bootstrap.ini userid

  • Question

  • Our admin credentials are in the MDT2013 bootstrap.ini file. This means that everyone can see the credentials. I have made a deploy user which has local admin access and is granted the rights to sign on computers on the domain controllers. That user must have the right user rights to add computers to a domain.

    However, we want to use that deployment account in the bootstrap.ini so that the administrator account can be left out.

    I want to replace the line in bootstrap.ini:

    [Settings]
    Priority=Default

    [Default]
    DeployRoot=\\server\DeploymentShare$
    UserID=administrator
    UserDomain=domainname
    UserPassword=for administrator
    KeyboardLocale=0413:00020409
    SkipBDDWelcome=YES

    When I replace administrator with the deploy account and the client boots from WDS, the client gives the following message after loading LiteTouch: a connection with the deployment share could not be made.

    When I replace the deploy account with the administrator, all goes fine again.

    What rights does this user need on the domain to deploy the images through MDT and WDS?


    freddie

    Friday, March 27, 2020 10:35 AM

All replies

  • First off, I don't believe anyone can see your Bootstrap.INI file except those with access to your MDT server and who know the MDT server password.

    Secondly, the user account you need is one devoted to having the ability to join PCs to your domain. I had my server group create an AD account whose sole purpose is to be used in MDT to join PCs to the domain.
    I made sure this password could not be changed and never expires.

    My bootstrap.ini file is just like yours, only I have the domain account as the user and its password.
    No one should ever be able to see that info but MDT techs.

    Friday, March 27, 2020 3:58 PM
  • OK, but the account I'm trying to use has the rights to join PCs to the domain. I have tested this by joining a PC manually to our domain with that user...

    Where can I check that that user has the rights?

    When you go to the folder where the bootstrap.ini is located, everyone can open this file and see the password...

    I also do not know exactly who must have access to the MDT folder, or better, to the Control folder where the bootstrap.ini is located.


    freddie

    Saturday, March 28, 2020 7:39 AM
  • Whoever maintains your Active Directory accounts should be able to tell you if the account you're using has rights to join PCs to your domain.

    "when you go to the folder here the bootstrap.ini is located where everyone can open this file"
    Where is the file that anyone can open? Did you give everyone full access to your MDT server? Otherwise, please explain how everyone can open the INI file.

    Monday, March 30, 2020 2:03 PM
  • Everyone can access: \\server\deploymentshare$

    Then go to the Control folder and open bootstrap.ini

    Can I restrict access to the deploymentshare folder?


    freddie

    Tuesday, March 31, 2020 12:59 PM
  • First off, have your AD group verify that the account you are using has one main job, to join computers to your domain. I would not allow everyone to have access to your deployment share. Additionally, you should have a password to that share which no one should have but those who maintain MDT.

    So lock down your deploy and build shares with passwords and only allow certain users to have access, one being the special account which was created to join PCs to the domain. Your AD group should explain and show how that works. Edit the permissions to the share options of the deployment share folder.

    Tuesday, March 31, 2020 3:11 PM
  • Everyone can access: \\server\deploymentshare$

    Then go to the Control folder and open bootstrap.ini

    Can I restrict access to the deploymentshare folder?


    freddie

    There are two parts to a share.

    1. There's the sharing tab, which you set for Everyone, reason being you need unauthenticated requests to be able to see that the share exists. 

    2. There's the Security tab, which is your Access Control List. This is where you control who actually has rights to the folder and files. This is where you do not want "everyone" but instead want to only allow those whom you want to be using MDT for deployment.

    Using a service account is perfectly fine, just make sure it has been added to the "security tab" and has "Read & Execute" rights. Personally I've individually added the few people who do imaging and tell them to login with their own credentials. That way there's accountability and I can look at the logs to see who imaged what.


    Daniel Vega


    Wednesday, April 15, 2020 1:50 PM
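The two-part model in the answer above (Share tab open for enumeration, Security tab doing the real restriction), as an added PowerShell example that is not from this thread or from MDT itself; the share name, local path, service account and imaging group are assumed placeholders.

```powershell
# Added example: restrict an MDT deployment share so bootstrap.ini is readable
# only by the MDT service account and the imaging staff, not by Everyone.
# All names below are assumptions; replace them with your own.
$ShareName  = 'DeploymentShare$'           # assumed share name
$SharePath  = 'D:\DeploymentShare'         # assumed local path of the share
$DeployAcct = 'DOMAIN\svc-mdt-deploy'      # assumed account used in bootstrap.ini
$ImagingGrp = 'DOMAIN\MDT-Imaging-Staff'   # assumed group of people who image PCs

# 1. Share tab: Everyone keeps Read only, so unauthenticated clients can still
#    see that the share exists. Any broader grant for Everyone is removed first.
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue
Grant-SmbShareAccess  -Name $ShareName -AccountName 'Everyone'   -AccessRight Read   -Force
Grant-SmbShareAccess  -Name $ShareName -AccountName $ImagingGrp  -AccessRight Change -Force

# 2. Security tab (NTFS ACL): stop inheriting from the parent folder, copying the
#    current entries so nothing is lost, then drop the broad built-in principals.
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $SharePath -AclObject $acl

$acl = Get-Acl -Path $SharePath
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
foreach ($ace in @($acl.Access)) {
    if ($ace.IdentityReference.Value -in $broad) {
        [void]$acl.RemoveAccessRuleAll($ace)
    }
}

# Grant "Read & Execute" (inherited by subfolders and files, Control\ included)
# to the service account and the imaging group only.
$readExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($who in @($DeployAcct, $ImagingGrp)) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $who, $readExec, $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SharePath -AclObject $acl

# 3. Check the result: list who can now read the file that holds the credentials.
(Get-Acl -Path (Join-Path $SharePath 'Control\bootstrap.ini')).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run it as an administrator on the MDT server; the final listing should show only the service account, the imaging group and the local administrative entries, with no Everyone or Users entry.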