UnattendJoin using Windows 7 sysprep and unattend xml file

Posted on 2011-09-23
Medium Priority
Last Modified: 2012-06-27

I have created a custom Windows 7 image and I am now trying to configure the unattendjoin component of my unattend file to make the computer join our domain as part of the sysprep process.

I have this working partially. Using the following entries I can get the PC to join the Domain but when I try to log on as Domain admins to the recently sysprep'd machine I am given some sort of error which is associated with there being no machine account in Active Directory.

Why if the unattend file is joining the machine to the domain is it not creating a machine account in AD?

Is there an option to get the PC to prompt you as part of the setup to put the machine on the Domain just like sysprep worked in Windows XP?

Furthermore there appears to be two options for joining the machine to the domain, secure and unsecure. I am led to believe that if you leave unsecure as false the you must enter domain name, username and password credentials for joining the PC to the Domain under the credentials field. (This is the option that I have been using that results in the PC appearing as if it is on the Domain but has no machine account associated in AD, and yes the credentials I am using are domain admins!)

If setting unsecurejoin to true apparently you leave all fields under credentials blank but instead enter the relevant details under the Identifications field for Domain etc. There is also a field for Machine password. Can anything be typed in here???


 <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">


<component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

This options results in my pc being on the Workgroup whilst the first option results in my pc being on the domain but has no machine account in AD.

Has anyone managed to get this working?

I am working from a sypreped image and using ghost to deploy.
Question by:Anne_Ward
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 40

Expert Comment

ID: 36596742
Can you post the actual error message you are seeing?

Are you sure the computer is actually joined to the domain?  If you log on locally, look at computer properties...

I tend to prefer using UnsecureJoin=true so I don't have to included credentials in any text file, but anyway...  If using this, the credentials section should not have empty elements, so delete it entirely.  Also delete the MachineObjectOU element unless you're filling it out.

Are you using the Windows AIK to create the answer file?

Also, in both cases, how are you going about naming the computer?  This has to be set in the answer file for the domain join to succeed.

There is no way to prompt you to join the domain.

Author Comment

ID: 36598216
Hi Footech:

The error is:

The trust relationship between this workstation and the primary domain failed.

I have already double checked under the properties and the PC has a fqdn PC3600.local.mydomain.co.uk.

Also i did not realise that you ahve to remove the machine password and credentials if not using which is good however i do have sysprep prompting for the PC name as we have nop way of automating the PC names because they are the same as the asset tag we put on them.

Does this then mean that the only way to get the PC to join the Domain, in my case, with the correct PC name is to do it manually?

LVL 40

Accepted Solution

footech earned 2000 total points
ID: 36599213
Correct.  The domain join process happens in phase 4 (specialize).  If you don't supply a computer name until the prompt, this is happening in stage 7 (OOBE).  Frankly I'm surprised that it's being joined to the domain at all, as I've never heard of this succeeding unless the computer name is specified in the answer file as well (either specifically or with *).

I suppose you could use a random name to do the join and then change it manually afterwards to match the asset tag, but it doesn't save you much work, if any.

Featured Post

[Webinar] How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
When you try to extract and to view the contents of a Microsoft Update Standalone Package (MSU) for Windows Vista, you cannot extract the files from the MSU. Here we are going to explain how to extract those hotfix details without using any third pa…
This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question