How to Disable Built in Administrator Account after Deployment

  • Question

  • Hey there,

    the title describes it all.

    After every Deploy, the system logs on in the built in Administrator Account automatically.

    Even though I placed a command line as the last step in the Post Install Task Sequence with:

    cmd /c net user Administrator /active:no

    That does not work either.

    The reason: I prepare notebooks for schools. No domain, just a workgroup. There should be no built-in admin visible at the logon screen, just the teachers' admin and the children's user.

    Thank you for your help!

    Thursday, January 31, 2019 12:10 PM

All replies

  • I have been looking into this as well recently.  So far it is working if I put that step as the very last task of State Restore.  
    Thursday, January 31, 2019 4:53 PM
  • For something like this I would just set up a GPO that disables the admin account, since the account could get enabled some time after deployment.

    If you do want to make sure the account is disabled immediately you can always use the SetupComplete.cmd file. You can add any cmd-type command in there and it will run all commands after Windows setup is complete.

    Thursday, January 31, 2019 7:52 PM
  • Did you use exactly the same command as I did in the State Restore part?

    I get logged in no matter what I do. I get an MDT error about MDT being unable to find the BDD welcome message, but I think that's past the Account Disable Task Sequence step.

    I would like to try the GPO method after sysprep, so I'll check now how I can inject a GPO afterwards...

    Friday, February 1, 2019 12:38 PM
  • What Shivvery wrote should work in the task sequence or as a script in a GPO. However, I believe you need at least one other account in the admin group, such as a domain admin account, before you can disable the local admin account. Try these commands: add a domain admin account, then disable the local admin account:

    net localgroup administrators domain\domainAdminAcctName /add
    
    net user Administrator /active:no

    Typically I will put each command in its own task when testing, so if there is a problem with one you know which it is. Then set them to continue on error.

    For the GPO you would use :

    Computer Policy | Windows Settings | Security Settings | Local Policies | Security Options | Accounts: Administrator account status

    Or you can use the same net user script.

    
    Friday, February 1, 2019 12:58 PM
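The safeguard this reply describes (another administrator must exist before the built-in one is disabled), written out as an added PowerShell example; it is not code from the thread. Names are hypothetical: the second admin is called TeacherAdmin and its password is passed in as a parameter. It targets the workgroup case from the question, so only enabled local accounts count as the "other" admin. It needs the Microsoft.PowerShell.LocalAccounts module (Windows 10 1607 and later) and an elevated session.

```powershell
# Added example, not from the thread. Creates a second local administrator if needed,
# then disables the built-in Administrator only when it is safe to do so.
# Hypothetical names: 'TeacherAdmin' and the $TeacherPassword parameter.
param(
    [string]$TeacherName = 'TeacherAdmin',
    [Parameter(Mandatory)][securestring]$TeacherPassword
)

# The built-in Administrator is the account whose SID ends in -500. It keeps that RID
# even if renamed, so identify it by SID rather than by the name "Administrator".
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtin) { throw 'Could not find the RID-500 built-in Administrator account.' }

# Create the teacher account if it does not exist and put it in Administrators.
if (-not (Get-LocalUser -Name $TeacherName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $TeacherName -Password $TeacherPassword -PasswordNeverExpires | Out-Null
}
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $TeacherName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $TeacherName
}

# Refuse to continue if the built-in account is the only *enabled* local administrator.
# Domain members of the group are ignored here because this is a workgroup machine.
$otherAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -ne $builtin.SID.Value } |
    ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
    Where-Object { $_.Enabled }
if (-not $otherAdmins) {
    throw "No other enabled local administrator exists; refusing to disable $($builtin.Name)."
}

# Warn if this very session is the built-in account: disabling it from inside a task
# sequence that runs as that account will break whatever still has to run afterwards.
$currentSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
if ($currentSid -eq $builtin.SID.Value) {
    Write-Warning "Running as $($builtin.Name). Run this step as $TeacherName, or as the final action after everything else has finished."
}

Disable-LocalUser -SID $builtin.SID

# Verify and exit non-zero so a task-sequence command-line step reports the failure.
$after = Get-LocalUser -SID $builtin.SID
if ($after.Enabled) { Write-Error "Failed to disable $($after.Name)"; exit 1 }
"Disabled $($after.Name) ($($after.SID.Value)); enabled admins left: $($otherAdmins.Name -join ', ')"
```

Looking the account up by its RID-500 SID keeps the script correct if the account has been renamed, and refusing to proceed when no other enabled administrator exists turns a silent no-op into a visible error. Anything passed on a task-sequence command line can end up in BDD.log, so supply the password from a protected source rather than hard-coding it in the step.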
  • I created 2 admin accounts prior to sysprep by hand. I don't use MDT or Unattend for that, as I set up the look and feel of the profiles before making the WIM.

    So maybe I should run the task as such another admin in the Task Sequence?

    As I mentioned these devices will not see a domain - at least not in the near future as the school does not have a DC for now.

    Friday, February 1, 2019 1:03 PM
  • Yes. I have a few extra capital letters and such, but it works fine for us in State Restore. So far I have been testing it in our LTSC 1809 deployments.

    Command:  cmd.exe /c NET USER Administrator /active:no

    Location: 

    Friday, February 1, 2019 2:01 PM
  • Command:  cmd.exe /c NET USER Administrator /active:no

    I think that's the cause - I put just cmd /c.

    Testing now.

    Thanks for your input!

    • Proposed as answer by Brian Gonzalez Monday, February 11, 2019 4:43 PM
    Monday, February 4, 2019 7:42 AM
  • It shouldn't really matter; cmd is a short form of cmd.exe used all the time from batch files. But MDT may be picky. You can also make sure to set the run location to C:\windows\system32. You may not even need it when run as a command line task; just enter "net user administrator /active:no".
    Monday, February 4, 2019 10:42 PM
  • You're right, this hasn't changed anything...
    I wanted to check the Task Sequence Log file but I can't find it in the folder mentioned in several blogs:

    https://sccmguy.com/2011/03/29/where-is-the-smsts-log-located/

    Checked: C:\windows\SysWOW64\ccm\logs\ 
    and several other mentioned folder paths.


    Do you have any tips for me to troubleshoot this?

    Tuesday, February 5, 2019 7:41 AM
  • Here is the error I get after the Restore Section in the Task Sequence (Wizard Page):

    Any tips would be great, as I don't see any error messages that are relevant or useful... :(

    Screenshot: https://ibb.co/RYSwp5W

    Tuesday, February 5, 2019 12:16 PM
  • I can't view that screenshot; the site must not use higher SSL protocols for TLS.

    One thing I can think of is that during the task sequence the system is logged in on its local admin account. If you disable that account the rest of the tasks may not run. You can try to put the disable admin account step as the very last item in the State Restore group and see if that helps.

    One way to test to ensure your script is working is to run it from the desktop of a computer you have imaged. I think it may be failing because once you disable the local admin account the task sequence can no longer continue, because it uses that account to run the task sequence. You may need to run this after everything else has finished. Look at this about running a command as a finish action. Be sure to back up any files you modify first.

    https://blogs.technet.microsoft.com/deploymentguys/2012/07/06/finish-actions-for-configuration-manager-osd/

    Tuesday, February 5, 2019 3:05 PM
  • I shared the image on another host here: https://imgur.com/a/0EiwBU7

    That could be true, as the last step in the Default Client Task Sequence (as I use this one) is "Imaging".

    But when the task sequence fails due to the admin disable, why isn't the account disabled on logout or reboot?

    Here is a screenshot of my sequence end; as mentioned, I use the default template for client installation.

    Maybe I can delete a bunch of steps, as I don't need them either?

    https://imgur.com/a/EtBz2aW

    Tuesday, February 5, 2019 4:01 PM
  • It's probably giving an error because the disable action is failing, maybe due to the fact that you are logged on with the account you are trying to disable. So it cannot disable the account and generates an error.

    Try to view the log files before restarting the computer to make sure MDT does not clear them out and see if there is anything helpful there. For troubleshooting try this.

    1) Log onto a test computer as admin, open a command prompt (type cmd and hit enter), then type in the command to disable the admin account and see if it works. If it gives an error saying you cannot disable the only admin account or cannot disable the account that is currently logged on, then that's the issue.

    2) If that works, then make a new empty task sequence and make a single command line task with your disable command. You can access that from the desktop by entering the path to the litetouch.vbs file, like so: \\servername\DeploymentShare$\scripts\litetouch.vbs. Enter the same credentials you use in your bootstrap.ini file to connect to the deployment share, select the new test task sequence and see if it runs without error. If not, view the logs. (Note: make sure to comment out any task sequences set to run automatically in your customsettings.ini first.)

    Alternatively you can rename the admin account to something other than admin or run a script to disable the account remotely.

    
    Tuesday, February 5, 2019 5:30 PM
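The checks this reply walks through, as an added PowerShell diagnostic that is not part of the thread. Run it on the imaged machine (or while the task sequence is paused) to see whether the current session is the built-in Administrator, which enabled local administrators exist, whether the MDT task sequence engine is still running, and which log directory to read. The log locations are MDT's defaults (C:\MININT\SMSOSD\OSDLOGS while a Lite Touch sequence runs, %WINDIR%\Temp\DeploymentLogs once it finishes); the ccm\logs path from the SCCM blog applies to ConfigMgr clients, not to MDT Lite Touch.

```powershell
# Added example, not from the thread: pre-flight diagnostics for the disable step.

# The built-in Administrator is the RID-500 account, whatever it is currently named.
function Get-BuiltinAdmin {
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

# True when this PowerShell session itself runs as the built-in Administrator,
# which is the case inside a Lite Touch task sequence (it autologs on as that account).
function Test-RunningAsBuiltinAdmin {
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $me.User.Value -eq (Get-BuiltinAdmin).SID.Value
}

# Enabled local user accounts that are members of Administrators (domain members ignored).
function Get-EnabledLocalAdmins {
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' } |
        ForEach-Object { Get-LocalUser -SID $_.SID } |
        Where-Object { $_.Enabled }
}

# MDT default log folders: MININT while the sequence runs, DeploymentLogs afterwards
# (unless SLShare in CustomSettings.ini copied them to a network share instead).
function Get-MdtLogPath {
    @("$env:SystemDrive\MININT\SMSOSD\OSDLOGS", "$env:WINDIR\Temp\DeploymentLogs") |
        Where-Object { Test-Path $_ }
}

$builtin = Get-BuiltinAdmin
"Built-in admin  : $($builtin.Name)  enabled=$($builtin.Enabled)"
"Running as it   : $(Test-RunningAsBuiltinAdmin)"
"Enabled admins  : $((Get-EnabledLocalAdmins).Name -join ', ')"
# TsManager.exe / TSMBootstrap.exe are the task sequence engine processes MDT uses.
"TS engine alive : $([bool](Get-Process -Name TsManager, TSMBootstrap -ErrorAction SilentlyContinue))"

foreach ($dir in Get-MdtLogPath) {
    "Logs in $dir"
    # BDD.log records each step's command line and result; show the lines that mention
    # the Administrator account or the /active:no command, with two lines of context.
    $bdd = Join-Path $dir 'BDD.log'
    if (Test-Path $bdd) {
        Select-String -Path $bdd -Pattern 'active:no|Administrator' -Context 0, 2 |
            Select-Object -Last 5 | ForEach-Object { $_.Line; $_.Context.PostContext }
    }
}
```

If "Running as it" prints True and the only enabled administrator is the built-in account, the disable step cannot succeed from inside the sequence regardless of how the command is spelled; that combination is what to fix before touching the task sequence itself.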
  • Now it's working.

    I created a user in unattend and added it to the Admin group.

    Then I removed all unnecessary steps in the Task Sequence, like imaging and sysprep -> see this screenshot.

    https://imgur.com/a/gN0ki6J

    I also added in the Settings.ini a command to log out the user after the wizard finishes, but I don't know if that had an impact on the issue.

    Now with a new image everything is running fine with Win10 1809. After the setup is finished the notebooks are at the logon screen ready for usage.

    Thanks for your input!

    Monday, February 11, 2019 10:02 AM