  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 384

USMT Security

I have USMT running through Task Scheduler in Windows 7.  USMT runs and puts the .mig file in a central location and the backup software grabs that folder so I always have a backup of my settings to restore later.

One thing I noticed is that USMT grabs ALL profiles and puts them in one file. I realized a pretty big security issue where if someone gets that .mig file off of the computer, it can be expanded, thus retrieving all users' files which would normally be protected via Windows settings built into each profile.

Is there a way to have USMT run and have it dump only the current user's profile and secure it within their own profile?
I tried this, but not sure if it worked right:
ScanState.exe /ue:*\* /ui:%USERDOMAIN%\%USERNAME%

my USMT file path is set to c:\users\%username%\documents\
Asked by: res00f0j2
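An added example, not code from this thread or from Microsoft: one PowerShell script that addresses both problems raised here, the task running as SYSTEM (where %USERNAME% is not the logged-on user) and the capture of a single profile into a store only that user can read. It assumes USMT lives in C:\USMT\amd64 and that the store goes under the user's own Documents folder; it goes beyond the thread by locking the store's ACL down before ScanState writes to it.

```powershell
# Added example, not code from the thread. Runs under the SYSTEM scheduled task
# and captures only the interactively logged-on user's profile into that user's
# own profile folder. Assumed layout: USMT binaries in C:\USMT\amd64.
$UsmtDir = 'C:\USMT\amd64'

# Under SYSTEM, %USERNAME% expands to COMPUTERNAME$ (the behaviour seen in the
# thread), so ask the OS which account owns the console session instead.
$logon = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if (-not $logon) {
    Write-Warning 'No interactive user is logged on; nothing to capture.'
    exit 0
}

# Resolve the account to its SID and real profile path (do not assume C:\Users\<name>).
$sid = ([System.Security.Principal.NTAccount]$logon).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$profileDir = (Get-CimInstance -ClassName Win32_UserProfile -Filter "SID='$sid'").LocalPath
$store = Join-Path $profileDir 'Documents\USMT'
New-Item -ItemType Directory -Path $store -Force | Out-Null

# Lock the store down before anything is written: drop inherited ACEs and grant
# only SYSTEM, local Administrators and the owning user.
icacls $store /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "${logon}:(OI)(CI)M" | Out-Null

# /ue:*\* excludes every account, then /ui re-includes just this one, so the
# .mig never contains other users' data. /o overwrites the previous run's store.
# Add /encrypt /keyfile:<path> if the backup job copies the store off the host.
& (Join-Path $UsmtDir 'scanstate.exe') $store `
    "/i:$UsmtDir\MigUser.xml" "/i:$UsmtDir\MigApp.xml" `
    '/ue:*\*' "/ui:$logon" /o /c `
    "/l:$store\scanstate.log" /v:5
exit $LASTEXITCODE
```

The task still runs as SYSTEM, so no user is ever added to the Administrators group; the user only ever sees their own store.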
1 Solution

Jeremy Tyre commented:
Try
scanstate.exe c:\users\%username%\documents\ /uel:0

The /uel:0 should only allow those that are currently logged in to migrate.  If you want to overwrite the file everytime it runs then use
scanstate.exe c:\users\%username%\documents\ /o /uel:0

Let me know if that works for you.  If not then we can start making logs and see where it goes wrong.

res00f0j2 (Author) commented:
will do.  thanks.  I'll post back with my results.

res00f0j2 (Author) commented:
It appears that the %username% path will work but I'm having a minor issue with my code or the way USMT runs.  I have a .cmd file that runs the scanstate that is launched by a Scheduled Task. The issue I'm facing now is what privileges to run that scheduled task under.  I have it running as SYSTEM.  As you know, USMT requires admin privileges to run.  When it runs as SYSTEM, the task shows complete but nothing is written to the store path directory.

Jeremy Tyre commented:
Try making it a .bat and running it as a local admin manually.  When you can confirm that is working then try making it a task.

res00f0j2 (Author) commented:
I ran the CMD and a BAT as local admin (right click, Run as Administrator).  I'm in the local admins group on my computer, but the users on the Enterprise will not be.

The scanstate.cmd file is triggered by a scheduled task which uses the SYSTEM account to launch.  When it runs, it appears to complete but nothing is written to the profile folder set by the storepath.

You can try this and see it happen.  Set a scheduled task to launch a cmd or batch file and set the task to run as SYSTEM.

Jeremy Tyre commented:
Ok, I will check it this weekend and see if I can come up with a working bat for you.

res00f0j2 (Author) commented:
Thanks.  Really, what I'm looking for is a solution that will run USMT and create a MIG file for each user and store it in their profile.  I know USMT requires admin to run, but it seems like a huge security hole because unless your store path is a server share, then anyone could get a hold of the MIG file and expand all users' data normally protected by Windows. I hope this makes sense.
Thanks

Jeremy Tyre commented:
You are going to need a more advanced batch script or a powershell script to do this, imo.  Let me do some research and testing and get back with you.  When do you need this by?

res00f0j2 (Author) commented:
There might be an option for me to do this within wics. I just haven't done it yet. Please let me know what you find either way.

res00f0j2 (Author) commented:
Nothing has changed. It's still misbehaving.

Here is where I'm at now.
I have my cmd file execute the following string
scanstate.exe c:\users\%username%\documents\USMT /uel:0 (including switches for log files...)

When a regular user (no privileges) is logged on and the scheduled task runs as SYSTEM, the task executes and actually creates a profile folder named "Computername$" and creates a MIG file for the SYSTEM.  This is caused by /uel:0 because USMT sees that SYSTEM is executing USMT and sees it as (/uel:0) the current logged on user instead of who's actually logged on.

When I run the task as Built-in\Administrators, the task fails because it sits there and waits for authentication.

So this goes back to my original question.  
How do I run USMT as a regular user and only capture their profile?  The quote below from the USMT site assumes that you can.

" If you do not run USMT in “Administrator” mode, only the user profile that is logged on will be included in the migration." from link: http://technet.microsoft.com/en-us/library/cc749015(v=ws.10).aspx

Jeremy Tyre commented:
Try the following in a batch script for non admins. It's dirty but should work.

Net localgroup administrators %username% /add
scanstate.exe c:\users\%username%\documents\ /o /uel:0
Net localgroup administrators %username% /delete

res00f0j2 (Author) commented:
Thanks. I'll run that by our local security to see if that's possible.  When I tried to select "Authenticated Users" to run the Scheduled Task I get the error below.

"An error has occurred for task USMT.  Error message: The following error was reported: The Task XML contains a value which is incorrectly formatted or out of range."

What account/group should I set the task to run under?  built-in\administrators?

res00f0j2 (Author) commented:
Yeah....security looked at me like I was crazy.

So we're back at square one which is getting USMT to run while the user is logged on, capture their profile and put it in their

Jeremy Tyre commented:
It was a shot in the dark. This is getting out of my range of knowledge. I will keep looking into it though