Creating admin users via batch
As we deploy machines and get our master image perfect... Sysprep likes only one user for our custom "default profile". I'd like to add at least 1 extra user to the machine after imaging using a batch file and create the profile automatically (without logging in as that user). The idea is that once the new user profile has been created, we can push shortcuts, etc. to it. Does that make sense?
So, here's where I'm stuck. Here's my batch file:
net user /add user1 password
net localgroup administrators user1 /add
net share concfg=C:\ /grant:user1,full
*Insert create profile command*
-
Could you tell what OS and architecture you are wanting to add the users to using the unattend.xml and I can give you the short answer? I'm assuming Windows 7 64bit... - crispybiscuit 11 years ago
Answers (5)
I'm not sure why you are using sysprep unless this is either for Windows XP or a System Image. For Scripted Installations I would recommend using an unattend.xml generated by Windows System Image Manager. You can add multiple local admin accounts that way.
Otherwise:
http://stackoverflow.com/questions/4971982/vbscript-for-creating-local-account-and-adding-to-admin-group-used-to-work-prior
Change the lines:
strUser = inputbox("Enter the username for the new admin account.")
strPass = inputbox("Enter the password for the new account.")
To:
strUser = "Username"
strPass = "Password"
Where "Username" is the Username and "Password" is the actual Password. (Yes I know that's obvious but...)
Name it adminuser.vbs and call it from a command line like:
cscript.exe adminuser.vbs
You can upload the script as a Post-Installation Task on the K2000. No need for a "batch" file to run it then, but you can call the script from a batch.
To protect the user and password in the script, encrypt it with screnc.exe which you can find online. Make sure to rename it to .vbe though if you do.
Veritas Amor Pax
Comments:
-
He didn't include the K2000 tag on the post so assuming he's deploying with the K2000 might not be correct. - chucksteel 11 years ago
-
I just assumed so because the K2000 handles system images while the K1000 handles inventory, patching, and package management mostly. Sometimes you have to put "K1000" or "K2000" in your title to get the tags to show up. At least, that's what works for me. Then I remove them from the title if I want. If anyone has a better way of getting tags to show up please tell me! Thanks! - crispybiscuit 11 years ago
I don't believe there is a way to create a user's profile without having the user login to the computer.
Comments:
-
Thanks for the feedback. You're right, Chucksteel, I want to use this batch/script with the K1000 box if at all possible. But the possibility of adding the user on the deployment side intrigues me... What do I need to add to my unattend.xml file to make "User2"? I'm poking around the Win System Image Manager and probably overlooking the Components... - jbryant 11 years ago
-
To add an account with the unattend look in Microsoft-Windows-Shell-Setup, User Accounts, Local Accounts. - chucksteel 11 years ago
-
Go with this jb! You can add DomainAccounts like groups as well. Thanks Chuck! That's the short of it. Been wanting to respond but that whole work business got in the way.
All of this is under "oobeSystem" I believe. - crispybiscuit 11 years ago
-
You can create the profile with the script above, but if you want the actual user folder and files to appear they will have to log on. You can easily create a script in "Scripting" of the K1000 to create this profile on all machines. I was planning on making a blog post today similar to your request. It's a script to change the admin password of all machines using the Scripting feature of the K1000. Its use is for when someone unfortunately leaves employment and the password has to be changed. I also have it set to a schedule just in case anyone gets sneaky or sloppy.
Give me a second and I'll post the how to on adding users with the unattend.xml file. Shoot I may make that a blog post as well as you can use it to add domain groups to the local admin group and therefore have all your techs in that domain group and they will be local admins with their own logins everywhere they go. Need some caffeine first. - crispybiscuit 11 years ago
You can't create a profile via cmd line (I think??), the best you can do is auto logon for that profile, then logout/reboot or whatever.
Have a look at this link below, it will create an auto logon on next reboot, set the AutoLogonCount:1 (note the REG_DWORD, other websites say REG_SZ which is WRONG). When AutoLogonCount hits zero it will remove the password etc - check though!
http://www.computerperformance.co.uk/windows7/windows7_auto_logon.htm
After you auto logon I would suggest adding something to RunOnce reg key:
- like to run a batch file to wait 2 mins (chance for the profile to sort itself out),
- then a cmd to log off or reboot. If you're worried about security you can also send a lock workstation in the batch file (rundll32.exe user32.dll,LockWorkStation)
Run Once: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Good luck.
Comments:
-
Yeppers! You could make a script to do this and auto reboot the computer as well and send it out through the K1000. This procedure would create the profile files if needed in answer to ChuckSteel above. - crispybiscuit 11 years ago
If you have pstools you can remotely log into the computer with it and that will create the profile.
Comments:
-
Certain classrooms need a local user and we need to put a special link on the desktop for new student orientation. We use the k1000 to create the user with net use command and then use psexec running a txt list of the machines and that creates the profile in the background and the psexec command copies the link for us without ever touching the machines. - SMal.tmcc 11 years ago
-
Sounds interesting. Care to share? - jbryant 11 years ago
-
We run this from a server vs w/s so certain staff can remote to server and run and we only have one set of files out there.
We have text files for the classrooms with the machine names in them
example red-121.txt would look like:
red-121-01
red-121-02
red-121-03
etc.......
then using pstools psexec we call that text file and a batch file to do the task. The user you name in the psexec gets passed to the machines and if that profile does not exist it does a remote login and the profile gets created.
the call would be
psexec @red-121.txt -i -accepteula -u (user or domain\user) -p password -d fixicon.bat
you should be able to upload psexec and the batch file as dependencies and then call that via a k1000 script even - SMal.tmcc 11 years ago
JB,
I don't know when I'll have time to type up a blog about all the cool things you can do with the unattend.xml, but I want to give you something that you can pick apart. I've removed all my employer's info of course so hunt through and enter your info. If you need this for 32 bit, just replace:
processorArchitecture="amd64"
With:
processorArchitecture="x86"
Well, at least I think that will work. Haven't tested it. Just didn't have time to edit out the info on the 32bit version I created.
Here's the xml:
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <UseConfigurationSet>true</UseConfigurationSet>
      <UserData>
        <AcceptEula>true</AcceptEula>
        <FullName>FULL_NAME</FullName>
        <Organization>YOUR_ORGANIZATION</Organization>
      </UserData>
      <ImageInstall>
        <OSImage>
          <InstallToAvailablePartition>true</InstallToAvailablePartition>
        </OSImage>
      </ImageInstall>
      <EnableNetwork>false</EnableNetwork>
    </component>
    <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <UILanguage>en-US</UILanguage>
      <SetupUILanguage>
        <UILanguage>en-US</UILanguage>
      </SetupUILanguage>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <RegisteredOwner>AutoBVT</RegisteredOwner>
      <RegisteredOrganization>Microsoft</RegisteredOrganization>
      <TimeZone>Central Standard Time</TimeZone>
      <ComputerName>*</ComputerName>
      <ShowWindowsLive>false</ShowWindowsLive>
      <Themes>
        <ThemeName>aero</ThemeName>
      </Themes>
    </component>
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <Identification>
        <UnsecureJoin>FALSE</UnsecureJoin>
        <Credentials>
          <Domain>YOUR.DOMAIN.LOCAL</Domain>
          <Password>DOMAIN_ADMIN_PASSWORD</Password>
          <Username>DOMAIN_ADMIN_USER</Username>
        </Credentials>
        <JoinDomain>YOUR.DOMAIN.LOCAL</JoinDomain>
        <MachineObjectOU/>
      </Identification>
    </component>
    <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <RunSynchronous>
        <RunSynchronousCommand wcm:action="add">
          <Path>reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\FirstNetwork" /v Category /t REG_DWORD /d 00000001 /f</Path>
          <Description>Setting Network Location</Description>
          <Order>2</Order>
          <WillReboot>OnRequest</WillReboot>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Path>net user administrator /active:yes</Path>
          <Order>1</Order>
          <Description>Enable Default Admin</Description>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>3</Order>
          <WillReboot>OnRequest</WillReboot>
          <Description>Setting Network Name</Description>
          <Path>reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\FirstNetwork" /v NetworkName /t REG_SZ /d "Work" /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>4</Order>
          <Description>Setting Network Icon</Description>
          <WillReboot>OnRequest</WillReboot>
          <Path>reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\FirstNetwork" /v IconPath /t REG_SZ /d "%WINDIR%\system32\NetworkList\Icons\StockIcons\Office" /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>5</Order>
          <Description>Setting Power Plan</Description>
          <WillReboot>OnRequest</WillReboot>
          <Path>POWERCFG -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>6</Order>
          <Description>Setting Monitor Timeout</Description>
          <WillReboot>OnRequest</WillReboot>
          <Path>POWERCFG -X -monitor-timeout-ac 0</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>7</Order>
          <Description>Setting Disk Timeout</Description>
          <WillReboot>OnRequest</WillReboot>
          <Path>POWERCFG -X -disk-timeout-ac 0</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>8</Order>
          <WillReboot>OnRequest</WillReboot>
          <Description>Setting Standby Timeout</Description>
          <Path>POWERCFG -X -standby-timeout-ac 0</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Description>Setting Hibernate Timeout</Description>
          <Order>9</Order>
          <Path>POWERCFG -X -hibernate-timeout-ac 0</Path>
          <WillReboot>OnRequest</WillReboot>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>10</Order>
          <Description>Setting Hibernate to Disabled</Description>
          <Path>POWERCFG -H OFF</Path>
          <WillReboot>OnRequest</WillReboot>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>11</Order>
          <Description>Setting RemoteRegistry to Auto</Description>
          <WillReboot>OnRequest</WillReboot>
          <Path>sc config RemoteRegistry start= auto</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>12</Order>
          <Description>Setting FireWall to disabled</Description>
          <WillReboot>OnRequest</WillReboot>
          <Path>netsh advfirewall set privateprofile state off</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>13</Order>
          <Description>Setting NIC Auto Power Off to Never</Description>
          <Path>reg add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007" /v PnPCapabilities /t REG_DWORD /d "280" /f</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>14</Order>
          <Path>reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v SoftwareSASGeneration /t REG_DWORD /d "3" /f</Path>
          <WillReboot>OnRequest</WillReboot>
          <Description>Enable SAS for Bomgar</Description>
        </RunSynchronousCommand>
      </RunSynchronous>
    </component>
    <component name="Microsoft-Windows-IE-InternetExplorer" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <SearchScopes>
        <Scope wcm:action="add">
          <ScopeDefault>true</ScopeDefault>
          <ScopeDisplayName>Google</ScopeDisplayName>
          <ScopeKey>SearchProvider1</ScopeKey>
          <ScopeUrl>http://www.google.com/search?q={searchTerms}</ScopeUrl>
        </Scope>
      </SearchScopes>
      <DisableWelcomePage>true</DisableWelcomePage>
      <Home_Page>http://www.yourhomepage.com</Home_Page>
      <DisableFirstRunWizard>true</DisableFirstRunWizard>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Name>Administrator</Name>
            <Group>Administrators</Group>
            <Password>
              <Value>ENCRYPTED_PASSWORD</Value>
              <PlainText>false</PlainText>
            </Password>
            <Description>Local Administrator</Description>
            <DisplayName>Administrator</DisplayName>
          </LocalAccount>
        </LocalAccounts>
        <AdministratorPassword>
          <Value>ENCRYPTED_PASSWORD</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <DomainAccounts>
          <DomainAccountList wcm:action="add">
            <Domain>YOUR.DOMAIN.LOCAL</Domain>
            <DomainAccount wcm:action="add">
              <Group>Administrators</Group>
              <Name>DOMAIN_WORKSTATION_ADMIN_GROUP</Name>
            </DomainAccount>
          </DomainAccountList>
        </DomainAccounts>
      </UserAccounts>
      <DoNotCleanTaskBar>true</DoNotCleanTaskBar>
      <RegisteredOrganization>YOUR_ORGANIZATION</RegisteredOrganization>
      <RegisteredOwner>YOUR_OWNER</RegisteredOwner>
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <NetworkLocation>Work</NetworkLocation>
        <ProtectYourPC>3</ProtectYourPC>
        <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
      </OOBE>
      <AutoLogon>
        <Password>
          <Value>ENCRYPTEDPASSWORD</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <LogonCount>2</LogonCount>
        <Username>administrator</Username>
      </AutoLogon>
    </component>
    <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <InputLocale>en-us</InputLocale>
      <SystemLocale>en-us</SystemLocale>
      <UILanguage>en-us</UILanguage>
      <UserLocale>en-us</UserLocale>
    </component>
  </settings>
  <settings pass="generalize">
    <component name="Microsoft-Windows-Security-SPP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <SkipRearm>1</SkipRearm>
    </component>
    <component name="Microsoft-Windows-PnpSysprep" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <DoNotCleanUpNonPresentDevices>true</DoNotCleanUpNonPresentDevices>
      <PersistAllDeviceInstalls>true</PersistAllDeviceInstalls>
    </component>
  </settings>
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-LUA-Settings" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <EnableLUA>false</EnableLUA>
    </component>
  </settings>
  <cpi:offlineImage xmlns:cpi="urn:schemas-microsoft-com:cpi" cpi:source="wim:d:/win7ent/sources/install.wim#Windows 7 ENTERPRISE"/>
</unattend>
Just pick through it and see if you find anything you like. Look at the RunSynchronousCommand's. There's some goodness there!
Bonne chance!
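A review check for answer files like the one posted above, as an added example that is not part of the original thread or of any Microsoft or KACE tool: it parses an unattend.xml and lists the settings that leave credentials, extra administrators or weakened defaults on the imaged machine. The function name, finding labels and the sample document are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}
RISKY_CMDS = [  # commands that appear in the answer file's RunSynchronousCommand list
    (re.compile(r"netsh\s+advfirewall\b.*\bstate\s+off", re.I), "firewall profile disabled"),
    (re.compile(r"net\s+user\s+administrator\s+/active:yes", re.I), "built-in Administrator enabled"),
]

def audit_unattend(xml_text):
    """Return (pass, component, finding) tuples for an unattend.xml document."""
    findings = []
    for settings in ET.fromstring(xml_text).findall("u:settings", NS):
        for comp in settings.findall("u:component", NS):
            where = (settings.get("pass"), comp.get("name"))
            for el in comp.iter():
                tag, text = el.tag.split("}")[-1], (el.text or "").strip()
                if tag in ("Password", "AdministratorPassword"):
                    # Windows SIM's PlainText=false form is Base64 obfuscation, not encryption.
                    value = el.findtext("u:Value", default=text, namespaces=NS).strip()
                    plain = el.findtext("u:PlainText", default="true", namespaces=NS).strip().lower()
                    if value:
                        kind = "plaintext" if plain == "true" else "obfuscated (not encrypted)"
                        findings.append(where + (f"{kind} credential in <{tag}>",))
                elif tag == "Path":
                    findings += [where + (label,) for rx, label in RISKY_CMDS if rx.search(text)]
                elif tag == "EnableLUA" and text.lower() == "false":
                    findings.append(where + ("UAC disabled (EnableLUA=false)",))
                elif tag in ("LocalAccount", "DomainAccount") and el.findtext("u:Group", "", NS) == "Administrators":
                    findings.append(where + (f"{tag} {el.findtext('u:Name', '?', NS)} added to Administrators",))
    return findings

# Constructed sample: a cut-down answer file with placeholder values, not the poster's file.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize"><component name="Microsoft-Windows-UnattendedJoin">
 <Identification><Credentials><Password>CONSTRUCTED_SECRET</Password></Credentials></Identification>
</component><component name="Microsoft-Windows-Deployment">
 <RunSynchronous><RunSynchronousCommand><Path>netsh advfirewall set privateprofile state off</Path></RunSynchronousCommand></RunSynchronous>
</component></settings>
<settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
 <UserAccounts><LocalAccounts><LocalAccount><Name>User2</Name><Group>Administrators</Group>
 <Password><Value>CONSTRUCTED_VALUE</Value><PlainText>false</PlainText></Password></LocalAccount></LocalAccounts></UserAccounts>
</component></settings>
<settings pass="offlineServicing"><component name="Microsoft-Windows-LUA-Settings">
 <EnableLUA>false</EnableLUA></component></settings>
</unattend>"""

if __name__ == "__main__":
    print(*audit_unattend(SAMPLE), sep="\n")
```

Run against a real answer file, each finding is a prompt to confirm the setting is intended and that copies of the file left on the image (for example under the Panther folders) are removed after setup.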