• Alex Pazik liked comment of Stead Halstead on Audit Windows logon and logoff events with PowerShell and SQL Server. (So far, Stead Halstead has 1 likes for this comment.) 4 years, 4 months ago

  • Hi Stead-- I actually never thought about it that way! I suppose you could do that but what would you call the table then? I can't think of a clever/logical name but if you can I encourage you to post it.

  • Hi Elad -- First of all you are going to want to move the files excluding OptiPlex9020-A19.exe from DellOptiPlex 9020BIOS to App$Dell CCTK~Configs. Update/Redistribute the package in SCCM. For the step Lockdown BIOS - All Systems, change the file "FamilyWKS_BIOS_Config.cctk" to "multiplatform_201705251920.cctk. It should now run without any problems (hopefully). You never know with SCCM!

  • Hi Alan -- By running as a domain admin, do you mean that the task sequence step runs as a domain administrator or that you log in as a domain administrator and run the task sequence?

  • It sounds like this issue is a little more complicated than both you or I anticipated, and if you would like to email me I can help you troubleshoot this issue further.

  • In this guide, I'll go through the steps to audit user logon and logoff events using Microsoft SQL Server and Windows PowerShell.

  • You're welcome-- I am glad it is working for you! I looked up error code 6 and it seems that the error code translates to something about not being able to return the number of requested data bytes. I'm not actually sure what that means, so for stability and the sake of knowledge, I would suggest you investigate the error code further.

  • What does the log file say? And what mode reiviosion BIOS are you using? The restart must not be registering the SCCM client therefore the task sequence is not resuming. Have you checked the agent logs, too?

  • When creating roaming mandatory profiles that require a lot of steps and configurations, I recommend you use a virtual machine so you can create snapshots of your progress, and revert back if an error or issue occurs. As for installing drivers, when you run Sysprep all non-essential drivers are erased from the machine (the generalize) switch accomplishes this.

    I am not too familiar with the multipoint software you are using, but if you create the three administrator accounts before you run sysprep to copy the profile over to the template then the three administrator accounts will not get the template profile.

  • If the package is hanging and failing, check the ccmexec log file. The deployed package either is not downloading the source files to the machine (maybe the CCM cache is full?) or is failing to start the script that installs and locksdown Firefox.

  • Mandatory profiles are a little different than roaming mandatory profiles. With mandatory profiles, users do use a template user profile to generate their individual user profile, however, the changes they make to their user profile are not lost upon logoff and will persist on the machine they logged into, or if used in your environment, their roaming profile.

    With roaming mandatory profiles, users also use a template user profile to generate their individual user profile, however, their changes are lost upon logoff and their individual profile is deleted from the local machine upon logoff.

    If you store the template user profile locally, you would be using simply a local profile, as the template user profile on the machine will not be able "roam" to other machines.


  • If you wanted to do this with local storage, you would apply all customizations before syspreping the machine with the CopyProfile.xml. This would store the template profile in the image itself and would be the profile all users check-out when logging into the machine.

    The only difference is you'd have to write a script to delete the individual user's profile after a certain number of days. Otherwise, the changes users make will persist in their profile, but will not be propagated to the template user profile in the image.

  • When using the "Copy profile to" function, Windows exports a generalized profile that does not include the Local folder or any mention of a custom username. With Windows 7, I remember having to go through the process of generalizing the ntuser.dat file myself as well. I did try this with Windows 10 and was not able to successfully merge my generalized customizations nor correctly load the user profile. Since I do not use UWP in my environment, I can not speak on the process of handling those application settings.

    As for the security permissions, I was not aware of that being an issue. On the workstations that we use roaming man profiles, RDP and REGEDIT are disabled for all standard users as well as browsing the network share where we host the profiles, so this really wouldn't be a problem. Nonetheless, I suppose if the scenario mentioned in the article mimicked your environment it would be a good idea to enact some of the changes he suggests.

  • Not in the case of User Shell Folders as those registry keys use the env. variable %USERPROFILE% to point the shell folders to the local user profile:


    Modifying these values is actually how folder redirection is accomplished at the registry level. Deleting the all the keys under Shell Folders simply allows Windows to regenerate the shell folder items themselves, not determine where they point.

    Thank you for the comment; I hope this makes things a little more clear!

  • In this guide, I am going to go through the steps to build a Windows 10 roaming mandatory profile and then deploy the profile with Group Policy. I will also outline the steps to create the XML file that tells Windows how to configure the Start menu and taskbar.

  • You're welcome, David. Thank you for the feedback!

  • Hi Joe-- That was actually one of my concerns when I tested the deployment process for this article. The oldest model I tested this on was a Dell OptiPlex 780 which was released in 2009. I managed to upgrade from A02 to A16 without having to do a step-ladder upgrade process. This may be an issue with models previous to 2009, and if that is the case than those workstations will most likely be upgraded if they haven't been already-- thus eliminating the problem.

    I cannot say if this problem affects laptops or not, but if that is the case then I would create a model-specific device collection for all the workstations with an outdated BIOS revision. I would then deploy a custom task sequence that goes through and updates the BIOS one revision after the other until the workstation has the most current revision. This can be accomplished by having each task sequence step run depending on the result of a WMI query to detect the BIOS revision. If you can think of a cleaner / more efficient way to accomplish this I encourage you to comment it below!

  • In this guide, I am going to demonstrate how to write a timer in Visual Basic using Visual Studio 2015. The program allows you to configure a certain time after which the system will automatically log out users. This can be useful on kiosk computers.

  • Load More
© 4sysops 2006 - 2021


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account