Authenticated Users & Users missing from Root RRS feed

  • Question

  • Hello,

    Environment: MDT 2013, 2008 R2, Windows 7 x86.  MDT is located on Windows 7 x86 and is not integrated with SCCM or WDS.

    Process: Separate build, capture, and deployment task sequences.

    Problem:  After deployment the Authenticated Users and local Users are missing from the root (e.g., c:).  The only security permissions assigned to the root are SYSTEM, domain account, Local Administrator.

    This causes problems once joined to a domain due to the fact that Authenticated Users have no permissions, forcing a given user to have a temporary account.  So far, only a partial workaround has been identified, and it is undesirable in the long run.  The workaround is to manually add Authenticated Users as well as the Local Users to the root and delete the domain account, but the system will only allow partial inheritance through the file structure.  Delete all entries for a particular user in the registry (e.g., PolicyGUID, ProfileGUID, ProfileList).  Afterwards, log in to the machine with an account within the domain administrator group.

    Additional information shows the registry ProfileList entries for a user maintain partial access with a value of 204; this includes the user and a domain account within the administrator group.  The domain account present after deployment has a value of 0.  Two accounts have the expected value of 256, and they are the local and domain administrator accounts.

    Also, if the same image is deployed using the PE environment the accounts are as they should be.  The groups added are: Authenticated Users, Localmachine\Users, SYSTEM, Localmachine\Administrators.

    The questions are: why would the Authenticated Users and Local Users accounts be missing?  Why is the account used to deploy added?

    Help is very appreciated, and thank you.


    • Edited by cwright_ Thursday, August 21, 2014 10:21 PM
    Thursday, August 21, 2014 10:13 PM

Answers

  • The issue stemmed from using a 3rd party tool in the creation of Data WIMs.  Recreating the Data WIM with imagex resolved the permissions problem.

    Thank you to those for their effort of a resolution.

    • Marked as answer by cwright_ Monday, August 25, 2014 7:47 PM
    Monday, August 25, 2014 7:47 PM

All replies

  • Hello,

    Did you do a sysprep at the time of capture? What version of MDT are you using?

    Best Regards

    Friday, August 22, 2014 1:40 PM
  • I just ran a full build+capture (MDT 2013) from a VM reference machine, and then deployed to my laptop (MDT 2013 Litetouch). Permissions shown are:

    C:\>icacls c:\
    c:\ BUILTIN\Administrators:(OI)(CI)(F)
        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
        BUILTIN\Users:(OI)(CI)(RX)
        NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
        NT AUTHORITY\Authenticated Users:(AD)
        Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
    
    Successfully processed 1 files; Failed processing 0 files

    Not sure what's going on here.

    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Saturday, August 23, 2014 1:29 AM
    Moderator
  • Thanks for the reply, Nicolas.  It is an LTI TS from MDT 2013 and a standard sysprep & capture template used to pull an image.  The standard sysprep & capture template was used to keep things simple, as well as for the last attempt so far.

    We use custom deployment TS's to deploy the image.  However, we have used a standard client TS to see if there is an issue with the custom sequences and to rule out the possibility of a bad TS.

    As a note, we have attempted to use MDT 2012 to see if there is a bug affecting us from 2013 but this apparently is not the case.

    Saturday, August 23, 2014 2:25 PM
  • I did not understand whether the sysprep was done with MDT or whether you made a sysprep and capture by hand.

    Do you use an answer file? Have you tried a sysprep image capture with a WinPE CD?

    Monday, August 25, 2014 8:45 AM
  • Hello Nicholas, the sysprep and capture are completed by a default template from the MDT LTI sequence.  The answer file used is the default provided by MDT.  No attempt is made to capture from WinPE because this simply negates the point of the MDT process.  However, applying the same image from WinPE, there are no permission issues and all the appropriate groups are assigned to the root.

    With returning to the office this fine morning, I ran icacls on a machine:

    C:\Users\Administrator>icacls c:\
    c:\ No mapping between account names and security IDs was done.
    (I)(OI)(CI)(F)
        BUILTIN\Administrators:(I)(OI)(CI)(F)
        NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
        Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
    
    Successfully processed 1 files; Failed processing 0 files

    Thank you for the continued effort, Nicholas.  With the additional icacls information I will delve into the general error provided.

    Monday, August 25, 2014 3:05 PM
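    As an added example (not code from this thread), the following Python parses icacls listings like the two posted above and reports which of the expected root principals are missing and whether an ACE's SID could not be resolved (the "No mapping" message followed by a flags line with no account name); the two sample listings are transcribed from the thread.

```python
import re

# Principals a healthy Windows 7 root grants, per the working icacls listing above.
EXPECTED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM",
            "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users"}
UNRESOLVED_MSG = "No mapping between account names and security IDs was done."
FLAG_RE = re.compile(r"\(([^)]+)\)")

def parse_icacls(output, path="c:\\"):
    """Parse `icacls <path>` text into {principal: [[flags, ...], ...]}. An ACE
    with an unresolvable SID prints the 'No mapping' line then a bare flags line."""
    aces, orphaned, unresolved = {}, 0, False
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):  # first ACE shares the path line
            line = line[len(path):].strip()
        if line == UNRESOLVED_MSG:
            unresolved = True
            continue
        principal, _, flags = line.rpartition(":")
        flag_list = FLAG_RE.findall(flags)
        if not flag_list:          # blank, summary or prompt line, not an ACE
            continue
        if principal:
            aces.setdefault(principal, []).append(flag_list)
        else:                      # flags with no account name: orphaned SID
            orphaned += 1
    return {"aces": aces, "orphaned": orphaned, "unresolved": unresolved}

def audit_root_acl(output, path="c:\\"):
    # Compare a deployed image's root ACL against EXPECTED and flag defects.
    p = parse_icacls(output, path)
    missing = sorted(EXPECTED - set(p["aces"]))
    return {"missing": missing, "orphaned": p["orphaned"],
            "unresolved_sid": p["unresolved"],
            "healthy": not (missing or p["orphaned"] or p["unresolved"])}

# Constructed samples transcribed from the two icacls listings in this thread.
HEALTHY = r"""c:\ BUILTIN\Administrators:(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(RX)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
    NT AUTHORITY\Authenticated Users:(AD)
Successfully processed 1 files; Failed processing 0 files"""
BROKEN = r"""c:\ No mapping between account names and security IDs was done.
(I)(OI)(CI)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files"""
```

    Running `audit_root_acl(BROKEN)` flags the missing Users and Authenticated Users entries together with the one orphaned ACE, which is the state the deployed image was left in before the Data WIM was rebuilt.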