11 Replies Latest reply on Jan 21, 2013 12:14 PM by RSteele77

    Masking a p/w in OS XML file

    Apprentice

      Greetings LD Community,

       

       

      I have been tasked to find a possible environment variable to mask our domain password in the XML file used to deploy a particular template.  We are using LD v9.0, and Windows 7 (64-bit).

       

      Is there something I can add to the XML that LANDesk will recognize and mask out the password?  The idea is to prevent anyone from reading this info if for some reason the XML is left behind post-deployment.

       

      Thanks,

      Rick S

        • 1. Re: Masking a p/w in OS XML file
          Frank Wils ITSMMVPGroup

          Hi!

           

          If you make sure you inject your unattend.xml to c:\windows\panther, Windows itself will replace all passwords with *SENSITIVE-DATA* as soon as it picks up the unattend file. Combine this with a variable in your unattend for the password that Provisioning will replace during the inject and the time the password is readable is reduced to its minimum.

           

          Frank

          1 of 1 people found this helpful
          • 2. Re: Masking a p/w in OS XML file
            Apprentice

            Hi Frank,

             

            Thanks for the reply.  I will try that in a bit.  I'm new to LANDesk and scripting, but have done imaging/deployment for years using ghost.  This is certainly much more to grasp than a simple ghost process, but I like how much can be controlled using LD.

             

            I don't write the XML, nor manage the initial sysprepping or WAIK setup, so I have to sort of relay what I find to someone else.  Little by little I'm doing more of the process, so I'll catch up eventually.

            • 3. Re: Masking a p/w in OS XML file
              Apprentice

              Ok, so I tried those steps and the template went through, but it never joined the domain.  I tried editing the target location of the script from C:\unattend.xml, to, C:\windows\panther\unattend.xml.  LANDesk reports the template was successful, but as mentioned there was no domain joining.  It just dropped the image, loaded drivers, then left it in a workgroup.

               

              Not sure where to go from here..  any other suggestions?

               

              thx

              rs

              • 4. Re: Masking a p/w in OS XML file
                Frank Wils ITSMMVPGroup

                Can you post your xml? Minus the passwords, of course :) Also, if you look after deployment in the xml in panther, can you see the sensitive data deleted? (This also indicates that Windows really processed this xml.)

                 

                Frank

                • 5. Re: Masking a p/w in OS XML file
                  Apprentice

                  The way the setup has been explained to me is that LANDesk must drop the unattend.xml file at the root of C:\.  I tried adding the panther path, but I believe that's where it failed.  I will get the XML prepped and posted in a few minutes.  Just need to scour it for other P/W's. 

                   

                  thx

                  rs

                  • 6. Re: Masking a p/w in OS XML file
                    Frank Wils ITSMMVPGroup

                    No, LANDesk basically doesn't care where you drop the XML. It has to be dropped in a place where windows setup expects it, which can be any of 3 or 4 locations. Even if you drop it in c:\, windows setup will still copy it to the panther map to process it.

                     

                    The XML can contain several phases. Which and in which order those are executed also depends on the command parameters used to sysprep it.

                     

                    Also check the log files in the panther map. It will tell you which XML is processed and how.

                     

                    Frank

                    • 7. Re: Masking a p/w in OS XML file
                      Apprentice

                      Ok, so it did drop the XML in the C:\Windows\Panther as I told it to.  Just trying to figure out why it never joined the domain.  I attached a copy of the XML file, and it also did mask the passwords with the *Sensitive*Data*Deleted* text, where the passwords should be.

                       

                      thx

                      rs

                       

                      p.s.  Last post of day for me, it's closing time here.  Thanks for the responses, will reply in the A.M. our local time.

                      • 8. Re: Masking a p/w in OS XML file
                        Frank Wils ITSMMVPGroup

                        As you can see, the Specialize Phase was processed : +<settings wasPassProcessed="true" pass="specialize">

                         

                        I assume your image was Sysprepped with /generalize, because there is no Generalize Phase configured in your XML. This will mean the first phase to run after reboot will be the Specialize Phase. It might very well be that at that moment the system doesn't have any active NIC drivers. They get installed only later, so if they are not native in Windows... You could check this in the setupact.log and netsetup.log (search for your domain name).

                         

                        As it seems you don't use a custom OU to place your new computer in the AD, I also suggest you take out the Domain Join action from the XML and configure a Provisioning Action Join Domain. This will run later in the deployment process when all drivers are installed and is easier to maintain than in the XML file.

                         

                        Frank

                        • 9. Re: Masking a p/w in OS XML file
                          Apprentice

                          Ok, so I have taken the Domain Joining info out of the XML, and replaced it with a Join Domain action as part of the template provisioning.  Issue now is that it always fails to join the domain, so template stops right there.  I'm not sure what is causing it to fail either.  I used two different names for the domain (old NT, and new .org name), and double checked the username and password supplied to LANDesk to complete the Join Domain action, but it still fails.

                           

                          My boss is starting to think this won't work no matter what we try...  But I'm sure there has got to be a way to make it happen, just not sure which direction to look...

                          • 10. Re: Masking a p/w in OS XML file
                            Frank Wils ITSMMVPGroup

                            Do you use variables in your template? Try running the template without variables but with the values written out.

                             

                            Frank

                            • 11. Re: Masking a p/w in OS XML file
                              Apprentice

                              Originally, no.  There were no variables being used for this purpose.  We eventually used a variable to mask the password on the original XML document being passed through LANDesk, and then went with removing the Join Domain from the XML, in lieu of a Join Domain function in the provisioning process.  A few trial and error runs, and we got that to work as well. 

                               

                              So it looks like our issue has been solved, at least for now until the boss wants to try something new again. 

                               

                              Thank you for your help on this Frank.  I have marked one of your responses above as the correct answer.
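
An added example (not part of the original thread, and not LANDesk code): a PowerShell check for the end of a deployment that reports whether any password element in a leftover answer file still holds something other than the marker Windows Setup writes, together with the wasPassProcessed state of its pass. The function name, the embedded sample XML and the %name% placeholder pattern for provisioning variables are assumptions made for illustration.

```powershell
# Added example. $Masked is the marker Windows Setup writes over processed passwords.
$Masked = '*SENSITIVE*DATA*DELETED*'
function Find-UnattendSecret {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$Xml, [string]$Source = 'inline')
    # Any element whose name ends in "Password", whatever its namespace.
    $xpath = "//*[substring(local-name(), string-length(local-name()) - 7) = 'Password']"
    foreach ($node in $Xml.SelectNodes($xpath)) {
        # The secret sits either directly in the element or in a <Value> child.
        $valueNode = $node.SelectSingleNode("*[local-name()='Value']")
        $text = $(if ($valueNode) { $valueNode.InnerText } else { $node.InnerText }).Trim()
        if (-not $text) { continue }
        if ($text -ieq $Masked) { $status = 'Masked' }
        elseif ($text -match '^%[^%]+%$') { $status = 'Placeholder' }  # assumed variable syntax
        else { $status = 'Exposed' }
        $settings = $node.SelectSingleNode("ancestor::*[local-name()='settings']")
        [pscustomobject]@{
            Source    = $Source
            Pass      = if ($settings) { $settings.GetAttribute('pass') }
            Processed = if ($settings) { $settings.GetAttribute('wasPassProcessed') }
            Element   = $node.LocalName
            Status    = $status   # the value itself is never emitted
        }
    }
}
# Constructed sample: one processed pass (masked) and one unprocessed pass (still readable).
$sample = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="specialize" wasPassProcessed="true">
  <component name="Microsoft-Windows-UnattendedJoin"><Identification><Credentials>
   <Domain>EXAMPLE</Domain><Username>joinacct</Username>
   <Password>*SENSITIVE*DATA*DELETED*</Password>
  </Credentials></Identification></component>
 </settings>
 <settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup"><UserAccounts><AdministratorPassword>
   <Value>constructed-sample</Value><PlainText>true</PlainText>
  </AdministratorPassword></UserAccounts></component>
 </settings>
</unattend>
'@
$results = @(Find-UnattendSecret -Xml $sample -Source 'constructed sample')
# The two locations named in the thread; skipped when the file is absent.
foreach ($p in 'C:\unattend.xml', 'C:\Windows\Panther\unattend.xml') {
    if (Test-Path -LiteralPath $p) {
        $results += @(Find-UnattendSecret -Xml (Get-Content -Raw -LiteralPath $p) -Source $p)
    }
}
$results | Format-Table -AutoSize
```

A row with Status "Exposed" means the file should be deleted or the pass re-checked; a value stored with PlainText set to false is only encoded, so it is reported the same way.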