Have Administrator Account disabled during task sequence?

  • Question

  • Hi folks.  I'd rather have the administrator account disabled once the task sequence is complete.  Is there a way to do this?  Thanks.
    Friday, July 15, 2016 3:40 PM

All replies

  • What account is logging onto the desktop when the TS completes? You can add a batch file in MDT:
    net user administrator /active:no
    Just open Notepad, type in the line above, name it Admin Deactivate (or whatever), and save the file as whatever.cmd and add it to MDT as an application.
    Friday, July 15, 2016 4:22 PM
  • It's logging in as administrator after task sequence is complete.
    Where can I add that command in the task sequence?

    Thank you.

    Friday, July 15, 2016 4:28 PM
  • You may just want to auto-sign on as a different user and run that command. What you're doing is logging on as admin and disabling the admin. This will work, but only after a reboot or logoff of admin.
    You can run the command near the end of the whole thing. If you get an error on the first try, you may need to run it as admin so permissions allow it to go through.
    Friday, July 15, 2016 4:35 PM
  • Right, preferably I would log in as the other user I have set up, but it uses Administrator, I think, for the deployment.

    I can just run that command I guess at the end and also put a command in to reboot.

    Friday, July 15, 2016 4:42 PM
  • No need to add a reboot if you have the Final Summary page to reboot when you click Finish. Edit your Rules (right-click deployment share/properties) and add a final line
    FinishAction=Reboot
    When you get the summary page at the end, clicking on Finish will reboot a final time.
    Friday, July 15, 2016 4:46 PM
  • Well I have a reboot in my sequence already for something else so I can use that.  Thanks!  Gonna try this today I think.
    Friday, July 15, 2016 5:56 PM
  • If it all works out please mark as answered. Thanks!
    Friday, July 15, 2016 7:15 PM
  • The way I have mine set up is (for Win7), I create a VM using an account which has admin rights, but not the administrator account. In my unattend, I delete the activate administrator step. I let that other user sign on to the desktop, and I have a command run as a batch file (MDT application) which activates the administrator. Then when I reboot, I just sign on as administrator. I do it this way because for a long while I was ending up with two admin accounts and it created a major headache. You can have MDT sign onto the desktop as whomever you want, and once there, run the job to activate the admin. In your case, I'd just remove the step in the unattend which activates the admin and sign on as someone else. If you must sign on as admin, then still run the command to deactivate it, and after reboot, it will be disabled.
    Friday, July 15, 2016 7:24 PM
  • The way I have mine set up is (for Win7), I create a VM using an account which has admin rights, but not the administrator account. In my unattend, I delete the activate administrator step. I let that other user sign on to the desktop, and I have a command run as a batch file (MDT application) which activates the administrator. Then when I reboot, I just sign on as administrator. I do it this way because for a long while I was ending up with two admin accounts and it created a major headache. You can have MDT sign onto the desktop as whomever you want, and once there, run the job to activate the admin. In your case, I'd just remove the step in the unattend which activates the admin and sign on as someone else. If you must sign on as admin, then still run the command to deactivate it, and after reboot, it will be disabled.
    This sounds like what I want to do almost completely.  I have 2 accounts in my image, Administrator and another account I created.  Can I just set my unattend to not activate the Administrator account and be done with it?  I'm trying to find that setting using Windows System Image Manager but cannot find it.  Where can I find that setting in that tool?  Thanks!
    Saturday, July 16, 2016 12:35 PM
  • I build my VM as one account and I do not ever sign on as administrator on that VM. When I create the Deploy Task Sequence, edit the Unattend, look at #4, Specialize, and amd64_Microsoft-Windows-Deployment_neutral. In the sub-folder, the first one should be Order #1 - EnableAdmin. I remove that, but then I tell the unattend to sign on as my other account, 999 times, and I enter its password. I do that in #7, OOBE, Shell-Setup, AutoLogon. At the very last step, UserAccounts, you can still add the administrator password even if you never activate that account. It will always sit there waiting for you to activate it sometime, and the password will be stored already. Then in my case, I add a small batch file to activate the administrator account from the desktop of the other account, but in your case, just skip that. You can activate it manually anytime you want from a CMD.
    Monday, July 18, 2016 1:01 PM
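
Added example (not part of the thread, and not MDT's own code): a PowerShell check of an Unattend.xml for the two settings described in the reply above, the EnableAdmin command in the specialize pass and an AutoLogon as Administrator. The sample XML is constructed, the file path in the comment is a placeholder, and the function name Test-UnattendAdminExposure is hypothetical.

```powershell
# Constructed sample: the two settings discussed in the thread, trimmed to the
# elements this check reads. To audit a real file instead, load it with:
#   [xml](Get-Content -Raw 'C:\path\to\Unattend.xml')   # placeholder path
$sample = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64">
      <RunSynchronous>
        <RunSynchronousCommand>
          <Description>EnableAdmin</Description>
          <Order>1</Order>
          <Path>cmd /c net user Administrator /active:yes</Path>
        </RunSynchronousCommand>
      </RunSynchronous>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <AutoLogon>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
        <LogonCount>999</LogonCount>
      </AutoLogon>
    </component>
  </settings>
</unattend>
'@

# Hypothetical helper name; returns one object per risky setting found.
function Test-UnattendAdminExposure {
    param([Parameter(Mandatory)][xml]$Unattend)

    $ns = New-Object System.Xml.XmlNamespaceManager($Unattend.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

    # 1. Commands that activate an account, e.g. "net user Administrator /active:yes".
    foreach ($cmd in $Unattend.SelectNodes('//u:RunSynchronousCommand', $ns)) {
        $path = $cmd.SelectSingleNode('u:Path', $ns)
        if ($null -ne $path -and $path.InnerText -match 'net(\.exe)?\s+user\s+.+/active:yes') {
            [pscustomobject]@{
                Pass    = $cmd.SelectSingleNode('ancestor::u:settings/@pass', $ns).Value
                Setting = 'RunSynchronousCommand'
                Detail  = $path.InnerText
            }
        }
    }

    # 2. AutoLogon that signs in as Administrator (English account name assumed).
    foreach ($auto in $Unattend.SelectNodes('//u:AutoLogon', $ns)) {
        $enabled = $auto.SelectSingleNode('u:Enabled', $ns)
        $user    = $auto.SelectSingleNode('u:Username', $ns)
        if ($null -ne $enabled -and $enabled.InnerText -eq 'true' -and
            $null -ne $user -and $user.InnerText -eq 'Administrator') {
            $count = $auto.SelectSingleNode('u:LogonCount', $ns)
            [pscustomobject]@{
                Pass    = $auto.SelectSingleNode('ancestor::u:settings/@pass', $ns).Value
                Setting = 'AutoLogon'
                Detail  = "Username=Administrator, LogonCount=$($count.InnerText)"
            }
        }
    }
}

$findings = @(Test-UnattendAdminExposure -Unattend ([xml]$sample))
$findings | Format-Table -AutoSize
if ($findings.Count -gt 0) { Write-Warning "$($findings.Count) setting(s) leave Administrator in use" }
```

On the constructed sample this reports both settings; an answer file edited as described above (EnableAdmin removed, AutoLogon pointed at another account) returns nothing.
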
  • I run the below script at the end of the TS. It disables the admin account using part of the SID because the spelling of the admin account changes based on the language.

    ' Disable the built-in Administrator account, located by its SID rather than its name
    Set wshShell = WScript.CreateObject("WScript.Shell")
    Set objNetwork = CreateObject("WScript.Network") ' get the current computer name
    objComputerName = objNetwork.ComputerName

    Set objwmi = GetObject("winmgmts:{impersonationLevel=impersonate}!//" & objComputerName)
    ' Set query, making sure to only look at the local computer
    qry = "SELECT * FROM Win32_Account WHERE Domain = '" & CStr(objComputerName) & "'"

    AdminName = ""
    For Each Admin In objwmi.ExecQuery(qry)
        ' Look for the admin SID (S-1-5-...-500)
        If (Left(Admin.SID, 6) = "S-1-5-" And Right(Admin.SID, 4) = "-500") Then
            AdminName = Admin.Name
        End If
    Next

    'MsgBox AdminName

    ' Quote the name in case it contains spaces; do nothing if no account was found
    If AdminName <> "" Then
        wshShell.Run "%comspec% /c net.exe user """ & AdminName & """ /active:no"
    End If

    Wednesday, July 20, 2016 11:55 AM
  • Whatever works for you. I just made a text file with
    net user administrator /active:yes   (or no)

    and saved it as a batch file and run it on each machine.

    Wednesday, July 20, 2016 12:34 PM
  • I build my VM as one account and I do not ever sign on as administrator on that VM. When I create the Deploy Task Sequence, edit the Unattend, look at #4, Specialize, and amd64_Microsoft-Windows-Deployment_neutral. In the sub-folder, the first one should be Order #1 - EnableAdmin. I remove that, but then I tell the unattend to sign on as my other account, 999 times, and I enter its password. I do that in #7, OOBE, Shell-Setup, AutoLogon. At the very last step, UserAccounts, you can still add the administrator password even if you never activate that account. It will always sit there waiting for you to activate it sometime, and the password will be stored already. Then in my case, I add a small batch file to activate the administrator account from the desktop of the other account, but in your case, just skip that. You can activate it manually anytime you want from a CMD.

    This looks great.  Probably exactly what I wanted to do.  I tried what you mentioned above but received this error

    I realized I was trying it with my previous custom image that didn't have another account in it.  I added my new image into the task sequence and ran the Edit Unattend.  It tried to build the file but then I got this error:

    Performing the operation "generate" on target "Catalog".
    Starting: "C:\Program Files\Microsoft Deployment Toolkit\Bin\Microsoft.BDD.Catalog40.exe" "D:\DeploymentShare\Operating Systems\Windows 10 x64 Pro - VLSC\Windows 10 x64 Pro OS Only Master eOpen - Updated 7.5.16.wim" 1 > "C:\Users\ADMINI~1\AppData\Local\Temp\Microsoft.BDD.Catalog.log" 2>&1
    No existing catalog file found.
    PROGRESS: 0: Starting.
    PROGRESS: 0: Creating mount folder: C:\Users\Administrator\AppData\Local\Temp\IMGMGR_Windows 10 x64 Pro OS Only Master eOpen - Updated 7.5.16_Windows 10 x64 Pro OS Only Master eOpen - Updated 7.5.16_gupw0arp.wvg.
    PROGRESS: 5: Creating temp folder: C:\Users\Administrator\AppData\Local\Temp\IMGMGR_Windows 10 x64 Pro OS Only Master eOpen - Updated 7.5.16_temp_i330gsru.3cr.
    PROGRESS: 10: Mounting Windows image: D:\DeploymentShare\Operating Systems\Windows 10 x64 Pro - VLSC\Windows 10 x64 Pro OS Only Master eOpen - Updated 7.5.16.wim. This might take a few minutes.
    PROGRESS: 30: Mounted Windows image.
    PROGRESS: 33: Serializing Data.
    PROGRESS: 63: Cleaning up...
    PROGRESS: 63: Unmounting Windows image: D:\DeploymentShare\Operating Systems\Windows 10 x64 Pro - VLSC\Windows 10 x64 Pro OS Only Master eOpen - Updated 7.5.16.wim.
    PROGRESS: 66: Deleting mount folder.
    PROGRESS: 69: Cleaning up...
    ERROR: Unable to generate catalog on D:\DeploymentShare\Operating Systems\Windows 10 x64 Pro - VLSC\Windows 10 x64 Pro OS Only Master eOpen - Updated 7.5.16.wim: System.InvalidOperationException: The operation failed to complete. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.ArgumentException: Value does not fall within the expected range.
       at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
       at Microsoft.ComponentStudio.ComponentPlatformInterface.CbsSessionAdaptor..ctor(String bootDrive, String imageWinDir, String servicingPath)
       at Microsoft.ComponentStudio.ComponentPlatformInterface.OfflineImageImpl.InitializePackages()
       at Microsoft.ComponentStudio.ComponentPlatformInterface.OfflineImageImpl..ctor(OfflineImageInfo imageInfo)
       --- End of inner exception stack trace ---
       at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
       at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
       at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes, StackCrawlMark& stackMark)
       at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
       at System.Reflection.Assembly.CreateInstance(String typeName, Boolean ignoreCase, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
       at Microsoft.ComponentStudio.ComponentPlatformInterface.Cpi.PlatformImplementation.CreateOfflineImageInstance(OfflineImageInfo imageInfo)
       --- End of inner exception stack trace ---
       at Microsoft.ComponentStudio.ComponentPlatformInterface.Cpi.PlatformImplementation.CreateOfflineImageInstance(OfflineImageInfo imageInfo)
       at Microsoft.ComponentStudio.ComponentPlatformInterface.OfflineImageCatalog.Serialize(OfflineImageInfo imageInfo)
       at Microsoft.ComponentStudio.ComponentPlatformInterface.OfflineImageInfo.CreateCatalog()
       at Microsoft.BDD.Catalog.Program.DoCatalog()
    Non-zero return code from catalog utility, rc = 2002

    So I guess I need help with this before I move on.  Help appreciated.  Thanks!  I'll be quicker to respond.  Just got hung up with other things for work and this took a backseat.  Thank you.

    Monday, July 25, 2016 2:05 PM
  • Open your Unattend normally by clicking on the OS Info tab and editing the xml. While it's open, click on Tools, then Validate. That shows any errors. I get one about IE and a setting being deprecated and that's fine. It sounds like one of the entries does not have info it's looking for. Run the Validate and see what errors appear at the bottom, rightfully it should say No warnings or errors.
    The Specialize pass is #4 in the Unattend. It's telling you that the error is in that step. Look through sub-folders in there and see if you left something blank, oftentimes a sub-folder asking for credentials. I see those and just remove them.
    • Edited by the1rickster Monday, July 25, 2016 2:14 PM more info
    Monday, July 25, 2016 2:10 PM
  • Open your Unattend normally by clicking on the OS Info tab and editing the xml. While it's open, click on Tools, then Validate. That shows any errors. I get one about IE and a setting being deprecated and that's fine. It sounds like one of the entries does not have info it's looking for. Run the Validate and see what errors appear at the bottom, rightfully it should say No warnings or errors.
    The Specialize pass is #4 in the Unattend. It's telling you that the error is in that step. Look through sub-folders in there and see if you left something blank, oftentimes a sub-folder asking for credentials. I see those and just remove them.

    Right that's what I did actually.  Opened the task sequence, clicked OS tab, then clicked Edit Unattend.xml and got that string of errors.  I just went back and tried again.  After clicking the Edit Unattend, it goes into a Get Operating System Catalog (same as before) which runs for a few minutes with hard drives definitely working on something, then got this error (looks like the same as before) :

    Performing the operation "generate" on target "Catalog".
    Starting: "C:\Program Files\Microsoft Deployment Toolkit\Bin\Microsoft.BDD.Catalog40.exe" "D:\DeploymentShare\Operating Systems\Windows 10 x64 Pro - VLSC\Windows 10 x64 Pro OS Only Master eOpen - Updated 7.5.16.wim" 1 > "C:\Users\ADMINI~1\AppData\Local\Temp\Microsoft.BDD.Catalog.log" 2>&1
    No existing catalog file found.
    PROGRESS: 0: Starting.
    PROGRESS: 0: Creating mount folder: C:\Users\Administrator\AppData\Local\Temp\IMGMGR_Windows 10 x64 Pro OS Only Master eOpen - Updated 7.5.16_Windows 10 x64 Pro OS Only Master eOpen - Updated 7.5.16_5sh5k4sd.xtc.
    PROGRESS: 5: Creating temp folder: C:\Users\Administrator\AppData\Local\Temp\IMGMGR_Windows 10 x64 Pro OS Only Master eOpen - Updated 7.5.16_temp_n1hkqluz.syb.
    PROGRESS: 10: Mounting Windows image: D:\DeploymentShare\Operating Systems\Windows 10 x64 Pro - VLSC\Windows 10 x64 Pro OS Only Master eOpen - Updated 7.5.16.wim. This might take a few minutes.
    PROGRESS: 30: Mounted Windows image.
    PROGRESS: 33: Serializing Data.
    PROGRESS: 63: Cleaning up...
    PROGRESS: 63: Unmounting Windows image: D:\DeploymentShare\Operating Systems\Windows 10 x64 Pro - VLSC\Windows 10 x64 Pro OS Only Master eOpen - Updated 7.5.16.wim.
    PROGRESS: 66: Deleting mount folder.
    PROGRESS: 69: Cleaning up...
    ERROR: Unable to generate catalog on D:\DeploymentShare\Operating Systems\Windows 10 x64 Pro - VLSC\Windows 10 x64 Pro OS Only Master eOpen - Updated 7.5.16.wim: System.InvalidOperationException: The operation failed to complete. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.ArgumentException: Value does not fall within the expected range.
       at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
       at Microsoft.ComponentStudio.ComponentPlatformInterface.CbsSessionAdaptor..ctor(String bootDrive, String imageWinDir, String servicingPath)
       at Microsoft.ComponentStudio.ComponentPlatformInterface.OfflineImageImpl.InitializePackages()
       at Microsoft.ComponentStudio.ComponentPlatformInterface.OfflineImageImpl..ctor(OfflineImageInfo imageInfo)
       --- End of inner exception stack trace ---
       at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
       at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
       at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes, StackCrawlMark& stackMark)
       at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
       at System.Reflection.Assembly.CreateInstance(String typeName, Boolean ignoreCase, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
       at Microsoft.ComponentStudio.ComponentPlatformInterface.Cpi.PlatformImplementation.CreateOfflineImageInstance(OfflineImageInfo imageInfo)
       --- End of inner exception stack trace ---
       at Microsoft.ComponentStudio.ComponentPlatformInterface.Cpi.PlatformImplementation.CreateOfflineImageInstance(OfflineImageInfo imageInfo)
       at Microsoft.ComponentStudio.ComponentPlatformInterface.OfflineImageCatalog.Serialize(OfflineImageInfo imageInfo)
       at Microsoft.ComponentStudio.ComponentPlatformInterface.OfflineImageInfo.CreateCatalog()
       at Microsoft.BDD.Catalog.Program.DoCatalog()
    Non-zero return code from catalog utility, rc = 2002

    Then after I click okay it shows this:

    Not sure what is going on...

    Monday, July 25, 2016 5:19 PM
  • Ok, this error is what made me call MS. He did all kinds of things to get it going. He took the catalog file from my DVD, put it in the folder where the correct clg should be, renamed it to what it was supposed to be after it was generated, and then I used it. It definitely is a flaw in the program. Once he got it going, I was able to create an answer file. Then later, when I had to modify it again, it again told me it could not be created. I would try to contact them directly to find a fix. It's a huge pain doing it this long way, but I can show you how I did it if you need to.
    Monday, July 25, 2016 5:42 PM
  • Ok, this error is what made me call MS. He did all kinds of things to get it going. He took the catalog file from my DVD, put it in the folder where the correct clg should be, renamed it to what it was supposed to be after it was generated, and then I used it. It definitely is a flaw in the program. Once he got it going, I was able to create an answer file. Then later, when I had to modify it again, it again told me it could not be created. I would try to contact them directly to find a fix. It's a huge pain doing it this long way, but I can show you how I did it if you need to.

    Oh boy.  I think I saw something like that on another post.  Might have found the issue though...

    So I opened the wim file in Windows System Image Manager and tried to have it build a catalog file.  I got this at the top of a long error log:

    2:05 PM : This application requires version 10.0.10586.0 of the Windows ADK.
    Install this version to correct the problem

    My version is 10.1.10586.0 that I have installed.  I'm thinking that since this server is 2012R2 and the wim is for a Windows 10 v1511 that it wants the previous version (10.0.10586.0).

    Thoughts?

    Thanks so much for your help!

    Monday, July 25, 2016 6:27 PM
  • That's the version that I had when the MS tech remoted in. He didn't mention anything about it being a conflicting version, and since I can at least get my xml's to open, I fear changing my version in the risk of things breaking, but I will continue to monitor this post for other answers.
    Monday, July 25, 2016 6:47 PM
  • That's the version that I had when the MS tech remoted in. He didn't mention anything about it being a conflicting version, and since I can at least get my xml's to open, I fear changing my version in the risk of things breaking, but I will continue to monitor this post for other answers.

    Interesting.  Well, I found a solution, I think.  I loaded up a VM of Windows 10 NON 1511 original release and installed Win10 ADK and was able to have it make a catalog file without issue from my custom WIM.  So that part is solved.  Unfortunately now when I deploy it gets to the first boot and just stops.  No errors, no windows, nothing.  Just sits at the desktop and never completes the sequence.  I'm trying to track down whatever log that might be in but haven't found it yet.  Any ideas?  Again, thanks for all your help.
    Tuesday, July 26, 2016 4:28 PM
  • Just FYI I created a new task sequence without modifying the unattend file and it installed fine so it's got something to do with the changes I'm making with the unattend file. 
    Tuesday, July 26, 2016 5:02 PM
  • Anyone still watching this???
    Wednesday, August 3, 2016 6:45 PM
  • There isn't really any hired staff that answers stuff in this forum.  I answer stuff because it is interesting.

    Many questions such as where do I find logs and what logs are interesting are found in: MDT TechNet Forum - FAQ & Getting Started Guide. Please take the time to read it. Also if you don't post logs your problem won't be easily solved.

    Thursday, August 4, 2016 1:03 AM
  • There isn't really any hired staff that answers stuff in this forum.  I answer stuff because it is interesting.

    Many questions such as where do I find logs and what logs are interesting are found in: MDT TechNet Forum - FAQ & Getting Started Guide. Please take the time to read it. Also if you don't post logs your problem won't be easily solved.

    No, I'm aware, just still having this problem.  Thought I'd send a ping :)  Thanks.
    Saturday, August 6, 2016 12:12 PM