MDT - User accounts and Windows Updates


  • I’ve been working on MDT2012 and my Litetouch deployment is getting to a perfect place (drivers, system updates, and applications). I am running into a couple of issues that concern me, however.

    First, I am going to be deploying Win7 to at least 50 machines in a Workgroup environment for a school lab.  However, I am trying to create both an administrator account (possibility of disabling the “administrator” account and creating an administrator account with a different name) and a standard user account.  Right now, it seems that I would have to deploy, create two new accounts, and then disable the “administrator” account… not necessarily a Litetouch solution.  How can I realistically accomplish the above?

    Secondly, Windows Updates do not allow the administrator to change the option on How Windows Can Install Updates.  It is currently greyed out stating, “download updates but let me choose whether to install them” and above that it states “Some settings are managed by your system administrator.”  Where’s the setting in my unattend.xml file to change this to allow the administrator to change this setting?

    Thank you for your assistance.

    Thursday, January 17, 2013 1:03 AM

All replies

  • 1.  You can use a script to create the users.  I do it with a .cmd file that I've set up as an Application and call it with "cmd /c SetupLocalUsers.cmd".  It can look something like this:

    @Echo Off
    REM Configure Local Admin
    net User MyAdmin MyPassword /add
    net LocalGroup Administrators MyAdmin /add
    wmic UserAccount WHERE Name="MyAdmin" Set Disabled=0
    wmic UserAccount WHERE Name="MyAdmin" Set PasswordExpires=False
    REM Configure Local User
    net User MyUser MyPassword /add
    net LocalGroup Users MyUser /add
    wmic UserAccount WHERE Name="MyUser" Set Disabled=0
    wmic UserAccount WHERE Name="MyUser" Set PasswordExpires=False

    2.  If it states "Some settings are managed by your system administrator", that typically indicates it is being set by Group Policy.  However, you said that you are in a Workgroup environment, so it's more likely that the task "Apply Local GPO Package" is still enabled in your Task Sequence.  I'm not 100% sure of what it sets, but this would be my best guess.  You can find more information on that here and here.

    David Coulter | @DCtheGeek

    Thursday, January 17, 2013 2:15 AM
  • I'll definitely try this script and see if it allows me to do what I need to do.  My only concern is that it looks like the script is fairly static. For example, although the administrator will be the same across all machines, the standard user will not.  Will I have to modify the script for each machine?  Looking for something where once the deployment is complete, a prompt comes up to create a new user (kind of like OOBE).

    The Windows Update issue definitely was resolved by that, thank you!

    Thursday, January 17, 2013 4:57 PM
  • Glad your WSUS issue is solved. : )

    I didn't realize you wanted a different Standard User on each machine.  You could use the script I provided for the Local Admin on each, then do something with VBScript to create the user based on something like the machine name or something else unique.  Have a look at some of the scripting examples here.  You could accomplish the same with PowerShell if you prefer that (as shown here).

    David Coulter | @DCtheGeek

    Thursday, January 17, 2013 5:06 PM
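
Added example, not part of any reply in the thread: a PowerShell script (compatible with the PowerShell 2.0 that ships with Windows 7) that creates the differently named administrator, a standard user named after the machine, and then disables the built-in Administrator, as the original question asked. The parameter names, the function names and the `Lab-` prefix are assumptions made for illustration.

```powershell
# Added example, not from the thread. Run elevated. Parameter names and the
# "Lab-" prefix are assumptions; supply the passwords at deployment time
# instead of hard-coding them in a script stored on the deployment share.
param(
    [Parameter(Mandatory=$true)][string]$AdminName,
    [Parameter(Mandatory=$true)][string]$AdminPassword,
    [Parameter(Mandatory=$true)][string]$UserPassword
)
$ErrorActionPreference = 'Stop'

function Get-LocalAccount([string]$Name) {
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$Name'"
}

function New-LabAccount([string]$Name, [string]$Password) {
    if ($Name.Length -gt 20) { throw "Account name '$Name' is longer than 20 characters" }
    if (-not (Get-LocalAccount $Name)) {
        # New local accounts land in the Users group automatically.
        # /y suppresses the confirmation prompt for passwords over 14 characters.
        & net.exe user $Name $Password /add /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "net user failed for '$Name'" }
    }
    $acct = Get-LocalAccount $Name
    $acct.Disabled = $false
    $acct.PasswordExpires = $false   # same effect as the wmic lines in the reply
    $acct.Put() | Out-Null
}

# 1. Administrator account with a non-default name.
New-LabAccount $AdminName $AdminPassword
# Resolve the Administrators group by its well-known SID so localized names work.
$admins = (Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'").Name
$members = & net.exe localgroup $admins
if ($members -notcontains $AdminName) {
    & net.exe localgroup $admins $AdminName /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not add '$AdminName' to $admins" }
}

# 2. Standard user named after the machine (computer names are at most 15 characters).
New-LabAccount ("Lab-" + $env:COMPUTERNAME) $UserPassword

# 3. Disable the built-in Administrator (RID 500) only once the replacement exists.
$builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Name -ne $AdminName) {
    $builtin.Disabled = $true
    $builtin.Put() | Out-Null
}
```

Lite Touch runs its task sequence under the built-in Administrator account, so a script that disables that account belongs at the very end of the sequence.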