Solved

Windows 7 - sysprep

Posted on 2016-08-17
Last Modified: 2016-10-27
Hello experts,
I've just been introduced to one of my clients who has an onsite local engineer supporting the 50 users/machines at this particular site.
The site has been having all sorts of issues relating to roaming profiles for their Windows 7 users, as well as machines not registering in the WSUS console.
Found out that the way this tech is deploying machines, he's essentially cloning machines without any sysprep, and he's adamant this won't cause any issues. Can you advise if this would be correct? What are the disadvantages of not sysprepping a machine before capture, and what sort of issues can it introduce further down the line?
Question by:craigleenz
5 Comments
 
LVL 12

Assisted Solution

by:Sandeep
Sandeep earned 100 total points
ID: 41759168
If sysprep is not used, all the systems will have a similar SID, which will cause you trouble when adding them to WSUS. When such cloned machines are added to WSUS, they face issues. To fix WSUS issues on such cloned machines, you can try this script on those machines.

You can run this script on all those machines, or simply configure it through GPO as a startup script until the issue is fixed.


Create a batch file named ResetSUSClientID.bat using the text below:

Rem - Batch script to delete duplicate SusClientIDs
Rem - Implement this script as a "Startup" or "Logon" script
Rem - Script creates an output file called %Systemdrive%\SUSClientID.log
Rem - If the %Systemdrive%\SUSClientID.log is already present, then the script simply exits


@Echo off
if exist %systemdrive%\SUSClientID.log goto end
net stop wuauserv
net stop bits
Rem - Value names must be in plain straight quotes; curly quotes make reg.exe fail
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f > %systemdrive%\SUSClientID.log 2>&1
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f >> %systemdrive%\SUSClientID.log 2>&1
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f >> %systemdrive%\SUSClientID.log 2>&1
net start wuauserv
Rem - Request a new client ID from WSUS and trigger detection
wuauclt.exe /resetauthorization /detectnow
:end
exit
0
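
Before rolling the reset script out, it helps to know which cloned machines actually share a WSUS client ID. The following is an added example, not part of the answer above: it reads SusClientId from each machine over Remote Registry and lists every value held by more than one machine. The function names, computer names and GUIDs are constructed for illustration, and it assumes the Remote Registry service is reachable on the targets.

```powershell
# Added example: find machines that share a WSUS client ID (SusClientId).
# Function names are hypothetical; sample names and GUIDs are constructed.
$WuKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

function Get-SusClientId {
    # Reads SusClientId over Remote Registry; unreachable hosts get a $null ID.
    param([string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        $id = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $name)
            $key  = $hklm.OpenSubKey($WuKey)
            if ($key) { $id = $key.GetValue('SusClientId') }
            $hklm.Close()
        } catch {
            Write-Warning "$name : $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{ ComputerName = $name; SusClientId = $id }
    }
}

function Find-DuplicateSusClientId {
    # Groups records by ID and returns only the IDs held by more than one machine.
    param([object[]]$Inventory)
    $Inventory |
        Where-Object { $_.SusClientId } |
        Group-Object -Property SusClientId |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                SusClientId = $_.Name
                Computers   = ($_.Group | ForEach-Object { $_.ComputerName }) -join ', '
            }
        }
}

# Constructed inventory, standing in for:
#   $inventory = Get-SusClientId -ComputerName (Get-Content .\computers.txt)
$inventory = @(
    New-Object PSObject -Property @{ ComputerName = 'PC-01'; SusClientId = 'aaaaaaaa-0000-0000-0000-000000000001' }
    New-Object PSObject -Property @{ ComputerName = 'PC-02'; SusClientId = 'aaaaaaaa-0000-0000-0000-000000000001' }
    New-Object PSObject -Property @{ ComputerName = 'PC-03'; SusClientId = 'bbbbbbbb-0000-0000-0000-000000000002' }
    New-Object PSObject -Property @{ ComputerName = 'PC-04'; SusClientId = $null }
)

# Expect one row: the shared ID with PC-01 and PC-02.
Find-DuplicateSusClientId -Inventory $inventory | Format-Table -AutoSize
```

Machines that show up in one group appear as a single, flip-flopping entry in the WSUS console, which matches the "not registering" symptom in the question.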
 
LVL 12

Expert Comment

by:Sandeep
ID: 41759169
If you wish to run SysPrep on all those machines, you can use an answer file such as this one and run it with SysPrep when those systems are being built.

https://technet.microsoft.com/en-gb/library/hh824849.aspx

Hope this Helps
0
 
LVL 12

Assisted Solution

by:Benjamin Voglar
Benjamin Voglar earned 100 total points
ID: 41759171
An experienced administrator will say "absolutely!" and describe all sorts of scenarios in which the existence of two systems with the same SID could create a black hole that swallows up the planet. They've taken on faith what we all have accepted for years: Duplicate SIDs are the highest form of evil.

Even Mark Russinovich, a software engineer and author who works for Microsoft as a technical fellow, believed that multiple machines with the same SID on the same network would pose a security risk.

http://www.infoworld.com/article/2628004/microsoft-windows/the-sid-debate--to-sysprep-or-not-to-sysprep.html
0
 
LVL 96

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 200 total points
ID: 41759483
It's very simple:

Sysprep is the only supported method of cloning.  The only thing I've heard of actually being an issue is WSUS.  HOWEVER, because non-sysprep'd systems are NOT SUPPORTED by Microsoft, you never know when a patch changes something and something else is affected.  Microsoft would only TEST against sysprep'd systems, so there could be issues at any time.  Bottom line, ALWAYS SYSPREP.  Redeploy those machines properly.  You should never put your network in an unsupported state unless you absolutely have to and then you should be looking for ways back to supported ASAP.
0
 
LVL 18

Accepted Solution

by:
Mike T earned 100 total points
ID: 41761743
Hi,

The question I always have is simple: why would you NOT ever run sysprep? It's not like it's some horribly complicated act that forces you to wait until there's a blue moon on a Tuesday, and you have to sacrifice a goat.

You just double-click or run a command line and wait 5 whole minutes.

As mentioned above:
a) the outcome of NOT running sysprep is not predictable; no-one can say it definitely breaks XYZ, but it might
b) the one and only method of imaging a system that Microsoft supports is running sysprep. They don't care what imaging tool you use (ghost, imagex, Acronis etc.) - they just mandate you run sysprep to "avoid issues".

The bottom line is you run sysprep in case it might cause unpredictable behaviour.
If you don't, the risk of seeing behaviour you cannot explain is that much greater and yes, you have NO support from MS.

Given that, just run it and get on with life.
Note, when cloning you won't get "similar" SIDs you will get identical ones, which is what you want to avoid.

Finally, one thing I would add is if you forget about the SID altogether, sysprep does a lot more on top of changing the SID than you would have to do manually, which I'm guessing your admin might not do either.

Resets Windows Product Activation
Clears out MRU entries, e.g. so the system doesn't have your username in
Strips the computer name
Puts the machine in a workgroup if it's not already
Uninstalls plug and play device drivers, which reduces the risk of hardware compatibility problems
Clears the eventlog (with the reseal option)
Deletes restore points
Removes the local administrator’s profile/disables the account; so you don’t accidentally copy your admin files to every PC in the company!
Boots to Audit mode so you can install third-party applications and device drivers
Runs mini-setup at first boot afterwards, so NOW you name the machine

For me, those are the real reasons to run sysprep. The duplicate SID is more of a "safer to do it than not and risk your boss standing at your desk to explain why you didn't do it" thing.

Mike
1
