Create a “Capture” organizational unit and policy
To complete a successful capture, it is recommended that a “Capture” organizational unit be created. This organizational unit should block other Group Policy Objects in the domain so that they cannot interfere with the capture process. You should also create a Group Policy Object within the “Capture” organizational unit that enables the following connections through the Windows Firewall.
- Remote Registry service
- Remote Procedure Call (RPC)
- Windows Management Instrumentation (WMI)
- Internet Control Message Protocol (ICMP), also known as Ping
Client computers should be added to the organizational unit to ensure a clean image after capture. It is important to use a virtual machine, as opposed to a physical machine, when completing the steps below.
- In the GPMC, right-click your domain node, and click New Organizational Unit.
- In the text field, enter a name for the organizational unit (e.g. “Specops_Deploy_Capture_Settings”).
- Click OK.
- Right-click on the organizational unit, and click Block Inheritance.
- Right-click on the organizational unit, and click Create a GPO in this domain and Link it here.
- In the text field, enter a name for the GPO, and click OK.
- Right-click on the newly created GPO, and click Edit.
- You will need to edit the GPO with the following settings:
Option: Enable Remote Registry
- In the Group Policy Management Editor, expand Computer Configuration, Policies, Windows Settings, Security Settings, and click System Services.
- In the Service Name tab, right-click Remote Registry and select Properties.
- Enable Define this policy setting.
- Enable Automatic.
- Click OK.
Option: Enable Remote Procedure Call (RPC)
- In the Group Policy Management Editor, expand Computer Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security.
- Right-click Inbound Rules and select New Rule…
- Enable Predefined.
- From the drop-down menu, select Remote Service Management, and click Next.
- Verify that all the rules are enabled, and click Next.
- Verify that Allow the Connection is enabled and click Finish.
Option: Enable Windows Management Instrumentation (WMI)
- In the Group Policy Management Editor, expand Computer Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security.
- Right-click Inbound Rules and select New Rule…
- Enable Predefined.
- From the drop-down menu, select Windows Management Instrumentation, and click Next.
- Verify that all the rules are enabled, and click Next.
- Verify that Allow the Connection is enabled and click Finish.
Option: Enable Internet Control Message Protocol (ICMP)
- In the Group Policy Management Editor, expand Computer Configuration, Policies, Administrative Templates, Control Panel, Network, Network Connections, Windows Firewall, and click Domain Profile.
- In the Settings tab, right-click Windows Firewall: Allow ICMP exception and select Edit.
- Select the Enabled checkbox, and click OK.
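The organizational unit and GPO creation steps above can also be scripted and then checked. The following is an added example, not part of the original procedure or of Specops Deploy; it assumes the ActiveDirectory and GroupPolicy RSAT modules are installed, and the GPO name is a hypothetical placeholder.

```powershell
# Added example: scripted equivalent of the GPMC steps for the OU and GPO,
# followed by a check of what actually applies to the OU.
Import-Module ActiveDirectory, GroupPolicy

$OuName  = 'Specops_Deploy_Capture_Settings'   # example name used on this page
$GpoName = 'Capture_Firewall_Exceptions'       # assumed name, choose your own

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=$OuName,$domainDn"

# New Organizational Unit directly under the domain node (skipped if present).
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
    -SearchBase $domainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $OuName -Path $domainDn
}

# Block Inheritance on the OU.
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

# "Create a GPO in this domain and Link it here".
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$som = Get-GPInheritance -Target $ouDn
if ($som.GpoLinks.DisplayName -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Verification. Block Inheritance does not stop GPOs whose links are Enforced
# higher up, so list anything other than the capture GPO that still applies.
$som   = Get-GPInheritance -Target $ouDn
$other = $som.InheritedGpoLinks | Where-Object { $_.GpoId -ne $gpo.Id }
[pscustomobject]@{
    OU                 = $ouDn
    InheritanceBlocked = $som.GpoInheritanceBlocked
    LinkedGpos         = $som.GpoLinks.DisplayName -join ', '
    OtherGposApplying  = $other.DisplayName -join ', '
}

# The GPO opens Remote Registry, RPC, WMI and ICMP, and the OU drops the
# domain's other policies, so confirm only capture machines are members.
Get-ADComputer -SearchBase $ouDn -Filter * | Select-Object Name, Enabled
```

The service and firewall settings inside the GPO are still configured in the Group Policy Management Editor as described in the options above.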