Solved

USMT Security

Posted on 2014-04-03
Last Modified: 2014-04-29
I have USMT running through Task Scheduler in Windows 7.  USMT runs and puts the .mig file in a central location and the backup software grabs that folder so I always have a backup of my settings to restore later.

One thing I noticed is that USMT grabs ALL profiles and puts them in one file. I realized a pretty big security issue where if someone gets that .mig file off of the computer, it can be expanded, thus retrieving all users' files which would normally be protected via Windows settings built into each profile.

Is there a way to have USMT run and have it dump only the current user's profile and secure it within their own profile?
I tried this, but not sure if it worked right:
ScanState.exe /ue:*\* /ui:%USERDOMAIN%\%USERNAME%

my USMT file path is set to c:\users\%username%\documents\
Question by:res00f0j2
14 Comments
 
LVL 3

Accepted Solution

by:
Jeremy Tyre earned 500 total points
ID: 39982844
Try
scanstate.exe c:\users\%username%\documents\ /uel:0

The /uel:0 should only allow those that are currently logged in to migrate.  If you want to overwrite the file every time it runs then use
scanstate.exe c:\users\%username%\documents\ /o /uel:0

Let me know if that works for you.  If not then we can start making logs and see where it goes wrong.
 

Author Comment

by:res00f0j2
ID: 39983177
will do.  thanks.  I'll post back with my results.
 

Author Comment

by:res00f0j2
ID: 39989889
It appears that the %username% path will work but I'm having a minor issue with my code or the way USMT runs.  I have a .cmd file that runs the scanstate that is launched by a Scheduled Task. The issue I'm facing now is what privileges to run that scheduled task with.  I have it running as SYSTEM.  As you know, USMT requires admin privileges to run.  When it runs as SYSTEM, the task shows complete but nothing is written to the store path directory.
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 39990054
Try making it a .bat and running it as a local admin manually.  When you can confirm that is working then try making it a task.
 

Author Comment

by:res00f0j2
ID: 39994965
I ran the CMD and a BAT as local admin (right click, Run as Administrator). I'm in the local admins group on my computer, but the users on the Enterprise will not be.

The scanstate.cmd file is triggered by a scheduled task which uses the SYSTEM account to launch.  When it runs, it appears to complete but nothing is written to the profile folder set by the storepath.

You can try this and see it happen.  Set a scheduled task to launch a cmd or batch file and set the task to run as SYSTEM.
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 39994977
Ok, I will check it this weekend and see if I can come up with a working bat for you.
 

Author Comment

by:res00f0j2
ID: 39995291
Thanks.  Really, what I'm looking for is a solution that will run USMT and create a MIG file for each user and store it in their profile.  I know USMT requires admin to run, but it seems like a huge security hole because unless your store path is a server share, then anyone could get hold of the MIG file and expand all users' data normally protected by Windows. I hope this makes sense.
Thanks
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 39998021
You are going to need a more advanced batch script or a powershell script to do this, imo.  Let me do some research and testing and get back with you.  When do you need this by?
 

Author Comment

by:res00f0j2
ID: 39998181
There might be an option for me to do this within wics. I just haven't done it yet. Please let me know what you find either way.
 

Author Comment

by:res00f0j2
ID: 40006795
Nothing has changed. It's still misbehaving.

Here is where I'm at now.
I have my cmd file execute the following string
scansettings.exe c:\users\%username%\documents\USMT /uel:0 (including switches for log files...)

When a regular user (no privileges) is logged on and the scheduled task runs as SYSTEM, the task executes and actually creates a profile folder named "Computername$" and creates a MIG file for the SYSTEM.  This is caused by /uel:0 because USMT sees that SYSTEM is executing USMT and sees it as (/uel:0) the current logged on user instead of who's actually logged on.

When I run the task as Built-in\Administrators, the task fails because it sits there and waits for authentication.

So this goes back to my original question.
How do I run USMT as a regular user and only capture their profile?  The quote below from the USMT site assumes that you can.

" If you do not run USMT in “Administrator” mode, only the user profile that is logged on will be included in the migration." from link: http://technet.microsoft.com/en-us/library/cc749015(v=ws.10).aspx
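The capture this thread is after (one .mig per logged-on user, written into that user's own profile from a SYSTEM scheduled task), as an added example that is not part of any post here: a PowerShell wrapper that resolves the interactive user from WMI instead of relying on /uel:0, derives the store path from the profile's ProfileImagePath, restricts the store's ACL to that user and SYSTEM, and runs ScanState with the /ue:*\* /ui:DOMAIN\user filter the question already tried. It assumes ScanState.exe is on the PATH and that the task runs as SYSTEM while the user is logged on.

```powershell
# Added example, not from the thread. Assumes ScanState.exe (USMT) is on the PATH
# and this script is started by a Scheduled Task running as SYSTEM while a user
# is logged on. Get-WmiObject is used so it also runs on Windows 7 / PowerShell 2.0.

# 1. Find the interactively logged-on user. Under SYSTEM, /uel:0 selects SYSTEM
#    itself (the "Computername$" store seen in the thread), so ask WMI instead.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.UserName) { Write-Error 'No interactive user is logged on.'; exit 1 }
$domainUser = $cs.UserName                      # form: DOMAIN\user

# 2. Map the account to its profile directory through its SID and the
#    ProfileList key, instead of assuming C:\Users\<username>.
$nt  = New-Object System.Security.Principal.NTAccount($domainUser)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$profileKey  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
$profileRoot = (Get-ItemProperty -Path $profileKey).ProfileImagePath
$store = Join-Path $profileRoot 'Documents\USMT'
New-Item -ItemType Directory -Path $store -Force | Out-Null

# 3. Lock the store down before writing: make its ACL explicit rather than
#    inherited, so the .mig stays readable only by that user and SYSTEM even if
#    the parent folder's permissions are later loosened.
$acl = Get-Acl -Path $store
$acl.SetAccessRuleProtection($true, $false)
foreach ($principal in @($domainUser, 'NT AUTHORITY\SYSTEM')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $store -AclObject $acl

# 4. Capture only that one profile: /ue:*\* excludes everyone, /ui re-includes
#    the logged-on user; /o overwrites the previous store, /c continues past
#    non-fatal errors, /l writes the ScanState log next to the store.
& ScanState.exe $store /o '/ue:*\*' "/ui:$domainUser" /c "/l:$store\scanstate.log"
exit $LASTEXITCODE
```

Because the task runs as SYSTEM, the user never needs to be added to Administrators, and the resulting store holds only the profile that was logged on when the task fired.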
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 40006874
Try the following in a batch script for non admins. It's dirty but should work.

Net localgroup administrators %username% /add
scanstate.exe c:\users\%username%\documents\ /o /uel:0
Net localgroup administrators %username% /delete
 

Author Comment

by:res00f0j2
ID: 40006992
Thanks. I'll run that by our local security to see if that's possible.  When I tried to select "Authenticated Users" to run the Scheduled Task I get the error below.

"An error has occurred for task USMT.  Error message: The following error was reported: The Task XML contains a value which is incorrectly formatted or out of range."

What account/group should I set the task to run under?  built-in\administrators?
 

Author Comment

by:res00f0j2
ID: 40009090
Yeah....security looked at me like I was crazy.

So we're back at square one which is getting USMT to run while the user is logged on, capture their profile and put it in their
 
LVL 3

Expert Comment

by:Jeremy Tyre
ID: 40019175
It was a shot in the dark. This is getting out of my range of knowledge. I will keep looking into it though.