Administrator account disabled RRS feed

  • Question

  • Hello,

    I'm pretty new to MDT so please bare with me.  I just captured a new build and I'm running into an issue when I try to deploy it.  The deploy runs fine and reboots and when it comes back it stops at a user logon page.  On all the builds I have done before it will log directly into the administrator account and finish the deploy. 

    So with this one I attempt to log into the Administrator account and I'm told it's disabled.  We have another build of this same model number that works just fine.  I built this new capture completing from scratch using a Windows 7 Enterprise disk. 

    I've read a little that I should look at the skiprearm setting since it is possible that I've captured the same machine 3 times, but I have no idea on how or where to change that.  I would appreciate any thoughts you might have.

    Thank you!!!!

    Friday, December 6, 2013 4:35 PM

All replies

  • First off, you should verify that Sysprep completed successfully. Crack open the wim, and check the sysprep logs (panther) logs.

    Are you joining to any domain? Do they have any Group Policy restrictions regarding the local administrator account? (disable or rename?)

    Finally, is this a sysprep of a sysprep of a sysprep? That's what is meant by the 3 time rule, and there may be no way around that, although I'm not sure that the symptoms you list above are the outcome of this.

    Keith Garner -

    Friday, December 6, 2013 5:57 PM
  • Thanks Keith. Where would the exact file location be for these logs?

    I am joining a domain, but there is no group policy restrictions regarding the local admin account.

    And here is what we do for captures and sysprep.  We have 5 different models of laptops in the company.  All having their own unique captures and syspreps.  We are upgrading to Office 2013 so I want my capture/sysprep to have Office 2013 as well.  For this new capture I installed Windows directly from a Windows 7 Enterprise disk, not from sysprep, and installed Office 2013, made some other changes, and then captured.  The capture went fine. I made a new task sequence for this capture.  Now when deploying it goes to the log in page and the admininistrator account is disabled.

    The other sysprep for this model of the laptop still works fine, no issues.

    I really appreciate the help!

    Friday, December 6, 2013 6:10 PM
  • I could really use some more ideas on this.  I'm not sure I'm checking the right logs, but there is nothing in the setuperr.log in C:\Windows\System32\Sysprep\Panther\IE. 

    Really in a bind with this one since I need to get this sysprep working ASAP.

    Thanks for the help.

    • Edited by IT_Phil Thursday, December 12, 2013 2:14 PM
    Thursday, December 12, 2013 2:02 PM
  • I can see several different threads going on here, Are you still using Images that are captures of captures?

    How are you using MDT? LTI/ZTI? Capture, Deployment, or both? SCCM or Litetouch?

    Have you tried using a non-captured image in your deployment? Have you tried using a captured image without MDT?

    When you say there is "nothing" in the panther logs, do you mean that there is nothing of interest, or that there is nothing in the log file, that it's empty, which would be a different problem.

    If the machine did not login, then you should see a \minint\smsosd\osdlogs\bdd.log file present on the local system, and it should indicate what MDT was doing when it launched the setup program.

    If you still need help, please copy the newest bdd.log file to a public site like SkyDrive, and share the link.

    Keith Garner -

    Thursday, December 12, 2013 11:16 PM
  • I'm using MDT for both the capture and deployment.  And using Litetouch. I am not using a capture of a capture. The capture is from a brand new Windows 7 build from a Windows 7 disk.

    A non-captured image works.  Not sure what you mean by using a captured image without MDT.

    I have uploaded the newest bdd.log I have here.

    Thanks again.

    Tuesday, December 17, 2013 4:51 PM
  • Nothing obvious from the bdd.log file.

    I am not sure what is going here that would cause the administrator account to be disabled. I can't tell if it's caused by the Deployment process itself, or if there is something in the image.

    Keith Garner -

    Tuesday, December 17, 2013 7:12 PM
  • I'm not sure either.  We haven't changed anything with the image that would cause this.  It is strange why the deployment is not enabling the built in administrator account and auto logging it in.  I know the deployment hasn't finished because of this.  When I go start another deployment it tells me one is already in progress.  There is something disabling the built in admin account and not enabling it again. But I can't figure out what that might be. We don't have any group policy setup that would cause this.

    Tuesday, December 17, 2013 7:45 PM
  • We also have an old image/task sequence of the same model of laptop that still works.  When we use that task sequence the administrator account is not disabled and the deployment boots into the admin account and finishes.  The unattend.xml files are the same for both of these task sequences.

    That has to mean that the problem lies with the captured image right?  I don't know what though because I'm not doing anything different with this new build.

    Wednesday, December 18, 2013 2:45 PM
  • Ok, I've done some further testing on this today. I've added a command prompt to run this command after the Sysprep step during the Capture/Sysprep. 

    net user administrator /ACTIVE:YES

    I captured a new image, created a new task sequence, and deployed it.  Now after the OS install it reboots to a log in screen with the Administrator account active and asking for a password.  I put that in and it goes into Windows.  But something strange is going on.  Windows then proceeds to find all the drivers for the system and MDT deployment does not continue.  It is almost like it isn't even running the Task Sequence I created.  Isn't it supposed to inject the drivers before?

    Any ideas on this???

    Wednesday, December 18, 2013 8:19 PM
  • This command *should* be executed during Litetouch Depoyment.

    See the template file at: C:\Program Files\Microsoft Deployment Toolkit\Templates\Unattend_x86.xml

                    <RunSynchronousCommand wcm:action="add">
                        <Path>cmd /c net user Administrator /active:yes</Path>
    The question is now, why did this command not execute during deployment? Did you modify the MDT Litetouch Unattend.xml template?

    Keith Garner -

    Wednesday, December 18, 2013 8:48 PM
  • I didn't modify the template and that command is in there.  As well as in the unattend.xml for that task.  From what I can see the unattend.xls file is the same as one that currently works just fine.  My thoughts are something is going on with the sysprep and capture, but have no idea what that might be.  This is the first sysprep/capture we have done for a while and on MDT 2013.  Here are rules we have setup if that might help in any way.



    Wednesday, December 18, 2013 8:59 PM
  • It looks as Keith mentioned  Sysprep was not completed successfully so that  speciallize/OOBE phases had nothing to ask from answer file.   Ideally what happens is MDT copies the ltibootstrap.vbs in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce   so that when system boots up it can run this and continue the task sequence operation.  Once this is run the entry gets deleted from the registry.   So to identify the flow, we need a few logs

    C:\windows\panther folder  -  need entire folder without missing any sub folders

    C:\windows\system32\sysprep\panther folder

    C:\MININT folder or  C:\windows\temp\deploymentlogs folder

    Also send your  \\MDTserver\deploymentshare\control folder



    Wednesday, December 25, 2013 4:20 AM