Microsoft Virtual PC 2007 - and the new MSc lab

Tuesday, August 12th, 2008

Overview

Ok, so the scenario goes like this:

  • Our hero, the Sys Admin, finds out that a whole new microlab is due online in 4 weeks. He has two weeks leave booked before then.
  • Physical PCs have a delivery time of 6 weeks after ordering (the Uni deal, no way around this), so a virtualised solution is the only way forward.
  • A student microlab exists that would act as a supply of host PCs. The lab runs Windows XP, the NetWare client (to NetWare 6.0 servers) and hopefully has 2Gb RAM per host.
  • Previous tests have shown that the version of the NetWare client in use is incompatible with VMware Player software (it works on every PC I’ve tried, but on these lab PCs the VMware software disables the NetWare Client, which is somewhat out of date but can’t be updated).
  • Discussion with the uber-lab supervisor reveals that the Microsoft Virtual PC software is compatible with the lab computers, so Virtual PC 2007 it is.

Obtaining the Software

Google found it on the Microsoft site quite easily - here. It was downloaded locally to N:\school\install\Microsoft_Products\Virtual_PC_2007 where N: maps to \\SOMFS2. The software was installed on my work PC which doesn’t have any VMware software installed, simply a later version of the Novell Client (probably 4.92SP2).

About Virtual PC 2007

Let’s gather some information, as I’ve very little time to get this working.

  1. The Sean Blog - Virtual PC 2007 Released - great introduction
  2. Doesn’t support USB devices apart from keyboards and mice
  3. One can change the location of My Virtual Machines folder by creating an environmental variable (see KB 831506) - at least in VPC 2004, will this apply to VPC 2007?

The Plan

  1. Create a VM with a Guest OS of Windows 2000 SP4 - this takes very little RAM to run and the current lab uses this OS and 512Mb physical RAM per computer. Assign a 5Gb virtual HDD - the physical lab uses about 4Gb real disk space and each student has a 600Mb network drive quota, so 5Gb should be fine.
  2. Incorporate NewSid.exe (SysInternals) to allow the SID of the VM to be changed.
  3. Install Microsoft Office 2003 with all the usual languages (German, French, Arabic) and spell-checkers.
  4. Install Trados, MultiTerm, Systran and Catalyst and check that they can find the FlexLM licence server. The latter part is crucial to the success of this plan.

Making it Work

Ok, the above was accomplished. The Virtual PC files are held locally on a Buffalo USB drive and copied, manually, to the T: drive as a backup, where T: maps to Novell server \\SOMFS1:HOME1.

Office 2003, McAfee 8.5i, Trados 6.5, MultiTerm, Multiterm Extract, Systran 4.0 Premium and Catalyst 7.0 were installed. Utils included Notepad++ and FastStone Image Viewer.

The following steps were also taken:

1) Resize the Virtual Hard Disk - from 5Gb to 8Gb as it was getting short on space. Used the free VHDResizer from the VMTools package, which includes VHDResize.exe. It was saved locally to N:\School\INSTALL\Microsoft_Products\Virtual_PC_2007_SP2\VMTools\VhdResize-1.0.42

The new HDD was created on a separate physical drive, the original was then renamed .old, and the new HDD was copied back and given the original name.

Diskpart

The VPC was restarted and the Microsoft Diskpart.exe utility [download] was used to expand the partition from the CMD line. Diskpart.exe is locally stored in folder N:\School\INSTALL\Microsoft_Products\Virtual_PC_2007_SP2\Microsoft_Diskpart

To get Diskpart into the VPC, a shared folder was created under C:\temp of the host PC and a permanent share, mapped as drive F: in the VPC, was created to point to the C: drive of the host. Using Diskpart is very easy. The commands are:

c:diskpart.exe

DISKPART> select disk 1

DISKPART> select volume 1

DISKPART> select partition 1

DISKPART> extend

DISKPART> exit

That’s it!

Securing the VPC

There are three accounts:

  1. administrator - with the SML admin password
  2. cencal - with the PC Caledonia password, admin-equivalent.
  3. msc - the student login, with a password known only to me :o)

Login as administrator. Using the Control Panel, the student account, once configured, was changed to be a restricted user, unable to install software.

Group Policy Editor

Group Policy is well documented by Wikipedia. As all accounts are local (non-domain), using Group Policy Editor (gpedit.msc) will apply settings to ALL local accounts (HKLM), including Administrator accounts. So it’s important to back up the clean, unrestricted settings from the following locations before using gpedit.msc to enforce security:

%WINDIR%\system32\GroupPolicy\user\registry.pol

%WINDIR%\system32\GroupPolicy\machine\registry.pol

A batch file was written to handle copying across the clean Registry.pol files and secure versions (personal reminder; on work PC under C:vpc2007gposystem.bat). Once backed up, lots of restrictions were applied, a notable exception being the ability to change screen resolution which is required.

Expiring the VPC

In case of loss, theft, copying, etc. we want the VPC to disable itself after a certain time. A Kix script was written which checks the current date against a set expiry date and shuts down the PC if the expiry date has passed. The Kix script was packaged as an executable using Kix2Exe and named expchk.exe (expiry-check), stored under %windir%\system32 and secured to be ‘read and execute’ only by non-administrative users.

This was added as a service using the srvany package from Microsoft, which permits any executable to be run as a service.

The source code of this script - which logs successful and unsuccessful logins to %windir%\system32\expchk.log - is as follows:

;<kix2exe>
;<version>1.3.0.0</version>
;<settings>
;   <package>expchk.exe</package>
;   <icon></icon>
;   <kix>Wkix32</kix>
;   <consolehide></consolehide>
;   <consolesize></consolesize>
;   <consoletitle></consoletitle>
;   <keepconsoleopen></keepconsoleopen>
;   <include></include>
;   <runasuser></runasuser>
;   <runaspassword></runaspassword>
;   <runasinteractive></runasinteractive>
;   <runasnoprofile></runasnoprofile>
;   <uaclevel>User</uaclevel>
;   <branding-name>Expiry Check</branding-name>
;   <branding-desc>Shutdown PC beyond 01-09-2009</branding-desc>
;   <branding-company>Heriot-Watt University</branding-company>
;   <branding-version>1</branding-version>
;   <branding-vernum>1.0.0.2</branding-vernum>
;   <branding-copyright>Dr Duncan J Potter</branding-copyright>
;   <balloontips></balloontips>
;   <kixforms></kixforms>
;</settings>
;</kix2exe>

; Script:    shutdown.kix
; Function:  Shutdown PC if date is later than a pre-specified date.
; Author:    Duncan J. Potter
; Date:      Sept 4th 2008
;

$ret=setconsole("HIDE")

; Set date beyond which PC will be shutdown.
$expirydate='2009/09/01'

; Log the script results
Global $LOGFILE
$LOGFILE = %windir% + "\system32\expchk.log"
Del $LOGFILE              ; always start with a fresh log file

;-------------------------------------------------------------------------------
:INTRO

; Check if date is later than the expiry date
if @DATE > $expirydate

    LogMsg("Login denied to " + @WUserIDon + ". Expiry Date of " + $expirydate + " exceeded on " + @DATE + " at " + @TIME +".")
    $reg =Messagebox("Virtual PC expiry date @DATE exceeded.Shutdown ...","SML Virtual PC Expiry",64,3)

    ; Wait a while, so PC is fully started before we try and shut it down, if exceeds expiry date:
    sleep(5)

    $rc=fnWMIShutdown(@WKSTA,5)
endif

;Display validation with Information Symbol (64) plus 2 seconds for timeout (64+2=66)
if @DATE < $expirydate
    LogMsg("Login permitted to " + @WUserIDon + " on  " + @DATE + " at " + @TIME +". Expiry Date is " + $expirydate +".")
    $reg =Messagebox("Virtual PC is valid :o)

Expires $expirydate.","SML Virtual PC Validation",64,2)

endif

;----------------------------
;SYNTAX        fnWMIShutdown([$sComputerName, $iMode, $sUserName, $sPassword])
;
;PARAMETERS    $SCOMPUTERNAME
;              Optional string containing the target computers name, defaults to local computer
;
;              $IMODE
;              Optional integer denoting the logoff/shutdown mode, defaults to logoff
;               0 - Logoff
;               1 - Shutdown
;               2 - Reboot
;               4 - Force Logoff
;               5 - Force Shutdown
;               6 - Force Reboot
;               8 - Powerdown
;              12 - Force Powerdown
;
;              $SUSERNAME
;              optional username when connection to a remote system
;
;              $SPASSWORD
;              optional password when connecting to a remote system
;
;RETURNS       0 if successful, otherwise error code
;
;REMARKS       Using "Force" causes all open programs to close without the option to save

Function fnWMIShutdown(optional $sComputerName, optional $iMode, optional $sUserName, optional $sPassword)
  dim $objLocator, $objWBEM, $objShutdown, $objOpSys
  dim $iSuccess, $sNameSpace

  $iMode=val($iMode)

  $sNameSpace = 'root\CIMV2'

  ; check to see whether we're connecting to a local or remote computer
  $sComputerName=trim($sComputerName)
  select
  case $sComputerName=@WKSTA
    $sComputerName='.'
  case $sComputerName
  case 1
    $sComputerName='.'
  endselect

  select
  case $sUserName and $sComputerName<>'.'
    ; create locator object for connection to a remote computer
    $objLocator = CreateObject('WbemScripting.SWbemLocator')
    if @ERROR
      exit @ERROR
    endif
    ; create an credentialed (username/password provided) connection to a remote computer
    $objWBEM=$objLocator.ConnectServer($sComputerName,$sNameSpace,$sUserName,$sPassword)
    if @ERROR
      exit @ERROR
    endif
    ; set the impersonation level
    $objWBEM.Security_.ImpersonationLevel = 3
    if @ERROR
      exit @ERROR
    endif
  case 1
    ;set the impersonation level and make sure we have shutdown permissions
    $objWBEM=GetObject('winmgmts:{impersonationLevel=impersonate, (Shutdown)}!\\'+$sComputerName+'\'+$sNameSpace)
    if @ERROR
      exit @ERROR
    endif
  endselect

  $objShutdown = $objWBEM.ExecQuery('Select * from Win32_OperatingSystem where Primary=true')
  if $objShutdown.count
    For Each $objOpSys in $objShutdown
      $iSuccess=$objOpSys.Win32Shutdown($iMode)
    Next
  endif

  $objShutdown=0
  $objWBEM=0
  $objLocator=0

  $fnWMIShutdown=$iSuccess

EndFunction

; This goes at the end of your script
Function LogMsg($_Msg)

  Dim $_
  $_ = RedirectOutput($LOGFILE)
  $_Msg ?
  $_ = RedirectOutput('')

  Exit 0

EndFunction

Updating the Expiry Date

The Virtual PC will shut down immediately after the service has started if the date exceeds the expiry date. To re-enable the VPC, if required, log in in safe mode and delete the expchk.exe file. In safe mode, the shared folder F: - which maps to C: of the host PC - is not available so one can only delete the file, log in normally as an administrator, and then copy back a new version. Remember to secure the file with NTFS permissions against user deletion.
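
The service registration and file lock-down described above, as an added example that is not the author's own script. Assumed and not from the post: the service name ExpChk, the Resource Kit tools in C:\reskit, Windows installed in C:\WINNT, and English built-in group names.

```bat
@echo off
rem Added example, not the author's script: run expchk.exe as a service through
rem srvany and restrict who can alter the files. Run as a local administrator.
rem Assumed names: service ExpChk, Resource Kit in C:\reskit, Windows in C:\WINNT.
setlocal
set SVC=ExpChk
set RESKIT=C:\reskit
set SYS32=C:\WINNT\system32
set REGFILE=%TEMP%\expchk.reg

if not exist %SYS32%\expchk.exe (
    echo %SYS32%\expchk.exe is missing, nothing to register.
    goto :eof
)

rem Keep srvany.exe beside expchk.exe. The service runs as LocalSystem, so a
rem wrapper left in a user-writable folder could be swapped for another program.
copy /Y %RESKIT%\srvany.exe %SYS32%\srvany.exe >nul

rem 1. Create the service. The Service Control Manager starts srvany.exe.
%RESKIT%\instsrv.exe %SVC% %SYS32%\srvany.exe

rem 2. Tell srvany what to launch. REGEDIT4 files need doubled backslashes,
rem    which is why the path is written out instead of built from SYS32.
> "%REGFILE%" echo REGEDIT4
>> "%REGFILE%" echo.
>> "%REGFILE%" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%SVC%\Parameters]
>> "%REGFILE%" echo "Application"="C:\\WINNT\\system32\\expchk.exe"
regedit /s "%REGFILE%"
del "%REGFILE%"

rem 3. Replace the ACL on both binaries: full control for Administrators and
rem    SYSTEM, read and execute (cacls "R") for Users. "echo y" answers the
rem    confirmation prompt cacls shows when it replaces an ACL.
for %%F in (expchk.exe srvany.exe) do (
    echo y| cacls %SYS32%\%%F /G Administrators:F SYSTEM:F Users:R
)

rem 4. Print the resulting ACL so the change can be checked.
cacls %SYS32%\expchk.exe
endlocal
```

After copying back a new expchk.exe with a later expiry date, only step 3 needs repeating, because a freshly copied file picks up the folder's inherited permissions.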

Mass Roll-out

Stage 1.
From my own machine, copy the gold Virtual Machine to the external USB drives, one at a time.

Stage 2.
Start each Virtual Machine and run c:\temp\newsid\newsid.exe, changing the name of the computer as appropriate.

To speed things up in stage 1, a little script was written, as below:

@echo off
echo -- Transcend USB Drive - Preparation 

(Need to fix the text above)

Copyright © 2010 Duncansapien’s Techblog.