Chapter 9: Advanced Scenarios

  • Article

This section of the Handbook focuses on advanced scenarios that might fit your needs when you manage a shared computer environment. These techniques are intended for operators who have a high level of expertise managing Windows XP.

On This Page

Store Persistent User Data
Quickly Install Software for a Restricted User
Configure a User Start Menu to Not Use the All Users Profile
Restrict a Shared Administrative Account
Block ActiveX Controls in Internet Explorer
Use Simple Site Filtering to Control Internet Access
Use a Central Script for Common Client Updates
Restrict Children on a Family Computer
Automate User Restrictions Using Restrict.wsf
Create a Mandatory Profile for Multiple Users
Image or Clone a Toolkit-Secured Computer

Store Persistent User Data

On some shared computers, you may want users to be able to customize their user profile or store data, and have these changes not be discarded by Windows Disk Protection when the computer restarts. There are two ways to store persistent user data:

  • Create a partition that is separate from the Windows partition that Windows Disk Protection protects. Use this separate partition to store user profiles and other user data. The advantage of using this method is that you can create persistent user profiles while still protecting the shared computer with Windows Disk Protection.

  • Use a USB drive or network location to allow the storage of persistent user data. This method allows users to save data they create, but does not provide a good way to store persistent profiles.

Storing Persistent User Data on a Separate Partition

You can create a new partition to hold persistent data by using the Disk Management tool in Windows XP. To create a new partition in this manner requires that you have enough unallocated disk space with which to create the partition, and that the new partition not take away from the unallocated space required to use the Windows Disk Protection tool. After you create a new partition, you can use the Profile Manager tool to create user profiles on the new partition instead of in the default location on the Windows partition.

Note Note
The persistent partition can be placed on the same physical disk as the protection partition or on another disk.

Create a New Partition with the Disk Management Tool

You can use the Disk Management tool in Windows XP to create a new partition from unallocated space.

To use the Disk Management tool to create a new partition

  1. In the Disk Management window, right-click the unallocated space on the disk on which you want to create a partition, and then click New Partition.

  2. On the Welcome page of the New Partition Wizard, click Next.

  3. On the Select Partition Type page of the wizard, accept the default option for Primary partition, and then click Next.

  4. On the Specify Partition Size page of the wizard, determine the amount of unallocated space that you want to use to create the new volume. Make sure that you leave enough unallocated space to meet the minimum requirements for Windows Disk Protection (at least 10 percent of the size of the Windows partition or 1 GB—whichever is greater).

  5. On the Assign Drive Letter or Path page of the wizard, accept the default recommendation for assigning a drive letter, and then click Next.

  6. On the Format Partition page of the wizard, accept the default settings to create the new partition, click Next, and then, on the final page of the wizard, click Finish.

Create Persistent Profiles with the Profile Manager Tool

The Profile Manager tool lets you create and delete user profiles for existing user accounts. You can also create the profiles on alternative partitions.

To use the Profile Manager tool to create or delete persistent user profiles

  1. Log on as the Toolkit administrator.

  2. Click Start, point to All Programs, point to Microsoft Shared Computer Toolkit, and then click Profile Manager.

  3. In Profile Manager (shown in the following figure), click Select an Account.

  4. In the Select an Account to Manage dialog box, click the user account you want to manage.

  5. In the User Password box, type the password for the user account.

  6. Perform one of the following options:

    • To create a profile for the user account, select the drive on which you created the persistent partition from the Profile Location drop-down menu, and then click Create Profile. If you do not see this button, a user profile already exists for the user account.

    • To delete a user profile for the account, click Delete Profile. If you do not see this button, a user profile does not yet exist for the user account.

    • To open the User Accounts window to create and manage local user accounts, click Manage Users.

  7. After you finish, click Close.

    Figure 9.1 Use the Profile Manager tool to create and delete user profiles

    Figure 9.1 Use the Profile Manager tool to create and delete user profiles

Using Removable USB Drives or Network Locations

Windows XP provides the ability to redirect the My Documents folder (typically stored within a user’s profile) to a different location. If you use Windows Disk Protection, but still want to provide users with the ability to save documents, you can redirect the My Documents folders to a persistent partition, a removable drive such as a USB drive, or to a network location.

Note Note
If users share a USB drive or network location, there is no way to keep documents private. Users of the same shared account will be able to view each others files.

To redirect a user’s My Documents folder to a USB drive

  1. Restart the computer to clear recent disk changes.

  2. Log on as the Toolkit administrator.

  3. If Windows Disk Protection is turned on, start the Windows Disk Protection tool, click Save changes with next restart and then click OK.

  4. Start the User Restrictions tool.

  5. Disable restrictions for the user account for which you want to redirect the My Documents folder. This step is necessary if restrictions prevent the user from right-clicking.

  6. Log off and then log on using the user account for which you want to redirect the My Documents folder.

  7. Insert a USB drive and wait for Windows to recognize it.

  8. Click Start, right-click My Documents, and then click Properties.

  9. In the My Documents Properties dialog box, click Move.

  10. In the Select a Destination dialog box, click the USB drive or network location and then click OK.

  11. In the My Documents Properties dialog box, click OK.

  12. Windows displays a Move Documents dialog box. Click Yes to move the documents or No to leave the existing documents in the old location.

  13. Log off and then log on as the Toolkit administrator. If you disabled any restrictions in Step 1, re-enable those restrictions now.

  14. Restart the computer to allow Windows Disk Protection to save changes and revert to the default Clear changes with each restart option.

  15. Log on as the user and test the My Documents folder and any restrictions placed on the user.

Quickly Install Software for a Restricted User

Often it is necessary to install software for a user temporarily. This software might only be used for a single session, or might be something you plan to add permanently, but need to add quickly and with minimal inconvenience to your client.

Fast user switching can be used to switch quickly to the Toolkit administrator account to install a program. You can then switch back to the restricted user’s session without logging the user off.

Note Note
If you selected the Disable keyboard shortcuts that use the Windows logo key setting in User Restrictions, the Windows logo key + L keystroke combination will not work.

To use fast user switching to install software temporarily for a limited user

  1. Press Windows logo key + L to switch to the Windows Welcome screen.

  2. Log on as the Toolkit administrator.

  3. Install and configure the new software. Ensure that an icon is placed on the user’s Start menu or in the All Users Start menu.

  4. If the software requires a restart, use Windows Disk Protection and set the Restart Option to Retain changes for one restart and restart the computer.

  5. Log off the Toolkit administrator and log on as the limited user to resume the initial session.

Unless the software requires a restart to compete installation, the software should be available for the limited user’s session.

Configure a User Start Menu to Not Use the All Users Profile

One of the optional restrictions available in the User Restrictions tool allows you to prevent Windows from displaying shortcuts from the Start menu for the All Users profile in the Start menu for individual user profiles. This restriction provides optimal control over what appears on Start menus, but also requires a bit more work to configure properly. In particular, you will need to address two added concerns:

  • When you set up a user profile that will use this restriction, no shortcuts appear by default in the user’s Start menu. You must use Windows Explorer to copy the shortcuts that you want from the Start menu of the All Users profile. Steps for accessing these folders in Windows Explorer are covered in Chapter 3, “Profile Management.”

  • When you install new programs on the shared computer, the installation program will create shortcuts in the Start menu of the All Users profile. To make the shortcuts appear on the Start menus for individual users, you must copy the shortcuts from the All Users Start menu to the user's Start menu. In addition, if Windows Disk Protection is turned on, you will need to configure it to retain changes when you copy the shortcuts. For more information, see Chapter 6, “Windows Disk Protection.”

Restrict a Shared Administrative Account

Microsoft strongly recommends that you only allow users of the shared computer to log on with limited user accounts. This helps to ensure limited access to computer resources and provide the most secure environment. When using a limited user account, users will not have access to any administrative tools and privileges through which they could introduce unwanted changes to the operating system and programs.

However, there are some third-party programs that have not been designed to run properly using a limited user account and do not meet Windows XP logo requirements. Instead, a user must log on with a shared administrative account to run the programs. Although it is better to avoid such programs and use only limited user accounts, this is not always possible and you may need to allow users to log on with administrative accounts. This scenario occurs most frequently in locations such as Internet gaming cafés because many Internet-based and network-based multiplayer games require an administrative account to run. Some older educational programs experience similar problems.

Note Note
You can find a list of third-party programs that do not work with limited user accounts in the Certain Programs Do Not Work Correctly If You Log On Using a Limited User Account article in the Microsoft Knowledge Base.

Important Important
Although the Toolkit can help restrict an administrative account, it cannot remove all security risks associated with allowing the use of such an account.

If you have software with this administrative account limitation, take the following steps:

  • Investigate if the software can be upgraded to a version that runs correctly with limited user account privileges on Windows XP.

  • Investigate if the software can be replaced with another product that runs correctly with limited user account privileges on Windows XP.

  • Investigate if the software can be removed from your environment with a limited impact on your business needs.

If you cannot accomplish all of these steps, you might find it necessary to allow some users to use a shared administrative account to use certain programs.

If your environment requires shared administrative accounts, you can use the User Restrictions tool and the Windows Disk Protection tool together to help restrict the activities of these accounts and increase the security of the computer. However no solution will provide 100 percent protection from administrative account misuse.

To restrict a shared administrative account

  1. Log on as the Toolkit administrator.

  2. Click Start, point to All Programs, point to Microsoft Shared Computer Toolkit, and then click User Restrictions.

  3. In the User Restrictions window, click Select a Profile.  

  4. In the Select a Profile to Restrict window, click the shared administrator account you want to restrict.

  5. Select the Lock this profile check box.

  6. In the User Restrictions window, in the General Settings section, click Select Drives to Restrict.

  7. In the Select Drives to Restrict window, click Restrict All. Click OK.

  8. In the User Restrictions window, select the Recommended Restrictions for Shared Accounts check box. Be sure to leave all of the restrictions selected; clearing any of the restrictions creates an opening that could be abused by a malicious person who uses the administrative account.

  9. Under Additional Start Menu Restrictions, select the Prevent Programs from the All Users menu from appearing on the Start menu check box and the Remove Help and Support icon check box.

  10. Under Additional Software Restrictions, select the Restrict Notepad and WordPad check box and the Prevent Microsoft Office Programs from running check box. This will prevent the restricted administrator from modifying critical scripts and batch files to bypass security.

  11. Click OK to apply the restrictions and close the User Restrictions tool.

Block ActiveX Controls in Internet Explorer

Internet Explorer provides a method of controlling security based on security zones, including being able to block ActiveX controls. Security zones contain lists of Web sites deemed to have similar security settings requirements. The four zones provided are as follows:

  • Internet. Contains all Web sites that you have not placed in other zones.

  • Local Intranet. Contains all Web sites that are on the local network. By default, this zone includes all sites that bypass the proxy server (if a proxy server is in use) and all local network paths.

  • Trusted Sites. Contains Web sites that are believed to be safe. There are no sites in this zone by default.

  • Restricted Sites. Contains Web sites that could potentially be harmful. There are no sites in this zone by default.

Although it is generally a good idea to leave each security zone set to its defaults, you can customize the security level for each site if the default settings are not adequate for a user. By default, the Internet security zone prevents the downloading and installation of unsigned ActiveX controls. To increase this security, you can customize the Internet security zone.

Important Important
If you block ActiveX controls it will cause problems with some Web pages.

To block ActiveX controls in Internet Explorer

  1. Log on as the Toolkit administrator.

  2. If necessary, remove restrictions from the user account for which you want to block ActiveX controls and configure Windows Disk Protection to Save changes with next restart.

  3. Log on as the user for which you want to block ActiveX controls.

  4. Start Internet Explorer.

  5. In Internet Explorer, on the Tools menu, click Internet Options.

  6. In the Internet Options dialog box, click the Security tab.

  7. Click the Internet security zone, and then click Custom Level.

  8. In the Security Settings dialog box, disable each of the settings in the ActiveX controls and plug-ins section of the list.

  9. Log on as the Toolkit administrator again, enable restrictions for the user, and then restart the computer.

Use Simple Site Filtering to Control Internet Access

The User Restrictions tool provides a way to disable Internet access. Although it might be necessary on some shared computers to enable Internet access, you can limit the sites to which a user can connect.

Use the following procedure to limit Internet access to a few selected sites. This procedure only works in environments that do not use a proxy server.

To use simple site filtering in Internet Explorer

  1. Log on as the Toolkit administrator.

  2. Open the User Restrictions tool and select the user profile you want to limit.

  3. Under Optional Restrictions, expand Additional Internet Explorer Restrictions,and then select the Prevent Internet access from Internet Explorer check box.

  4. The Proxy setting will change to NoInternetAccess, which will disable access for all sites except for those listed in the Proxy Exceptions box.

  5. In the Proxy Exceptions box, list any sites that you will allow this user to browse. Within the allowed sites list, you can use wildcard characters such as *.microsoft.com. Use a semicolon (;) as a delimiter between sites.

  6. Click OK.

  7. Log on as the restricted user and use Internet Explorer to confirm that the chosen sites are the only ones available.

  8. Log on as the Toolkit administrator.

  9. Configure Windows Disk Protection to Save changes with next restart and then restart the computer to save changes.

If more advanced site or content filtering services are required, search the Windows Marketplace for a third-party product that meets your requirements.

Use a Central Script for Common Client Updates

If you have several shared computers on a network, there may be times when you need to apply an update or perform an installation on all of those shared computers even though Windows Disk Protection is turned on. To address this issue, you can use the Other Script option in Windows Disk Protection to call a common script from a network location.

For example, you could keep a script named Sharedupdate.bat in a shared folder on the network. Generally, you would keep this script empty—a blank document. Each day during the regular update process, shared computers would execute this empty script to no effect. When you want the shared computers to run a script (for example, to install a new program), you could simply add the proper script to the Sharedupdate.bat file. After the regular update cycle, when all of the shared computers have run the script, you could return the Sharedupdate.bat file to its empty state.

Restrict Children on a Family Computer

Although not the intended purpose of the Toolkit, one exciting possibility the Toolkit offers is the ability to restrict the actions of other kinds of users in other environments. One such environment is a home computer used by children.

On a home computer, the User Restrictions tool makes it easy to control the Windows features and programs to which a child has access. For example, you could restrict a child in the following ways:

  • Prevent the child from using Internet Explorer or Windows Messenger.

  • Prevent the child from changing the profile used to log on to Windows.

  • Apply time restrictions to the child’s computer use.

  • Restrict access to Windows features that would enable the child to modify configurations or run inappropriate programs.

  • Restrict the features and programs that are available on the Start menu.

You could use the Windows Disk Protection tool to ensure children can’t make permanent changes to Windows. Be careful using Windows Disk Protection on computers on which you want to save data permanently. Without careful planning, you might inadvertently clear documents, pictures, and other important files that you and your family want to keep.

Important Important
The examples provided here are not intended as prescriptions for keeping your child safe, but as examples of how you could use the Toolkit to help implement a security and privacy plan for your child. The Online Resources for Using Public Computers Web page provides links to a number of resources that you can use to learn more about children and computers.

Example 1: Restrict a Young Child

For a young child, particularly one who is first learning to use a computer, a parent’s goal is both to protect the child from the dangers associated with online activity and to protect the computer from the fearless explorations of the child.

You could use the Toolkit to restrict a young child’s activities in the following ways:

  • User Restrictions

    • Lock the user profile so that no permanent configuration changes are allowed. If you lock the user profile, you can redirect the My Documents folder for the user profile to a folder on a persistent partition so that the child can still save documents. You could also store the user profile on the Windows partition and turn on Windows Disk Protection for additional protection.

    • Configure the Start menu so that only local games are available—not Internet-based games. You could also make games that have inappropriate content unavailable to young children.

    • Disable Internet access. Experts suggest that young children only be allowed Internet access when parents or teachers can help them, or at least only be allowed to use the Internet on a computer that is in a public family area.

    • Disable Windows Messenger. Most experts agree that instant messaging programs are not appropriate for young children.

    • Prevent disk access to all disks except the disk on which the child is allowed to store documents.

    • Set time restrictions that enforce the limits you have chosen for your family.

    • Configure User Restrictions to prevent access to areas of the operating system the child should not be involved with.

    • Configure Start menu restrictions to prevent access to operating system features and programs.

  • Windows Disk Protection

    • Turn on Windows Disk Protection so that changes a child makes are not saved. This is especially important if you allow the child to access the Internet, e-mail, Windows Messenger, or have access to configuration tools.

Example 2: Restrict a Teenager

For a teenager, you will probably want to set fewer restrictions than for a young child. In particular, teenagers will often need access to the Internet, e-mail, and Windows Messenger. They will also find it more important to be able to configure their desktop, and might even enjoy having access to other configuration tools so that they can learn more about the operating system.

You could use the Toolkit to restrict a teenager’s activities in the following ways:

  • User Restrictions

    • Do not lock the user profile. Teenagers will want to be able to configure their environment. Redirect the My Documents folder for the user profile to a folder on a persistent partition and also store the user profile on a persistent partition, such as a D: drive.

    • You may want to configure the Start menu so that some Internet games are available to your teenager. If not, you should configure the Start menu so that only local games are available.

    • Enable Internet access and Windows Messenger. You might want to use the privacy options in Internet Explorer or configure additional parental controls for Internet use.

    • Set time restrictions that enforce the limits you have chosen for your family.

    • Set restrictions to prevent access to some areas of the operating system.

    • Configure Start menu restrictions to prevent access to operating system features and programs.

  • Windows Disk Protection

    • Turn on Windows Disk Protection so that changes made to the Windows partition are not saved.

Automate User Restrictions Using Restrict.wsf

The command-line tool Restrict.wsf allows you to configure restrictions for a user profile by using restrictions stored in an XML file. Examples of ways that you can use this tool with an XML file include the following:

  • Use a preconfigured XML file to apply restrictions to users. The Toolkit includes several sample XML files in the XML folder inside the program’s folder (C:\Program Files\Microsoft Shared Computer Toolkit\xml). For example, the file Restrict.Office.XML can be used to restrict Microsoft programs and can also be customized to restrict third-party programs.

  • Use Restrict.wsf to create an XML file for a user. You could then customize the XML file to add restrictions for the user or for additional users.

  • Use Restrict.wsf to apply an XML file to a user.  

  • Use Restrict.wsf to lock or unlock a profile.

The syntax for Restrict.wsf is as follows:

Restrict.wsf [/User:username] [/Create] [/Apply] [/Accounts] [/XML:filename.xml] [/Lock] [/Unlock]

  • /User Specifies which user to configure with this tool.

  • /Create Tells the tool to create an XML file using the specified user’s settings.

  • /Apply Applies settings from an XML file to the specified user.

  • /Accounts Lists user accounts that the tool can be used to configure.

  • /XML Specifies the file name to be used to store or apply settings for the specified user.

  • /Lock Locks the specified user’s profile.

  • /Unlock Unlocks the specified user’s profile.

If you were using Restrict.wsf to copy restrictions from user Jane to file Cafe.xml, you would issue the following command:

Restrict.wsf /User:Jane /Create /XML:Cafe.xml

To use Restrict.wsf to apply restrictions to user Joe from file Cafe.xml and also lock Joe’s profile, you would issue the following command:

Restrict.wsf /User:Joe /Apply /XML:Cafe.xml /Lock

In addition to saving and applying settings for a single user, Restrict.wsf can be used to automate the application of settings to many users.

Create a Mandatory Profile for Multiple Users

Mandatory user profiles are essentially roaming profiles to which users cannot make permanent changes. Mandatory user profiles are available in Windows XP Professional, but not in Windows XP Home Edition. Mandatory user profiles are stored on a network server and are downloaded and applied each time a user logs on. The profile is not updated when the user logs off.

The advantage of using a mandatory profile is that you can make changes only to the master mandatory profile and have that profile used on any shared computer. The potential disadvantage of mandatory profiles is that the shared computer must have network access for a user to log on. If a mandatory user profile is unavailable, the user cannot log on.

To create a mandatory profile for multiple users:

  1. Create a shared folder on a network server that will hold profiles.

  2. Create a subfolder in that shared folder for each mandatory profile you want to use.

  3. On each shared computer, start the Computer Management tool. (Right-click My Computer, and then click Manage.)

  4. In the Computer Management tool, under Local Users and Groups, expand the Users folder.

  5. For each user account that will use the mandatory profile, right-click the account and then click Properties.

  6. In the Properties dialog box, on the Profile tab, in the Profile Path box, type the network path to the share where the profile is saved (for example, \\server1\profiles\user1).

  7. Create, configure, and restrict a user profile and then copy that user profile to the appropriate network share.

  8. In the network share, in the profile folder, rename the Ntuser.dat file to Ntuser.man. This changes the profile from a simple roaming profile to a mandatory profile.

For more information about how to create and use mandatory user profiles, consult the following resources:

  • For general information about roaming and mandatory profiles, see the User Profiles Overview topic in the Windows XP Professional Product Documentation.

  • For steps on how to assign a mandatory profile to a user account in Windows XP, see the How To Assign a Mandatory User Profile in Windows XP article in the Microsoft Knowledge Base.

Image or Clone a Toolkit-Secured Computer

When you install Windows XP Professional on several computers that have identical hardware configurations, the most efficient installation method to use is disk imaging—a process that is also referred to as cloning. This method involves the following actions:

  • Configure a reference computer. This is a computer that is prepared in accordance with the instructions found in Chapters 1–5 in this Handbook.

  • Use the System Preparation Tool (Sysprep.exe) to prepare the computer for imaging (optional). You can find Sysprep.exe on the Windows XP operating system CD. For more information about the use of Sysprep.exe, see the Sysprep section of the Windows XP Resource Kit.

  • Create an exact image of the reference computer’s hard disk and transfer that image to the hard disks of other computers. You can accomplish this through the use of a disk imaging program such as Symantec Norton Ghost or Acronis True Image.

  • Perform some final tasks on the cloned computer. After imaging, the cloned computer will start a mini-setup program that validates and activates Windows XP for use on the new system.

Configure a Reference Computer

You must first configure a reference computer that will be cloned. Configuring a reference computer involves the following tasks:

  • Install the operating system. Install either Windows XP Professional with SP2 or Windows XP Home Edition with SP2.

  • Prepare the hard disk for Windows Disk Protection. For more information, see Chapter 2, “Prepare the Disk for Windows Disk Protection.”

  • Install the Microsoft Shared Computer Toolkit for Windows XP. For more information, see Chapter 1, “Installation.”

  • Create local limited user accounts. For the reference computer, create a superset of all the user accounts you will need on all the shared computers. You can always remove accounts you won’t need from specific computers.

  • Create and customize the user profiles for each account. For more information, see Chapter 3, “Profile Management.”

  • Configure user restrictions on the computer. For more information, see Chapter 4, “User Restrictions.”

    Important Important
    Do not turn on Windows Disk Protection before cloning a computer. This can result in difficulty obtaining a clean disk image and problems on the destination computers.

Use the System Preparation Tool

After you configure the reference computer, your next step is to prepare the computer for imaging. Many settings on a Windows XP Professional computer must be unique, such as the Computer Name and the Security Identifier (SID), which is a number used to track an object through the Windows security subsystem. To address this need, Windows XP Professional provides a utility called the System Preparation Tool (Sysprep.exe) that removes the SID and all other user-specific and computer-specific information from the computer, and then shuts down the computer so that you can use can use a disk duplication utility to create a disk image. The disk image is simply a compressed file that contains the contents of the entire hard disk on which the operating system is installed.

Typically, when a client computer starts Windows XP Professional for the first time after loading a disk image that has been prepared with Sysprep, Windows automatically generates a unique SID, initiates Plug and Play detection, and starts the Mini Setup Wizard. The Mini Setup Wizard prompts for user-specific and computer-specific information, such as the End-User License Agreement (EULA), regional options, user name and company, product key, and so on.

Note Note
When you create a disk image, all the hardware settings of the reference computer become part of the image. Thus, the reference computer should have the same (or similar) hardware configuration as the destination computers.

You can further automate the imaging process by including with your master image a special answer file named Sysprep.inf. Sysprep.inf is an answer file that is used to automate the Mini Setup process. It uses the same INI file syntax and key names (for supported keys) as Unattend.txt. Place the Sysprep.inf file in the %systemdrive%\Sysprep folder or on a floppy disk. If you use a floppy disk, insert it into the floppy disk drive after the Windows startup screen appears. Note that if you do not include Sysprep.inf when running Sysprep, the Mini Setup Wizard requires user input at each customization screen.

To learn more about how to use the System Preparation Tool, consult the following resources:

  • For an overview of the process of imaging clients, including the use of Sysprep to prepare a system for imaging, see the TechNet Imaging Web site.

  • For information about how to customize Sysprep installations, see Customizing Sysprep Installations section in the Windows XP Professional Resource Kit.

Create and Transfer a Hard Disk Image

After you run the System Preparation Tool to prepare the reference computer for imaging, the tool shuts down the reference computer. At this point, you can use a third-party imaging tool to create an image of the computer’s hard disk. You can find recommendations for imaging tools by searching for drive copying utilities at the Windows Marketplace.

Popular imaging utilities include:

Post-Imaging Activities

Note Note
Volume-licensed Windows XP computers will not require activation or validation after cloning if the original image was activated and validated. This is one of the advantages of the Volume Licensing program.

After you transfer an image to a new computer and start the computer, Windows generates a unique SID, initiates Plug and Play detection, and starts the Mini Setup Wizard. After installation finalizes, there are several tasks you must complete. These include:

  • Activate Windows. For more information about this step, see Description of Microsoft Product Activation article in the Microsoft Knowledge Base.

  • Validate Windows XP. You can validate Windows through the Windows Genuine Advantage Web site. If you used Sysprep to prepare the computer for imaging, you will be required to validate Windows again before using the Toolkit tools.

  • Turn on Windows Disk Protection. You can turn on Windows Disk Protection by using tool directly, or you can use the DiskProtect command-line tool.