xml

The PC will begin sysprep, which might take a while to finish.

9. Follow the region etc. setup. When prompted for an account, enter any username and account.
10. Create a shared folder on the server that can be accessed from the client, if you haven't already.
11. Create share credentials on the machine from Windows Credentials; you may have to give the IP first.
12. Create Active Directory on the server if you haven't; set DNS on the client to the server's IP.
13. System Properties > Computer Name > Change > enter the domain name > enter the server username and password.
14. On Win 10 go to Control Panel > System > Advanced system properties > User Profiles settings >
15. Select Default Profile and press Copy To; enter the shared folder address, ending with .v6
16. Under "Permitted to use", press Change and type "authenticated users", then press Check Names. Also tick Mandatory profile.
17. On the server, right click on the mandatory folder we just created, Security > Edit > Add > change the location to your PC's name > type ALL APPLICATION PACKAGES and check names, give it full control.
18. On the Security tab press Advanced, tick "replace all object permission entries with inheritable permission entries from this object".
19. Still on the same tab > press "Change" next to the owner, change the location to your PC name > type administrators and check names, tick "replace owners on subcontainers and objects".
20. Still on the Windows server, open regedit with administrator privileges, highlight HKEY_USERS, press File > Load Hive > select ntuser.dat in the mandatory.v6 folder we created earlier, and name it mandatory.
21. Right click on that folder > Permissions > add user > Authenticated Users, check names and give it full control.
22. Right click on that folder > Permissions > add user > change the location to your PC name, type ALL APPLICATION PACKAGES > check names and give it full control.
23. On the Security tab press Advanced, tick "replace all object permission entries with inheritable permission entries from this object", and ignore the registry error.
24. Still in regedit, create a new key #Mandatory, and a new text file mandatoryv6 in the mandatory.v6 folder from earlier.
25. Delete all occurrences of Administrator using right click > Find; keep pressing Del and F3 (next result). Be careful to delete only occurrences under the mandatory folder.
26. Highlight the mandatory folder, File > Unload Hive.
27. Rename ntuser.dat to ntuser.man in the mandatory.v6 folder.
28. Open dsa.msc and make a new user with "password never expires", then on the Profile tab give the network address of the mandatory profile folder (without v6!).
29. Restart the client PC and log in as domain name\domain username.
30. Your mandatory profile is now ready. Test it by adding something on the desktop, then log off and log on; the changes should not persist anymore.
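
A check for the finished profile, covering steps 17 to 27, as an added example that is not part of the original paste. The share path, the temporary hive name and the English display names of the two identities are assumptions; run it elevated on the server while nobody is logged on with the profile.

```powershell
# Added example (not from the original paste): audit of a finished mandatory profile.
# It changes no permissions or values; it only reports what it finds.
param(
    [string]$ProfilePath = '\\SERVER\Profiles\mandatory.v6',  # placeholder share path
    [string]$HiveName    = 'mandatory_audit',                 # temporary name under HKEY_USERS
    [string]$AdminName   = 'Administrator'                    # name searched for (step 25)
)
$findings = @()

# Step 27: the hive must have been renamed to ntuser.man.
$man = Join-Path $ProfilePath 'ntuser.man'
if (-not (Test-Path -LiteralPath $man)) { $findings += 'ntuser.man not found' }
if (Test-Path -LiteralPath (Join-Path $ProfilePath 'ntuser.dat')) {
    $findings += 'ntuser.dat still present (rename skipped?)'
}

# Steps 17-19: owner and ACEs on the profile folder, printed for review.
$folderAcl = Get-Acl -LiteralPath $ProfilePath
"Folder owner: $($folderAcl.Owner)"
$folderAcl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited

# Steps 21-22: the two identities the procedure grants on the hive (English names assumed).
$expected = 'NT AUTHORITY\Authenticated Users',
            'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES'

if (Test-Path -LiteralPath $man) {
    & reg.exe load "HKU\$HiveName" $man | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $man" }
    try {
        $hiveAcl = Get-Acl -Path "Registry::HKEY_USERS\$HiveName"
        $granted = $hiveAcl.Access | Where-Object AccessControlType -eq 'Allow'
        foreach ($id in $expected) {
            if ($granted.IdentityReference.Value -notcontains $id) {
                $findings += "hive root has no Allow ACE for $id"
            }
        }
        # Step 25: reg.exe searches key names, value names and data; exit code 0 means a match.
        & reg.exe query "HKU\$HiveName" /s /f $AdminName | Out-Null
        if ($LASTEXITCODE -eq 0) { $findings += "hive still contains '$AdminName'" }
    }
    finally {
        $hiveAcl = $granted = $null
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()   # release key handles before unloading
        & reg.exe unload "HKU\$HiveName" | Out-Null
    }
}

if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'No findings.' }
```

The folder ACL is printed rather than judged, so review it by hand: any identity with write access to the folder can replace the hive every user of the profile loads at logon.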


Modifying and inserting Aster Multiseat: use this method if you want to make changes to your client


1. On the client, log out of the mandatory profile and log in as the admin you created earlier. Log in as a local, not domain, account.
2. Make all the changes you need: drivers, programs, etc. For this tutorial we're going to install Aster Multiseat.
3. Install Aster as usual, assign keyboards, mice, monitors, etc.
4. Important: do not assign an account yet. Tick "automatically run aster workplaces on system startup", then press Enable Aster and reboot the PC. Log in as admin.
5. Now in General settings > Account, change each workplace to Active Directory users on the server. For this example I'm going to use multi1 and multi2.
6. On the server > dsa.msc > open both multi1 and multi2 and on the Profile tab make sure it's pointing to the mandatory folder you created earlier. You may also want to copy and paste the mandatory folder to create a backup in case you mess up.
7. Control Panel > Advanced system settings > User Profiles, press Settings > copy the default profile to the desktop. Add authenticated users in the Change settings.
8. Run regedit as admin on the client, load the ntuser.dat from your current profile in C:\desktop\yourprofilename, and name it mandatory. It's probably hidden, so tick the hidden items option first.
9. Right click the hive you just created. Export the registry keys and name the file anything, e.g. mandatory.reg
10. In regedit, highlight mandatory > File > Unload Hive.
11. Load the ntuser.man from your mandatory profile folder as a registry hive, naming it as before, e.g. mandatory.
12. Merge the registry keys you exported on step 4.
13. In regedit, highlight mandatory > File > Unload Hive.
14. Done. Try logging in with the mandatory profile; the changes will be lost.