MDT - Can I disable the Administrator account

  • Question

  • I found threads on how to turn it on and maybe some on how to turn it off. I already see how to have my task sequence *NOT* enable the administrator account. I just remove the corresponding line in the unattend.xml file. However, are there any repercussions to this? I already changed what account it automatically logs into.
    Thursday, May 29, 2014 9:00 PM

All replies

  • Do not remove the administrator account from within the unattend.xml file; that will prevent MDT from performing the State-Restore phase.

    Why do you need to disable the account?!?!

    The alternative is to disable the account at the end of the deployment and/or through group policy sometime later.


    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Monday, June 2, 2014 8:39 PM
    Moderator
  • The administrator account came from Microsoft disabled; it should probably stay that way. I create another account with a unique name and it is the local administrator. Maintaining an active and enabled account named Administrator is just bad practice.

    I'll look into disabling the account afterwards.

    Monday, June 2, 2014 9:40 PM
  • Ultimately what I did was set up Final Configuration 2013, http://www.deploymentresearch.com/Research/tabid/62/EntryId/122/Final-Configuration-for-MDT-2013-Lite-Touch-now-with-Autologon-support.aspx. I edited it to stop the autologon stuff and added sections to undo what MDT does.

        ' Disable local administrator account
        strComputer = "."
        Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
        objUser.AccountDisabled = True
        objUser.SetInfo
        StatusArea.InnerHTML = StatusArea.InnerHTML & "<BR>" & "Local Administrator Disabled"

        ' Delete Administrator Filter Change
        Set objShell = CreateObject("Wscript.Shell")
        objShell.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken"
        StatusArea.InnerHTML = StatusArea.InnerHTML & "<BR>" & "Administrator Filter Change removed"

    • Marked as answer by mhammett Thursday, August 14, 2014 4:45 PM
    Thursday, August 14, 2014 4:45 PM
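
Added example, not part of the original thread and not MDT's or Final Configuration's own code: a PowerShell version of the cleanup in the answer above, meant to run elevated as the last step of the deployment. It finds the built-in Administrator by its well-known RID 500 instead of by name, refuses to disable it when no other member of the local Administrators group exists, and reports the resulting state. It assumes Windows PowerShell 5.1 or later (the LocalAccounts cmdlets); the function name `Disable-BuiltinAdministrator` is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). The function name is hypothetical.
function Disable-BuiltinAdministrator {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $valueName = 'FilterAdministratorToken'

    # The built-in Administrator keeps a SID ending in -500 even when renamed.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) { throw 'Built-in Administrator (RID 500) not found.' }

    # Lockout guard: some other principal must already be in the local
    # Administrators group (well-known SID S-1-5-32-544).
    $others = Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.SID.Value -ne $admin.SID.Value }
    if (-not $others) {
        throw 'No other member of Administrators; refusing to disable RID 500.'
    }

    if ($admin.Enabled -and $PSCmdlet.ShouldProcess($admin.Name, 'Disable account')) {
        Disable-LocalUser -SID $admin.SID
    }

    # Remove the value only if it is present, so a rerun does not fail.
    $present = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($present -and $PSCmdlet.ShouldProcess("$policyKey\$valueName", 'Remove value')) {
        Remove-ItemProperty -Path $policyKey -Name $valueName
    }

    # Re-read the state instead of trusting the calls above.
    [pscustomobject]@{
        Account      = $admin.Name
        Enabled      = (Get-LocalUser -SID $admin.SID).Enabled
        FilterValue  = [bool](Get-ItemProperty -Path $policyKey -Name $valueName `
                                -ErrorAction SilentlyContinue)
        OtherAdmins  = @($others).Count
    }
}

Disable-BuiltinAdministrator
```

Running it with `-WhatIf` shows what would change without touching the account or the registry.
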
  • Can you explain how you did that?
    Thursday, November 17, 2016 9:49 PM
  • I agree. I create virtual machines with the OS DVD and log on with a company-created admin account. I never sign on as admin on the VM. I skip (delete) the activate admin step in my unattend, sign on with my own admin account but I do set the actual admin password in the unattend. MDT signs me on with my own admin account, activates the admin account from a command line in the TS, finishes MDT then reboots after the Final Summary, at which point I sign on as Administrator. I do this because at one time my deployed PCs were ending up with two admins and this was a very reliable way to avoid that.
    Saturday, November 19, 2016 8:03 PM