Solved

USMT Security

Posted on 2014-04-03
14
376 Views
Last Modified: 2014-04-29
I have USMT running through Task Scheduler in Windows 7.  USMT runs and puts the .mig file in a central location and the backup software grabs that folder so I always have a backup of my settings to restore later.

One thing I noticed is that USMT grabs ALL profiles and puts them in one file. I realized a pretty big security issue where if someone gets that .mig file off of the computer, it can be expanded, thus retrieving all users' files which would normally be protected via Windows settings built into each profile.

Is there a way to have USMT run and have it dump only the current users' profile and secure it within their own profile?
I tried this, but not sure if it worked right:
ScanState.exe /ue:*\* /ui:%USERDOMAIN%\%USERNAME%

my USMT file path is set to c:\users\%username%\documents\
0
Comment
Question by:res00f0j2
14 Comments
 
LVL 3

Accepted Solution

by:
Jeremy Tyre earned 500 total points
ID: 39982844
Try
scanstate.exe c:\users\%username%\documents\ /uel:0


The /uel:0 should only allow those that are currently logged in to migrate.  If you want to overwrite the file every time it runs then use
scanstate.exe c:\users\%username%\documents\ /o /uel:0


Let me know if that works for you.  If not then we can start making logs and see where it goes wrong.
0
 

Author Comment

by:res00f0j2
ID: 39983177
will do.  thanks.  I'll post back with my results.
0
 

Author Comment

by:res00f0j2
ID: 39989889
It appears that the %username% path will work but I'm having a minor issue with my code or the way USMT runs.  I have a .cmd file that runs the scanstate that is launched by a Scheduled Task. The issue I'm facing now is what privileges to run that scheduled task under.  I have it running as SYSTEM.  As you know, USMT requires admin privileges to run.  When it runs as SYSTEM, the task shows complete but nothing is written to the store path directory.
0
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 39990054
Try making it a .bat and running it as a local admin manually.  When you can confirm that is working then try making it a task.
0
 

Author Comment

by:res00f0j2
ID: 39994965
I ran the CMD and a BAT as local admin (Right click RUN AS Administrator) I'm in the local admins group on my computer, but the users on the Enterprise will not be.  

The scanstate.cmd file is triggered by a scheduled task which uses the SYSTEM account to launch.  When it runs, it appears to complete but nothing is written to the profile folder set by the storepath.

You can try this and see it happen.  Set a scheduled task to launch a cmd or batch file and set the task to run as SYSTEM.
0
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 39994977
Ok, I will check it this weekend and see if I can come up with a working bat for you.
0
 

Author Comment

by:res00f0j2
ID: 39995291
Thanks.  Really, what I'm looking for is a solution that will run USMT and create MIG file for each user and store it in their profile.  I know USMT requires admin to run, but it seems like a huge security hole because unless your store path is a server share, then anyone could get a hold of the Mig file and expand all users data normally protected by windows. I hope this makes sense.
Thanks
0
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 39998021
You are going to need a more advanced batch script or a powershell script to do this, imo.  Let me do some research and testing and get back with you.  When do you need this by?
0
 

Author Comment

by:res00f0j2
ID: 39998181
There might be an option for me to do this within wics. I just haven't done it yet. Please let me know what you find either way.
0
 

Author Comment

by:res00f0j2
ID: 40006795
Nothing has changed. It's still misbehaving.

Here is where I'm at now.
I have my cmd file execute the following string
scanstate.exe c:\users\%username%\documents\USMT /uel:0 (including switches for log files...)

When a regular user (no privileges) is logged on and the scheduled task runs as SYSTEM, the task executes and actually creates a profile folder named "Computername$" and creates a MIG file for the SYSTEM.  This is caused by /uel:0 because USMT sees that SYSTEM is executing USMT and sees it as (/uel:0) the current logged on user instead of who's actually logged on.

When I run the task as Built-in\Administrators, the task fails because it sits there and waits for authentication.

So this goes back to my original question.  
How do I run USMT as a regular user and only capture their profile.  The quote below from the USMT site assumes that you can.

" If you do not run USMT in “Administrator” mode, only the user profile that is logged on will be included in the migration." from link: http://technet.microsoft.com/en-us/library/cc749015(v=ws.10).aspx
0
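The problem described in the post above, that a task running as SYSTEM expands %USERNAME% to the machine account and so captures the wrong profile, is what the following script works around. It is an added example and not code from the original thread: it asks the OS who owns the console session, resolves that user's profile directory from the registry, locks the store folder down to that user, SYSTEM and Administrators, and then runs ScanState with /ue:*\* plus /ui:DOMAIN\user so the store holds exactly one profile. The USMT install path C:\USMT\amd64, the script path C:\USMT\Backup-CurrentUser.ps1 and the task name are assumptions for illustration; Documents is assumed not to be folder-redirected.

```powershell
<#
  Backup-CurrentUser.ps1  (added example; not from the original thread)

  Runs ScanState from a scheduled task that executes as SYSTEM, but captures
  only the interactively logged-on user and writes the store into that user's
  own profile, with an ACL that leaves only that user, SYSTEM and
  Administrators able to read it.

  Assumptions (hypothetical; adjust to your environment):
    - USMT 4.0 binaries live in C:\USMT\amd64
    - Documents is not folder-redirected, so <profile>\Documents is local
    - the task is registered as SYSTEM with the schtasks line at the bottom
#>

$UsmtDir = 'C:\USMT\amd64'   # assumption: location of scanstate.exe

# Under SYSTEM, $env:USERNAME expands to the machine account (COMPUTERNAME$),
# which is why the thread saw a "Computername$" store. Ask the OS who owns the
# console session instead. Get-WmiObject is used so this runs on the
# PowerShell 2.0 that ships with Windows 7.
function Get-InteractiveUser {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.UserName) { throw 'No interactive user is logged on; nothing to capture.' }
    return $cs.UserName                      # "DOMAIN\user"
}

# Resolve the profile directory from the ProfileList key rather than guessing
# C:\Users\<name>, which is wrong for renamed or user.DOMAIN profiles.
function Get-ProfilePath([string]$Account) {
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    $raw = (Get-ItemProperty -Path $key).ProfileImagePath
    return [Environment]::ExpandEnvironmentVariables($raw)
}

# Break inheritance on the store folder and grant access only to the owning
# user, SYSTEM and Administrators. Other standard users on the machine can no
# longer open the .MIG, which is the exposure the question is about. Files
# ScanState creates inside inherit these ACEs.
function Protect-StoreFolder([string]$Path, [string]$Account) {
    if (-not (Test-Path -Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
    foreach ($principal in @($Account, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

$account    = Get-InteractiveUser
$profileDir = Get-ProfilePath -Account $account
$store      = Join-Path $profileDir 'Documents\USMT'
$log        = Join-Path $profileDir 'Documents\scanstate.log'
Protect-StoreFolder -Path $store -Account $account

# /ue:*\* excludes every account and /ui puts the console user back (/ui takes
# precedence over /ue), so the store holds exactly one profile. /o overwrites
# the previous run's store instead of failing on it.
$scanArgs = @(
    "`"$store`"",
    '/o',
    '/ue:*\*',
    "/ui:$account",
    "/l:`"$log`"",
    '/v:5'
)
$proc = Start-Process -FilePath (Join-Path $UsmtDir 'scanstate.exe') `
                      -ArgumentList $scanArgs -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    throw "ScanState exited with $($proc.ExitCode); see $log"
}

# Register once from an elevated prompt. The task runs as SYSTEM at each logon,
# so the user needs no local admin rights; the one-minute delay gives the
# console session time to show up in Win32_ComputerSystem.UserName.
#   schtasks /Create /TN "USMT Backup" /SC ONLOGON /DELAY 0001:00 /RU SYSTEM /RL HIGHEST /F ^
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\USMT\Backup-CurrentUser.ps1"
```

Two caveats for anyone deploying this. The ACL stops other standard users on the box from reading the store, but it cannot stop local Administrators or anyone who pulls the disk; if that matters, ScanState's /encrypt with /keyfile adds a layer, at the cost of having to protect the key file at least as carefully as the store. And since the backup agent now has to collect a folder inside each profile rather than one central directory, check that it runs with enough rights to traverse C:\Users\<name>\Documents\USMT after the inheritance break above.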
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 40006874
Try the following in a batch script for non admins. It's dirty but should work.

Net localgroup administrators %username% /add
scanstate.exe c:\users\%username%\documents\ /o /uel:0
Net localgroup administrators %username% /delete
0
 

Author Comment

by:res00f0j2
ID: 40006992
Thanks. I'll run that by our local security to see if that's possible.  When I tried to select "Authenticated Users" to run the Scheduled Task I get the error below.

"An error has occurred for task USMT.  Error message: The following error was reported: The Task XML contains a value which is incorrectly formatted or out of range."

What account/group should I set the task to run under?  built-in\administrators?
0
 

Author Comment

by:res00f0j2
ID: 40009090
Yeah....security looked at me like I was crazy.

So we're back at square one which is getting USMT to run while the user is logged on, capture their profile and put it in their
0
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 40019175
It was a shot in the dark. This is getting out of my range of knowledge. I will keep looking into it though
0
