Join domain during unattended win7 install fails


I have a weird issue with our unattended install of Windows 7 clients through WDS 2008R2.

During the initial boot setup we are asked for credentials. If I enter a domain admin account, the rest of the process works fine. BUT if I use a standard domain user account, the computer will not join the domain later during the first startup, even though I have stated that it should use an ImageUnattend.xml file.


<component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Identification>
    <JoinDomain>MYDOMAIN.LOC</JoinDomain>
    <UnsecureJoin>true</UnsecureJoin>
  </Identification>
</component>

I even tried to add a domain admin user's credentials in the XML file, but it still fails.


<component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Identification>
    <Credentials>
      <Domain>MYDOMAIN</Domain>
      <Password>AdminUser</Password>
      <Username>PASSWORD</Username>
    </Credentials>
    <JoinDomain>MYDOMAIN.LOC</JoinDomain>
    <UnsecureJoin>true</UnsecureJoin>
  </Identification>
</component>

The XML file is processed fine if the user is a domain admin. (I tried several standard users and admin users.)

Any idea how to allow standard users to install their OS through WDS and have the computer join the domain?



Is your DC configured to permit an unsecured join?

I have modified the default domain policy:

Default Domain Controllers Policy-Admin Templates-System-Net Logon

To ENABLED.

If that is what you refer to.

Update.

If I log on to the computer with the local administrator account and try to add the computer to the domain with a domain user, I get this error.


The join operation was not successful. This could be because an existing computer account having the name “computer name” was
previously created using a different set of credentials. Use a different computer name, or contact your administrator
to remove any stale conflicting account. The error was:

Access is denied

The computer account does not exist in AD or DNS. If I add the computer to the domain with an admin user, it is successfully added.

Edited by staun

Are you specifying a computer name in the XML?

No, I use <ComputerName>*</ComputerName>

I attached the XML-file

Update.

I tried to specify a hardcoded computer name (gulerod345) and set the machine password to the same. I saw a similar issue where that fixed the problem, but it did not help me. Here is the %windir%\debug\netsetup.log file, if that can help.


-----------------------------------------------------------------
02/23/2012 16:02:07:835 NetpDoDomainJoin
02/23/2012 16:02:07:835 NetpMachineValidToJoin: 'GULEROD345'
02/23/2012 16:02:07:835 OS Version: 6.1
02/23/2012 16:02:07:835 Build number: 7601 (7601.win7sp1_rtm.101119-1850)
02/23/2012 16:02:07:835 ServicePack: Service Pack 1
02/23/2012 16:02:07:835 SKU: Windows 7 Enterprise
02/23/2012 16:02:07:835 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
02/23/2012 16:02:07:835 NetpGetLsaPrimaryDomain: status: 0x0
02/23/2012 16:02:07:835 NetpMachineValidToJoin: status: 0x0
02/23/2012 16:02:07:835 NetpJoinDomain
02/23/2012 16:02:07:835 Machine: GULEROD345
02/23/2012 16:02:07:835 Domain: company.loc\SRV-DC-NSB3.company.loc
02/23/2012 16:02:07:835 MachineAccountOU: (NULL)
02/23/2012 16:02:07:835 Account: (NULL)
02/23/2012 16:02:07:835 Options: 0xe1
02/23/2012 16:02:07:835 NetpLoadParameters: loading registry parameters...
02/23/2012 16:02:07:835 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
02/23/2012 16:02:07:835 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
02/23/2012 16:02:07:835 NetpLoadParameters: status: 0x2
02/23/2012 16:02:07:835 NetpJoinDomain: Unsecure join requested.
02/23/2012 16:02:07:835 NetpJoinDomain: NETSETUP_MACHINE_PWD_PASSED passed, using lpPassword to authenticate as machine
02/23/2012 16:02:07:835 NetpValidateName: checking to see if 'company.loc' is valid as type 3 name
02/23/2012 16:02:08:272 NetpCheckDomainNameIsValid [ Exists ] for 'company.loc' returned 0x0
02/23/2012 16:02:08:272 NetpValidateName: name 'company.loc' is valid for type 3
02/23/2012 16:02:08:272 NetUseAdd to \\SRV-DC-NSB3.company.loc\IPC$ returned 1326
02/23/2012 16:02:08:272 Trying add to \\SRV-DC-NSB3.company.loc\IPC$ using NULL Session
02/23/2012 16:02:08:272 NetpJoinDomain: status of connecting to dc '\\SRV-DC-NSB3.company.loc': 0x0
02/23/2012 16:02:08:288 NetpJoinDomainOnDs: Passed DC 'SRV-DC-NSB3.company.loc' verified as DNS name '\\SRV-DC-NSB3.company.loc'
02/23/2012 16:02:08:288 NetpLoadParameters: loading registry parameters...
02/23/2012 16:02:08:288 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
02/23/2012 16:02:08:288 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
02/23/2012 16:02:08:288 NetpLoadParameters: status: 0x2
02/23/2012 16:02:08:288 NetpDsGetDcName: status of verifying DNS A record name resolution for 'SRV-DC-NSB3.company.loc': 0x0
02/23/2012 16:02:08:288 NetpProvisionComputerAccount:
02/23/2012 16:02:08:288 lpDomain: company.loc
02/23/2012 16:02:08:288 lpMachineName: GULEROD345
02/23/2012 16:02:08:288 lpMachineAccountOU: (NULL)
02/23/2012 16:02:08:288 lpDcName: SRV-DC-NSB3.company.loc
02/23/2012 16:02:08:288 lpDnsHostName: (NULL)
02/23/2012 16:02:08:288 lpMachinePassword: (non-null)
02/23/2012 16:02:08:288 lpAccount: company.loc\GULEROD345$
02/23/2012 16:02:08:288 lpPassword: (non-null)
02/23/2012 16:02:08:288 dwJoinOptions: 0xe1
02/23/2012 16:02:08:288 dwOptions: 0xc0000003
02/23/2012 16:02:08:288 NetpLdapBind: ldap_bind failed on SRV-DC-NSB3.company.loc: 49: Invalid Credentials
02/23/2012 16:02:08:288 NetpJoinDomainOnDs: Function exits with status of: 0x52e
02/23/2012 16:02:08:288 NetpJoinDomainOnDs: status of disconnecting from '\\SRV-DC-NSB3.company.loc': 0x0
02/23/2012 16:02:08:288 NetpDoDomainJoin: status: 0x52e

imageUnattend.xml

Edited by staun
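The log above records an unsecure join that binds as the machine account and ends with status 0x52e. As an added example (not part of the original post), this Python function pulls those fields out of netsetup.log text so that each join attempt can be read at a glance; the `WIN32` table and the `machine_bind_rejected` flag are this example's own choices, and `SAMPLE` is an excerpt of the posted log.

```python
import re

# Win32 codes a join attempt can end with (names from winerror.h).
WIN32 = {0x0: "ERROR_SUCCESS", 0x5: "ERROR_ACCESS_DENIED", 0x52e: "ERROR_LOGON_FAILURE",
         0x216d: "ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED"}

STAMP = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d:\d{3}\s+(.*)$")
LDAP = re.compile(r"ldap_bind failed on (\S+): (\d+): (.+)$")
FINAL = re.compile(r"^NetpDoDomainJoin: status: (0x[0-9a-fA-F]+)$")

def triage(log_text):
    """Summarise every NetpDoDomainJoin attempt found in netsetup.log text."""
    attempts, cur = [], None
    for raw in log_text.splitlines():
        stamped = STAMP.match(raw.strip())
        if not stamped:
            continue                       # separator or blank line
        msg = stamped.group(1).strip()
        if msg == "NetpDoDomainJoin":      # first line of a new attempt
            cur = {"unsecure": False, "account": None, "ldap": None, "status": None}
            attempts.append(cur)
            continue
        if cur is None:
            continue
        ldap, final = LDAP.search(msg), FINAL.match(msg)
        if "Unsecure join requested" in msg:
            cur["unsecure"] = True
        elif msg.startswith("lpAccount:"):
            cur["account"] = msg.split(":", 1)[1].strip()
        elif ldap:
            cur["ldap"] = (int(ldap.group(2)), ldap.group(3).strip())
        elif final:
            cur["status"] = int(final.group(1), 16)
            cur["name"] = WIN32.get(cur["status"], "UNKNOWN")
            # True when the bind was made as the machine account ('NAME$') and refused.
            cur["machine_bind_rejected"] = bool(
                cur["unsecure"] and cur["status"] == 0x52e
                and (cur["account"] or "").endswith("$"))
    return attempts

# Excerpt of the log posted above (values unchanged).
SAMPLE = r"""-----------------------------------------------------------------
02/23/2012 16:02:07:835 NetpDoDomainJoin
02/23/2012 16:02:07:835 NetpJoinDomain: Unsecure join requested.
02/23/2012 16:02:08:288 lpAccount: company.loc\GULEROD345$
02/23/2012 16:02:08:288 NetpLdapBind: ldap_bind failed on SRV-DC-NSB3.company.loc: 49: Invalid Credentials
02/23/2012 16:02:08:288 NetpDoDomainJoin: status: 0x52e
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```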

Do you pre-create the computer accounts in AD? Otherwise with your answer file it will by default try and create the computer account in the default Computers OU which in most places I have been has been restricted to domain admins only. If you supply the OU or pre-create the computer objects in the correct location with the correct name anyone with rights to join a computer to the domain should be able to.

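A check for answer files like the two posted at the top of the thread, also covering the OU point raised in the reply above. This is an added example, not code from any poster: it reports an unsecure join, a password stored in the file, and a missing `MachineObjectOU` for each `Microsoft-Windows-UnattendedJoin` component. The finding codes are this example's own names and `SAMPLE` is constructed with placeholder values.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_unattended_join(xml_text):
    """Return (code, detail) findings for each UnattendedJoin component."""
    findings = []
    for comp in ET.fromstring(xml_text).iter():
        if (_local(comp.tag) != "component"
                or comp.get("name") != "Microsoft-Windows-UnattendedJoin"):
            continue
        ident = next((e for e in comp if _local(e.tag) == "Identification"), None)
        if ident is None:
            continue
        val = {_local(e.tag): (e.text or "").strip() for e in ident.iter()}
        where = f"{comp.get('processorArchitecture', '?')} -> {val.get('JoinDomain', '?')}"
        if val.get("UnsecureJoin", "").lower() == "true":
            findings.append(("unsecure-join", where))
        if val.get("Password"):
            # Report who the secret belongs to, never the secret itself.
            who = f"{val.get('Domain', '')}\\{val.get('Username', '')}"
            findings.append(("cleartext-credentials", f"{where}: password for {who}"))
        if not val.get("MachineObjectOU"):
            findings.append(("no-machine-ou", f"{where}: account location left to the domain default"))
    return findings

# Constructed sample modelled on the second answer file in the thread; values are placeholders.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="specialize">
  <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="x86">
   <Identification>
    <Credentials>
     <Domain>MYDOMAIN</Domain>
     <Username>EXAMPLE-USER</Username>
     <Password>EXAMPLE-PASSWORD</Password>
    </Credentials>
    <JoinDomain>MYDOMAIN.LOC</JoinDomain>
    <UnsecureJoin>true</UnsecureJoin>
   </Identification>
  </component>
 </settings>
</unattend>"""

if __name__ == "__main__":
    for code, detail in audit_unattended_join(SAMPLE):
        print(code, "|", detail)
```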

You were right - it was a permissions issue. I just added a group with full control on the Computers container and voila!

Now I just need to specify lower permission on this folder - Full permissions must be overkill.

Thanks a lot!!
