Allow a domain user to add some Virtual PCs

[Jordan]

I have a couple of engineers that are developing software. They need to
have a few Virtual PCs setup that they can reck and rebuild repeatedly.
They need to do this as quick as possible so I figured the fastest way was
to use what I use and that is RIS to install Windows XP and Active Directory
to deploy the standard apps we use. The problem is I don't want to give
them any more domain access than they have as a standard domain user nor do
I want them to be able to build more than the units I give them.

I know that if I build a PC once with RIS I can just use the Automatic
option to rebuild it if I blow it away so I just want to make it so they can
run a RIS install just to redo this computer (Virtual PC).

 

[Robert Moir]

I have a couple of engineers that are developing software. They need to
have a few Virtual PCs setup that they can reck and rebuild repeatedly.
They need to do this as quick as possible so I figured the fastest way was
to use what I use and that is RIS to install Windows XP and Active
Directory to deploy the standard apps we use. The problem is I don't want
to give them any more domain access than they have as a standard domain
user nor do I want them to be able to build more than the units I give
them.

So basically you want them to be able to do stuff except for when you don't
want them to be able to do stuff. That would require a telepathic system
that hasn't been invented yet.

Let's think outside that box for a moment.
The fastest way to "wreck and rebuild" a virtual machine is to save a
'snapshot' of the VMC (virtual machine settings) and VHD (virtual hard
disk) files associated with the virtual machine once you've built it how you
want, and copy those files back over the top of the old files every time you
want to rebuild. No extra rights or access to special tools required at all.
I'd just setup each person's virtual machine(s) in nice tidy seperate
folders, and train them to unzip a fresh copy of the appropriate folders
over the place of the appropriate 'old' folder each time they want to
refresh their virtual machine testbed.

Fast, Simple, Robust, also works on a laptop if they ever need to do
development or possibly a demo away from the office.

 

[Jordan]

That does not exactly work. Windows and AD have some built in safegaurds to
be sure forged computers are not coming onto the network. At irregular
intervals a computer will validate with AD/the domain and if someone had
made an exact copy from a month or so ago and tried to drop it on the
network you will get an error saying the computer account could not be found
because AD thinks it is a forged computer because all the recent checks are
not there.

Now if you use NTBackup to restore the computer, if available and
accessible, those IDs don't get wiped from what I understand. It is only
when you try to load the image of what you had from some time ago back on.

You can fix this by just logging on the PC and removing and rejoining the
domain, but that is not exactly what I want for them because they could make
a backup of something that has already gone bad. I would rather them just
reformat and allow my RIS server to deploy the setup I want and have AD
install all the apps I want and have WSUS install all the patches I approved
so they will be fresh.

I am thinking of creating an AD container and letting the Engineering Group
Manage, but I want to be sure they can only add computers to and rebuild
computers in that container and not do things like add users to the domain.