Excluding Users using USMT 4.0 in SCCM SP2

When it comes to backing up user data with USMT 4.0 [hardlinking] in SCCM, there are a few things that most people will want to do.  Such as excluding local computer accounts and excluding domain user profiles older than XX days.  It took a couple of days to get this figured out since there was no one blog post or forum topic which seemingly discussed both of these options. 

First things first, read this excellent blog post on How to use USMT 4 hardlinking in a Configuration Manager 2007 Task Sequence

Now, USMT uses Scanstate.exe and Loadstate.exe to backup and restore users [respectively].  Local users can be excluded using switch /ue and old domain user profiles can be excluded using switch /uel.  However, both of these switches cannot be used at the same time because of a precedence order.  For more information, read Understanding USMT 4.0 Behavior with UEL and UE.   So, to exclude local users and old domain users, set task sequence variables

• OSDMigrateAdditionalCaptureOptions = /nocompress /hardlink /uel:30 (or however many days you want it to be)
• OSDMigrateAdditionalRestoreOptions = /nocompress /hardlink /ue:%computername%\*

But there is also an undocumented problem.  SCCM adds to the Scanstate/Loadstate parameters, specifically adding the /all switch which says to backup/restore ALL USERS.  This completely goes against being able to use the /ue and/or the /uel switches and will cause scanstate/loadstate to fail!!  So what must be done to fix the problem is to

1. Select the step to Capture User Files and Settings
2. Select option “Customize how user profiles are captured”
3. Click the Files… button
4. Add files MigUser.xml, MigApp.xml
5. Repeat the above steps for Restore User Files and Settings

Updated 8/16 – USMT Best Practices states to not use MigUser.xml and MigDocs.xml together, so I’ve removed MigDocs from step 4.

Setting HKCU Array Values

This was a request from someone on an example for creating array registry values for all users on a computer.  I hope it us useful to others!

'==========================================================================
' NAME: HKCU_array.vbs
' VERSION: 1.0
' AUTHOR: Nick Moseley, http://t3chn1ck.wordpress.com
' DATE  : 8/10/2010
' COMMENT: This script will parse all User profiles on the computer, load their
'     HKCU hive, then set the sample array values in the sample keys
'==========================================================================
Const ForAppending = 8
Const HKLM = &H80000002
Dim oReg, oFSO, oFile, oUserSubkey, aUserProfiles
Dim sProfileLCase, sValue, sRegExe, sRegLoad, sRegUnload, sHiveName, sSubPath, sProfile, sValueName, sKeyPathUserProfiles, sSampleKeyPath1, sSampleKeyPath2 
Dim aRegKey1, aRegKey2, sRegValue1, sRegValue2
Set oReg = GetObject("winmgmts:\\.\root\default:StdRegProv")
Set oShell = CreateObject("WScript.Shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")
' First array sample
sRegValue1 = "Sample1"
aRegKey1 = Array(&H27,&H00,&H00,&H00)
' Second array sample
sRegValue2 = "Sample2"
aRegKey2 = Array(&H77,&H00,&H65,&H00,&H62,&H00,&H6d)
sValueName = "ProfileImagePath"
sKeyPathUserProfiles = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
sRegExe = "C:\Windows\system32\reg.exe"
sSampleKeyPath1 = "Software\Sample1"
sSampleKeyPath2 = "Software\Sample2"
' Begin log file entries
If Not oFSO.FileExists("C:\SampleLog.txt") Then
    oFSO.CreateTextFile "C:\SampleLog.txt"
End If
Set oFile = oFSO.OpenTextFile ("C:\SampleLog.txt", ForAppending, True)
oFile.WriteLine "Sample set HKCU array registry values"
oFile.WriteLine "  => Install began at " & Date & " " & Time
oFile.WriteLine "  => HKCU registry key modified: " & sSampleKeyPath1 & " and " & sSampleKeyPath2 
oFile.WriteLine "     Set value " & sRegValue1 & " (binary) to 27:00:00:00"
oFile.WriteLine "     Set value " & sRegValue2 & " (binary) to 77:00:65:00:62:00:6d"
oReg.EnumKey HKLM, sKeyPathUserProfiles, aUserProfiles
For Each oUserSubkey In aUserProfiles
    sSubPath = sKeyPathUserProfiles & "\" & oUserSubkey
   oReg.GetExpandedStringValue HKLM,sSubPath,sValueName,sValue
   sProfile = Split(sValue, "\")
   sProfileLCase = LCase(sProfile(2))
   
   If sProfileLCase = "administrator" Then 
       oFile.WriteLine "  => Skipping profile: administrator"
   ElseIf sProfileLCase = "system32" Then 
       oFile.WriteLine "  => Skipping profile: system32"
   ElseIf sProfileLCase = "localservice" Then 
       oFile.WriteLine "  => Skipping profile: localservice"
   ElseIf sProfileLCase = "networkservice" Then 
       oFile.WriteLine "  => Skipping profile: networkservice"
   ElseIf sProfileLCase = "serviceprofiles" Then 
       oFile.WriteLine "  => Skipping profile: serviceprofiles"
   Else
       sHiveName = "TempHive_" & sProfileLCase
       
       ' Load user's profile hive into a temp location
       sRegLoad = " LOAD HKLM\" & sHiveName & " """ & sValue & "\ntuser.dat"""
       oShell.Run sRegExe & sRegLoad, 0, True
       oFile.WriteLine "  => User: " & sProfileLCase
       
        ' Delete the old values
        oReg.DeleteValue HKLM, sSampleKeyPath1, sRegValue1
        oReg.DeleteValue HKLM, sSampleKeyPath2, sRegValue2
        
        ' Create/set the new values
        oReg.SetBinaryValue HKLM, sSampleKeyPath1, sRegValue1, aRegKey1
        oReg.SetBinaryValue HKLM, sSampleKeyPath2, sRegValue2, aRegKey2
       
       ' Unload user's profile hive
       sRegUnload = " UNLOAD HKLM\" & sHiveName
       oShell.Run sRegExe & sRegUnload, 0, True
       
       
   End If    
Next
' End logging
oFile.WriteLine "  => Install completed at " & Date & " " & Time
WScript.Quit (oFile.Close)

WinXP Configurations

These are a few things I have done on my WinXP images

System Settings

• Configured Windows XP Tour to Disabled = Set value RunCount (dword) to 0 in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Tour
• Disabled System Restore for the image build process = Set value DisableSR (dword) to 1 in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
• Configured Automatic Updates to Off = Set value NoAutoUpdate (dword) to 1 in HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\
• Configured Event Viewer log files to “Overwrite as necessary” = Set value Retention (dword) to 0 in HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\[Application, Security, System]
• Configured “Wait for network at logon” = Set value SyncForegroundPolicy (dword) to 1 in HKLM\SOFTWARE\Policies\Microsoft\WindowsNT\CurrentVersion\Winlogon\
• Configured Offline Files to be disabled = Set value Enabled (dword) to 0 in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache
• Uninstalled the language bar using command “regsvr32 /u /s /msutb.dll”
• Set WinXP to use Microsoft Update (instead of Windows Update)
• Disabled automatic restart on system failure (BSOD) = Set value AutoReboot (dword) to 0 in HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\

User Settings (see Scripting HKCU Settings for more info)

• Configured task bar to “unlocked” = Set value TaskbarGlomming (dword) to 1 in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ and set value TaskbarSizeMove (dword) to 1 in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
• Configured highlight newly installed programs to “disabled” = Set value Start_NotifyNewApps (dword) to 0 in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
• Configured Desktop Cleanup Wizard to be disabled = Set value NoRun (dword) to 1 in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz\
• Configured IE icon on desktop to be hidden = Set value NoInternetIcon (dword) to 1 in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
• Configured Outlook 2003 Navigation Pane order to be Mail, Calendar, Contacts, then Folder List = Set value ModuleOrder (string) to “1,2,3,6,5,4,7,8″ in HKCU\Software\Microsoft\Office\11.0\Outlook\Preferences\

Settings accomplished via Unattend.txt during the XP image build

• [Shell]
  CustomDefaultThemeFile = “C:\Windows\Resources\Themes\CompanyCustom.theme”
• [Unattended]
  hibernation = No
• [Components]
  msnexplr = Off
  OEAccess = Off
  rootautoupdate = On
  zonegames = Off
  deskpaper = Off
• [Display]
  Xresolution = 1024
  Yresolution = 768
• [TerminalServices]
  AllowConnections = 1
• [PCHealth]
  RA_AllowToGetHelp = 0
• [WindowsFirewall]
  Profiles = WindowsFirewall.TurnOffFirewall
• [WindowsFirewall.TurnOffFirewall]
  Mode = 0