aravind anche
asked on
sysprep and capture task sequence enables admin account
I created a TS in MDT for sysprep and capture. I checked on the reference computer that the default admin account is disabled and the local admin account 'abc' is enabled. I ran litetouch.vbs and successfully captured the image. I created a TS to deploy and deployed that image successfully on a physical machine. The physical machine logs directly into the admin account, and both the admin account and the local admin 'abc' are enabled. Is there any way that, after deploying, the system logs into the 'abc' account and the admin account is disabled?
Thanks
ASKER
Thanks for the solution. But we do not want to do that with GPO. We want that to be in the image itself. So is there any solution?
OK.
You may try to insert a Runsynchronous Command under FirstLogonCommand in the component Microsoft-Windows-Shell-Setup.
SynchronousCommand specifies a command to run the first time a user logs on to the computer, its description, and the order in which it is run. FirstLogonCommands are run after logon but before the user sees the desktop.
ASKER
Thanks
Do we need to insert that in unattended.xml? I am confused
Yes, it is part of unattended.xml file, below is example:
<FirstLogonCommands>
  <SynchronousCommand wcm:action="add">
    <Order>1</Order>
    <CommandLine>cmd.exe /c reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v HideFileExt /t REG_DWORD /d 0 /f</CommandLine>
    <Description>ChangeHideFiles</Description>
  </SynchronousCommand>
  <SynchronousCommand wcm:action="add">
    <Order>2</Order>
    <CommandLine>powershell.exe -noprofile -executionpolicy bypass -command "Set-Content C:\test 'WHATTHEHELL' -force"</CommandLine>
    <Description>PSell</Description>
  </SynchronousCommand>
</FirstLogonCommands>
ASKER
Sorry I am being Kinky. I have no idea where to add that thing. I am new to MDT.
ASKER
Should we add this under oobe system>amd64_Microsoft-Windows-Shell-setup_neutral>First logon command?
Right click>Create New Synchronous command.
ASKER
Oh, we create a script file in the scripts folder and then give that path under oobe system>amd64_Microsoft-Windows-Shell-setup_neutral>First logon command, right?
ASKER
I got it. So include the above code in the unattend file in the control folder.
ASKER
I made changes to the xml file. After the installation I end up at the Ctrl+Alt+Del screen after restart. It won't log in. Then when I log in manually it won't join the domain.
Any suggestions?
Can you attach the xml file here without passwords, please?
ASKER
Hi,
Here is my xml file
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <ImageInstall>
        <OSImage>
          <WillShowUI>OnError</WillShowUI>
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>1</PartitionID>
          </InstallTo>
          <InstallFrom>
            <Path>.\Operating Systems\Capture102\Capture102.wim</Path>
            <MetaData>
              <Key>/IMAGE/INDEX</Key>
              <Value>1</Value>
            </MetaData>
          </InstallFrom>
        </OSImage>
      </ImageInstall>
      <Display>
        <ColorDepth>16</ColorDepth>
        <HorizontalResolution>1024</HorizontalResolution>
        <RefreshRate>60</RefreshRate>
        <VerticalResolution>768</VerticalResolution>
      </Display>
      <ComplianceCheck>
        <DisplayReport>OnError</DisplayReport>
      </ComplianceCheck>
      <UserData>
        <AcceptEula>true</AcceptEula>
        <ProductKey>
          <Key></Key>
        </ProductKey>
      </UserData>
    </component>
    <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SetupUILanguage>
        <UILanguage>en-US</UILanguage>
      </SetupUILanguage>
      <InputLocale>0409:00000409</InputLocale>
      <SystemLocale>en-US</SystemLocale>
      <UILanguage>en-US</UILanguage>
      <UserLocale>en-US</UserLocale>
    </component>
  </settings>
  <settings pass="generalize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <DoNotCleanTaskBar>true</DoNotCleanTaskBar>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <Identification>
        <Credentials>
          <Username>wksimport</Username>
          <Domain>corp.com</Domain>
          <Password>12345</Password>
        </Credentials>
        <JoinDomain></JoinDomain>
        <JoinWorkgroup></JoinWorkgroup>
        <MachineObjectOU></MachineObjectOU>
      </Identification>
    </component>
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <ComputerName></ComputerName>
      <ProductKey></ProductKey>
      <RegisteredOrganization>corp</RegisteredOrganization>
      <RegisteredOwner>corp</RegisteredOwner>
      <DoNotCleanTaskBar>true</DoNotCleanTaskBar>
      <TimeZone>Pacific Standard Time</TimeZone>
    </component>
    <component name="Microsoft-Windows-IE-InternetExplorer" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <Home_Page>about:blank</Home_Page>
      <DisableWelcomePage>true</DisableWelcomePage>
      <DisableFirstRunWizard>false</DisableFirstRunWizard>
    </component>
    <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <RunSynchronous>
        <RunSynchronousCommand wcm:action="add">
          <Description>EnableAdmin</Description>
          <Order>1</Order>
          <Path>cmd /c net user Administrator /active:yes</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Description>UnfilterAdministratorToken</Description>
          <Order>2</Order>
          <Path>cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken /t REG_DWORD /d 0 /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Description>disable user account page</Description>
          <Order>3</Order>
          <Path>reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\OOBE /v UnattendCreatedUser /t REG_DWORD /d 1 /f</Path>
        </RunSynchronousCommand>
      </RunSynchronous>
    </component>
    <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <InputLocale>0409:00000409</InputLocale>
      <SystemLocale>en-US</SystemLocale>
      <UILanguage>en-US</UILanguage>
      <UserLocale>en-US</UserLocale>
    </component>
    <component name="Microsoft-Windows-TapiSetup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <TapiConfigured>0</TapiConfigured>
      <TapiUnattendLocation>
        <AreaCode>""</AreaCode>
        <CountryOrRegion>1</CountryOrRegion>
        <LongDistanceAccess>9</LongDistanceAccess>
        <OutsideAccess>9</OutsideAccess>
        <PulseOrToneDialing>1</PulseOrToneDialing>
        <DisableCallWaiting>""</DisableCallWaiting>
        <InternationalCarrierCode>""</InternationalCarrierCode>
        <LongDistanceCarrierCode>""</LongDistanceCarrierCode>
        <Name>Default</Name>
      </TapiUnattendLocation>
    </component>
    <component name="Microsoft-Windows-SystemRestore-Main" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <DisableSR>1</DisableSR>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <UserAccounts>
        <AdministratorPassword>
          <Value>QQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBQAGEAcwBzAHcAbwByAGQA</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Enabled>true</Enabled>
        <Username>abc</Username>
        <Domain>.</Domain>
        <Password>
          <Value>MQBCAHIAdQBaADEAbgA4AFAAYQBzAHMAdwBvAHIAZAA=</Value>
          <PlainText>false</PlainText>
        </Password>
        <LogonCount>999</LogonCount>
      </AutoLogon>
      <Display>
        <ColorDepth>32</ColorDepth>
        <HorizontalResolution>1024</HorizontalResolution>
        <RefreshRate>60</RefreshRate>
        <VerticalResolution>768</VerticalResolution>
      </Display>
      <FirstLogonCommands>
        <SynchronousCommand wcm:action="add">
          <CommandLine>wscript.exe %SystemDrive%\LTIBootstrap.vbs</CommandLine>
          <Description>Lite Touch new OS</Description>
          <Order>1</Order>
        </SynchronousCommand>
      </FirstLogonCommands>
      <AutoLogon>
        <Password>
          <Value>12345</Value>
          <PlainText>True</PlainText>
        </Password>
        <UserName>abc</UserName>
        <Enabled>true</Enabled>
        <LogonCount>5</LogonCount>
      </AutoLogon>
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <NetworkLocation>Work</NetworkLocation>
        <ProtectYourPC>1</ProtectYourPC>
      </OOBE>
      <RegisteredOrganization>corp</RegisteredOrganization>
      <RegisteredOwner>corp</RegisteredOwner>
      <TimeZone></TimeZone>
    </component>
    <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <InputLocale>0409:00000409</InputLocale>
      <SystemLocale>en-US</SystemLocale>
      <UILanguage>en-US</UILanguage>
      <UserLocale>en-US</UserLocale>
    </component>
  </settings>
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-PnpCustomizationsNonWinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <DriverPaths>
        <PathAndCredentials wcm:keyValue="1" wcm:action="add">
          <Path>\Drivers</Path>
        </PathAndCredentials>
      </DriverPaths>
    </component>
  </settings>
  <cpi:offlineImage cpi:source="catalog://wdstest01/sharedeployment$/operating systems/capture102/capture102_101ddrive.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>
So what I really need is that at the first logon it should log into the abc account and join the domain, then restart and go to the Ctrl+Alt+Del screen where we can enter corp login details.
Thanks
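An answer file like the one posted above can be checked before it goes into the deployment share. The following is an added example, not code from this thread or from MDT: it flags a component that carries more than one AutoLogon block, passwords stored as plain text, passwords stored with PlainText set to false (which is only base64 of the UTF-16LE password with the element name appended, not encryption), and setup commands that re-enable the built-in Administrator account. The function names, finding codes and the sample file are assumptions made for this illustration, and the sample values are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

ENABLE_ADMIN = re.compile(r"net\s+user\s+administrator\s+/active:yes", re.I)

def local(elem):
    return elem.tag.rsplit("}", 1)[-1]  # tag name without the unattend namespace

def is_reversible(value, tag):
    # "Hidden" passwords are base64(UTF-16LE(password + element name)).
    try:
        text = base64.b64decode(value, validate=True).decode("utf-16-le")
    except ValueError:  # covers bad base64 and bad UTF-16
        return False
    return text.endswith(tag)

def audit_unattend(xml_text):
    # Returns (finding code, component name) tuples in document order.
    findings = []
    for comp in ET.fromstring(xml_text).iter():
        if local(comp) != "component":
            continue
        name = comp.get("name", "?")
        if sum(local(c) == "AutoLogon" for c in comp) > 1:
            findings.append(("DUPLICATE_AUTOLOGON", name))
        for node in comp.iter():
            tag = local(node)
            if tag in ("Password", "AdministratorPassword"):
                kids = {local(k): (k.text or "").strip() for k in node}
                value = kids.get("Value", (node.text or "").strip())
                if not value:
                    continue
                if kids.get("PlainText", "true").lower() == "true":
                    findings.append(("PLAINTEXT_PASSWORD", name))
                elif is_reversible(value, tag):
                    findings.append(("ENCODED_NOT_ENCRYPTED", name))
            elif tag in ("Path", "CommandLine") and ENABLE_ADMIN.search(node.text or ""):
                findings.append(("ENABLES_BUILTIN_ADMIN", name))
    return findings

# Constructed sample (not the poster's file): same patterns, made-up values.
HIDDEN = base64.b64encode("Example1Password".encode("utf-16-le")).decode()
SAMPLE = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend"><settings pass="oobeSystem">
<component name="Microsoft-Windows-Deployment"><RunSynchronous><RunSynchronousCommand>
 <Path>cmd /c net user Administrator /active:yes</Path></RunSynchronousCommand></RunSynchronous></component>
<component name="Microsoft-Windows-Shell-Setup">
 <AutoLogon><Password><Value>{HIDDEN}</Value><PlainText>false</PlainText></Password></AutoLogon>
 <AutoLogon><Password><Value>example</Value><PlainText>True</PlainText></Password></AutoLogon>
</component></settings></unattend>"""
print(audit_unattend(SAMPLE))
```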
ASKER
Adding "net user administrator /active:no" in custom tasks as run command line worked
You can do it by Group Policy settings:
https://www.experts-exchange.com/questions/23047109/How-To-Disable-Local-Accounts-Using-GPO.html