SafeBoot, or its successor Endpoint Encryption from McAfee, is widely used in corporate businesses. Therefore I will add this software to my wiki just in case anybody is looking for automation in SafeBoot. I have worked with both Endpoint Encryption and SafeBoot, and it is a very good program but can be cumbersome when you make a tiny mistake.
To automate things you can write batch files, for example when you want to add a specific group to a number of computers in a particular group. Here I will describe how to make this batch file.
When you need a list of computers from a particular group you will use the following command:
D:\SafeBoot\SBAdmin\sbadmcl -adminuser:user@companyxyz.com -adminpwd:"passw0rd" -command:DumpMachinesByGroup -Group:GroupNameInSafeboot -File:OutputFileName.txt
Once you have the list of computers you can use these names to add a group to these computers with:
FOR /F %%a IN (list.txt) DO D:\SafeBoot\SBAdmin\sbadmcl -adminuser:user@companyxyz.com -adminpwd:"passw0rd" -command:SetUser -Machine:%%a -Group:GroupNameToAdd -OutputFile:OutPutFileName.txt >> displayOutputFileName.txt
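The loop above wrapped in a batch file that asks for the credentials at run time instead of keeping them in the script, as an added example that is not part of the original page. It assumes list.txt contains one machine name per line and that PowerShell is available for the hidden password prompt; it uses only the sbadmcl options shown above, and the group, file and path names are the page's placeholders.

```batch
@echo off
rem Added example (not from the original page). Assumptions: list.txt holds
rem one machine name per line; group, file and path names are placeholders.
setlocal EnableExtensions DisableDelayedExpansion

set "SBADMCL=D:\SafeBoot\SBAdmin\sbadmcl"
set "LIST=list.txt"
set "GROUP=GroupNameToAdd"
set "LOG=displayOutputFileName.txt"

rem Stop early if the machine list is missing.
if not exist "%LIST%" (
    echo %LIST% not found, create it from the DumpMachinesByGroup output first.
    exit /b 1
)

rem Ask for the credentials at run time so they are not stored in this file.
set /p "SBUSER=SafeBoot admin user: "
set "PSCMD=powershell -NoProfile -Command "$p = Read-Host 'SafeBoot admin password' -AsSecureString; [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($p))""
for /f "usebackq delims=" %%p in (`%PSCMD%`) do set "SBPWD=%%p"
if not defined SBPWD (
    echo No password entered.
    exit /b 1
)

rem Run SetUser once per machine and label each result in the log.
for /f "usebackq delims=" %%a in ("%LIST%") do (
    >>"%LOG%" echo ==== %%a
    "%SBADMCL%" -adminuser:%SBUSER% -adminpwd:"%SBPWD%" -command:SetUser -Machine:%%a -Group:%GROUP% -OutputFile:OutPutFileName.txt >>"%LOG%"
)

rem Clear the password from the environment before returning.
set "SBPWD="
endlocal
```

The password is still passed to sbadmcl on its command line, as in the commands above, so it is visible in the process list of the administration server while each call runs. A password containing a double quote will break the quoting of the -adminpwd argument.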
You also want to take into account all the computers that haven't been connected to the network for 365 days, or users that are not active. You would run the following commands to find those computers or users:
D:\SafeBoot\SBAdmin\sbadmcl -adminuser:userswithadminrights -adminpwd:"P@ssw0rd" -command:ShowOldMachines -CheckForSeq:No -Group:* -DaysOld:365 -OutputFile:Machines_not_active_for_365_days.txt >> Complete_run_oldmachines.txt
or, for users:
D:\SafeBoot\SBAdmin\sbadmcl -adminuser:userwithadminrights -adminpwd:"P@ssw0rd" -command:ShowOldUsers -Group:* -DaysOld:365 -OutputFile:Users_not_active_for_365_days.txt >> Complete_run_oldUsers.txt
SafeBoot emergency boot
When you can't get into the laptop, you will need to perform an emergency boot. I will describe the steps that you will need to follow:
- Reboot the problem machine using the SafeTech boot disk
- At the DOS prompt, type SafeTech and press Return
- Enter the access code (you'll need to have this to be able to boot into the SafeTech tools)
- Values from Database
- Loading values from a Machine’s database
- Ensure the correct machine configuration is on the disk (you need a machine export without the users)
- Select ‘Proceed’ (caution: the selected < Proceed > is not colored but gray and is marked with <>)
- >Proceed< - Press Return.
- The machine name will be shown in an open window
- Only the correct machine should be listed!
- Wait for this to load; the message “SafeBoot values read from configuration database” is displayed
- Select “Emergency Boot” menu option
- Select “Create Data File”. This will create a small file called sbrepair.dat on the disk
- SafeTech will also prompt to write an emergency MBR
- Select ‘Proceed’ (caution: the selected < Proceed > is not colored but gray and is marked with <>)
- >Proceed< - Press Return
- “The Emergency Boot MBR written” confirmation is displayed.
- Select ‘Previous menu’ option
- Exit to MSDOS
- Remove boot disk and reboot the machine
- The system will prompt for the SafeBoot Emergency Boot disk
- With the disk inserted press a key
- Proceed with a normal boot
- Sync SafeBoot from within Windows to make sure it updates its database and you can boot the laptop normally
Errors on your laptops
You could receive the following error when you try to synchronize the laptop with the SafeBoot server:
DB010002 Unable to change the object's access mode
This error will keep popping up when you try to move the machine or delete it. The only resolution that I came across is to restart the SafeBoot communication server service on the SafeBoot database server. Then restart the SafeBoot console on the server: just end the session and start a fresh session. Then reboot the troubled machine. After that you should be able to communicate with the central SafeBoot server again. This error occurs when the SafeBoot server thinks that the object is being held by another administrator. When you are sure this is not the case, restart the service.