|
<%#
|
|
kind: finish
|
|
name: Windows default finish
|
|
model: ProvisioningTemplate
|
|
oses:
|
|
- Windows Server 2008
|
|
- Windows Server 2008 R2
|
|
- Windows Server 2012
|
|
- Windows Server 2012 R2
|
|
- Windows
|
|
description: |
|
|
A finish template executed at the end of Windows provisioning. For more information, please
|
|
see https://community.theforeman.org/t/windows-provisioning-made-easy/16756
|
|
|
|
This template accepts the following parameters:
|
|
- windowsLicenseKey: ABCDE-ABCDE-ABCDE-ABCDE-ABCDE # Valid Windows license key
|
|
- windowsLicenseOwner: Company, INC # Legal owner of the Windows license key
|
|
- localAdminAccountDisabled: false
|
|
- ntpServer: time.windows.com,other.time.server
|
|
- domainAdminAccount: joinuser@domain.com # please do not use the domain administrator
|
|
- domainAdminAccountPasswd: Password for the domain Admin account
|
|
- computerOU: OU=Computers,CN=domain,CN=com # Place the computer account in specified Organizational Unit
|
|
- computerDomain: domain.com # domain to join
|
|
- machinePassword: used for unsecure domain join. needs precrated computer object (New-ADComputer)
|
|
- foremanDebug: false
|
|
- skip-puppet-setup: boolean (default=false)
|
|
|
|
Information about unsecure domain join
|
|
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/add-computer?view=powershell-5.1#example-9--add-a-computer-to-a-domain-using-predefined-computer-credentials
|
|
-%>
|
|
<%
|
|
# safemode renderer does not support unary negation
|
|
puppet_enabled = !host_param_true?('skip-puppet-setup') && (host_puppet_server.present? || host_param_true?('force-puppet'))
|
|
salt_enabled = host_param('salt_master') ? true : false
|
|
chef_enabled = @host.respond_to?(:chef_proxy) && @host.chef_proxy
|
|
%>
|
|
|
|
@echo off
|
|
<% unless host_param('localAdminAccountDisabled') -%>
|
|
echo Activating administrator
|
|
net user administrator /active:yes
|
|
<% end -%>
|
|
|
|
<% if @host.pxe_build? %>
|
|
set ctr=0
|
|
set nettimeout=10
|
|
|
|
(echo Updating time)
|
|
(sc config w32time start= auto)
|
|
sc start w32time
|
|
::ipconfig /renew
|
|
|
|
<% if host_param('ntpServer') %>
|
|
echo setting time server
|
|
w32tm /config /manualpeerlist:<%= host_param('ntpServer') %> /syncfromflags:manual /update
|
|
<% end %>
|
|
|
|
echo sync time
|
|
w32tm /resync
|
|
w32tm /resync
|
|
|
|
<% if host_param('computerDomain') -%>
|
|
<% if host_param('domainAdminAccount').present? && host_param('domainAdminAccountPasswd').present? -%>
|
|
echo performing secure domain join
|
|
powershell.exe -OutputFormat text -command Add-Computer -DomainName '<%= host_param('computerDomain') -%>' -Credential (New-Object -TypeName System.Management.Automation.PSCredential '<%= host_param('domainAdminAccount') -%>', (ConvertTo-SecureString -String '<%= host_param('domainAdminAccountPasswd') -%>' -AsPlainText -Force)) <% if host_param('computerOU').present? -%>-OUPath '<%= host_param('computerOU') -%>'<% end -%>
|
|
<% else %>
|
|
<% if host_param('machinePassword').present? %>
|
|
echo performing unsecure domain join
|
|
powershell.exe -OutputFormat text -command Add-Computer -Domain '<%= host_param('computerDomain') -%>' -Options UnsecuredJoin,PasswordPass -Credential (New-Object -TypeName System.Management.Automation.PSCredential $null, (ConvertTo-SecureString -String '<%= host_param('machinePassword') -%>' -AsPlainText -Force))
|
|
<% end %>
|
|
<% end %>
|
|
<% end %>
|
|
|
|
<% if host_param('localAdminAccountDisabled') %>
|
|
echo Disabling %tempAdminUser%
|
|
net user %tempAdminUser% %tempAdminUser% /active:no
|
|
<% end %>
|
|
|
|
<% if host_param('ansible_port') == 5985 or host_param('ansible_winrm_scheme') == 'http' %>
|
|
cmd /c winrm set winrm/config/service @{AllowUnencrypted="true"}
|
|
<% end %>
|
|
|
|
<% if host_param('ansible_winrm_transport') == 'basic' %>
|
|
cmd /c winrm set winrm/config/client/auth @{Basic="true"}
|
|
cmd /c winrm set winrm/config/service/auth @{Basic="true"}
|
|
<% end %>
|
|
|
|
<% if host_param('ansible_winrm_transport') == 'credssp' %>
|
|
cmd /c winrm set winrm/config/client/auth @{CredSSP="true"}
|
|
cmd /c winrm set winrm/config/service/auth @{CredSSP="true"}
|
|
<% end %>
|
|
|
|
<% if host_param('ansible_winrm_transport') == 'certificate' %>
|
|
cmd /c winrm set winrm/config/client/auth @{Certificate="true"}
|
|
cmd /c winrm set winrm/config/service/auth @{Certificate="true"}
|
|
<% end %>
|
|
|
|
<%= snippet 'Windows network' %>
|
|
|
|
<% if foreman_url('user_data') %>
|
|
echo execute user data script
|
|
IF EXIST c:\deploy\user_data.ps1 powershell.exe -OutputFormat text -command c:\deploy\user_data.ps1
|
|
<% end -%>
|
|
|
|
<% if puppet_enabled %>
|
|
echo Installing puppet
|
|
start /w "" msiexec /qn /i C:\extras\puppet.msi PUPPET_AGENT_STARTUP_MODE=Manual PUPPET_MASTER_SERVER=<%= host_puppet_server -%> PUPPET_AGENT_ACCOUNT_DOMAIN=<%= @host.domain -%> PUPPET_AGENT_ACCOUNT_USER=administrator PUPPET_AGENT_ACCOUNT_PASSWORD="<%= host_param('domainAdminAccountPasswd') -%>"
|
|
echo set puppet to auto start
|
|
sc config puppet start= auto
|
|
sc query puppet
|
|
<% end%>
|
|
|
|
<% if host_param('foremanDebug') != true %>
|
|
|
|
echo reboot in 15sec
|
|
start /b shutdown /r /t 15
|
|
|
|
echo Safely remove wimaging files
|
|
sdelete.exe -accepteula -p 2 -r c:\wimaging
|
|
sdelete.exe -accepteula -p 2 -r c:\minint
|
|
sdelete.exe -accepteula -p 2 c:\Windows\Panther\unattend.xml
|
|
sdelete.exe -accepteula -p 2 C:\Windows\Setup\Scripts\SetupComplete.cmd
|
|
|
|
echo Safely remove leftover directories
|
|
sdelete.exe -accepteula -p 2 -r c:\drivers
|
|
sdelete.exe -accepteula -p 2 -r c:\updates
|
|
|
|
echo Safely removing c:\deploy
|
|
cd /
|
|
sdelete.exe -accepteula -p 2 -r c:\deploy
|
|
<% end -%>
|
|
<% end -%>
|