
Unattend Files and Joining a Domain



I've searched on this subject on these forums and have gotten some ideas but I've worked on this issue for a week and I'm having a hard time with it. I'm wanting to be able to have an image that will prompt me to name the PC what I want it to and then join it to the domain. I know there is a bug with this that it joins the domain first before I can name the PC. I've tried some VB scripts that people have offered on the Internet and I can sysprep and it will restart and prompt me to name the PC and put in my domain admin password but it will eventually error out saying it could not parse or process the unattend file etc. I've also tried the mysysprep.exe method although I'm not sure this is supported and would rather not use it but I get the same thing with it too.

So my question is...Is there anywhere I can copy a good vbscript for doing this and go from there? If I have a good VB script I can go by then I will modify my unattend file to point to it. I'll keep searching in the meantime. This seems to be the last thing hanging me up on getting images to work the way I want them to. Thanks!



I didn't put this in my original post. I have attached my Unattend.xml file and a reg hack I run after I sysprep right before I reboot. I have pasted my script as well, below here. If you see anything that jumps out at you please let me know, thanks!

Option Explicit
Dim answer, answer2, computerName, domainAdminPass, unattendFile, WshShell, fso, unattendFileObject, strContents

unattendFile = "C:\Windows\Panther\unattend.xml"

Set WshShell = WScript.CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

' Prompt for the computer name until the operator confirms it
Do While answer <> vbYes
    computerName = InputBox("Enter the desired Computer Name:", "Computer Name")
    answer = MsgBox("Is this correct?" & vbCrLf & "Computer Name: " & computerName, vbYesNo, "Verify Name")
Loop

' Prompt for the domain admin password until the operator confirms it
' (the password is echoed back in clear text in the confirmation box)
Do While answer2 <> vbYes
    domainAdminPass = InputBox("Enter the Domain Admin Password :", "Domain Admin Password")
    answer2 = MsgBox("Is this correct?" & vbCrLf & "Domain Admin Password: " & domainAdminPass, vbYesNo, "Verify Password")
Loop

If fso.FileExists(unattendFile) = False Then
    WScript.Echo "ERROR: Could not find the unattend file"
Else
    ' Read the unattend file in and replace the appropriate placeholders
    Set unattendFileObject = fso.OpenTextFile(unattendFile, 1) ' 1 = ForReading
    strContents = unattendFileObject.ReadAll
    strContents = Replace(strContents, "ReplaceMe1", computerName)
    strContents = Replace(strContents, "ReplaceMe2", domainAdminPass)
    unattendFileObject.Close

    ' Write the updated contents back to the unattend file
    Set unattendFileObject = fso.OpenTextFile(unattendFile, 2) ' 2 = ForWriting
    unattendFileObject.Write(strContents)
    unattendFileObject.Close
End If

' Launch setup (will use the modified unattend.xml)
WScript.Sleep 5000
WshShell.Run "%WINDIR%\System32\oobe\windeploy.exe", 0, True

Unattend.xml

Sysprep Reg Hack.cmd
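
One failure mode of the placeholder substitution used in the script above, as an added example that is not part of the original post: the typed values are pasted into the XML verbatim, so a password containing & or < leaves an answer file that no longer parses, and a name longer than 15 characters or containing spaces is only rejected later by Setup. The helper names, the conservative name allow-list and the sample template are assumptions made for illustration.

```vbscript
Option Explicit
' Added example, not from the original post. Helper names are hypothetical.
' Conservative allow-list (assumption): 1-15 letters, digits or hyphens,
' and not digits only.
Function IsValidComputerName(name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^(?![0-9]+$)[A-Za-z0-9-]{1,15}$"
    IsValidComputerName = re.Test(name)
End Function

' Escape XML special characters; "&" has to be replaced first.
Function XmlEscape(value)
    Dim s
    s = Replace(value, "&", "&amp;")
    s = Replace(s, "<", "&lt;")
    s = Replace(s, ">", "&gt;")
    XmlEscape = Replace(s, """", "&quot;")
End Function

' Returns "" when the file parses as XML, otherwise the parser's reason.
Function XmlFileError(path)
    Dim doc
    Set doc = CreateObject("MSXML2.DOMDocument")
    doc.async = False
    XmlFileError = ""
    If Not doc.load(path) Then XmlFileError = doc.parseError.reason
End Function

' Demo on a constructed template (not the real answer-file layout).
Dim fso, tmp, template
Set fso = CreateObject("Scripting.FileSystemObject")
tmp = fso.BuildPath(fso.GetSpecialFolder(2).Path, fso.GetTempName)
template = "<unattend><ComputerName>ReplaceMe1</ComputerName>" & _
           "<Password>ReplaceMe2</Password></unattend>"

Sub WriteFilled(pass)
    Dim f
    Set f = fso.CreateTextFile(tmp, True)
    f.Write Replace(Replace(template, "ReplaceMe1", "LAB-PC-01"), "ReplaceMe2", pass)
    f.Close
End Sub

WriteFilled "P&ss<1"                      ' constructed sample password
WScript.Echo "raw value:     [" & XmlFileError(tmp) & "]"
WriteFilled XmlEscape("P&ss<1")
WScript.Echo "escaped value: [" & XmlFileError(tmp) & "]"
WScript.Echo "name check: " & IsValidComputerName("LAB-PC-01") & ", " & IsValidComputerName("front desk pc 01")
fso.DeleteFile tmp
```

Run with cscript.exe; in the posted script the same helpers would wrap the two Replace values and gate the name prompt loop, with XmlFileError called on the rewritten file before windeploy.exe is launched.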


I got a little further with this. I have now got past the error message "Windows could not parse or process the unattend answer file for pass [specialize]. The settings specified in the answer file cannot be applied. The error was detected while processing settings for component [Microsoft-Windows-Shell-Setup]."

I had deleted all the user accounts except for the local admin account. But I had not deleted it from the registry HKLM\Software\Windows NT\CurrentVersion\ProfileList

After doing this it ran smoothly, it prompted me for a computer name and a domain admin password. I did all this and no errors. It rebooted, however it did not join the domain and now I can't log in. The only account I had on there was my local admin account and it's not working and is now disabled. So I'm still not sure why it's not joining to the domain and why my local admin account does not work. It did not name the PC what I named it either.


The first thing I notice when I attempt to validate your answer file in Windows System Image Manager (WSIM - a part of Windows Automated Installation Kit (AIK)) is that your LocalAccount name is long and therefore receives an error that the name is deemed invalid. I realize that the name of the Local Account may have been changed for privacy purposes but please be sure to check the length of the name and first validate your answer file using WSIM. You might also want to use WSIM to create your unattended file and use it to help you add the appropriate settings for automating the domain joining. Sample unattend files can be found here.

Also, when looking for a solution to the problem you described, I came across this thread from the TechNet forums in which Mike_EEC from Microsoft provides a sample VBScript and specifies the change necessary for the specialize pass in your XML file. According to the thread, this workaround was proven successful.

There could be an issue with the way the user profiles were created and subsequently removed. As you can see in this TechNet Article it is recommended to first use Audit mode to clean up the image and then remove the temporary user account’s profile and the account itself from the Control Panel -> User Accounts -> Manage User Accounts utility. Audit mode is used to make changes to the default user profile which you can then use CopyProfile to set a customized profile.

Finally, it is always helpful to have as much information about the process you are going through as possible. It would be beneficial for us to be aware of what utilities you are using such as WDS (Windows Deployment Services) and whether that is 2003 or 2008, MDT (Microsoft Deployment Toolkit) and whether that is 2008, 2010, or 2012. For the record, MDT provides a common console and is perhaps the most recommended process and toolset for automated deployments. The Microsoft Deployment Toolkit 2012 is now available here.

Jessica

Windows Outreach Team – IT Pro

P.S. There is a Webcast coming up on May 15th and May 17th entitled "Everything You Wanted to Know and Ask about Windows Deployment" (Part 1 & 2). To register, click here.


I use wsname.exe to rename the computer using a reverse DNS lookup:

wsname /N:$DNS /REBOOT

Then, join the domain as the final step from "%windir%\Setup\SetupComplete.cmd" instead of from within the unattend.xml:

netdom join %COMPUTERNAME% /domain:mydomain.edu /UserD:admin /PasswordD:xxxxxx

(make sure that netdom.exe, netapi32.dll are in the %windir%\Setup folder or in the PATH).

Works like a charm! YMMV

Edited by jvennes

One thing about the proposed solution jvennes posted is that the netdom command is a command line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is unclear as to whether or not Crowe80 is using Windows Server 2008 or if he is using a workstation to do this deployment.

Another thing I did notice when playing with Crowe80’s provided XML file was that the name of the account is being set to “administrator” which is an account that already exists and is just disabled. I was able to successfully use the XML script within a test deployment and have my test local account: “Admin Test” add just fine. My machine also connected to the domain without error.

As it stands at the moment, I used an “*” to populate a random computer name as I have not yet tested the VB script. Again, the only changes I made to Crowe80’s XML file were the name of the computer and the name of the local account, and I updated the domain settings with my own. I also changed CopyProfile to false because I did not have any settings from the administrator account to copy to the default user profile.

It may be wise to consider recreating your image as the image you are currently using has many registry edits as it stands now. The test deployment I did was from a standard install.wim file pulled directly off of a Windows 7 installation DVD and again the local admin account was created and the machine was successfully joined to the domain.

Jessica

Windows Outreach Team – IT Pro


Thank you for some suggestions and links to refer to. Just to give you more insight. I use WSIM (version 6.1.7600.16385) on a stand alone PC to create my unattend files. From there I have a WinPE disc created that I boot to. So I have another PC that I will install Windows 7 on and get it the way I want and from what I understand for certain settings to carry over I have to set them under the local admin account. So I set all this up and have the unattend file set to true to copy profiles. I then clean up any profiles other than my local admin account. So if there is a domain account on there I delete it from C:\Users and also from the registry under the profile list. I then have my unattend file and Unedit script saved in the sysprep folder along with my reghack command which sets a registry setting to point to the script after reboot. I then open the command prompt by running it as an administrator and type: sysprep /generalize /oobe /quit /unattend:unattend.xml

It does its thing and after it's finished I run the reg hack command and reboot. From there I would put my WinPE disc in and I copy this image out to a network share that we have. After that would finish and reboot it does all its setup and prompts me for a PC name and admin password and it goes through and like I said I get to the Windows login screen but it's like it never named the PC or joined it and then my local admin account is disabled. Although I did not have the RunSynchronous path set to "net user administrator /active:yes". So I'm going to test that, that could be the disabling issue. But I still have the issue of joining a domain and getting it named. You are also correct that was not my real login account so it's actually not that long.

Also, if the MachineObjectOU is blank is that o.k.? I can manually put it where I need it once it's named in AD.

I will look at some of these suggestions and see what happens. Seems I have everything working fine except this last part and it became a little frustrating and confusing but I appreciate this site and the help I have received!!

Edited by crowe80


The first question that comes to mind when I read your configuration and your process is:

• Are you joining the machine to the domain you are intending to sysprep?

• And then subsequently unjoining the machine from the domain prior to sysprep therefore creating domain accounts that elicit removal?

As stated in this TechNet article, you should only need to remove the user accounts through the control panel and not in the registry itself. Sub-step #2 under Step 1: Configure the default user profile says: “Open the User Accounts control panel, and remove all added user accounts except for the one Administrator-level user account that you used to log on to Windows.” To be clear, it is from my experience that when one sysprep’s a machine that is currently / formerly connected to a domain one may experience unforeseen issues.

As for the administrator account being disabled, each time you run the sysprep /generalize command, the built-in Administrator account will be disabled the next time the computer starts. You could use the net user administrator /active:yes command or you could enable the built-in administrator account in the XML file as outlined in this TechNet library resource.

And finally, in answer to your question about the MachineObjectOU, it is said that you should not create an empty value for the string. However, the MachineObjectOU is an optional setting. More information on this can be found on TechNet here.

Jessica

Windows Outreach Team – IT Pro
