I need to know exactly what the /generalize option of sysprep does to a Windows 7 system. I am working with WDS to deploy custom images to my workgroup environment.
I work with the government and they require very strict security settings configured via the local group policy / registry / NTFS / Services / etc. There are about 300+ settings I must configure for each box. Hence the use of WDS to deploy a preconfigured image to each system.
My problem is when running Sysprep to capture a Windows 7 (32-bit) image. Everything I've read says to use the /Generalize option. When I re-deploy the image via my WDS server, it clears most of my preconfigured security settings. It seems that the /Generalize option sets things back to the factory defaults.
That is not what I want to do.
What exactly will happen if I DO NOT use the /Generalize option? (My boxes are in a workgroup in this setup)
My questions are:
1. What exactly does the /Generalize option do?
2. What will happen if I DO NOT use the /Generalize option?
This link speaks to sysprep options, including generalize.
Sysprep /generalize is required to be in a supported configuration.
Also see this article; it contains a list as well.
314828 The Microsoft policy for disk duplication of Windows installations
Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. VAMT - Volume Activation Management Tool - Download link http://www.microsoft.com/downloads/details.aspx?FamilyID=ec7156d2-2864-49ee-bfcb-777b898ad582&displaylang=en
Just to follow up. If you run Sysprep WITHOUT the /Generalize option and try to capture the image with WDS, it will not recognize the hard drive and will not allow you to upload the image to the WDS server. So if you're using WDS to deploy your Sysprep images you MUST use /Generalize.
With that said, how exactly am I supposed to apply all my security settings post-install? FirstLogonCommands do not allow you to perform administrative tasks. You have to elevate for that, and that prevents you from automating the installation of security policies. (I'm using GPO packs for that)
So how is everyone applying security policies to a WDS image (that has been /generalized) in a workgroup environment?
Yes I have.
I am using a Microsoft program called LocalGPO. It allows you to capture all your GPO settings (STIGs, Retina, etc.) and generate a GPO Pack. This GPO pack can then be deployed to other systems by running the .WSF script it generates.
I have generated a GPO pack for Windows 7 and it is applied post-WDS build using the unattend.xml. I think it's the first logon command I have pointing to a share like: \\server\share\gpopacks\.wsf
That will allow you to use the required Sysprep /generalize option and still apply all your GPO settings after the image has been built. LocalGPO will capture about 90% of what's needed to be STIG compliant. It is missing some local user account settings that are not configured through GPEDIT.MSC.
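Since a GPO pack applied from a first-logon command can silently fail or only partially apply, a practitioner will want a check that runs on the freshly deployed box and reports drift from the baseline. The PowerShell script below is an added example for that purpose; it is not code from the thread, from LocalGPO, or from the poster's unattend.xml. It reads a few policy-backed registry values directly and pulls account policy out of a secedit export. The three registry values and the minimum password length of 14 are assumed illustrative baseline settings, not the poster's 300+ required settings; substitute your own list.

```powershell
# Added example, not from the thread or from LocalGPO.
# Run elevated on a deployed box after the first-logon GPO pack has finished.

# Registry-backed policy settings to verify. These three entries are assumed
# illustrative baseline values, not the poster's actual required list.
$registryChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA';             Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LimitBlankPasswordUse'; Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'NoLMHash';              Expected = 1 }
)

$failures = @()

foreach ($check in $registryChecks) {
    $actual = $null
    try {
        # -ErrorAction Stop makes a missing key or value throw, so "absent"
        # is reported the same way as "wrong value".
        $actual = (Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction Stop).($check.Name)
    } catch {
        $actual = $null
    }
    if ($actual -ne $check.Expected) {
        $shown = if ($null -eq $actual) { '<missing>' } else { $actual }
        $failures += ('{0}\{1}: expected {2}, found {3}' -f $check.Path, $check.Name, $check.Expected, $shown)
    }
}

# Account policy (password length, lockout thresholds) is not stored as plain
# registry values; export the local security policy with secedit and parse
# the INF it writes. Lines in the INF look like: MinimumPasswordLength = 14
$inf = Join-Path $env:TEMP 'localpolicy.inf'
$null = secedit /export /cfg $inf
$policy = @{}
if (Test-Path $inf) {
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$') {
            $policy[$matches[1]] = $matches[2]
        }
    }
    Remove-Item $inf -Force
} else {
    $failures += 'secedit export failed (is this shell elevated?)'
}

$expectedMinPasswordLength = 14   # assumed baseline value
$actualMinPasswordLength = [int]$policy['MinimumPasswordLength']   # 0 if absent
if ($actualMinPasswordLength -lt $expectedMinPasswordLength) {
    $failures += ('MinimumPasswordLength: expected at least {0}, found {1}' -f $expectedMinPasswordLength, $actualMinPasswordLength)
}

if ($failures.Count -eq 0) {
    Write-Output 'PASS: all baseline checks satisfied'
    exit 0
}
$failures | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

Because the GPO pack runs from a share, the script is also a cheap way to confirm the share was reachable at first logon: if every check fails, the pack never ran at all, which is a different problem from LocalGPO missing a setting. The exit code is non-zero on any failure so it can be wired into whatever post-build reporting you already have.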
In reply to KB 314828, creating a new computer SID is not required at all;
it's only required if you plan to install domain controllers.
See the article http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx?PageIndex=4
The local computer SID is not used externally, and it doesn't circumvent the normal logon process if someone or some program needs access.
What you say is simply not correct. The KB article is authoritative, and Mark Russinovich's blog is not.
Mark Russinovich is a very respected member of the Windows developer community and he wrote a very useful utility called newsid.exe.
However, since he got employed by Microsoft, he removed his utility from Sysinternals web site (now under Technet umbrella).
Anyway, if you choose to ignore the sysprep requirement, you're on your own, i.e. unsupported.
Besides what is in the KB article, people have reported SID related problems with WSUS, KMS and System Center.
- Edited by Les52 Monday, May 13, 2013 1:12 PM
Those are not SID-related problems: WSUS uses a machine-state ID when configured, KMS uses a client machine ID (CMI), which has nothing to do with the SID, and System Center uses a GUID. Using the sysprep /generalize option eliminates these headaches. Reread what Mark wrote and you'll understand.
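Whichever side of the SID argument above one takes, the one thing a deployer can verify directly is whether a deployed clone actually received a new machine SID, which is what /generalize regenerates. The PowerShell below is an added example, not code from the thread, from the KB article or from the linked blog post. It recovers the machine SID by locating the built-in Administrator account through its fixed RID of 500 (so it still works when the account has been renamed) and letting .NET strip the RID, then compares the result with a reference SID captured on the master image before sysprep ran. The reference SID in the final line is a placeholder assumption.

```powershell
# Added example, not from the thread. Works on Windows 7 / PowerShell 2.0.

function Get-MachineSid {
    # Every local account SID has the form <machine SID>-<RID>. The built-in
    # Administrator keeps RID 500 even when renamed, so find it by RID and
    # let SecurityIdentifier.AccountDomainSid drop the RID for us.
    $admin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
    if ($null -eq $admin) {
        throw 'Could not find the built-in Administrator account (RID 500)'
    }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($admin.SID)
    return $sid.AccountDomainSid.Value
}

function Test-MachineSidRegenerated {
    param(
        # The value Get-MachineSid returned on the master image before sysprep.
        [Parameter(Mandatory = $true)][string]$ReferenceSid
    )
    $current = Get-MachineSid
    if ($current -eq $ReferenceSid) {
        Write-Output ('FAIL: machine SID {0} is identical to the master image; /generalize did not run' -f $current)
        return $false
    }
    Write-Output ('PASS: machine SID {0} differs from master SID {1}' -f $current, $ReferenceSid)
    return $true
}

# Placeholder reference SID (assumption). Run Get-MachineSid on the master
# image before capturing it and paste the real value here.
Test-MachineSidRegenerated -ReferenceSid 'S-1-5-21-1111111111-2222222222-3333333333'
```

Run Get-MachineSid on the master once, record the output alongside the image, and run the test on each deployed box; a FAIL means the capture skipped /generalize, regardless of what else the image may or may not have lost.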
Old thread, but I would like to back up the SID question. I know by trial and error that you must renew the SID on a domain computer or it will lose domain trust. I created an image and deployed it without sysprep in order to keep my GPOs. I ended up having to keep a SID renew tool on a USB and renew all computers with a new SID. All is good now, but it was a headache and an embarrassment from upper management when it is your image that is the problem. Hope this helps as far as SIDs go. As for GPOs, I deploy that with a server now instead. Kind regards, Jeff
- Edited by Jeff_BD Tuesday, May 24, 2016 4:21 PM