Monday, August 27, 2012 7:54 PM
I have another question about capturing an image. Our deployment server is on another subnet then our working network. So we have to rejoin a computer to our working network when we are done with the imaging. In our working network we always add a group to every computer that is local admin but the domain is different than our deployment network. So basically I did this I made sure the reference computer was on the working network joined it to the domain, added this group to the local admin group, disjoined the reference computer from the working domain, so when I did that the group that I added was gone obviously because it was no longer on that domain. Now my question to you is this when we go ahead and add it back to the domain will it also add back the group that is on the same domain or will we have to manually add it again. Or is there a simpler way to do this?
Thursday, August 30, 2012 8:22 PM"restricted groups" with a GPO on your destination domain ?
- Marked As Answer by CompSol123 Friday, September 28, 2012 1:57 PM
Thursday, August 30, 2012 8:40 PMWhat about Administrators001=DOMAIN\GROUPNAME in your CustomSettings.ini?
Thursday, August 30, 2012 8:53 PMOk I will give that a try and see what happens thanks
Friday, August 31, 2012 5:33 PM
Ok what I did not work, perhaps I did something wrong so this is what I did.
- In MDT I opened the custom.ini file for the OS I was working on under Task Sequence.
- Then I entered in a synchronous command to Pass 6 audituser and this is what I typed in the command line box Administrators001=DOMAIN\GROUPNAME I was not sure if I needed to put the parentheses.
- I saved my changes and updated the share and I imaged a machine joined it to the domain and checked the users and the user I was looking for was not there.
Friday, August 31, 2012 8:31 PM
OK, try this, I looked at my customsettings.ini and it is a little different than what I posted.
On the deployment share, go to the Control folder and edit the CustomSettings.ini.
add the following line to the Defailt section:
Save the file and test the deployment.
Thursday, September 27, 2012 1:43 PMSorry it took so long for me to get back to you but I just now bulit the image and I tested the image and I joined the machine to the domain with the line in the ini file as you said but I did not see our group in there do you have any other ideas? I will search the internet and see what I find out thanks.
Thursday, September 27, 2012 7:22 PM
I would look in the bdd.log and see what ZTIGroups is doing.
The RestoreGroups step of the task sequence calls cscript.exe "%SCRIPTROOT%\ZTIGroups.wsf" /restore so you should see something like this:
Thursday, September 27, 2012 10:06 PM
I don't see a way how you can add a user group to your local admin group during the deployment process if it's a disjoint network from the production domain. It's not possible to add domain user groups (whether they are domain local, global or universal) to a non-domain joined pc. The pc needs to be domain joined in order to query AD.
You would have to configure your network so that the machines being deployed will be able to join the domain during the deployment process in order to add domain user groups to any local user group as part of the task sequence.
As Julien Darakdjian said, a very effective way to manage local user groups on a machine, is the group policy "restricted groups" (Computer configuration > Policies > Windows Settings > Security Settings > Restricted Groups). These are somewhat tricky if you've never worked with them so I suggest to read up on this topic before you configure this policy.
Another policy that works really well too, and not as "destructive" as restricted groups, is "Group Policy Preferences", in this case you can configure either computer of user configuration > preferences > control panel settings > local users and groups.
If one of these posts answered your question or issue, please click on "Mark as answer".
My Blog | Twitter: @Schwarz_Stephan | MCTS, MCITP, MCSA, MCC-2011.
How to configure Windows RE/OEM Recovery Partition with MDT
Friday, September 28, 2012 1:56 PMThanks after reading on this a bit it seems like the best way to do this is just push it down through Group Policy when I join it to the network, thanks