Sysprep is one of those things that seems to have a certain mystique that surrounds it. My experience is that administrators either don't run it because they don't understand it or because they don't know how. Urban legend is also that it’s just not necessary to run Sysprep in some scenarios. The bottom line is that when making an image for duplicating Windows installs Sysprep is absolutely necessary as part of the imaging process. I'm not going to cover what Sysprep does here since that's not the focus, but the summary version is that Sysprep removes all identifying information about the source machine when it's executed (e.g. Computer name, SID, Product key, etc.). The rest of this post is geared primarily towards desktop imaging, but everything still applies for building server images.
Sysprep is on the Windows CD and the service pack CDs in the support folder in a file called deploy.cab. It's also available online:
If you need a version that isn't linked above either grab it from the CD or just search www.microsoft.com/downloads for Sysprep. There's a utility called setupmgr.exe in the archive which is what we can use to build the majority of the answer file for us. Most of it is self explanatory, I've included screenshots and explanations of steps that require some planning/thought.
The first question of note is what type of answer file to build. For this procedure we want a Sysprep setup:
The next important question is when we're asked about the license agreement and if we want to fully automate the installation (we do):
After telling the wizard you wish to fully automate the installation you'll get a screen with a tree view on the left and a set of Back/Next buttons. Most of this stuff is very self explanatory. The product key is an important one. You need to have a volume license key or you'll be activating each machine (and you'll run out of activations). Imaging without volume license keys is a recipe for disaster; I've seen it happen:
Computer name is another step that depends on a few factors. If you're doing mass imaging with a product like Ghost or Altiris, set it to Automatically Generate. If you're going to be doing one off imaging without something to automate the naming for you, leave it to Automatically Generate and we'll come back later to set Sysprep to prompt for this information.
Unfortunately, the wizard doesn't seem to support setting the Administrator Password by default, so just put something temporary in for now and we'll get rid of it later. You also get the option to automatically log on as the administrator some N number times. This is useful for running post imaging scripts. A word of caution is that the username and password for the administrator account is stored in the registry in plain text when this option is used, and it is not cleaned up at the end, so make sure your script does this cleanup step when it finishes!
I leave Networking Components set as-is as it defaults to DHCP. Make sure your image machine is set to DHCP when it shuts down to be imaged or it may not come up that way!
Workgroup or domain is another option which depends on the imaging/duplication mechanism you employ. For one off imaging, it can be helpful to setup Sysprep to automatically join the machine to your domain. This is especially nice if you delegate the imaging process to a junior admin who may not have rights to do this themselves as the wizard will take care of it all. The account specified should have rights to create and delete computer objects and write access to all properties for Computer objects. It also needs the Add Computers to the Domain right delegated at the domain level. Don't be cheap and add the account to the Domain Admins group and forget about it. There is an additional option which can be specified in the Sysprep.inf file that will be generated which tells Sysprep to put the machine in a specific OU (this is not supported in Windows 2000). If you use this option the account only needs rights over that OU.
If you're using something like the Ghost Agent to automate the post imaging process, just choose the workgroup option and let Ghost manage joining the domain.
The rest of the wizard is pretty straight forward and I just fill it out even if some of the prompts aren’t really necessary. Install Printers is something I generally do via Group Policy, so I don't typically use that feature. Additional Commands can be used to specify post imaging tasks (e.g. scripts). Identification String has no functional value out of the box. It's just a string that's stored in the registry. I typically set it to something that identifies each image e.g. "Dell GX260 XP Pro BCD v1.1". This tells me that this machine is built with version 1.1 of my XP Pro image for the Dell GX260. I can then use scripts/inventory tools to report on what images are on PCs in my domain. The Identification String page has the Finish button which saves the Sysprep.inf file.
At this point you're done, or you can customize the process more by editing the resultant INF file manually. The two CHM files that come with Sysprep fully document every option available and are worth skimming just to know the format if nothing else.
As an example, I'm going to edit the Sysprep.inf file and setup a few additional settings:
- Using the administrator password configuration in my image rather than setting a new one;
- Extending the C partition to fill the hard disk;
- Prompting for the computer name;
- Joining the domain and putting the computer in a specific Organizational Unit.
Fresh out of the wizard the Sysprep.inf file should look something like this:
;SetupMgrTag
[Unattended]
OemSkipEula=Yes
InstallFilesPath=C:\sysprep\i386
[GuiUnattended]
AdminPassword="password1"
EncryptedAdminPassword=NO
TimeZone=35
OEMSkipRegional=1
OemSkipWelcome=1
[UserData]
ProductKey=ABCDE-ABCDE-ABCDE-ABCDE-ABCDE
FullName="Brian Desmond"
OrgName="Brian Desmond Consulting, LLC"
ComputerName=*
[SetupMgr]
DistFolder=C:\sysprep\i386
DistShare=windist
[Identification]
JoinDomain=DOMAIN
DomainAdmin=sysprepadmin
DomainAdminPassword=password
[Networking]
InstallDefaultComponents=Yes
To use the administrator password in the image, set AdminPassword=*. Also remove the EncryptedAdminPassword=NO line.
Extending the C partition to fill the hard disk is something I often do for desktop images depending upon the environment. To do this, add a line in the [Unattended] section called ExtendOEMPartition=1.
To prompt for the computer name, delete everything behind the =, such that ComputerName= is the whole line
To put the computer in a specific Organizational Unit in the Active Directory domain, add a line under the [Identification] section called similar to this: MachineObjectOU="OU=Desktops,OU=Machines,DC=Domain,DC=local". Obviously you’ll need to customize this string for your environment.
With all these additions the Sysprep.inf file now looks like this:
;SetupMgrTag
[Unattended]
OemSkipEula=Yes
InstallFilesPath=C:\sysprep\i386
ExtendOEMPartition=1
[GuiUnattended]
AdminPassword="!Password1"
EncryptedAdminPassword=NO
OEMSkipRegional=1
OemSkipWelcome=1
[UserData]
ProductKey=ABCDE-ABCDE-ABCDE-ABCDE-ABCDE
FullName="Brian Desmond"
OrgName="Brian Desmond Consulting, LLC"
ComputerName=*
[SetupMgr]
DistFolder=C:\sysprep\i386
DistShare=windist
[Identification]
JoinDomain=DOMAIN
DomainAdmin=sysprepadmin
DomainAdminPassword=password
MachineObjectOU="OU=Desktops,OU=Machines,DC=Domain,DC=local"
[Networking]
InstallDefaultComponents=Yes
To run the Sysprep utility, copy everything from the deploy.cab or the download to a folder called c:\sysprep and launch sysprep.exe. Choose the Reseal option and make sure the option to run mini-setup is checked. Everything will take care of itself from here. The machine will shutdown and be ready to have an image captured. My suggestion is to boot the machine back up and test the Sysprep process to make sure things go as planned.
That's it. I keep a folder called Syspreps on the imaging server which I then create subfolders of for each configuration. I copy the entire contents of the deploy.cab as well as the Sysprep.inf for each configuration to this folder so I have it available anytime an image is going to get updated.