
[beta] User Creation Tool

201 replies to this topic

#1
cancerface

cancerface

    a n00b for life

  • Member
  • PipPip
  • 135 posts
  • Joined 27-February 05
:hello:

Although there seem to be many methods for creating users during an unattended setup, I was looking for some tool that would allow the possibility to interact with the user creation process during an unattended installation, especially after burning my source on a CD/DVD. The oobe method doesn't provide this option, and neither does a registry hack via some batch.
Hence this little tool was created (see attached).

Posted Image

How it works:
Place the exe in the same folder with an INI file that you will create and should look like this:
NewUser.ini
[Interface]
CheckValues=0
CancelButton=1
Confirm=1
PasswordCheck=1
MACAddressOveridesSections=1
ParseUserSection=1
ParseComputerSection=1
ParseSecuritySection=1
CheckIfUserExists=1
EnableTimeOut=1
TimeOut=120000
Beep=1
BeepWarning=1
BeepFreq=500
BeepDuration=100

[UserInfo]
FirstName=John
LastName=Doe
Description=System Administrator
UserName=jdoe
Password=123
UnlimitedPass=1
AutoLogon=1
Admin=1

[ComputerInfo]
CompName=DeployedPC
CompWorkGroup=HomeNet
CompDesc=Unattended Windows XP
RegOwner=John Doe
RegOrg=Some Company, Inc.

[ComputerInfo_1]
MAC=00-90-56-C0-DD-00
CompName=DeployedPCA
CompWorkGroup=HomeNetA
CompDesc=Unattended Windows XP (A)
RegOwner=John Doe
RegOrg=Some Company, Inc.
ParseSecuritySection=1
FirstName=Jack
LastName=Doe
Description=System Administrator (A)
UserName=jdoe
Password=567
UnlimitedPass=1
AutoLogon=1
Admin=1
FakeAdmin=1
FakeGuest=1
RenameAdmin=1
RenameGuest=1
DisableAdmin=1
ForcedLogon=1
NewAdminName=rootA
NewGuestName=NewGuestA
HideNewAdmin=1

...

[ComputerInfo_n]
MAC=00-44-45-AB-D0-08
CompName=DeployedPCB
CompWorkGroup=HomeNetB
CompDesc=Unattended Windows XP (B)
RegOwner=John Doe
RegOrg=Yet Another Company, Inc.
ParseSecuritySection=0
FirstName=Jim
LastName=Doe
Description=System Administrator (B)
UserName=jimdoe
Password=567891
UnlimitedPass=1
AutoLogon=1
Admin=1
FakeAdmin=
FakeGuest=
RenameAdmin=
RenameGuest=
DisableAdmin=
ForcedLogon=
NewAdminName=
NewGuestName=
HideNewAdmin=

[SecurityInfo]
FakeAdmin=1
FakeGuest=1
RenameAdmin=1
RenameGuest=1
NewAdminName=root
NewGuestName=NewGuest
DisableAdmin=1
ForcedLogon=0
HideNewAdmin=1
The [Interface] Section contains entries that can be either 1 or 0.
CheckValues forces the program to check if the user has filled all fields.
CancelButton displays or hides the cancel button.
Confirm invokes a dialog asking if you really want to proceed with the user creation process (...)
PasswordCheck will disable password checking and will force an empty password
(new!) MACAddressOveridesSections will override all the [UserInfo] and [SecurityInfo] values and will force reading them directly from an appropriate [ComputerInfo_n] section
ParseUserSection if set to 0 the user-creation part will not get processed
ParseComputerSection if set to 0 the computer-renaming part will not get processed
ParseSecuritySection if set to 0 the security section will not be processed
CheckIfUserExists if set to 1 will force a check for the username in the local user database
EnableTimeOut if set to 0 will disable the timeout and the next parameter (TimeOut) will be ignored
TimeOut is the time that you want the program to wait before adding the user. Note that this value is in milliseconds.
Beep if set to 1 it enables a sound from the PC speaker when the progress bar is changing
BeepWarning if set to 1 will only allow the sound when the bar is at 50% or less of the TimeOut value
BeepFreq sets the frequency of the sound (50 - 5000)
BeepDuration sets the duration in ms of the sound (50 - 1000)

The first five values of the [UserInfo] section are self explanatory.
Admin can be either 1 or 0. In the first case the created user will be added to the admin group. If the value is 0 then the user will be added to the users group.
UnlimitedPass can be either 1 or 0. In the first case the password will be set not to expire.
AutoLogon can also be 1 or 0. If it is set to 1 then the user will be automatically logged to the system.

The [ComputerInfo] section controls five parameters:
CompName and CompDesc can be used to set up the computer's name and description
CompWorkGroup is used to set the name of the workgroup for the PC and join it.
RegOwner is used to set the registered owner of the local PC
RegOrg is used to set the registered organization of the local PC

Additionally, the program looks for n [ComputerInfo_n] sections which contain similar information to the [ComputerInfo] section but they are tied to specific MAC addresses.
A [ComputerInfo_n] section contains, in addition to the above, a parameter called MAC which is used to identify the physical address of a network controller. If upon execution the MAC address of an ethernet controller matches the value of the MAC parameter in a [ComputerInfo_n] section then all the computer parameters (Name, Workgroup etc) will be read from that section.

As of v.1.8 if the MACAddressOveridesSections flag is active in the [Interface] section then the following values can also be parsed from the [ComputerInfo_n] section that contains a matching MAC address:

ParseSecuritySection
FirstName
LastName
Description
UserName
Password
UnlimitedPass
AutoLogon
Admin
FakeAdmin
FakeGuest
RenameAdmin
RenameGuest
DisableAdmin
ForcedLogon
NewAdminName
NewGuestName
HideNewAdmin

These values will now override the ones in [UserInfo] and [SecurityInfo] sections!

If however there is no match of the MAC values from each section to the MAC address of an ethernet controller on the target PC then the values from the initial [ComputerInfo] [UserInfo] and [SecurityInfo] section will be used instead.

The [SecurityInfo] section controls the following parameters:
FakeAdmin if set to 1 the tool will create an account called 'Administrator' (or whatever the name in your localized version of windows) which will be set with a loooong MD5 password and will be locked and inactive.
FakeGuest if set to 1 the tool will generate a Fake Guest account similar to the Administrator account described above
RenameAdmin if set to 1 the tool will attempt to rename the default Administrator account
RenameGuest same as above, if set to 1 the tool will rename the Guest account
NewAdminName if you chose to rename the administrator account this field holds the new name
NewGuestName if you chose to rename the guest account this field holds the new name
DisableAdmin if set to 1 then the administrator (or the renamed administrator) account will be disabled
ForcedLogon if set to 1 will cause windows to automatically login the default user upon logoff
HideNewAdmin [Windows XP] if set to 1 this will hide the renamed administrator account from the list of users that can log on the PC

As of v1.0 setting any of the Parse[]Section parameters to 0 will result in inactivating the relevant section on the GUI. For example ParseUserSection=0 and ParseComputerSection=0 will look like this:

Posted Image

Call the exe from a script so that the new user will be created. I am running it from cmdlines using the following batch file:
user.bat
@ECHO OFF
CMDOW @ /HID
TITLE Creating Windows XP Users
%SystemDrive%
CD %SystemRoot%\Scripts\users
START /WAIT %SystemRoot%\Scripts\CreateUser.exe

In the above example both files (the EXE and the INI) are in $OEM$\$$\Scripts inside my unattended CD/DVD. The INI contains my default information for the account to be created with a non-secure password (123 or something) which will be used only for the unattended setup and should be changed after that ...

In order to read the necessary values from another ini file the tool can be started using:
CreateUser.exe /INI="<full path to INI file><inifile.ini>"
Once the program is executed it will wait for the TimeOut period and then it will parse all the enabled sections UNLESS you click on the GUI, which allows for changes of all the information needed for the process.

Finally I should mention that it is working in my hands in Windows XP but I would consider it as a beta and would appreciate any feedback

B)

CF

ChangeLog

v.1.8.5
  • Added Dutch GUI Support
  • Fixed French GUI
Download program: Attached File  NewUser.7z   155.89KB   312 downloads
Update Pack Addon (compatible with nLite/Integrator, compiled and maintained by Aserone) Thanks Aserone :)

GUI Translations
Since I am not able to translate the messages that pop-up in every language, I am attaching here the English strings used by the program so that any interested parties can translate in their own language and re-attach the new files on this thread. The attached 7z archive contains two files, an INI with the interface strings and a TXT with the pop-up messages. Try to keep the messages as concise as possible, especially the ones in the INI file as their size will affect the layout of the GUI. It is important that you save the files as ANSI rather than Unicode, since the NSIS compiler used to make the program will not be able to read the translated characters!
It would also be very helpful if people could provide the ANSI page code of the file with their strings. You can find a list of those codes here

Download language strings: Attached File  Lang_Strings.7z   2.85KB   184 downloads (Only if you wish to translate the GUI to your language and contribute to this thread!)

ToDo
- Add support for CryptProtectData functionality
- Add multi-lingual interface/messages

Edited by cancerface, 30 November 2008 - 02:11 PM.
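
Added example (not part of the original post and not the tool's own code): a Python sketch that resolves which NewUser.ini values would apply to a machine with a given MAC address, following the override rules described in the post above, and flags the resulting settings that leave credentials exposed. The function names, the finding labels and the two fallback rules marked as assumptions in the comments are illustrative; the INI text is a constructed sample.

```python
import configparser
import re

COMPUTER = set("CompName CompWorkGroup CompDesc RegOwner RegOrg".split())
USER = set("FirstName LastName Description UserName Password "
           "UnlimitedPass AutoLogon Admin".split())
SECURITY = set("FakeAdmin FakeGuest RenameAdmin RenameGuest DisableAdmin "
               "ForcedLogon NewAdminName NewGuestName HideNewAdmin".split())
BASE = {"ComputerInfo": COMPUTER, "UserInfo": USER, "SecurityInfo": SECURITY}

# Constructed sample, cut down from the layout shown in the post.
SAMPLE_INI = """\
[Interface]
MACAddressOveridesSections=1
ParseSecuritySection=1
[UserInfo]
UserName=jdoe
Password=123
UnlimitedPass=1
AutoLogon=1
Admin=1
[ComputerInfo]
CompName=DeployedPC
[ComputerInfo_1]
MAC=00-90-56-C0-DD-00
CompName=DeployedPCA
Password=567
AutoLogon=0
ForcedLogon=
[SecurityInfo]
ForcedLogon=1
"""

def norm_mac(mac):
    """Reduce a MAC to bare upper-case hex so '-' and ':' forms compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).upper()

def load(text):
    # interpolation=None: a '%' in a password must not be read as a reference.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the INI
    cp.read_string(text)
    return cp

def resolve(cp, local_macs):
    """Return (matched section or None, effective settings) for one machine."""
    macs = {norm_mac(m) for m in local_macs} - {""}
    matched = next((s for s in cp.sections()
                    if re.fullmatch(r"ComputerInfo_\d+", s)
                    and norm_mac(cp[s].get("MAC", "")) in macs), None)
    eff = {}
    for section, keys in BASE.items():
        if cp.has_section(section):
            eff.update({k: v for k, v in cp[section].items() if k in keys})
    # Assumption: a Parse*Section flag missing from [Interface] counts as 1.
    for flag in ("ParseUserSection", "ParseSecuritySection"):
        eff[flag] = cp.get("Interface", flag, fallback="1")
    if matched:
        allowed = set(COMPUTER)
        if cp.get("Interface", "MACAddressOveridesSections", fallback="0") == "1":
            allowed |= USER | SECURITY | {"ParseSecuritySection"}
        # Assumption: a key left empty in the matched section does not override.
        eff.update({k: v for k, v in cp[matched].items() if k in allowed and v})
    return matched, eff

def audit(eff):
    """Flag effective settings that leave credentials exposed after deployment."""
    findings = []
    if eff.get("ParseUserSection") != "0":
        if eff.get("Password"):
            findings.append("CLEARTEXT_PASSWORD")  # readable on the install media
            if eff.get("UnlimitedPass") == "1":
                findings.append("NON_EXPIRING_PASSWORD")
        if eff.get("AutoLogon") == "1" and eff.get("Admin") == "1":
            findings.append("ADMIN_AUTOLOGON")
    if eff.get("ParseSecuritySection") != "0" and eff.get("ForcedLogon") == "1":
        findings.append("FORCED_LOGON")
    return findings
```

Running `audit(resolve(load(ini_text), macs)[1])` once per known MAC shows which machines would end up with an auto-logged-on administrator whose password sits in clear text on the CD/DVD.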




#2
RogueSpear

RogueSpear

    OS: SimplyMEPIS

  • MSFN Sponsor
  • 1,529 posts
  • Joined 18-September 04
I made a similar utility using an .hta script. I really like the clean look of your utility and the fact that it's an .exe file. Any chance you might be able to enable naming the computer from the same interface?

Here's a link to the thread where I posted.

#3
cancerface

cancerface

    a n00b for life

  • Member
  • PipPip
  • 135 posts
  • Joined 27-February 05
Nice layout on that one RogueSpear, I may have to redesign mine a bit :)
Yes it is easy to add the computer name (see new attachment).

Posted Image

Change the NewUser.ini to:
[UserInfo]
FirstName=<the user's first name>
LastName=<the user's last name>
Description=<user description>
UserName=<the username>
Password=<the password>
Admin=1
UnlimitedPass=1
AutoLogon=1
TimeOut=120000
[ComputerInfo]
CompName=DeployedPC
CompDesc=Unattended Windows XP

I am using a small tool called compname.exe to change the name and I assume that it will be located inside the System32 folder.
Note that if the computer name is left blank then the program will skip setting it up.
Let me know what you think :)

CF

[Edit]
Moved the attachment to the first post

Edited by cancerface, 22 March 2006 - 11:05 AM.


#4
RogueSpear

RogueSpear

    OS: SimplyMEPIS

  • MSFN Sponsor
  • 1,529 posts
  • Joined 18-September 04
I think you have a pretty promising little tool here. I'm not sure what you're developing your utility with, but if it's VB or C# or something from Microsoft, you could easily adapt my code to eliminate the dependence on outside utilities for renaming a computer and the user stuff too.

#5
abadaba

abadaba

    Newbie

  • Member
  • 41 posts
  • Joined 10-December 05
This is something I've been looking for! Now only if I knew how to create multiple dif users
IT Director Northland Communications Corp |BA Computer Science|BA Business Administration|MCSEx2|CCNA|AVVID|MCP+I| (_8(|)

#6
cancerface

cancerface

    a n00b for life

  • Member
  • PipPip
  • 135 posts
  • Joined 27-February 05
@RogueSpear
This is the evolution of a rather old and simple batch script into a simple exe. Unfortunately it is not in VB or C++ although I have been thinking for some time to move it to Delphi. It is a simple NSIS script. I have altered the header of the NSIS exe a bit to accommodate the changes needed in order to have a larger window etc.

I could make calls directly to the windows API or even use tools that come with windows xp, like wmic for example, in order to avoid use of external utilities but this was never an issue since it does the simple job I wanted it to do. I would be interested to see what you have in mind though :yes:

@ abadaba
Can't you use the oobeinfo method to create the users, including an admin account then run this tool at cmdlines which will create another admin account and will set the autologon option? You can then delete the oobeinfo admin account from some batch script if you don't need it (not sure if you can use oobeinfo without creating an admin account ... Also I am not sure when oobeinfo creates the accounts) ...

CF

#7
RogueSpear

RogueSpear

    OS: SimplyMEPIS

  • MSFN Sponsor
  • 1,529 posts
  • Joined 18-September 04
I was big into programming years ago. When I say years ago, I mean like 15 to 20 years ago. About 2 years ago I started to fiddle with VBscript and just this year, a little bit of AutoIt. My HTA utility, like your utility, does the job. But I've been desperately searching for the time to immerse myself in VB.NET. I know it's not C# or C++, but it should be flexible enough to allow me to make the kind of tools I want. And it has some relation to VBscript, possibly making it easier for me to master.

I'll probably look at this as one of the first projects to try in VB.NET since I have the mechanics down already. I have to say it's kind of amazing what a little bit of batch coupled with NSIS is capable of doing :D

Regarding Delphi. I know it's a well regarded development environment, but personally I'd steer clear of anything having to do with Borland. They currently have all of their development tools up for sale so they can concentrate on something else. I don't remember what the something else is at the moment. It seems odd too since developer tools is really all they're known for.

#8
cancerface

cancerface

    a n00b for life

  • Member
  • PipPip
  • 135 posts
  • Joined 27-February 05
I came across NSIS about a year ago and was impressed at the simple yet powerful code that you can generate. I have never been big into programming and I can only qualify as a noob in delphi, however I started moving all my batch scripts a while ago into NSIS. Like you said, you get an exe rather than a cmd file and you can in fact talk to the native windows API without use of external tools + as an open source tool it allows you to get answers to your questions in no time ... If only I had more time in my hands :D
CF

[Edit]
I posted a small guide for an unattended firefox deployment that created a small banner showing information about the install process a while ago in this thread, based on an NSIS script ...

Edited by cancerface, 21 March 2006 - 01:42 PM.


#9
Kelsenellenelvian

Kelsenellenelvian

    WPI Guru

  • Developer
  • 8,810 posts
  • Joined 18-September 03
  • OS:Windows 7 x64
  • Country: Country Flag
Very Cool I really like this one.

What about options for multiple user creation and a cancel option?

#10
cancerface

cancerface

    a n00b for life

  • Member
  • PipPip
  • 135 posts
  • Joined 27-February 05
@kelsenellenelvian
Glad you like it :)

The cancel button is easy to implement, although in my setup this is how I create an admin account so if I hit cancel then the default 'administrator' account will be the one active during the unattended install (a bit pointless). Also I didn't really see the point in having multiple accounts as this tool is always run at cmdlines and was needed in order to get an admin account that could potentially be different than the one hard-coded to the INI. My scenario was to have an already burned unattended XP DVD which I use for my desktop at home and my laptop at work. I use a different account for these machines due to restrictions on my work environment, but I wanted to have the ability to silently deploy all my apps and settings using the appropriate account ...

I see however the point of having a tool that would allow the creation of multiple users in a batch mode giving at the same time control to the admin to change their names/properties ... In fact I was thinking of combining the oobeinfo way with my tool if possible so that a set of standard users can be created via oobeinfo, and then their info/usernames can be edited using my approach during the unattended setup. I will post my results as soon as I test this, although I am not sure if oobeinfo runs before the system goes into cmdlines ...

The other option is to have a post-install GUI for creating multiple users. Maybe something like that already exists; I have not searched around to be honest. :whistle:

CF

[Edit] Updated first post and uploaded a version with a cancel button

Edited by cancerface, 22 March 2006 - 11:33 AM.


#11
Mikka

Mikka

    Junior

  • Member
  • Pip
  • 80 posts
  • Joined 02-March 06
  • OS:none specified
  • Country: Country Flag
Nice, however in need of improvement, I think.
Tried to create a (dummy) user foo (no surname), didn't work.
No fields are supposed to remain empty, that's why.

#12
XPero

XPero

    Father of XPize / Vize

  • Developer
  • 1,912 posts
  • Joined 08-August 04
Nice tool. NSIS is very powerful. XPize is made with NSIS ;)

#13
Dels

Dels

    X2K Project Leader

  • Member
  • PipPipPip
  • 332 posts
  • Joined 05-January 06
Just a quick question: what version of Windows does this software support? Does it support Win9x/ME?
X2K Project

#14
cancerface

cancerface

    a n00b for life

  • Member
  • PipPip
  • 135 posts
  • Joined 27-February 05
@All
Thanks for the feedback, I appreciate it :D

@Mikka
The purpose was to create a real account that would substitute the Administrator during the first login and this is why it is checking for all the fields being filled. However it is easy to get rid of this check and just look for a username/password ...

@XPero :hello:
I have seen you actually posting on the NSIS forum ... Good work on xpize by the way :thumbup

@Dels
I have been using it with XP and I am pretty sure it should work in 2k and 2k3, although I have not tested it ... Not sure about 9x/ME though. At this stage it makes external calls to net.exe, compname.exe and cusrmgr.exe but I have not tested either of these in Win9x/ME ...

I am working on a version that does not depend on any external utilities, as per RogueSpear's suggestion but I am stuck right now trying to make the created account not to expire. I'll post my work as soon as I figure this out :yes:

CF

Edited by cancerface, 04 April 2006 - 10:11 AM.


#15
cancerface

cancerface

    a n00b for life

  • Member
  • PipPip
  • 135 posts
  • Joined 27-February 05
Updated first post, adding an option to check/not check the user's input before execution (ie you can now leave the first three fields empty)
CF

#16
cancerface

cancerface

    a n00b for life

  • Member
  • PipPip
  • 135 posts
  • Joined 27-February 05
Updated first post, bringing this guy to v.0.4 ...
Got rid of the external applications used to set the password age and to change the computer name, and implemented WMI calls instead, added an option in the INI file to invoke the 'Confirm' dialog and finally added tooltips, for every control ...

:P
CF

[Edit]
Updated again to 0.4.1 (reverted to external tools since WMI was breaking the code at T13)
Updated yet again to 0.5 combining both WMI and external tool calls depending on the system state (at T13 the external tools are used, otherwise WMI is used)

Edited by cancerface, 08 April 2006 - 06:53 PM.


#17
cancerface

cancerface

    a n00b for life

  • Member
  • PipPip
  • 135 posts
  • Joined 27-February 05
Yet another update, check the first post

Major changes this time as I managed to figure out how to use direct API calls to netapi32 and kernel32 in order to create the user and change the computer name :w00t:

This means that there is no longer the need for any external tools or for native windows tools (such as net.exe and wmi.exe) ...

I successfully tested this in a working XP box as well as during a deployment at T13.
However the API code breaks in Windows 2k so I had removed the support for that OS until I can figure out another way to add the user to a group in 2k.

v.0.6 Changelog
- Added a check for OS type (will only run in XP/2K3)
- Added a check for admin privileges
- Added options to parse the computername/username sections
- The computername is set using a direct kernel32 API call
- The user is created using a direct netapi32 API call
- Changed the interface and added a computer Icon

:yes:
CF

#18
cancerface

cancerface

    a n00b for life

  • Member
  • PipPip
  • 135 posts
  • Joined 27-February 05
After discovering a bug in v0.6 that would not add the created user to any group, I had to release a new version ... In the process I also managed to get this little tool to work in Windows 2000! So here is the new version ...
(check first post)

v.0.7 Changelog
- Fixed nasty bug from 0.6 that wouldn't add the user to a group
- Added support for Windows 2000
- Added support for non english windows version (I hope ...)

Enjoy!

CF

#19
cancerface

cancerface

    a n00b for life

  • Member
  • PipPip
  • 135 posts
  • Joined 27-February 05
Following the discussion with DarkShadows in this thread I tried to implement the idea of securing the new administrator’s password using the LsaStorePrivateData method. It is a simple process if we want to create an account with admin privileges, since this new account will be able to access the stored encrypted password in an autologon scenario. Unfortunately this is not the case for a new, regular user, since the LsaStorePrivateData will only allow the creator of a secret and any members of the administrators group to read the secret. This means that in order to create a simple user and enable autologon without exposing his/her password as a clear text entry in the system registry then we would have to somehow create a login session for this user, impersonate him/her then encrypt and store the password.
The LsaStorePrivateData method is not however perfect, as the information stored (DefaultPassword in our case) can be found in HKLM\SECURITY\Policy\Secrets\DefaultPassword. Since there are ways to dump the content of the above key and decrypt the data, I am currently looking for another way of encrypting the password, using the CryptProtectData function of Win2k/XP.

In version v0.8 of this tool I have added support for the LsaStorePrivateData functionality. If you create a user with administrator’s privileges and enable autologon, the user’s password will not be stored in the registry as a clear text, but will be encrypted so that it will be more difficult for a non admin user to gain access to this information. In fact this is the process that TweakUI (XP) is using in order to store the DefaultPassword, used for autologon sessions, in the registry.

v0.8 Changelog
- Added support for LsaStorePrivateData functionality (password encryption for autologon)
- Fixed a bug with user enumeration at T12

Updated 1st post and uploaded the new version

:)
CF

#20
Takeshi

Takeshi

    Legitchecking...

  • Member
  • PipPipPipPipPipPip
  • 1,107 posts
  • Joined 09-September 04

In fact this is the process that TweakUI (XP) is using in order to store the DefaultPassword, used for autologon sessions, in the registry.


It looks like it's also the method the Run command control userpasswords2 uses at least in Win XP SP2. I tested this method in two machines and DefaultPassword is absent in the registry key.

Good piece of work your program!

#21
cancerface

cancerface

    a n00b for life

  • Member
  • PipPip
  • 135 posts
  • Joined 27-February 05

Good piece of work your program!

Thanks Takeshi, glad you like it :)

I tested this method in two machines and DefaultPassword is absent in the registry key.

Well, the DefaultPassword entry from HKLM\Software\Microsoft\Windows NT\WinLogon is missing (the clear-text password), but the Default password is in fact stored in the registry, encrypted, under the HKLM\SECURITY\Policy\Secrets\DefaultPassword key, which you need to manually access using admin privileges. In other words it is more secure than the clear text method, but not perfect, yet :)

I am experimenting with another method suggested by M$ which is a bit more complicated but guarantees better encryption, as suggested in this MSDN page ...
CF
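
Added example (not part of the thread): a Python sketch of the check discussed in the posts above, classifying how a machine stores its autologon password from the text that `reg query` prints for the Winlogon key. It assumes the standard Winlogon value names AutoAdminLogon and DefaultPassword under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`; the function names, result labels and the three outputs are constructed for illustration.

```python
import re

# One value row of `reg query` output: indented name, type, optional data.
ROW = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)(?:\s+(.*))?$")

# Constructed output of:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
CLEARTEXT_HOST = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    jdoe
    DefaultPassword    REG_SZ    123
"""

LSA_HOST = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    jdoe
"""

STALE_HOST = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    0
    DefaultUserName    REG_SZ    jdoe
    DefaultPassword    REG_SZ    123
"""


def parse_reg_query(text):
    """Return {value name (lower-case): data}; registry names are case-insensitive."""
    values = {}
    for line in text.splitlines():
        m = ROW.match(line)  # the key-path header has no indent and is skipped
        if m:
            values[m.group(1).lower()] = m.group(3) or ""
    return values


def classify_autologon(values):
    """Classify where the autologon password lives, from parsed Winlogon values."""
    enabled = values.get("autoadminlogon", "") == "1"
    cleartext = bool(values.get("defaultpassword"))
    if cleartext:
        # Readable by anyone who can read the Winlogon key.
        # A password left behind after autologon was switched off is still exposed.
        return "cleartext-registry" if enabled else "stale-cleartext"
    # Autologon on without a DefaultPassword value: the password is expected
    # in the LSA secret, which per the thread needs admin rights to read.
    return "lsa-secret-expected" if enabled else "autologon-off"


def report(outputs):
    """Map host label -> classification for a dict of captured reg query outputs."""
    return {host: classify_autologon(parse_reg_query(text))
            for host, text in outputs.items()}
```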

#22
ZileXa

ZileXa

    Friend of MSFN

  • Member
  • PipPipPipPipPip
  • 767 posts
  • Joined 27-May 04
What is PC description for? didn't even know Windows had this... seems useless to me!
It would be great if I could set the Network name with your tool :) I use WIHU for now.

#23
cancerface

cancerface

    a n00b for life

  • Member
  • PipPip
  • 135 posts
  • Joined 27-February 05

What is PC description for? didn't even know Windows had this... seems useless to me!

ControlPanel->System->Computer Name->Computer Description ;)
It's the description that appears when you browse a network for a certain computer ...

It would be great if I could set the Network name

Can you elaborate a bit more on that? As far as I can see here my tool changes both the Physical NetBios and DNS hostname ... I am calling SetComputerNameEx for ComputerNamePhysicalNetBIOS and ComputerNamePhysicalDnsHostname ...
Are you referring to a fully qualified domain name? Something like mypc.somewhere.com?
CF

#24
ZileXa

ZileXa

    Friend of MSFN

  • Member
  • PipPipPipPipPip
  • 767 posts
  • Joined 27-May 04
No I don't mean pc name, I mean Workgroup name, if you have a (wireless) network, the network must have a name...

Right-click My Computer, tab Computer Name, then the Modify button, now you can set a Workgroup name (or choose a domain name if the pc is in a domain but that's not for home users I suppose).

#25
cancerface

cancerface

    a n00b for life

  • Member
  • PipPip
  • 135 posts
  • Joined 27-February 05
@ZileXa
That's on my list of things to do :yes:
I am using NetJoinDomain to add the workstation to a workgroup. I have to test a few things in non XP systems and then I'll release a new version.

I am also working on including a list of known MACs in the INI file with references to specific computer names so that a name will be automatically picked up if a MAC address is detected ...

CF



