FBReseal, reduced privileges and multiple user accounts



William Sullivan
07-09-2005, 10:24 PM
Stemming from my previous post... I realized (more like smacked myself in
the head) that the way my system is set up may have an effect on fbreseal.
The machine is set up to boot into a user account with reduced privileges
(Power User) with a custom shell. The administrator account boots into
Windows shell. In a case like this, how should fbreseal be executed? Should
I run it from the reduced privilege account? Will that affect how the first
boot after reseal (where it boots into the reduced priv account with a custom
shell) behaves? What should I do in this case?

Brad Combs
07-09-2005, 10:24 PM
William,

I read your previous post and replies. If I were in your situation I would
run fbreseal from the admin account. Not because I know of any specific
errors that may come from running it as a power user, just that every system
I've worked on over the past three years I've run it from the admin account.
:-)

As for the apparent hang after reseal. I have seen this take a very long
time to complete. About a month or two ago someone stated they waited for
10+ minutes for it to complete. You may be able to hook a kernel debugger to
the system to see where it's hanging.

I noticed that you are using -keepdomain so I would also suggest that if you
are connecting to a domain, make sure that the domain is available after
reseal.

Try letting it sit for a bit longer or connect windbg to see what the
problem is.

Brad


William Sullivan
07-09-2005, 10:24 PM
Well, I've run it from the admin account, but when the machine boots, I'm in
the power user account. I don't know if there is anything that happens after
reboot that requires elevated privileges. After reboot, the machine appears
to boot as normal, but after the progress bar, it sits at the blue background
(cursor showing) for a time. After a couple minutes it does continue as
normal and everything appears to be correct (new computer name, everything is
saved, etc).


KM
07-09-2005, 10:24 PM
William,

> Well, I've run it from the admin account, but when the machine boots, I'm
> in the power user account.

FBA (which is triggered by fbreseal on next boot) runs under the Local System
account anyway. So it won't matter what user account you [auto-]log in on at
the next boot after fbreseal launch.

> I don't know if there is anything that happens after
> reboot that requires elevated privileges. After reboot, the machine
> appears to boot as normal, but after the progress bar, it sits at the blue
> background

It sounds like normal image cloning behaviour, except that it usually
goes a bit faster (on my images I've seen it take from 10 sec to 1-1.5
min) and, more importantly, it shows the cloning progress bar ("FBA is
preparing the system for first boot" or something like that).

What storage media do you use on the target?
How long is the regular FBA process there?

> (cursor showing) for a time. After a couple minutes it does continue as
> normal and everything appears to be correct (new computer name, everything
> is saved, etc).

KM


William Sullivan
07-09-2005, 10:24 PM
> It sounds like normal image cloning behaviour, except that it usually
> goes a bit faster (on my images I've seen it take from 10 sec to 1-1.5
> min) and, more importantly, it shows the cloning progress bar ("FBA is
> preparing the system for first boot" or something like that).

That's the kicker--no cloning progress bar and no message. Just blue until
the system logs on the default user.

> What storage media do you use on the target?
> How long is the regular FBA process there?

2.5" drive; I don't know exactly--doesn't seem overly long as far as I can
tell.



