Setup Multiple computers with Win10

Topic

New Reply

I manage about a dozen small businesses in my area. I’m upgrading them all to Windows 10 (they are currently on Windows 7), because of insurance and liability they cannot stay on Windows 7.

I’m planning on using the same approach as I did when I installed Windows 7. These businesses have 3-10 computers each, all are running peer-to-peer using a standalone Windows 7 acting as the server. It’s never been clean or easy to change the name on a user account, so to save a lot of installation time I came up with this process.

All desktops are exactly the same – model, hardware, etc.

All Laptops are exactly the same.

I will be installing Windows 10 with a local account NOT a Microsoft Account.

Below where I refer to one system – I actually mean 2 – one desktop and one laptop.

1. What I do is setup a system: I create a standard user called “USER” and install all appropriate apps, updates, drivers, etc. I then make an MASTER image of the disk.
2. I use that image to create a new system and configure that for a particular business – special software, printers, etc. I make another image – BUSINESS MASTER.
3. I use this second image to create each user’s computer. I change the computer name and activate and license the software for each user (yes they are in compliance with licenses). Each computer has the same user name: USER, but since this is a peer-to-peer, it’s never been a problem in the past. Each computer will end up with a different password. I do assign the individual’s name to an environmental variable so I can track things like backing up data from a workstation (most is stored on the pseudo server). I make an INDIVIDUAL image .

All these images (Master, Business-Master, and Individual) get stored on duplicated external HDs.

Now it may seem a little strange to have all user accounts with the same name, but being a peer-to-peer network, this hasn’t caused any problems.

The questions I have are:

1. Will this work with Windows 10?
2. Are there any changes I should make to my process?

Thanks,

Marc

 

Reply | Quote

Replies

Am I understanding correctly that you do not have an Administrator user account at all? (pardon me if I have not understood this).

Reply | Quote

As mentioned in today’s newsletter, it’s not possible to not have an admin account on any Windows version:

Every Windows installation must have at least one administrator account; if there’s only one such account on a machine, Windows won’t let you remove or demote it.

WINDOWS: Working outside an admin account: Safe but annoying

Reply | Quote

Actually, well, slightly more complicated than that.

The “Administrator” account on desktop versions of Windows, by default, does exist but is disabled. Deleting this account isn’t supported but you don’t have to enable it.

During normal interactive install you get to create an account, this can be named anything you like – doesn’t have to be “Administrator” – and it becomes a member of the Administrators local group.

It is indeed possible for this account to become disabled as well, such as due to running into the “too many wrong passwords” limit.

Also you can for example join the system into a domain and then remove the “User” account from local Administrators group. It is allowed that the only enabled admin accounts be through domain authentication.

There are all kinds of ways you can lock a computer so that no one can get in normally, messing with this without knowing what you’re doing is a good way to get there. Like requiring domain auth for admins and then requiring fresh enough domain credentials before being allowed to authenticate to domain, and allowing them to time out once. (Or as it may happen, failing an update and getting pulled back to a restore point…) Actually, I even know people who do that on purpose.

Reply | Quote

mn– wrote:

Actually, well, slightly more complicated than that.

Hmm, well, not really!

Unless you know of a method to remove or disable the last local admin account on any version of Windows? (And some magic to replace or re-enable it?)

mn– wrote:

It is indeed possible for this account to become disabled as well, such as due to running into the “too many wrong passwords” limit.

What’s the default local account lockout threshold for any version of Windows?

Reply | Quote

b wrote:

Unless you know of a method to remove or disable the last local admin account on any version of Windows? (And some magic to replace or re-enable it?)

Go in with a domain-granted admin account and set it as disabled? Worked last time I tried. As in 5 or so minutes ago.

Wasn’t all that long ago that I last had to fix a server where all accounts had gotten disabled due to excessive bad passwords. (As to how it got that way, that’s a long story … also a bit of a distance as the local help they got couldn’t get it open.)

Booted a Linux live-usb and used chntpw to re-enable… easier to get write access to the RAID array contents that way than building a suitable Windows-based recovery setup would’ve been. Yes, hardware-specific issues too.

(For the curious – yes, if you have the recovery key, there’s a Linux tool to open BitLocker too)

b wrote:

What’s the default local account lockout threshold for any version of Windows?

Default is 0, as in don’t do it. Also MS documentation recommends setting a reset timer for that so it’ll re-enable automatically after a given time.

Well, on that one server, someone had set a max attempts number but left the re-enable at 0.

Wasn’t the first time I’d seen that, either….

Reply | Quote

mn– wrote:

Go in with a domain-granted admin account and set it as disabled? Worked last time I tried. As in 5 or so minutes ago.

Can’t you just disconnect it from the  network and use cached credentials?

Reply | Quote

Yes. For the accounts that are still enabled. Local now-disabled admin account isn’t cached because it’s local.

Then by default you need to have …25? non-admin domain users log in to rotate the cached admin credentials out.

That number can be changed, or caching disabled altogether.
Or you could just go and delete the cached credentials with regedit if you’re sure you know how.

Or you could revoke the user’s membership in the domain group that confers admin rights and log in again with a server connection. Cache updated, admin rights lost.

Really, Windows authentication does have ways to shoot yourself in the foot if you REALLY want to.

Yes, some security-paranoid people do set them up that way on purpose. Don’t ask.

Reply | Quote

I left out a lot of details as I was looking for suggestions about my overall approach or one that doesn’t require me to set up each person’s account individually. I know I could use Sysprep, but it doesn’t save all the settings, so there is still more work to do on each computer.  Yes of course I have an Admin account, it’s been enabled and password protected. I then create the USER account for the end-user as another Admin account and will demote it to standard when all is done.

Reply | Quote

I seem to remember that you could in one version of windows copy an account profile. Did this disappear after XP? I see in my W10 one can only copy the default to another profile.

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

major4579 wrote:

All desktops are exactly the same – model, hardware, etc. All Laptops are exactly the same.

The easy way would be to use one of each type and do a straight upgrade with Win 10 (generic image) and (either boot from USB or run from the Desktop) see what problems develop.
Big caveat with this approach there have been problems in the past, settings not migrated, software installed not working correctly but at least you will know what your dealing with before rolling out on other machines.
As for SYSPREP well I have never installed a prepared Win10 image over an existing installation with like software already installed, albeit installed on Win 7, so not sure if or what problems that will bring. Another reason maybe try this out in a test environment.
Creating a SYSPREPed image of Win 10 is a real pain, its not as easy as Win 7 or Win 8.1, since the advent of UWP and Metro Apps you have to stop them updating otherwise it’ll stop the shutdown (OOBE) and generalise process in a never ending run mode.
Basically you have to stop the Apps updating, and remove them, not a biggie as they are “Staged” and will or should come back.
Maybe one or two can suggest another way here but it may mean serendipity or “Trial and error” on your part, and a lot of legwork alas.
Hopefully your licensing will allow you to get Professional and above, its my long time assertion that networking reliably has been broken on the Win10 Home version since M$ removed Home Groups with 1709.

Reply | Quote

1. This is a workgroup situation – there is no domain.
2. I am NOT upgrading from W7 to W10, I’m installing a new clean version of W10 PRO and then re-installing ALL the software, printer drivers, etc.
3. Yes in XP you could copy a profile to a new user with all the programs and settings getting copied, but references to the old user name would still exist. There was a useful free utility called COA (Change of Address) that would go through the new profile changing all references for the old user name to the new user name, including the user directory name. It would search the registry, shortcuts and win.ini if I remember correctly. There is a way to manually do this in Windows 7 and that did work (actually the COA utility worked on Win7-32). I don’t know if this would work in Windows 10.

So back to my original question, which I can express a little more clearly. What is the easiest/fastest/cleanest way to deploy a new copy of Windows 10 with programs, printers, and other customizations to a number of identical computers in a NON-Domain, i.e., Workgroup environment? I know there will always have to be some work on each computer, entering licenses and activating programs – but I want to keep it at a minimum.

Thanks,

Marc

Reply | Quote

Sysprep is the best method IMO as it allows all the user / machine setup / licensing.
It does take time to set up but well worth it.

cheers, Paul

Reply | Quote

Paul,

The problem I’ve had with Sysprep is that I set up Windows 10 to look as much like Windows 7 as possible (my clients prefer this), and all that work personalizing the UI gets lost with Sysprep. So it still takes a lot more of my time. The main advantage of Sysprep is it works with different hardware – I don’t have that issue. Restoring an image outs me 10 steps closer to finishing, it seems to me.

Thanks,

Marc

 

Reply | Quote

Surely you can script the last bit at the end of the install?

cheers, Paul

Reply | Quote

I really dont understand why you are making that all.

You don’t have Active Directory? Correct?

 

Why dont you:

a) Install one computer 100% ready

b) copy that to all other computer. (1:1 image)

c) rename and its ready

Reply | Quote

[major4579]

Meitzi wrote:

I really dont understand why you are making that all.

You don’t have Active Directory? Correct?

 

Why dont you:

a) Install one computer 100% ready

b) copy that to all other computer. (1:1 image)

c) rename and its ready

No I don’t have AD, and yes that’s what I’m planning on doing. I won’t be able to get to 100% on my clones because my clients do NOT have volume licenses (they are too small) and they don’t all use the same software. Also some programs may not install without a valid license, but I may be able to change the license later.

So I have to do some work on individual computers (installing odd programs) and entering individual licenses. I’ve always expected to have to do that. I was just seeking reassurance that Windows 10 will not have an issue with these clones (all with legit licenses) in a peer-to-peer network.

The discussion just got a little off-track.

-Marc

 

• This reply was modified 5 years ago by major4579.

Reply | Quote

For what you are describing, meaning you want to clone a single image and roll it out, I recently tested Macrium’s software, Reflect 7 to deploy an image to all machines. Worked great, but we ended up starting with Sysprep.

Buy a disk duplicator. Image Sysprep. When done, duplicate the disks that came with each desktop.

Or check out Macrium, but it might be too expensive for your needs. However, if you build the cost across all machines evenly, you might be able to license it for that.

We have tried a number of small volume ways to image the disks where I’m working. It all came back to Sysprep as the best way to roll out an image in Windows 10, barring stepping up to something like Macrium.

Also remember, there are low cost tools to migrate user profiles Check them out and use them! (I migrated 12 users from 7 to 10 in a similar situation to you last fall and migrated their profiles with no problem). Currently I’m in the middle of migrating 120 W7 machines. That’s just enough to not really be the sweet spot of Sysprep, and not really cost effective for many of the tools that are targeted at ‘large’ corporations. So what’s our best way of doing this rollout?

We purchased a disk duplicator. (it also bulk erases old drives).

We sysprep a master. This master is kept on the shelf in the future for similar machines that may be ordered in a few months. We buy all machines from one vendor (i.e. HP, Dell, Lenovo, whatever).

Once Sysprepped, we duplicate the master as needed, swap out the drives and bulk erase the old/new one. Yes, there is work to be done to ‘finish’ the sysprep operation, but much less than doing it by checklist from the ground up (yes, we have a checklist to do just that).

Another way to do it, is to spend a lot of time on batch files. Yes, we have USB keys with full workflow batch files to setup specific machine types. But we are moving towards sysprep in the future.

For my other clients, all machines have an admin account of WSADMIN (workstation admin), just so they can’t have a virus or ransomware mess with installing a program (easily). A [pain] but it works effectively. I even give the user the password to it if they want to install a piece of software for a specific job related task. This is only an easy way to keep bad guys a bit more removed from direct access.

 
Laptops are a problem because many of them don’t have swappable hard drives anymore. So pick your laptops with an eye on maintanence. (i.e. Lenovo uses replaceable SSD sticks).

Ultimately, doing what you want to do, at the scale you do it, is a [pain]. There are a few small utilities out there that setup machines the way you want, turning on and off features. I’ll see, when I get a chance, if I can give you a few good ones.

1 user thanked author for this post.

wavy

Reply | Quote