Solved

USMT Security

Posted on 2014-04-03
14
369 Views
Last Modified: 2014-04-29
I have USMT running through Task Scheduler in Windows 7.  USMT runs and puts the .mig file in a central location and the backup software grabs that folder so I always have a backup of my settings to restore later.

One thing I noticed is that USMT grabs ALL profiles and puts them in one file. I realized a pretty big security issue where if someone gets that .mig file off of the computer, it can be expanded, thus retrieving all users' files which would normally be protected via Windows settings built into each profile.

Is there a way to have USMT run and have it dump only the current user's profile and secure it within their own profile?
I tried this, but not sure if it worked right:
ScanState.exe /ue:*\* /ui:%USERDOMAIN%\%USERNAME%

my USMT file path is set to c:\users\%username%\documents\
0
Question by:res00f0j2
14 Comments
 
LVL 3

Accepted Solution

by:
Jeremy Tyre earned 500 total points
ID: 39982844
Try
scanstate.exe c:\users\%username%\documents\ /uel:0


The /uel:0 should only allow those that are currently logged in to migrate.  If you want to overwrite the file every time it runs then use
scanstate.exe c:\users\%username%\documents\ /o /uel:0


Let me know if that works for you.  If not then we can start making logs and see where it goes wrong.
0
 

Author Comment

by:res00f0j2
ID: 39983177
will do.  thanks.  I'll post back with my results.
0
 

Author Comment

by:res00f0j2
ID: 39989889
It appears that the %username% path will work but I'm having a minor issue with my code or the way USMT runs.  I have a .cmd file that runs the scanstate that is launched by a Scheduled Task. The issue I'm facing now is what privileges to run that scheduled task under.  I have it running as SYSTEM.  As you know, USMT requires admin privileges to run.  When it runs as SYSTEM, the task shows complete but nothing is written to the store path directory.
0

 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 39990054
Try making it a .bat and running it as a local admin manually.  When you can confirm that is working then try making it a task.
0
 

Author Comment

by:res00f0j2
ID: 39994965
I ran the CMD and a BAT as local admin (right click, Run as Administrator).  I'm in the local admins group on my computer, but the users on the Enterprise will not be.

The scanstate.cmd file is triggered by a scheduled task which uses the SYSTEM account to launch.  When it runs, it appears to complete but nothing is written to the profile folder set by the storepath.

You can try this and see it happen.  Set a scheduled task to launch a cmd or batch file and set the task to run as SYSTEM.
0
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 39994977
Ok, I will check it this weekend and see if I can come up with a working bat for you.
0
 

Author Comment

by:res00f0j2
ID: 39995291
Thanks.  Really, what I'm looking for is a solution that will run USMT and create MIG file for each user and store it in their profile.  I know USMT requires admin to run, but it seems like a huge security hole because unless your store path is a server share, then anyone could get a hold of the Mig file and expand all users data normally protected by windows. I hope this makes sense.
Thanks
0
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 39998021
You are going to need a more advanced batch script or a powershell script to do this, imo.  Let me do some research and testing and get back with you.  When do you need this by?
0
 

Author Comment

by:res00f0j2
ID: 39998181
There might be an option for me to do this within wics. I just haven't done it yet. Please let me know what you find either way.
0
 

Author Comment

by:res00f0j2
ID: 40006795
Nothing has changed. It's still misbehaving.

Here is where I'm at now.
I have my cmd file execute the following string
scanstate.exe c:\users\%username%\documents\USMT /uel:0 (including switches for log files...)

When a regular user (no privileges) is logged on and the scheduled task runs as SYSTEM, the task executes and actually creates a profile folder named "Computername$" and creates a MIG file for the SYSTEM.  This is caused by /uel:0 because USMT sees that SYSTEM is executing USMT and sees it as (/uel:0) the current logged on user instead of who's actually logged on.

When I run the task as Built-in\Administrators, the task fails because it sits there and waits for authentication.

So this goes back to my original question.  
How do I run USMT as a regular user and only capture their profile.  The quote below from the USMT site assumes that you can.

" If you do not run USMT in “Administrator” mode, only the user profile that is logged on will be included in the migration." from link: http://technet.microsoft.com/en-us/library/cc749015(v=ws.10).aspx
0
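The problem described above is that under a SYSTEM task, %USERNAME% and /uel:0 both resolve to the computer account rather than the person at the console. The following PowerShell script is an added example, not code from this thread or from Microsoft: it is meant to run from the SYSTEM scheduled task, looks up the console user through WMI instead of %USERNAME%, captures only that user's profile with /ui plus a wildcard /ue, and restricts the store folder to that user, SYSTEM and Administrators before scanstate writes into it. The USMT folder path and the Documents\USMT store location are assumptions.

```powershell
# Added example (not from the thread). Run from a scheduled task as SYSTEM.
# Assumption: scanstate.exe lives in $UsmtPath (placeholder path).
param(
    [string]$UsmtPath = 'C:\USMT\amd64'
)

# Under SYSTEM, %USERNAME% is COMPUTERNAME$, so ask WMI who holds the console session.
# Returns DOMAIN\user, or $null when nobody is logged on interactively.
$consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if (-not $consoleUser) {
    Write-Warning 'No interactive user logged on; nothing to capture.'
    exit 0
}

# Resolve the account to its SID and local profile folder rather than guessing C:\Users\<name>.
$sid = ([System.Security.Principal.NTAccount]$consoleUser).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$userProfile = Get-CimInstance -ClassName Win32_UserProfile -Filter "SID='$sid'"
if (-not $userProfile) { throw "No local profile found for $consoleUser" }

# Store goes inside the user's own profile (assumed location: Documents\USMT).
$store = Join-Path $userProfile.LocalPath 'Documents\USMT'
New-Item -ItemType Directory -Path $store -Force | Out-Null

# Lock the store down before anything is written: drop inherited ACEs, then grant
# only the owner, SYSTEM (the writer) and local Administrators.
& icacls.exe $store /inheritance:r `
    /grant:r "${consoleUser}:(OI)(CI)F" 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' |
    Out-Null

# /ui takes precedence over /ue, so "exclude everyone, include the console user"
# yields a .mig containing exactly one profile regardless of who runs scanstate.
$scanstate = Join-Path $UsmtPath 'scanstate.exe'
$scanArgs = @(
    $store,
    '/o',                       # overwrite the previous store each run
    "/ui:$consoleUser",         # include only the console user
    '/ue:*\*',                  # exclude every other profile
    '/c',                       # continue on non-fatal errors
    "/l:$store\scanstate.log"   # keep the log next to the store
)
& $scanstate @scanArgs
if ($LASTEXITCODE -ne 0) {
    throw "scanstate exited with $LASTEXITCODE; see $store\scanstate.log"
}
```

Because the task runs as SYSTEM, the user's own token never needs administrator rights, which avoids the temporary group-membership change discussed later in the thread; USMT's /encrypt /key option can additionally encrypt the store if the key can be managed safely.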
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 40006874
Try the following in a batch script for non admins. It's dirty but should work.

Net localgroup administrators %username% /add
scanstate.exe c:\users\%username%\documents\ /o /uel:0
Net localgroup administrators %username% /delete
0
 

Author Comment

by:res00f0j2
ID: 40006992
Thanks. I'll run that by our local security to see if that's possible.  When I tried to select "Authenticated Users" to run the Scheduled Task I get the error below.

"An error has occurred for task USMT.  Error message: The following error was reported: The Task XML contains a value which is incorrectly formatted or out of range."

What account/group should I set the task to run under?  built-in\administrators?
0
 

Author Comment

by:res00f0j2
ID: 40009090
Yeah....security looked at me like I was crazy.

So we're back at square one which is getting USMT to run while the user is logged on, capture their profile and put it in their
0
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 40019175
It was a shot in the dark. This is getting out of my range of knowledge. I will keep looking into it though
0
