script that prompts for credentials for domain join

  • Question

  • Hi all, here is my situation. I am working on offline media for our Win10 deployment. Everything is working great, but our security team has put a roadblock on the process. They do not like the password in the customsettings.ini file, which I can respect since it is in clear text. Yes, I know about the wizard that will prompt for that if it is not configured in the INI file. The thing is, these devices would not be able to join the domain at the early point of the process, so I already moved it to later in the process by removing the domain join option from the unattend.xml file, disabling the Recover step from the TS, and then using a script to join the domain. All this works fine, except for the password in the script. There is also a step that displays a message box so it causes the process to pause so that the users can configure the VPN client; that way, during the domain join step, the device can reach the network for authentication. Once they complete the VPN connection and click OK on the message box, the process continues. Again, as is, all this works great, I just have to get past the password issue. I would love to either:

    1. move the popup wizard that prompts for the domain credentials to further down
    2. create a way for a popup to happen maybe from a script, that will allow the users to enter credentials so I won't have to put it in the script. 

    I figure some kind of input box that would mask the entry, then once they click OK to confirm, the password from the input field would pass through and allow the machine to authenticate. I hope I was able to clearly explain what I am trying to achieve and need help with.


    We sacrificed so you can enjoy a good night's sleep. Airborne Ranger all the way!!!

    Friday, January 25, 2019 4:55 PM

All replies

  • Not sure if it helps, but I don't join to a domain via the TS. I add that in my unattend. Also, the admin password that I use in that unattend gets encrypted, so if I reopen the XML it's all gibberish, so I feel pretty confident about that method of security.
    Monday, January 28, 2019 1:38 AM
  • You can do as described above, putting the join information into your unattended file. And if you select the option to hide sensitive information it will mask the passwords for that and the local admin passwords listed in the file as well.

    There is a way to hide the passwords in the ini files for MDT, see https://blogs.technet.microsoft.com/mniehaus/2012/06/27/encoding-sensitive-information-in-customsettings-ini-and-bootstrap-ini/.

    As for a script in your task sequence, that is easy to do. You can use any VBS, batch file or PowerShell script that prompts for input. The task sequence will stop at that point automatically due to that prompt and continue after you enter the information. You will need to modify the script to get the computer name from the task sequence, which I believe is OSDComputerName.

    Tuesday, January 29, 2019 1:20 PM
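The following is an added example of the approach described in the question and in the reply above (a script step that pauses the task sequence with a masked credential prompt, reads the computer name from OSDComputerName, and joins the domain without any password stored in the script). It is not code from either poster or from MDT itself; the domain name is a placeholder, and the fallback to the local hostname when the task-sequence COM object is unavailable is an assumption made so the script can be tested outside MDT.

```powershell
# Added example, not from the thread. Prompts for domain-join credentials
# during an MDT task sequence instead of keeping a clear-text password in
# the script or in customsettings.ini.

# Placeholder domain; replace with your own. (Assumption, not from the thread.)
$Domain = 'corp.example.com'

# Read the target computer name from the MDT task-sequence environment.
# Outside MDT the COM object does not exist, so fall back to the current
# hostname (assumption, added so the script can be dry-run on a workstation).
try {
    $tsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $ComputerName = $tsEnv.Value('OSDComputerName')
} catch {
    $ComputerName = $env:COMPUTERNAME
}
if ([string]::IsNullOrWhiteSpace($ComputerName)) { $ComputerName = $env:COMPUTERNAME }

# Get-Credential shows a masked dialog. The password stays a SecureString in
# memory and is never written to the script, the INI files or the MDT logs.
# Use an account that only has rights to join computers, not a domain admin.
$cred = Get-Credential -Message "Account allowed to join $ComputerName to $Domain"
if (-not $cred) {
    Write-Warning 'No credentials supplied; skipping domain join.'
    exit 1
}

# The join needs line of sight to a domain controller, i.e. the VPN from the
# earlier message-box step must be up. Check before attempting the join so a
# failure is reported clearly instead of as a generic join error.
if (-not (Test-Connection -ComputerName $Domain -Count 1 -Quiet)) {
    Write-Warning "Cannot reach $Domain; connect the VPN and rerun this step."
    exit 1
}

# Only rename during the join when the deployed name differs from the current one.
$joinArgs = @{ DomainName = $Domain; Credential = $cred; Force = $true; ErrorAction = 'Stop' }
if ($ComputerName -ne $env:COMPUTERNAME) { $joinArgs['NewName'] = $ComputerName }

try {
    Add-Computer @joinArgs
    Write-Output "Joined $ComputerName to $Domain"
    exit 0
} catch {
    # Surface the reason (bad credentials, account lacks join rights, DC unreachable)
    # so the deployment log shows why the step failed.
    Write-Warning "Domain join failed: $($_.Exception.Message)"
    exit 1
}
```

Run it as a "Run PowerShell Script" step placed after the message-box pause. The non-zero exit codes let the task sequence mark the step as failed rather than silently continuing without a domain join, and because the credential object is only held in memory for the duration of the step, nothing sensitive is left behind in the deployment share or on the deployed machine.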