Required Permissions

Updated: May 8, 2008

Applies To: Windows Server 2008, Windows Server 2008 R2

This topic outlines the following permissions and, where appropriate, how to grant them.

In This Topic

General Permissions

To fully administer a Windows Deployment Services server, you need the following permissions:

  • Local administrator of the Windows Deployment Services server. This gives you the following rights:

    • File permissions and permissions to the RemoteInstall folder.

    • Registry hive permissions. Many settings for the Windows Deployment Services server are stored in HKEY_LOCAL_MACHINE\System, and you need appropriate permissions to these locations to change them.

  • Domain administrator of the domain that contains the Windows Deployment Services server. This gives you permissions on the Service Control Point (SCP) in Active Directory Domain Services (AD DS) for the Windows Deployment Services server. Some configuration settings for the server are stored in the SCP.

  • Enterprise administrator (optional). This gives you Dynamic Host Configuration Protocol (DHCP) authorization permissions.

Permissions for Common Management Tasks

The following table contains common tasks and the permissions that are required for each.


Task Permissions Needed

Add or remove an image group

Full control over C:\RemoteInstall\Images\<ImageGroup>.

Add or remove an image

Full control over C:\RemoteInstall\Images\<ImageGroup>.

Disable an image

Permission to read and write attributes for the associated image.

Add a boot image

Read and write access to the following:

  • C:\RemoteInstall\Boot

  • C:\RemoteInstall\Admin (This folder is only present if you upgraded from Windows Server 2003.)

  • %TEMP%

Remove a boot image

Read and write access to C:\RemoteInstall\Boot.

Set properties on an image

Read and write permissions to the Res.rwm file that is located in C:\RemoteInstall\Images\<ImageGroup>.

Prestage a computer

Permissions to create accounts in the domain, as well as write to the properties of a computer object.

To grant permissions to prestage a computer

  1. Open Active Directory Users and Computers .

  2. Right-click the organizational unit (OU) where you are creating prestaged computer accounts, and then select Delegate Control.

  3. On the first screen of the wizard, click Next.

  4. Add the user or group you wish to delegate control to, and then click Next.

  5. Select Create a Custom task to delegate.

  6. Select Only the following objects in the folder. Then select the Computer Objects check box, select Create selected objects in this folder, and click Next.

  7. In the Permissions box, select the Write all Properties check box, and click Finish.

Approve a pending computer

Read and write permissions to the C:\RemoteInstall\Mgmt folder (which contains Binlsvcdb.mdb). The actual account of an approved pending computer is created by using the server’s authentication token, not the token of the administrator who is performing the approval. Therefore, in AD DS, you must grant rights to the Windows Deployment Services server’s computer account (WDSSERVER$) to create computer account objects in the containers and OUs where the approved pending computers will be created.

To grant permissions to approve a pending computer

  1. Open Active Directory Users and Computers.

  2. Right-click the OU where you are creating prestaged computer accounts, and then select Delegate Control.

  3. On the first screen of the wizard, click Next.

  4. Change the object type to include computers.

  5. Add the computer object of the Windows Deployment Services server, and then click Next.

  6. Select Create a Custom task to delegate.

  7. Select Only the following objects in the folder. Then select the Computer Objects check box, select Create selected objects in this folder, and click Next.

  8. In the Permissions box, select the Write all Properties check box, and click Finish.
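The two procedures above grant the same pair of rights (create Computer Objects in the OU, and Write all Properties on those objects), once to a user or group and once to the Windows Deployment Services server's own computer account. The following script is an added example, not part of this TechNet topic, that grants those rights with dsacls.exe instead of the Delegation of Control wizard. The OU distinguished name, the group name and the domain name are placeholders; the permission letters (CC for create child, WP for write property) and the /I:S inheritance switch are standard dsacls syntax.

```powershell
# Added example (not from the TechNet topic): delegate prestage/approve rights with dsacls.
# Placeholders: adjust the OU DN, the delegated group and the server account to your domain.
$OuDn         = 'OU=Staged Computers,DC=corp,DC=example'   # OU that receives prestaged accounts
$StagingGroup = 'CORP\WDS-Prestagers'                      # group that prestages computers
$WdsServer    = 'CORP\WDSSERVER$'                          # the WDS server's computer account (page: WDSSERVER$)

function Grant-ComputerCreateRights {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$Principal   # DOMAIN\name; append $ for a computer account
    )
    # Wizard step "Create selected objects in this folder" for Computer Objects:
    # CC = create child, restricted to the computer object class, on the OU itself.
    & dsacls.exe $OuDistinguishedName /G "${Principal}:CC;computer"
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed granting create-computer on $OuDistinguishedName" }

    # Wizard step "Write all Properties": WP with no attribute named means all properties,
    # /I:S applies it to sub-objects only, and ';;computer' limits it to computer objects.
    & dsacls.exe $OuDistinguishedName /I:S /G "${Principal}:WP;;computer"
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed granting write-properties on $OuDistinguishedName" }
}

function Show-ComputerRights {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    # dsacls with only a DN prints the current ACL; show the ACE lines we care about.
    & dsacls.exe $OuDistinguishedName | Select-String -Pattern 'CREATE CHILD|WRITE PROPERTY' -Context 1, 0
}

# Delegate to the staging group (prestage) and to the server account (approve pending computers).
Grant-ComputerCreateRights -OuDistinguishedName $OuDn -Principal $StagingGroup
Grant-ComputerCreateRights -OuDistinguishedName $OuDn -Principal $WdsServer
Show-ComputerRights -OuDistinguishedName $OuDn
```

Run it from an account that already holds the rights being delegated (a domain administrator). The final listing is the check a practitioner wants after the wizard as well: the two ACEs should appear only for the intended principals, and only scoped to the computer class, not to all object types in the OU.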

Prestage a computer to join a domain

The user account must have permissions to join the domain. The JoinRights registry setting determines the set of security privileges, and the User registry setting determines which users have the right to join the domain. To change the per-server (per-architecture) defaults, you need read and write permissions to these registry keys.

  • The JoinRights setting is located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC\AutoApprove\<arch>

    Name: JoinRights

    Type: DWORD

    Value: 0 = JoinOnly; 1 = Full.

    A user that has Join only rights cannot join the domain without administrator assistance (an administrator with proper permissions on the computer account object must reset the computer account before the client installation and domain join). A user that has Full rights can reset the account and join the domain without administrator assistance.

  • The User setting is stored at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC\AutoApprove\<arch>

    Name: User

    Type: REG_SZ

    Value: Name of group or user. For this setting, there are two administration models that you can use.

    • (recommended) You can associate a primary user to the account at the time the computer is approved. When the computer is approved, the computer account will grant the primary user 1) read and write permissions on all properties on the computer object (JoinRights = JoinOnly or JoinRights = Full), and 2) reset and change password rights on the computer object (JoinRights = Full).

    • You can specify server defaults for the user and JoinRights that apply to all approved clients of a given architecture. The default values grant domain administrators the Full join right. If you do not assign a primary user to the computer account at the time of approval, these default values will take effect.

      Note
      If you are creating computer accounts against a non-English domain controller and you are using the default User property, you must set the Auto-Add settings to use a different account that does not contain extended characters. If the account name contains a non-standard character (any character outside [A-Z, a-z, 0-9, \, -, and so on]), such as the German "Domänen-Admins", Auto-Add will fail. To change this value, see the help at the command prompt for WDSUTIL /set-server /AutoAddSettings.
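The following script is an added example, not part of this TechNet topic, that reads the per-architecture defaults described above from the AutoApprove\<arch> keys, decodes JoinRights, and flags a User value that contains characters outside printable ASCII (the practical reading of the note above, which would catch "Domänen-Admins"). The wdsutil command line it builds uses the /Set-Server /AutoAddSettings switches named on this page together with /Architecture, /User and /JoinRights; confirm the exact switches with the tool's own /? help before relying on them.

```powershell
# Added example (not from the TechNet topic): audit the AutoApprove defaults per architecture.
$AutoApproveKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC\AutoApprove'

function Get-WdsAutoApproveSetting {
    param([string]$BasePath = $AutoApproveKey)
    # One subkey per architecture (x86, x64, ia64); each holds JoinRights (DWORD) and User (REG_SZ).
    foreach ($archKey in Get-ChildItem -Path $BasePath -ErrorAction Stop) {
        $props = Get-ItemProperty -Path $archKey.PSPath
        $raw = $props.JoinRights
        $joinRights = if ($raw -eq 0) { 'JoinOnly' } elseif ($raw -eq 1) { 'Full' } else { "unset/unknown ($raw)" }
        $user = [string]$props.User
        # Anything outside printable ASCII (accented letters, etc.) makes Auto-Add fail per the note.
        $hasExtendedChars = $user -match '[^\x20-\x7E]'
        [pscustomobject]@{
            Architecture = $archKey.PSChildName
            JoinRights   = $joinRights
            User         = $user
            UserIsAscii  = -not $hasExtendedChars
        }
    }
}

function New-WdsAutoAddCommand {
    # Builds the wdsutil command that resets the defaults for one architecture (assumed switch names).
    param(
        [Parameter(Mandatory)][string]$Architecture,      # x86, x64 or ia64
        [Parameter(Mandatory)][string]$User,              # DOMAIN\group, ASCII only
        [ValidateSet('JoinOnly', 'Full')][string]$JoinRights = 'JoinOnly'
    )
    if ($User -match '[^\x20-\x7E]') { throw "User '$User' contains extended characters; choose an ASCII-only account" }
    "wdsutil /Set-Server /AutoAddSettings /Architecture:$Architecture /User:$User /JoinRights:$JoinRights"
}

$settings = Get-WdsAutoApproveSetting
$settings | Format-Table -AutoSize
foreach ($s in $settings | Where-Object { -not $_.UserIsAscii }) {
    Write-Warning "Architecture $($s.Architecture): User '$($s.User)' has extended characters; Auto-Add will fail."
    # Keep the existing JoinRights if it decoded cleanly, otherwise fall back to the safer JoinOnly.
    $jr = if (@('JoinOnly', 'Full') -contains $s.JoinRights) { $s.JoinRights } else { 'JoinOnly' }
    Write-Host ('Suggested fix: ' + (New-WdsAutoAddCommand -Architecture $s.Architecture -User 'CORP\WDS-Joiners' -JoinRights $jr))
}
```

The replacement group 'CORP\WDS-Joiners' is a placeholder. Reading the keys needs only the read permission the page mentions; the suggested wdsutil command is printed, not executed, so the script can be run by an auditor who does not hold write access to the keys.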

Convert a RIPREP image

  • Read and write permissions to the %TEMP% directory and destination location

  • Read permissions on the original RIPREP image

Create a discover or capture image

  • Read and write permission to the %TEMP% directory and destination location

  • Read permissions on the original boot image

Create a multicast transmission

  • Full control over the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\Multicast

  • Read permissions to RemoteInstall\Images\<ImageGroup>.

Modify a multicast transmission (for example, delete, deactivate, start, stop, disconnect, and so on)

Full control over the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\Multicast

Permissions for Client Installations

In general, performing a client installation requires domain user rights. However, additional permissions may be required depending on the scenario. This section outlines the minimal set of permissions that are required to perform common installation tasks.


Task Permissions Needed

Network boot a client computer

No permissions are required to network boot a client, and no mechanism exists to secure the process of booting from the network. If security is the primary concern for you, we recommend that you use physical media (for example, that contains a discover image) to boot each computer.

Select a boot image

No permissions are required to select a boot image and no mechanism exists to secure entries that are displayed in the list. The first authentication mechanism occurs within Windows PE.

Select an install image

The credentials provided in the user interface must be those of a domain account. After a client has been authenticated to the Windows Deployment Services server, the authenticated user must be able to read the install .wim file and the Res.rwm file from the RemoteInstall folder. By default, authenticated users have permission to do so.

Join a domain

The JoinRights registry setting determines the set of security privileges, and the User registry setting controls which users have the right to join the domain. For more information about these settings, see the "Prestage a computer to join a domain" section in the previous table.

If the computer is prestaged, the user performing the installation (or the credentials in the Unattend file for the domain join) needs the appropriate JoinDomain rights. If the computer is not prestaged (meaning Windows Deployment Services will create a computer account in AD DS), the user performing the installation (or the credentials specified in the Unattend file for the domain join) needs rights to add a prestaged computer and the appropriate JoinRights.

Using /ResetBootProgram

If the ResetBootProgram functionality is enabled, the user needs read and write permissions to the netbootMachineFilePath property on the prestaged computer object. If this permission is not granted and the user's boot program is set to pxeboot.n12, Windows Deployment Services will not be able to reset the network boot program to pxeboot.com, forcing the computer into an infinite reboot loop. For more information, see Managing Network Boot Programs.

Disabling access to the command prompt during installations

By default, users can gain access to a command prompt during Windows Deployment Services installations by:

  • Pressing Shift+F10 when Setup is running in Windows PE.

  • Pressing Shift+F10 when the Image Capture Wizard is running in Windows PE.

  • Holding down the CTRL key when Microsoft Windows Preinstallation Environment (Windows PE) is booting.

  • Pressing Shift+F10 when the Out of Box Experience (OOBE) is running (OOBE is the wizard that usually runs after Setup).

    Important
    A Command Prompt window that is opened during OOBE runs in the system context. If this window is not closed at the conclusion of Setup, the user may have access to it and therefore to system rights, even though the user is not a local administrator on the client computer.

You can disable this functionality by adding a DisableCmdRequest.tag to the image.

To disable access for boot images

  1. In the Windows Deployment Services MMC snap-in, right-click the desired boot image and select Disable.

  2. Mount the image for read and write access using ImageX which is provided in the Windows Automated Installation Kit (AIK).

  3. Create the file %windir%\Setup\Scripts\DisableCmdRequest.tag in the mounted image.

  4. Commit the changes and unmount the image.

  5. In the Windows Deployment Services MMC snap-in, right-click the desired boot image and select Enable.

To disable access for install images

  1. In the Windows Deployment Services MMC snap-in, right-click the desired install image and choose Disable.

  2. Export the image to an external .wim file.

  3. Mount the image for read and write access using the tools provided in the Windows AIK.

  4. Create the file %windir%\Setup\Scripts\DisableCmdRequest.tag in the mounted image.

  5. Commit the changes and unmount the image.

  6. In the Windows Deployment Services MMC snap-in, right-click the disabled install image and choose Replace Image.

  7. Follow the instructions in the wizard to re-import the modified install image.
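The following script is an added example, not part of this TechNet topic, that carries out the install-image procedure above with wdsutil.exe and ImageX from the Windows AIK rather than through the snap-in and wizard. The boot-image procedure is the same minus the export and replace steps, using /ImageType:Boot and /Architecture in place of /ImageGroup. The image name, image group and paths are placeholders, and the wdsutil and ImageX switches are the ones from the tools' own help; confirm them with /? on the server before use.

```powershell
# Added example (not from the TechNet topic): add DisableCmdRequest.tag to an install image.
$ImageName  = 'Windows Server 2008 Standard'   # placeholder install image name
$ImageGroup = 'ImageGroup1'                    # placeholder image group
$ExportWim  = 'C:\Temp\install-export.wim'     # external .wim written by /Export-Image
$MountDir   = 'C:\Temp\mount'                  # read/write mount point for ImageX

function Invoke-Tool {
    # Run a native tool and fail loudly; each wizard step below is one call.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Add-DisableCmdRequestTag {
    # Creates %windir%\Setup\Scripts\DisableCmdRequest.tag inside the mounted image.
    param([Parameter(Mandatory)][string]$MountedImageRoot)
    $tagDir = Join-Path $MountedImageRoot 'Windows\Setup\Scripts'
    New-Item -ItemType Directory -Path $tagDir -Force | Out-Null
    $tag = Join-Path $tagDir 'DisableCmdRequest.tag'
    New-Item -ItemType File -Path $tag -Force | Out-Null
    return $tag
}

function Test-DisableCmdRequestTag {
    param([Parameter(Mandatory)][string]$MountedImageRoot)
    Test-Path (Join-Path $MountedImageRoot 'Windows\Setup\Scripts\DisableCmdRequest.tag')
}

# Step 1: disable the image so clients cannot select it while it is being edited.
Invoke-Tool wdsutil @('/Disable-Image', "/Image:$ImageName", '/ImageType:Install', "/ImageGroup:$ImageGroup")
# Step 2: export it to an external .wim file.
Invoke-Tool wdsutil @('/Export-Image', "/Image:$ImageName", '/ImageType:Install', "/ImageGroup:$ImageGroup",
                      '/DestinationImage', "/FilePath:$ExportWim", '/Overwrite:Yes')
# Step 3: mount read/write (the exported file holds a single image, index 1).
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Invoke-Tool imagex @('/mountrw', $ExportWim, '1', $MountDir)
try {
    # Step 4: create the tag file and verify it is really there before committing.
    Add-DisableCmdRequestTag -MountedImageRoot $MountDir | Out-Null
    if (-not (Test-DisableCmdRequestTag -MountedImageRoot $MountDir)) { throw 'DisableCmdRequest.tag was not created' }
}
finally {
    # Step 5: commit only if the tag is in place; otherwise discard the changes.
    if (Test-DisableCmdRequestTag -MountedImageRoot $MountDir) { Invoke-Tool imagex @('/unmount', '/commit', $MountDir) }
    else { Invoke-Tool imagex @('/unmount', $MountDir) }
}
# Steps 6 and 7: replace the disabled image with the modified file.
Invoke-Tool wdsutil @('/Replace-Image', "/Image:$ImageName", '/ImageType:Install', "/ImageGroup:$ImageGroup",
                      '/ReplacementImage', "/ImageFile:$ExportWim")
```

After the replace, check the image state in the snap-in and enable it if it is still disabled, exactly as the boot-image procedure ends. The try/finally matters in practice: a .wim left mounted read/write after a failed step blocks later mounts and can leave a half-edited image behind.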

Permissions for Server Properties

The following section outlines the minimal set of permissions that are necessary to perform common management tasks using the server properties pages. To access these settings, open the Windows Deployment Services MMC snap-in, right click the server, and click Properties.


Tab Settings that Require Permissions

PXE Response Settings

  • PXE response policy. This policy, which defines how to respond to client network boot requests, is stored on the server’s SCP. Configuring these settings requires read and write permissions to the SCP object.

    To grant permissions to the SCP object

    1. Open Active Directory Users and Computers.

    2. Click View, and then click Advanced Features (if it is not already enabled).

    3. Right-click the computer account for your Windows Deployment Services server, and click Properties.

    4. On the Remote Install tab, select Advanced Settings…

    5. Select the Security tab, and click Add…

    6. Select the user, and then select Full Control on this object.

  • PXE response delay. Configuring this setting requires read and write permissions to the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WDSSERVER\Providers\WDSPXE\Providers\BINLSVC

    Name: ResponseDelay

    Type: REG_DWORD

    Value: Number of seconds to wait before answering network boot requests

Directory Services (or AD DS)

  • Client naming policy. This setting is stored in the SCP object on the server. The property is called netbootNewMachineNamingPolicy.

  • Account location. This setting is stored in the SCP object on the server. The property is called netbootNewMachineOU.

Boot

Default boot program (or PXE boot policy)

  • Server-wide: This option is controlled by the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC\BootPrograms\<arch>

    Name: Default

    Type: REG_SZ

    Value: Path to server-wide client default boot program for this architecture. For example: boot\x86\pxeboot.com

  • Per computer: The computer account attribute is: netbootMachineFilePath

Default boot image

  • Server-wide: This option is controlled by the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC\BootImages\<arch>

    Name: BootImagePath

    Type: REG_SZ

    Value: Path to server-wide client default boot image for this architecture. For example: boot\x86\images\boot.wim

  • Per computer: The computer account attribute is: netbootMirrorDataFile

Client

Unattend file

  • Server-wide: This option is controlled by the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WdsImgSrv\Unattend\x86

    Name: FilePath

    Type: REG_SZ

    Value: Path to server-wide client Unattend file relative to the RemoteInstall folder. For example: WdsClientUnattend\WdsUnattend.xml

  • Per computer: The computer account attribute is netbootMirrorDataFile

Client account creation (or Joining a domain)

  • This option is controlled by the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC

    Name: NewMachineDomainJoin

    Type: DWORD

    Value: 0 to prevent domain joining by clients; 1 to enable it.

DHCP

  • Do not listen on Port 67. This option is controlled by the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WDSSERVER\Providers\WDSPXE

    Name: UseDhcpPorts

    Type: DWORD

    Value: 0 disabled; 1 enabled

  • Configure DHCP option 60. This requires that the user is able to configure the Microsoft DHCP server running on the local computer.

Advanced

  • Domain controller. These settings are stored at the following registry location:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC

    The keys for these settings are as follows:

    • Default domain controller: Name: DefaultServer, Type: REG_SZ, Value: FQDN for default domain controller.

    • Default global catalog server: Name: DefaultGCServer, Type: REG_SZ, Value: FQDN for default global catalog server.

  • DHCP authorization. This is performed using DHCP APIs, so you need permissions to authorize the Microsoft DHCP server.
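The tables on this page name the folders under RemoteInstall and the registry keys whose write access decides who can change server behaviour (the Permissions for Common Management Tasks table and the Permissions for Server Properties table above). The following script is an added example, not part of this TechNet topic, that lists every principal holding write-class rights on those locations so that grants beyond SYSTEM and the local Administrators group stand out. It assumes RemoteInstall is at C:\RemoteInstall and uses a placeholder image group; the list of paths is taken from this page.

```powershell
# Added example (not from the TechNet topic): report write-capable principals on the
# RemoteInstall folders and WDS registry keys named on this page.
$RemoteInstall = 'C:\RemoteInstall'   # assumed location of the RemoteInstall folder
$ImageGroup    = 'ImageGroup1'        # placeholder image group
$Binlsvc = 'HKLM:\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE\Providers\BINLSVC'

$Targets = @(
    (Join-Path $RemoteInstall 'Boot'),                 # add/remove boot image
    (Join-Path $RemoteInstall "Images\$ImageGroup"),   # image groups, images, Res.rwm
    (Join-Path $RemoteInstall 'Mgmt'),                 # Binlsvcdb.mdb, approving pending computers
    $Binlsvc,                                          # ResponseDelay, NewMachineDomainJoin, DefaultServer ...
    "$Binlsvc\AutoApprove",                            # JoinRights / User defaults
    "$Binlsvc\BootPrograms",                           # default boot program per architecture
    "$Binlsvc\BootImages",                             # default boot image per architecture
    'HKLM:\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE',            # UseDhcpPorts
    'HKLM:\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WdsImgSrv\Unattend', # server-wide Unattend file
    'HKLM:\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\Multicast'           # multicast transmissions
)

# Principals expected to hold write rights on these locations; anything else is reported.
$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

# Bits that confer change rights in both the registry and file-system access masks:
# SetValue/WriteData (0x2), CreateSubKey/AppendData (0x4), Delete (0x10000),
# ChangePermissions (0x40000), TakeOwnership (0x80000), GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$WriteBits = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-WriteCapablePrincipal {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { return }   # e.g. a key that only exists once the feature is configured
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $isRegistry = $ace -is [System.Security.AccessControl.RegistryAccessRule]
        $rights = if ($isRegistry) { $ace.RegistryRights } else { $ace.FileSystemRights }
        if (([int]$rights -band $WriteBits) -eq 0) { continue }   # read-only ACE, skip
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $rights
            Inherited = $ace.IsInherited
            Expected  = $Expected -contains $ace.IdentityReference.Value
        }
    }
}

$report = foreach ($t in $Targets) { Get-WriteCapablePrincipal -Path $t }
$report | Sort-Object Path, Principal | Format-Table -AutoSize
foreach ($r in $report | Where-Object { -not $_.Expected }) {
    Write-Warning "Unexpected write access on $($r.Path): $($r.Principal) ($($r.Rights))"
}
```

Principals that legitimately appear beyond the expected set are the delegated administrators you have chosen for the tasks in the tables (for example an image-management group with full control over Images\<ImageGroup>); extend $Expected with those and treat anything remaining as something to explain. Write access to the BINLSVC keys or to the Unattend key is equivalent to controlling what every network-booting client receives, so these entries deserve the same review as membership of the local Administrators group.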
