14 Replies Latest reply on Dec 10, 2010 1:16 PM by aga1793

    Autoboot and SBAdmCl.exe

      I am new to SafeBoot in the last week about and have been tapped with the job of trying to figure out if there's a way to deploy software/patches to our workstations, but not have our workstations get 'stuck' at the SafeBoot login screen, but rather proceed to the Windows login so they are all back on the network after the deployment happens.

      I have been seeing a lot of talk about the SBAdmCl.exe, and have tried this method to the best of my abilities, which is what brought me to this posting. We are currently on SafeBoot v5.12 and at this point, I must say I really know enough about this product to be dangerous.

      First of all, this is my understanding of the SBAdmCl.exe program:
      I can push a script to run on the workstation that basically says sbadmcl.exe -command:DisableSecurity, and then deploy my patches/software, then reboot, and upon reboot the workstation will boot normally into windows, bypassing the SafeBoot login screen...

      If that is wrong, please correct me.

      Next are the steps I have taken to try this:
      1. Tried to run this file on a test workstation locally... I was told the program doesn't exist.
      2. Checked the SafeBoot folder under Program Files, and sure enough, there was no sbadmcl.exe file.
      3. Found the file on our SafeBoot server, copied it to the directory on the workstation, and it said it needed SbAdmDll.dll, so I found that on the server as well.
      4. Ran the command and it errored, telling me something about Policy restricted it.
      5. After more digging around, I found that I had to go to that specific computer's properties (could've done the whole group, but wanted to test just this one computer) in the SafeBoot Administrator program.
      6. I set the following under General to the left: went to Miscellaneous, and checked the Allow Autoboot to be managed locally, and also made sure Disable checking for Autoboot was checked.
      7. After saving those changes I went back to that workstation and ran the command... it said it completed successfully, so I rebooted.
      8. I was still prompted with the SafeBoot login and still had to log in to SafeBoot.

      My first question obviously is: what do I need to do to make this work?
      And second...
      Why do the SBAdmCl.exe and the .dll file not exist on my clients? How do I make this happen?

      Like I said, I just started this job about a week ago and got thrown into this task knowing absolutely nothing about it... I would appreciate it if anyone could maybe tell me a good step-by-step method to help make this work for me.

        • 1. RE: Autoboot and SBAdmCl.exe
          If your machine synced after you used the command, it will undo it - you can check this in the client log.

          Also, if disable checking for autoboot is checked, then it won't check for autoboot, thus autoboot won't work.

          You need that option UNchecked.

          The API doesn't exist on the clients because it's not needed unless you're doing scripting. You can of course put those files in a new file group and assign the file group to the machines (then they will get deployed automatically). You need sbadmcl.dll always, and either sbadmcl.exe or sbadmcom.dll depending if you want to use batch or COM (VBScript etc) interfaces.

          • 2. RE: Autoboot and SBAdmCl.exe
            That makes sense... Thanks!!!

            I noticed from a previous posting that you mentioned this:


            disablesecurity creates a fake local $autoboot$ user, so of course, when you sync if this account is not allocated to the machine for real, the policy system will remove it from the local machine.

            if you want it to stick, set the real $autoboot$ user to the machine.

            Would I want to add that $autoboot$ user to the SafeBoot Administrator? Or will that ALWAYS allow the clients to skip the SafeBoot screen?

            Thanks again!
            • 3. RE: Autoboot and SBAdmCl.exe
              exactly - if you add it as a legal user of a machine, the machine will keep autobooting until you take it away (setuser/removeuser commands in the API).

              if you want it to stick until the next sync, you can use the local disablesecurity/reenablesecurity commands - just remember though to set it prior to each reboot (just in case).

              you may want to think about disabling sync while you are working on the machine if a few reboots are required.

              lots of options and cases I know, but there are a lot of situations to consider.

              finally, for those using the API, the COM object is MUCH more efficient if you're going to be running more than one command. If you're just doing one thing though it makes little difference. Personally I prefer VBS over BAT nowadays, but both are valid environments (I just like error and case handling better in VBS).

              • 4. RE: Autoboot and SBAdmCl.exe
                If I could add a couple of things...

                You mentioned that you were disabling the security and then pushing down the patch. If possible, you might want to do this in reverse. As SafeBoot said, once you synch you lose the AutoBoot user that you create using DisableSecurity (unless of course you're doing it by adding the $autoboot$ user).

                A comment I posted here also suggests that it might be good practice to ForceSync before you DisableSecurity, which will reset the next sync to whatever interval you have set up for that computer - since of course there is the chance that between your DisableSecurity and the actual reboot a timed sync would occur (messing up your login).

                Also, you asked how to deploy these files. You can actually add them as a fileset in the SafeBoot Administrators Console, and then enable that fileset for all your groups. The next time a sync occurs, the files will be downloaded.
                • 5. RE: Autoboot and SBAdmCl.exe
                  Christopher - I like your idea about adding the files in the console and having them automatically be downloaded at the next sync. This makes a lot of sense to me since our clients are set to sync every hour.

                  However... I'm not sure I know how to do this...

                  I went to the Administrators Console, and to the System Tab, I created a SafeBoot File Group called "DE51 SBAdmCl Files", and added 3 files to it... SBAdmCl.exe, SBAdmDll.dll, and SBAdmCom.dll. After that I really don't know what to do. Thanks for any additional help you can provide.

                  SafeBoot - I too would rather use VBScript when possible, and I did see some documentation about the COM object in the SBAdmCl User Guide, however... that didn't make much sense to me... is there another resource that I could look into that would explain what I need to do, or maybe a sample script that I can base some scripts off of?

                  I really appreciate everyone's input and all your help since I am such a noob.
                  • 6. RE: Autoboot and SBAdmCl.exe
                    For the File Group properties, go to Content. Then check "Client Files". You may now add that file group to a machine or group. If adding to a group, make sure you reset the machines to group config and uncheck "Exclude File Groups".

                    It was mentioned in the other post, but it is a BAD IDEA to permanently set $autoboot$ on any machine, as it will always bypass the pre-boot authentication (negating the security of even having encryption). If you want disk encryption with pretend security, just run Vista BitLocker in TPM only mode.
                    • 7. RE: Autoboot and SBAdmCl.exe
                      as to why files are not syncing, make sure for each of the new files you added that you set which OS's that file should be copied to. As the previous poster mentioned, make sure the file group is assigned to the machines.

                      for COM scripting examples, there's a bunch of them on the SafeBoot Tools CD, which you should be able to download from the same place as you got the product CD.

                      I can't post attachments here and all my scripts are thousands of lines long so unfortunately there's nothing I can just drop in here.

                      why is it that scripts have a habit of growing out of all proportion?
                      • 8. RE: Autoboot and SBAdmCl.exe
                        Well.. I've got another issue I guess, all of a sudden -

                        I just imaged a new laptop to try all this work on (to see if the files would update and the sbadmcl would work) and no go... well.. half a no go.

                        I installed the SafeBoot software from my software set that was already created before I got here.. it installed, the computer account in the administrators console got created, and as it did a sync the new files got copied down. I let it do its thing all night to encrypt the drive and this morning I even rebooted for good measure, got the SafeBoot login screen, logged in fine, it auto logged me into Windows, and then I opened a cmd prompt and navigated to the C:\programfiles\safeboot directory, and ran sbadmcl -command:disablesecurity

                        This is the result I got back...

                        C:\Program Files\SafeBoot>sbadmcl -Command:DisableSecurity

                        SafeBoot Administration Command Line Utility
                        (C) 2007 SafeBoot N.V.

                        Executable version :
                        DLL version :

                        Command result:

                        Command = DisableSecurity
                        ResultCode = 0xe0020021
                        ResultDescription = Access to driver not permitted

                        Not sure where the issue is here....
                        • 9. RE: Autoboot and SBAdmCl.exe
                          My bad... I figured it out... I was doing it under a non-administrator account...

                          I can run this under an administrator account on the local machine AND push the script using administrator credentials and it works fine!

                          Thanks to everyone who helped me out!
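
Added example, not part of the original thread or of any SafeBoot tooling: a deployment wrapper can parse the `Command result:` block that sbadmcl prints (as quoted in reply 8) and refuse to reboot unless DisableSecurity actually succeeded, so a non-administrator run like the one above is caught before the machine lands on the pre-boot login. The function names are hypothetical, and treating ResultCode 0 as success is an assumption, since the thread shows no output from a successful run.

```python
import re

# Constructed sample: the failing (non-administrator) run quoted in reply 8.
SAMPLE_DENIED = """\
SafeBoot Administration Command Line Utility
(C) 2007 SafeBoot N.V.

Command result:

Command = DisableSecurity
ResultCode = 0xe0020021
ResultDescription = Access to driver not permitted
"""

# Constructed sample of a successful run. ASSUMPTION: success is reported
# as ResultCode 0; the thread does not show what a successful run prints.
SAMPLE_OK = """\
Command result:

Command = DisableSecurity
ResultCode = 0x00000000
ResultDescription = Success
"""

# "Key = value" lines; the "Command result:" banner has no "=" and is skipped.
FIELD = re.compile(
    r"^[ \t]*(Command|ResultCode|ResultDescription)[ \t]*=[ \t]*(.*?)[ \t]*$",
    re.M)

def parse_result(output):
    """Return the Command/ResultCode/ResultDescription fields of one run."""
    fields = dict(FIELD.findall(output))
    if "ResultCode" not in fields:
        raise ValueError("no ResultCode in sbadmcl output")
    fields["ResultCode"] = int(fields["ResultCode"], 16)
    return fields

def may_reboot(output, expected_command="DisableSecurity"):
    """Fail closed: allow the reboot only if the expected command succeeded."""
    try:
        result = parse_result(output)
    except ValueError as exc:
        return False, str(exc)
    command = result.get("Command", "")
    if command.lower() != expected_command.lower():
        return False, "output is for %r, not %r" % (command, expected_command)
    if result["ResultCode"] != 0:
        return False, "0x%08x: %s" % (result["ResultCode"],
                                      result.get("ResultDescription", ""))
    return True, "ok"
```

The same gate applies to the ReEnableSecurity call after patching: if that command does not report success, the machine is still autobooting and should be flagged rather than left in service.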