Solved

USMT Security

Posted on 2014-04-03
Last Modified: 2014-04-29
I have USMT running through Task Scheduler in Windows 7.  USMT runs and puts the .mig file in a central location and the backup software grabs that folder so I always have a backup of my settings to restore later.

One thing I noticed is that USMT grabs ALL profiles and puts them in one file. I realized a pretty big security issue where if someone gets that .mig file off of the computer, it can be expanded, thus retrieving all users' files which would normally be protected via the Windows settings built into each profile.

Is there a way to have USMT run and have it dump only the current user's profile and secure it within their own profile?
I tried this, but not sure if it worked right:
ScanState.exe c:\users\%username%\documents\ /ue:*\* /ui:%USERDOMAIN%\%USERNAME%

my USMT file path is set to c:\users\%username%\documents\
Question by:res00f0j2
14 Comments
 
LVL 3

Accepted Solution

by:
Jeremy Tyre earned 500 total points
ID: 39982844
Try
scanstate.exe c:\users\%username%\documents\ /uel:0


The /uel:0 should only allow those that are currently logged in to migrate.  If you want to overwrite the file every time it runs then use
scanstate.exe c:\users\%username%\documents\ /o /uel:0


Let me know if that works for you.  If not then we can start making logs and see where it goes wrong.
0
 

Author Comment

by:res00f0j2
ID: 39983177
will do.  thanks.  I'll post back with my results.
0
 

Author Comment

by:res00f0j2
ID: 39989889
It appears that the %username% path will work but I'm having a minor issue with my code or the way USMT runs.  I have a .cmd file that runs the scanstate that is launched by a Scheduled Task. The issue I'm facing now is what privileges to run that scheduled task under.  I have it running as SYSTEM.  As you know, USMT requires admin privileges to run.  When it runs as SYSTEM, the task shows complete but nothing is written to the store path directory.
0
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 39990054
Try making it a .bat and running it as a local admin manually.  When you can confirm that is working then try making it a task.
0
 

Author Comment

by:res00f0j2
ID: 39994965
I ran the CMD and a BAT as local admin (right click, Run as Administrator). I'm in the local admins group on my computer, but the users on the Enterprise will not be.

The scanstate.cmd file is triggered by a scheduled task which uses the SYSTEM account to launch.  When it runs, it appears to complete but nothing is written to the profile folder set by the storepath.

You can try this and see it happen.  Set a scheduled task to launch a cmd or batch file and set the task to run as SYSTEM.
0
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 39994977
Ok, I will check it this weekend and see if I can come up with a work bat for you.
0
 

Author Comment

by:res00f0j2
ID: 39995291
Thanks.  Really, what I'm looking for is a solution that will run USMT and create a MIG file for each user and store it in their profile.  I know USMT requires admin to run, but it seems like a huge security hole because unless your store path is a server share, then anyone could get a hold of the MIG file and expand all users' data normally protected by Windows. I hope this makes sense.
Thanks
0
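The concern in the post above (anyone who copies the .mig can expand every user's data) is what USMT's store encryption is for. The following PowerShell script is an added example, not code from the thread or from the USMT documentation: it runs the accepted answer's /uel:0 capture from an elevated prompt, but encrypts the store with a per-user key file kept outside the folder the backup job collects, then proves the store is only readable with that key. Assumed, not taken from the thread: the USMT 4.0 install path in $UsmtDir, the key directory under ProgramData, and that AES_256 is one of the algorithms "usmtutils /ec" lists on the host.

```powershell
# Added example (not from the thread): capture the logged-on user with /uel:0,
# but encrypt the store so a copied USMT.MIG cannot be expanded without the key,
# and keep the key out of the folder that the backup software collects.
# Run from an elevated (Run as Administrator) PowerShell prompt.
# Assumptions: USMT 4.0 under $UsmtDir; "usmtutils /ec" lists AES_256 on this host.
param(
    [string]$UsmtDir   = 'C:\Program Files\USMT\amd64',                 # assumption
    [string]$StoreRoot = (Join-Path $env:USERPROFILE 'Documents\USMT'),  # the backed-up folder
    [string]$KeyDir    = (Join-Path $env:ProgramData 'USMT\keys')        # NOT under the backed-up folder
)
$ErrorActionPreference = 'Stop'
$scanstate = Join-Path $UsmtDir 'scanstate.exe'
$usmtutils = Join-Path $UsmtDir 'usmtutils.exe'

# One key per user, generated once and reused so that a later loadstate can
# still decrypt older stores. USMT reads the key file as text, so the random
# key is stored Base64-encoded (plain ASCII).
New-Item -ItemType Directory -Force -Path $KeyDir | Out-Null
$keyFile = Join-Path $KeyDir ("{0}.key" -f $env:USERNAME)
if (-not (Test-Path $keyFile)) {
    $bytes = New-Object byte[] 32
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    [System.IO.File]::WriteAllText($keyFile, [Convert]::ToBase64String($bytes))
    # Cut inheritance and allow read access only to SYSTEM, Administrators and the key's user.
    & icacls.exe $keyFile /inheritance:r | Out-Null
    & icacls.exe $keyFile /grant:r 'SYSTEM:(R)' | Out-Null
    & icacls.exe $keyFile /grant:r 'Administrators:(R)' | Out-Null
    & icacls.exe $keyFile /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(R)" | Out-Null
}

New-Item -ItemType Directory -Force -Path $StoreRoot | Out-Null
$log = Join-Path $StoreRoot 'scanstate.log'

# /uel:0            only users currently logged on (the accepted answer)
# /o                overwrite the previous run's store
# /c                continue on non-fatal errors (one locked file must not abort the capture)
# /encrypt:AES_256  encrypt the store; the key comes from /keyfile
& $scanstate $StoreRoot /uel:0 /o /c /encrypt:AES_256 "/keyfile:$keyFile" "/l:$log" /v:5
if ($LASTEXITCODE -ne 0) { throw "scanstate failed with exit code $LASTEXITCODE; see $log" }

# scanstate writes <StoreRoot>\USMT\USMT.MIG. Verify that the store opens with the key,
# which is also the check that it does NOT open without one.
$mig = Join-Path $StoreRoot 'USMT\USMT.MIG'
& $usmtutils /verify:summary $mig /decrypt:AES_256 "/keyfile:$keyFile"
if ($LASTEXITCODE -ne 0) { throw "usmtutils could not verify $mig with $keyFile" }

# Restore later on the target machine (as an administrator) with the same key file:
#   loadstate.exe <StoreRoot> /decrypt:AES_256 /keyfile:<copy of the .key> /l:loadstate.log
```

The point of the separate $KeyDir is that encryption buys nothing if the key travels with the store: the backup job in the question copies the whole Documents folder, so a key placed next to USMT.MIG would be in the same backup set. Losing the key file means losing every store encrypted with it, so the key directory needs its own, access-controlled backup.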
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 39998021
You are going to need a more advanced batch script or a powershell script to do this, imo.  Let me do some research and testing and get back with you.  When do you need this by?
0
 

Author Comment

by:res00f0j2
ID: 39998181
There might be an option for me to do this within wics. I just haven't done it yet. Please let me know what you find either way.
0
 

Author Comment

by:res00f0j2
ID: 40006795
Nothing has changed. It's still misbehaving.

Here is where I'm at now.
I have my cmd file execute the following string
scanstate.exe c:\users\%username%\documents\USMT /uel:0 (including switches for log files...)

When a regular user (no privileges) is logged on and the scheduled task runs as SYSTEM, the task executes and actually creates a profile folder named "Computername$" and creates a MIG file for the SYSTEM.  This is caused by /uel:0, because USMT sees that SYSTEM is executing USMT and treats it (/uel:0) as the current logged-on user instead of who's actually logged on.

When I run the task as Built-in\Administrators, the task fails because it sits there and waits for authentication.

So this goes back to my original question.  
How do I run USMT as a regular user and only capture their profile.  The quote below from the USMT site assumes that you can.

" If you do not run USMT in “Administrator” mode, only the user profile that is logged on will be included in the migration." from link: http://technet.microsoft.com/en-us/library/cc749015(v=ws.10).aspx
0
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 40006874
Try the following in a batch script for non admins. It's dirty but should work.

Net localgroup administrators %username% /add
scanstate.exe c:\users\%username%\documents\ /o /uel:0
Net localgroup administrators %username% /delete
0
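Adding the user to Administrators for the duration of the run, as in the batch script just above, hands every user a window of local admin rights; and the /uel:0 problem described in the earlier post (SYSTEM capturing the computer account instead of the logged-on user) is really a scoping problem, not a privilege problem. The PowerShell script below is an added example, not code from the thread or from Microsoft: it is meant to be launched by the existing scheduled task running as SYSTEM, works out who is logged on at the console, locks down a store folder inside that user's own profile, and captures only that user with /ue and /ui instead of /uel:0. Assumptions not in the thread: the USMT 4.0 path in $UsmtDir, that the task is triggered at logon (the schtasks line in the comments), and the Documents\USMT store location.

```powershell
# Added example (not from the thread): run from the scheduled task as SYSTEM.
# Nobody is added to Administrators; SYSTEM already has the rights USMT needs,
# and the capture is narrowed to the console user with /ue + /ui. /uel:0 is
# deliberately NOT used: under SYSTEM it selects the computer account, as the
# thread observed.
# Assumed task registration (one line, run once as an administrator):
#   schtasks /create /tn "USMT Capture" /sc onlogon /ru SYSTEM /rl highest
#     /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Capture-UserState.ps1"
param([string]$UsmtDir = 'C:\Program Files\USMT\amd64')   # assumption
$ErrorActionPreference = 'Stop'

# 1. Who is logged on at the console? WMI reports DOMAIN\user, or nothing if no one is.
$consoleUser = (Get-WmiObject -Class Win32_ComputerSystem).UserName
if (-not $consoleUser) { Write-Warning 'No interactive user logged on; nothing to capture'; exit 0 }

# 2. Resolve that user's profile directory through the SID and ProfileList, rather than
#    guessing C:\Users\<name>: a renamed account or a "<name>.DOMAIN" folder breaks the guess.
$account = New-Object System.Security.Principal.NTAccount($consoleUser)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$profileKey  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
$profilePath = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $profileKey).ProfileImagePath)
$storeRoot   = Join-Path $profilePath 'Documents\USMT'   # assumption: store lives in the user's profile

# 3. Create the store folder and lock it down BEFORE scanstate writes into it:
#    inheritance cut, explicit ACEs only for the user, SYSTEM and Administrators, so a
#    permissive parent ACL can never expose the .mig to other local accounts.
New-Item -ItemType Directory -Force -Path $storeRoot | Out-Null
$acl = Get-Acl -Path $storeRoot
$acl.SetAccessRuleProtection($true, $false)                # stop inheriting, do not copy inherited ACEs
$acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($principal in @($consoleUser, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $storeRoot -AclObject $acl

# 4. Capture exactly one profile. /ui takes precedence over /ue, so excluding everyone
#    with /ue:*\* and including the console user with /ui yields that user and no other,
#    even though SYSTEM could read every profile on the machine.
$log = Join-Path $storeRoot 'scanstate.log'
& (Join-Path $UsmtDir 'scanstate.exe') $storeRoot '/ue:*\*' "/ui:$consoleUser" /o /c "/l:$log" /v:5
if ($LASTEXITCODE -ne 0) { throw "scanstate exited with $LASTEXITCODE; see $log" }

# 5. scanstate writes <storeRoot>\USMT\USMT.MIG; fail loudly if it did not.
$mig = Join-Path $storeRoot 'USMT\USMT.MIG'
if (-not (Test-Path $mig)) { throw "no store written at $mig" }
```

Two caveats for this layout. The ACL keeps other standard users out, but Administrators and SYSTEM can still read the store, and the backup job in the question copies it off the machine regardless; if the .mig must be useless when it leaves the box, add USMT's /encrypt with /keyfile to the scanstate line and keep the key file outside the backed-up folder. And an ONLOGON task fires for every logon, so a shared machine gets one run per user session; that is the intended behaviour here, since each run lands in a different profile.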
 

Author Comment

by:res00f0j2
ID: 40006992
Thanks. I'll run that by our local security to see if that's possible.  When I tried to select "Authenticated Users" to run the Scheduled Task I get the error below.

"An error has occurred for task USMT.  Error message: The following error was reported: The Task XML contains a value which is incorrectly formatted or out of range."

What account/group should I set the task to run under?  built-in\administrators?
0
 

Author Comment

by:res00f0j2
ID: 40009090
Yeah.... security looked at me like I was crazy.

So we're back at square one which is getting USMT to run while the user is logged on, capture their profile and put it in their
0
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 40019175
It was a shot in the dark. This is getting out of my range of knowledge. I will keep looking into it though
0
