locked
disable Administrator Account and create new account part RRS feed

  • Question

  • Hi, 

    Is there any way to disable default administrator account during build and capture of image and have new account provisioned and added as administrator in Local Administrator group? If yes , how to proceed?

    Once default administrator account is disabled, how the rest of the build and capture process will proceed (i mean what accoutn will be used to autologin while build and capture process is going on)? Its MDT Task sequence in configuration manager (MDT inetgrated). 

    Any pointers will be appreciated. 

    Regards,


    Wednesday, March 19, 2014 3:19 AM

Answers

  • It doesn't answer your question directly but if this is a build and capture, can you not do this when you actually deploy the resulting image?

    A batch file in a package using NET USER and NET LOCALGROUP will let you easily create a new local administrator during build.


    • Edited by Mollypebble Wednesday, March 19, 2014 9:53 AM
    • Proposed as answer by Joyce L Thursday, March 20, 2014 9:05 AM
    • Marked as answer by MS Expert 2010 Thursday, March 20, 2014 4:48 PM
    Wednesday, March 19, 2014 9:53 AM
  • You can disable the adminstrator account and add in other accounts using an unattend.xml file

    http://technet.microsoft.com/en-us/library/dd744293(v=ws.10).aspx


    Cheers

    Paul | sccmentor.wordpress.com

    • Proposed as answer by Narcoticoo Wednesday, March 19, 2014 10:22 AM
    • Marked as answer by MS Expert 2010 Thursday, March 20, 2014 4:48 PM
    Wednesday, March 19, 2014 10:16 AM
  • Task sequences in ConfigMgr created using the default wizard already have the local admin account set to disabled, there's nothing more to do. Also, task sequences in ConfigMgr never auto-login, they use special hook in Windows setup (Vista and beyond -- for XP they replace the Gina) that enables them to perform their work without ever logging into the system. All work performed during a task sequence is done as the local System account; the local admin account is never used.

    As for adding additional accounts, you can use net user and net localgroup as suggested or the unattend.xml as suggested.


    Jason | http://blog.configmgrftw.com

    • Proposed as answer by Joyce L Thursday, March 20, 2014 9:05 AM
    • Marked as answer by MS Expert 2010 Thursday, March 20, 2014 4:48 PM
    Wednesday, March 19, 2014 12:59 PM

All replies

  • It doesn't answer your question directly but if this is a build and capture, can you not do this when you actually deploy the resulting image?

    A batch file in a package using NET USER and NET LOCALGROUP will let you easily create a new local administrator during build.


    • Edited by Mollypebble Wednesday, March 19, 2014 9:53 AM
    • Proposed as answer by Joyce L Thursday, March 20, 2014 9:05 AM
    • Marked as answer by MS Expert 2010 Thursday, March 20, 2014 4:48 PM
    Wednesday, March 19, 2014 9:53 AM
  • You can disable the adminstrator account and add in other accounts using an unattend.xml file

    http://technet.microsoft.com/en-us/library/dd744293(v=ws.10).aspx


    Cheers

    Paul | sccmentor.wordpress.com

    • Proposed as answer by Narcoticoo Wednesday, March 19, 2014 10:22 AM
    • Marked as answer by MS Expert 2010 Thursday, March 20, 2014 4:48 PM
    Wednesday, March 19, 2014 10:16 AM
  • Task sequences in ConfigMgr created using the default wizard already have the local admin account set to disabled, there's nothing more to do. Also, task sequences in ConfigMgr never auto-login, they use special hook in Windows setup (Vista and beyond -- for XP they replace the Gina) that enables them to perform their work without ever logging into the system. All work performed during a task sequence is done as the local System account; the local admin account is never used.

    As for adding additional accounts, you can use net user and net localgroup as suggested or the unattend.xml as suggested.


    Jason | http://blog.configmgrftw.com

    • Proposed as answer by Joyce L Thursday, March 20, 2014 9:05 AM
    • Marked as answer by MS Expert 2010 Thursday, March 20, 2014 4:48 PM
    Wednesday, March 19, 2014 12:59 PM
  • Hi 

    Thanks. Just to update and if any one in the same requirements. I am using below:

    created batch file with below lines. included in TS to run the batch file.

    It will disable administrator account, create new user, add it to local admin group and set the password never expire.

    ____________________________

    cd\
    c:
    net user administrator /active:no
    net user <username> <password> /ADD
    net localgroup administrators <username> /ADD
    wmic path Win32_UserAccount where Name=''username> set PasswordExpires=false
    Exit

    __________________________________________________________

    Regards,

    Thursday, March 20, 2014 4:52 PM