Windows Vista/7 Sysprep Bug - Domain Join

  • Windows Vista/7 Sysprep Bug - Domain Join

    Windows 7 sysprep still has a bug Vista had where if you use unattended domain join, it binds to the domain BEFORE you name the computer, so after you assign it a name during the OOBE, you cannot log into the domain. I can't believe they still haven't fixed this bug...
    How are you all getting around this? I used a first login script on Vista, will probably do the same for 7.
    Last edited by JK1150; 28th September 2009, 21:18.

  • #2
    Re: Windows Vista/7 Sysprep Bug - Domain Join

    I include all the settings to bypass the OOBE wizard in the unattend XML files, and generally just have a random name generated also by the unattend files. Never run into this problem.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS


    • #3
      Re: Windows Vista/7 Sysprep Bug - Domain Join

      Same here! Hey JK1150, can you share part of your first login script? I'm assuming it is a RunOnce script? Thanks!

      Lance



      • #4
        Re: Windows Vista/7 Sysprep Bug - Domain Join

        Originally posted by cruachan View Post
        I include all the settings to bypass the OOBE wizard in the unattend XML files, and generally just have a random name generated also by the unattend files. Never run into this problem.
        My issue is that I do not want my computers to have random names.

        I will also get that script to you guys as soon as I find it! I was just using netdom though.



        • #5
          Re: Windows Vista/7 Sysprep Bug - Domain Join

          OK here is what I do.
          I create the first account called "Authorize" with a password under Shell Setup > UserAccounts > LocalAccounts. This is nice because it is another basic layer of security added in case someone steals your image.
          When you log into authorize, 3 OOBE FirstLogonCommands run
          1. netdom to join the domain, netdom join /Domain: (the rest will vary based on your domain setup. You can also put them into a pre-allocated OU.)
          2. Delete the user account: net user Authorize /delete
          3. shutdown /r /f to restart the computer

          EDIT: unless you want to install RSAT to get netdom, you will have to use powershell -command "add-computer ..." (where the ... is space for the rest of the command, which will vary depending on how you want to join the domain)
          Last edited by JK1150; 29th September 2009, 15:41.



          • #6
            Re: Windows Vista/7 Sysprep Bug - Domain Join

            Originally posted by JK1150 View Post
            My issue is that I do not want my computers to have random names.

            I will also get that script to you guys as soon as I find it! I was just using netdom though.
            In that case just prestage the accounts in AD. More info at this link.

            The computer names are not really "random" though. E.g. if you use the administrator account as the authorising account during the install procedure then the computers will be called administrator1, administrator2 etc.
            BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS


            • #7
              Re: Windows Vista/7 Sysprep Bug - Domain Join

              Originally posted by cruachan View Post
              In that case just prestage the accounts in AD. More info at this link.

              The computer names are not really "random" though. E.g. if you use the administrator account as the authorising account during the install procedure then the computers will be called administrator1, administrator2 etc.
              If I prestage accounts, won't it still join with the "random" name though?



              • #8
                Re: Windows Vista/7 Sysprep Bug - Domain Join

                No, by pre-staging the account you create the computer account with the correct name in the correct OU in AD before the OS is installed. It involves an extra step during the setup phase, but the computer has the right name and is in the right OU as soon as it's built, so all your GPOs etc apply straight away.
                BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS


                • #9
                  Re: Windows Vista/7 Sysprep Bug - Domain Join

                  Originally posted by cruachan View Post
                  No, by pre-staging the account you create the computer account with the correct name in the correct OU in AD before the OS is installed. It involves an extra step during the setup phase, but the computer has the right name and is in the right OU as soon as it's built, so all your GPOs etc apply straight away.
                  For us, it is still not going to be easy to prestage all our computers for imaging. I would rather get a post logon command to work since I want to delete the temp account Vista/7 forces you to create anyway.

                  I'd rather not install RSAT to get netdom working, but my powershell command (add-computer) is having problems. I made the command to join the domain and it will ask for a password when run from a command line. However, when running as a synchronous command it doesn't prompt for the password.



                  • #10
                    Re: Windows Vista/7 Sysprep Bug - Domain Join

                    I'm about to give up here, when running the add-computer as a synchronous command, I can't get it to prompt for credentials, even with "RequiresUserInput" set to true.
                    Embedding the credentials into add-computer seems extremely complicated, as you have to create a whole script to pass the credentials through.
                    Adding netdom via RSAT also adds AD Users & Computers amongst other things, which I do not want.

                    Any suggestions?



                    • #11
                      Re: Windows Vista/7 Sysprep Bug - Domain Join

                      Just wanted to give an update:

                      Turns out my problem was that while in Windows, you can use the command powershell -command "sample-command"
                      in FirstLogonCommands, you have to use:
                      C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe -Command "sample-command"

                      You can set the command RequiresUserInput to true so you are properly prompted for the credentials as well.

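The three FirstLogonCommands from post #5, using the full PowerShell path from post #11, sketched as an answer-file fragment. This is an added example, not the poster's own file: the domain corp.example.com, the CORP\joiner account, the OU path and the amd64 architecture are placeholders. Because RequiresUserInput makes the join prompt for the password, no domain credential is stored in the answer file or in the image.

```xml
<!-- Added example. Constructed placeholders: corp.example.com, CORP\joiner, the OU path, amd64. -->
<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS">
      <!-- The local "Authorize" account is defined under UserAccounts > LocalAccounts
           in this same component (omitted here). -->
      <FirstLogonCommands>
        <!-- 1. Join the domain. Full path to PowerShell.exe, as post #11 found necessary.
                -Credential with only a user name makes Add-Computer prompt for the password. -->
        <SynchronousCommand wcm:action="add">
          <Order>1</Order>
          <Description>Join domain (prompts for the join account password)</Description>
          <CommandLine>C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe -Command "Add-Computer -DomainName corp.example.com -OUPath 'OU=Workstations,DC=corp,DC=example,DC=com' -Credential CORP\joiner"</CommandLine>
          <RequiresUserInput>true</RequiresUserInput>
        </SynchronousCommand>
        <!-- 2. Remove the temporary local account used for first logon. -->
        <SynchronousCommand wcm:action="add">
          <Order>2</Order>
          <Description>Delete the temporary Authorize account</Description>
          <CommandLine>net user Authorize /delete</CommandLine>
          <RequiresUserInput>false</RequiresUserInput>
        </SynchronousCommand>
        <!-- 3. Restart so the domain membership takes effect. -->
        <SynchronousCommand wcm:action="add">
          <Order>3</Order>
          <Description>Restart</Description>
          <CommandLine>shutdown /r /f</CommandLine>
          <RequiresUserInput>false</RequiresUserInput>
        </SynchronousCommand>
      </FirstLogonCommands>
    </component>
  </settings>
</unattend>
```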


                      • #12
                        Re: Windows Vista/7 Sysprep Bug - Domain Join

                        Originally posted by JK1150 View Post
                        For us, it is still not going to be easy to prestage all our computers for imaging. I would rather get a post logon command to work since I want to delete the temp account Vista/7 forces you to create anyway.
                        If you don't configure the unattend files to create a user account, then not only do you not need to create a local account, but the local Administrator account is also disabled. Only Domain Accounts can logon. It's only if you manually go through the OOBE wizard that you have to create a local account, which I agree is very annoying and a huge security risk if you let users run through the wizard themselves.
                        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS


                        • #13
                          Re: Windows Vista/7 Sysprep Bug - Domain Join

                          Originally posted by cruachan View Post
                          If you don't configure the unattend files to create a user account, then not only do you not need to create a local account, but the local Administrator account is also disabled. Only Domain Accounts can logon. It's only if you manually go through the OOBE wizard that you have to create a local account, which I agree is very annoying and a huge security risk if you let users run through the wizard themselves.
                          I am creating an image for OEM installs, so we can't skip the OOBE because we at least need to put in a product key. So long as you don't skip the OOBE, you have to create a local user either unattended or through the wizard. The only way I can see around that is having sysprep skip the OOBE, but that's bad practice and not sure even that will work.



                          • #14
                            Re: Windows Vista/7 Sysprep Bug - Domain Join

                            As far as I know Windows 7 doesn't require a product key during the OOBE or install, last install I did (admittedly RC) I put the key in later through the system properties console. Haven't done much in the way of 7 deployments as yet though, so I'd need to do some more research there.

                            I'm confused though, if you are creating OEM images and must run the OOBE then why are you joining the machines to a domain?
                            BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS


                            • #15
                              Re: Windows Vista/7 Sysprep Bug - Domain Join

                              Originally posted by cruachan View Post
                              As far as I know Windows 7 doesn't require a product key during the OOBE or install, last install I did (admittedly RC) I put the key in later through the system properties console. Haven't done much in the way of 7 deployments as yet though, so I'd need to do some more research there.

                              I'm confused though, if you are creating OEM images and must run the OOBE then why are you joining the machines to a domain?
                              You are right, it does not require a product key. But at the end of the day I'd rather not skip the OOBE since I have this solution working. Preconfiguring the computer accounts in AD is just too much hassle for me.

                              I should rephrase that, I am creating images for OEM licenses, so I will order a computer with Windows 7 Pro, and then apply my image of Windows 7 Pro and use the key that came with the computer. This way I will keep within licensing terms.
