Automating Wireless SSID transition
I was involved once in transition an enterprise around 300+ users using wireless access-points to connect to the corporate network, it was a bit of a challenge but it was a very good experience nevertheless, I’ve used a mix of Active Directory GPO’s and scripts to accomplish this and here are the steps (I’ve done this on Windows 7 and Windows 8):
Note: this must be done before you move the PCs/laptops to their new destination!
Grabbing the SSID configuration:
- First from any laptop with the desired SSID saved on it run this command:
- netsh wlan export profile name=”SSIDNAME” folder=”C:\”
- The above will dump an XML file named “Wireless Network Connection-SSIDNAME.xml.
Preparing the SSID import script:
- Put the XML file in an accessible shared location on the network (could be the domain controller or wherever you put your scripts) with read permissions.
- Create a new batch file with the following commands in it:
- net use w: /delete > C:\Log.txt
- net use w: \\sharedlocation_for_xml >> C:\Log.txt
- netsh wlan add profile filename=”W:\Wireless Network Connection-SSIDNAME.xml” user=all >> C:\Log.txt
- net use w: /delete >> C:\Log.txt (this is optional).
- You noticed I added a redirection of output to Log.txt, this I added in case for some reason on any of the PCs your deploying to you faced issues it will show you where the script stopped.
- Save the batch in machine startup scripts on your PDC
- \\domain.tlds\SysVol\domain.tlds\Policies\{GUID}\Machine\Scripts\Startup
Preparing the GPO:
- Create a new GPO:
- Computer Configuration -> Policies -> Windows Settings -> Scripts
- Add the newly created batch to the startup scripts.
- Upon the start of any PC joined the domain in HO it will get the new SSID installed along with its network key saved, also the network key is encrypted.
Preventing the nifty users from getting the key o_0 (So Mr. Admin you’re in the 0 trust nebula!):
To prevent users from showing the network key (this is not possible by design) on the other hand I’ve come up with a configuration which will do the trick:
- Create a new group policy:
- User Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies
- Right-click and create a new software restriction policy.
- Software Restriction Policies -> Enforcement: All software files and all users.
- Software Restriction Policies -> Security Levels -> Leave as is.
- Software Restriction Policies -> Additional rules:
- Delete all existing rules.
- Right-click add new path rule:
- Path: C:\Windows\System32\wlanui.dll
- Security Level: Disallowed
- Click OK
- Right-click add new path rule.
- Path: C:\Windows\SysWOW64\wlanui.dll
- Security Level: Disallowed.
- Click OK.
- On the same group policy, go to:
- Computer Configuration\Policies\Administrative Templates\System\Group Policy
- Set the “User Group Policy loopback processing mode” to Enabled
- Select Replace which will override any other policies this software policy will take precedence.
Now verify both the script and the group policies and apply them to the Computers and Users needed and you’re done, if you require any further assistance in testing and implementing the up above I’d be more than glad to assist you.