#	Reset Password for a OU - heineborn.com 2013-04-19
#

Import-Module ActiveDirectory

$OU = "ou=OfficeA,dc=HEINEBORN,dc=LOCAL"
$DC = "DC01.HEINEBORN.LOCAL" #Domain Controller

Function Get-RandomPassword {
    $length = 8
    $characters = 'abcdefghkmnprstuvwxyzABCDEFGHKLMNPRSTUVWXYZ'
    $nonchar = '123456789!$%&?#'
    $random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
    $random2 = 1..2 | ForEach-Object { Get-Random -Maximum $nonchar.length }
    $private:ofs= "" 
    $ThePassword = [String]$characters[$random] + [String]$nonchar[$random2]
    return $ThePassword
}

$Users = (Get-ADUser -server $DC -filter * -Properties * -SearchBase $OU | select DisplayName, SamAccountNamee  )
FOREACH ($User in $Users) {
    $Username = $User.SamAccountName
    $DisplayName = $User.DisplayName
    $Password = Get-RandomPassword

    Write-host $DisplayName / $Username / $Password
    #Set-ADAccountPassword -id $username -NewPassword (ConvertTo-SecureString -AsPlainText $Password -Force)
}

I have written a script which verifies that all users that should have a home folder has one, and that it has the appropriate permissions.
If you use ADUC to set a home folder it per default gives the user Full Permissions, this is not optimal because it gives the end user the ability to change the permissions on their folders. I always prefer to give them Modify instead.

And sometimes the folder has mysteriously not been created on the server, or been deleted. This script will also fix that.

#  User Home Directory Permissions - heineborn.com 2013-01-15
#
#  Created a home folder for users who does not have one and sets correct permissions.

# Loading modules
Import-Module ActiveDirectory

$DC = "MYDC.HEINEBORN.LOCAL"
$OU = "OU=PRODUCTION,DC=HEINEBORN,DC=LOCAL"

$Content = (Get-ADUser -Server $DC -filter * -Properties * -SearchBase $OU | select SamAccountName, HomeDirectory )

FOREACH ($ID in $Content) {
    $User = $ID.SamAccountName
    $Folder = $ID.HomeDirectory
    # Check if the user has a HomeDirectory.
    If (($User -ne "SamAccountName") -and ($Folder)) { 
        # Check if folder exists, if not it created it.
        If ((Test-Path $Folder) -ne $true) {
            Write-Host
            Write-Host $User " HomeDirectory does not exist. Creating..."
            New-Item -ItemType directory -Path $Folder
            icacls $Folder /grant $User`:`(OI`)`(CI`)M
        }
        # Check if permissions are F (Full)
        $Icacls = icacls $Folder 
        $Match = "*" + $User + ":(F)*"
        $IcaclsResult = $Icacls -like $Match
        If ($IcaclsResult) {
            Write-Host
            Write-Host $User " HomeDirectory has incorrect permissions. Resetting..."
            icacls $Folder /remove:g $User
            icacls $Folder /grant $User`:`(OI`)`(CI`)M
        }
    }    
}

If this helped you or if you need assistance adjusting it let me know.

Whats not so neat, or fun is to get it to work with SCCM 2012.

I downloaded the latest drivers from OCZ and imported them to SCCM and my Boot Image.

I then used DiskPart to set up the unit:

select disk 0
clean
create partition primary
select partition 1
active
format fs=ntfs quick
assign
exit

WinPE boots fine but when I select my Task Sequence the installation stops with error code 0x800700A1.

When checking SMSTS.log I find the following:

<![LOG[User did not specify local data drive]LOG]!>
<![LOG[Volume C:\ has 480023437312 bytes of free space]LOG]!>
<![LOG[Volume C:\ is not bootable]LOG]!>
<![LOG[Volume D:\ is not a fixed hard drive]LOG]!>
<![LOG[Volume E:\ is not a fixed hard drive]LOG]!>
<![LOG[Volume F:\ is not a fixed hard drive]LOG]!>
<![LOG[Volume G:\ is not a fixed hard drive]LOG]!>
<![LOG[Volume H:\ is not a fixed hard drive]LOG]!>
<![LOG[Volume X:\ is not a fixed hard drive]LOG]!>
<![LOG[TSM root drive = ]LOG]!>
<![LOG[We do not find an available volume to store the local data path]LOG]!>

The MDT scripts detect the RevoDrive as “not bootable”, I would prefer not to change any scripts in the package if possible. Is there another way to set up the hardware?

The hardware I’m trying to deploy on is a HP Z400 (which is why I have so many drive letters) with a RevoDrive 3 x2.

I will keep working to solve the issue, if you’re having the same issue or got a solution let me know.

Previously all users had Full-permissions on their home folder, which led to the users resetting permissions and removing unwanted permissions (Backup or Admin accounts) to their “private” stuff.

This script will set Modify-permissions for the user. I know it’s not the most well-written script out there, but it works! :)

#	User Home Directory Permissions - heineborn.com 2013-01-15
#
#	Creates a HomeDirectory for users who are missing one.
#	Verifies they have Modify permissions, if they have Full it replaces with Modify.

# Loading modules
Import-Module ActiveDirectory

$DC = "DC01.HEINEBORN.LOCAL"
$OU = "OU=Users,DC=heineborn,DC=local"

$Content = (Get-ADUser -server $Dc -filter * -Properties * -SearchBase $OU | select SamAccountName, HomeDirectory)

FOREACH ($ID in $Content) {
    $User = $ID.SamAccountName
    $Folder = $ID.HomeDirectory
    # If the user does not have a value for HomeDirectory it skips.
    If ($Folder) { 
        # If the HomeDirectory does not exist its created.
        If ((Test-Path $Folder) -ne $true) {
            New-Item -ItemType directory -Path $Folder
            icacls $Folder /grant $User`:`(OI`)`(CI`)M
            }
        # Checking if user has Full permissions on their folder.
        $Icacls = icacls $Folder 
        $Match = "*" + $User + ":(F)*"
        $IcaclsResult = $Icacls -like $Match
        If ($IcaclsResult) {
            Write-Host $User " HomeDirectory has incorrect permissions. Resetting..."
            icacls $Folder /remove:g $User
            icacls $Folder /grant $User`:`(OI`)`(CI`)M
        }
    }    
}

Let me know if anything is not working for you and I’ll do my best to help you out.

I have been working on simplifying the deployment routine and increasing security for a customer.
They are migrating from a Ghost-deployment to SCCM 2012, and currently security has not been considered at all.

The current policy is that Domain Users is set to be in all the clients local Administrators-group, which is just retarded.

I set up a small script which adds the username supplied during OS Deployment to the local administrators group instead, which you could run from a TS.
This way only the Primary User gets elevated privileges over their PC (instead of the entire organization.

The script looks like this,

'	Configuration Manager Set UDA Local Admin - heineborn.com 2013-01-08
'
'	Enter UDA user during UDI wizard and this script will add that user to the local administrators group.

Set oTSEnv = CreateObject("Microsoft.SMS.TSEnvironment")
Set objShell = Wscript.CreateObject ("Wscript.Shell")
For Each oVar In oTSEnv.GetVariables
	If (ovar = "SMSTSUdaUsers") Then
		strCmd = "net localgroup Administrators /add " & otsenv(ovar)
		objShell.Run (strCmd)
	End If
Next

I have integrated this SCCM installation with MDT so I simply saved the script in the MDT\Scripts-folder and added a Run Command Line step to my TS.

If you need to set up User Device Affinity (prerequisite) I have written a guide how to do that aswell.

Hope this helped you.
Leave a comment and feel free to link this page on other forums.