Rename built-in Administrator account on K2000 (KACE SDA) system image
Has anyone found a way to deploy a system image on the K2000 with a renamed Administrator account (not an additional local administrator account, but the 'built-in' administrator account.
I'm aware that if the account is renamed when preparing the 'base' image, then sysprep will revert it back to 'Administrator' when the image is deployed.
This can't be done as a post-install task for two reasons:
1. The unnatend.xml is set to autologin to an account named 'Administrator' so renaming the account during the post-install task phase will stop it logging in again after reboots (and halt any further post-installation tasks).
2. In order to do this properly, I would want to rename the Administrator account and delete the Administrator profile - I can only do this if I'm logged on as another account (i.e. NOT Administrator) and it's the Administrator account that the task engine logs in as to perform the post-install tasks.
Looking around, the method of getting around this seems to be adding the following command:
wmic useraccount where name="Administrator" call rename "[new admin account name]"
to the file 'SetupComplete.cmd' located in %windir%\Setup\Scripts. This script should run before Sysprep does its stuff, and you can edit the 'unattend.xml' to reference the 'new' name for the built-in administrator account so that it can autologon etc.
However, the K2000 task engine seems to overwrite the existing 'SetupComplete.cmd' with its own version which points towards the list of post-install tasks etc, so in the process knobbles the command in there that would otherwise rename the built-in admin account.
I know the first question may be 'why do you want to rename the built-in administrator account' but it's a historical/legacy/consistency thing across our site.
This is easy enough to achieve with a script at the post-image 'configuration' stage of our builds, but it would be rather nice to get the K2000 to do it for me as part of the image deployment.
Any ideas? Many thanks in advance.
Edit: I ought to point out, these are Windows 7 systems we're deploying with the K2000.
Answers (1)
why don't you do what I do to autologin the sysprep image. I create a local admin account named installer prior to sysprep. So I have 2 local admin accounts, installer and administrator. You then put the user installer in your answer file (do not login prior to sysprep with the account installer to avoid an extra profile in your image.)
<AutoLogon>
<Password>
<Value>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</Value>
<PlainText>false</PlainText>
</Password>
<Enabled>true</Enabled>
<LogonCount>3</LogonCount>
<Username>installer</Username>
</AutoLogon>
during post I join the machine to the domain and delete that account and you could put the rename in the post task since it will be logged in as someother admin account
as example:
:this will rename the administrator account, set it active and set a password, we are currently autologged in as local installer
start /wait wmic useraccount where name="Administrator" call rename "newadmin"
start /wait net user newadmin /active:yes
Start /wait net user newadmin newpassword
:this changes the autologin to the domain account acad\installer
start /wait reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoAdminLogon /d 1 /f
start /wait reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoLogonCount /t REG_DWORD /d 3 /f
start /wait reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultDomainName /d acad /f
start /wait reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName /d installer /f
start /wait reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassWord /d password /f
:this deletes the local user installer, even if I am logged doing post tasks as this user the delete still works
start /wait net user installer /delete
:this joins to acad domain and the post task finish, the machine reboots and comes up logged in the acad domain as acad\installer
start /wait cscript.exe c:\windows\w2d\join_domain.vbs acad.tmcc.edu installer password
Comments:
-
Thanks, interesting suggestion. I had considered something like this, but it involves logging on as a domain account that we wouldn't normally need to log on as (and creating another profile on the computer for this account). The only domain account we would normally log on as after imaging, is the user for whom we were setting the machine up, and from here it'seasy to run a script that renames the administrator account and deletes the administrator profile. I just wondered if there was a way to rename the built-in Administrator account from 'inception' and keep it that way through the imaging process. Thank you for your reply though, it was particularly interesting to see how you changed the autologon behaviour through the registry entries. - Chordmeister 9 years ago
-
What you can do is still create an self destructing local user like I do, but in the post tasks go this route instead. Call the user even something like "syspreper"
Create a local admin account named syspreper prior to sysprep, set a password on the account. So you will have 2 local admin accounts, syspreper and administrator. You then put the user syspreper in your answer file (do not login prior to sysprep with the account syspreper to avoid an extra profile in your image.)
:Add this to the answer file xml
<AutoLogon>
<Password>
<Value>SysprepersPassword</Value>
<PlainText>True</PlainText>
</Password>
<Enabled>true</Enabled>
<LogonCount>3</LogonCount>
<Username>syspreper</Username>
</AutoLogon>
::Run this as last post task:
start /wait wmic useraccount where name="Administrator" call rename "newadmin"
start /wait net user newadmin /active:yes
Start /wait net user newadmin newpassword
:use this section if you want the box to autologin as local newadmin after post imaging
start /wait reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoAdminLogon /d 1 /f
start /wait reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoLogonCount /t REG_DWORD /d 2 /f
start /wait reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName /d newadmin /f
start /wait reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassWord /d newpassword /f
start /wait reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultDomainName /f
:this deletes the local user syspreper, even if it logged on doing post tasks
start /wait net user syspreper /delete - SMal.tmcc 9 years ago-
Ok, just one thing - how would the last command get executed automatically once logged on as 'newadmin'? - Chordmeister 9 years ago
-
the box does not reboot till after the post tasks are run so that delete actually happens when the box is still logged in as syspreper (he deletes his own account). Deleting the account prevents that user from logging in but if they are already logged in it does not throw them off that session. the kbox reboots automatically after post tasks so at that point it will use the newadmin credentials to log back in and finish the post cleanup phase. - SMal.tmcc 9 years ago
-
you can also add a line like this if you want to delay the delete till after the reboot and login as newadmin
start /wait reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v deletesyspreper /d "net user syspreper /delete" /f
I posted a blog about this trick
http://www.itninja.com/blog/view/run-batch-files-or-apps-after-kace-k2000-3-6-is-done-with-it-s-post-imaging-tasks - SMal.tmcc 9 years ago -
Hey, I like what you did nesting the 'run once's in the registry, very clever. :) That kind of answers my last question, which was going to be: I can delete a user account whilst logged on to it, but I can't delete the profile for that user account whilst logged to it - how do I delete the profile?
I guess I can use your reboot delay registry trick to ensure that the run once command to delete the profile (I use remprof.exe) happens after the autologon to the renamed administrator account. - Chordmeister 9 years ago -
What user profile are you trying to delete?
If it is one in your sysprep the guid will remain constant and all you should have to do is nuke/change 1 or 2 registry keysets and do a rd c:\users\name /q /s
If you want to change the admin user to use a new profile when you rename you can repoint him to a new profile directory prior to reboot or sysprep shutdown and rd c:\user\admistrator and he will then create a new profile when looged into and the administrator profile will not be locked.
the key to change is
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-627490252-3428972242-1794926782-500]
"ProfileImagePath"
but it is stored hex value so
C:\Users\Administrator translates to hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,41,00,64,00,6d,00,69,00,6e,00,69,00,73,00,74,00,72,00,61,00,74,00,6f,00,\
72,00,00,00
if you change it via regedit while logged in as admin just before you call sysprep that will work. Or edit it to the new directory name you want to use, export the keys and get the hex value and do a reg add in post tasks to change it.
So for example I want TMCCadmin as the user and profile name, run regedit and change that key to c:\users\tmccadmin and export, I get this code.
hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,54,00,4d,00,43,00,43,00,61,00,64,00,6d,00,69,00,6e,00,00,00
so I can then create a reg.exe add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-627490252-3428972242-1794926782-500] /v "ProfileImagePath" /t reg_expand_sz /d "43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,54,00,4d,00,43,00,43,00,61,00,64,00,6d,00,69,00,6e,00,00,00" /f - SMal.tmcc 9 years ago -
Ok, I think was overcomplicating things in my last reply. Suffice to say, the techniques you suggested have allowed me to achieve what I wanted to do, so many thanks indeed. Will write up exactly how I did it later and post here, in case it's useful to anyone else. - Chordmeister 9 years ago
-
--- FINAL SOLUTION ---
(replace [NEWADMINACCOUNTNAME] with the new name of the built-in administrator account, and [newadminaccountpassword] with the password for this account).
Create base image and configure required settings logged on as 'Administrator'. Create an additional local administrator account called 'setup' but don't log on as this account, just add it to the local Administrators group.
Create the sysprep unattend.xml using the 'sysprep creator' tool. Edit the unattend.xml so that it references the additional local admin account 'setup' rather than the built-in 'Administrator' account (there are several places where 'Administrator' needs to be changed to 'setup' in this file).
Sysprep using the edited unattend.xml and capture the image to the K2000.
Make sure you set the number of autologons in the unattend.xml to the number required to get you up to the stage of the LAST post-install task (described later). This will depend on the number of reboots your post-install tasks require. I use a mid-level task which is a vbscript that updates the unattend.xml with the required number of auto-logons (the number is specified as an input variable configured in the mid-level task).
Set up pre/post-install tasks as required on the system image.
One of the post-install tasks needs to:
1. Rename the local administrator account
2. Delete the old Administrator profile
3. Make the renamed administrator account active
4. Set the password for the renamed administrator account
To do this, I use the following POST-INSTALL BATCH TASK (I use RemProf.exe, copied to the windows\system32 folder, to remove user profiles - for info: http://www.ctrl-alt-del.com.au/files/RemProf08.txt )
start /wait %windir%\system32\RemProf.exe Administrator
start /wait wmic useraccount where name="Administrator" call rename "[NEWADMINACCOUNTNAME]"
start /wait net user [NEWADMINACCOUNTNAME] /active:Yes
start /wait net user [NEWADMINACCOUNTNAME] [newadminaccountpassword]
The LAST post-install task needs to add registry entires that cause the following to happen at next reboot (before logon) using the RunOnce regkey:
1. Remove the profile of the 'setup' account we no longer want
2. Delete the 'setup' account we no longer want
3. Set Windows Autologon to logon 1 time automatically as the renamed administrator account
To do this, I use the following POST-INSTALL BATCH TASK
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v DelAdminProf /d "C:\Windows\System32\RemProf.exe Setup"
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v DelAdminAcct /d "net user Setup /delete"
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoAdminLogon /d 1 /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoLogonCount /t REG_DWORD /d 1 /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName /d [NEWADMINACCOUNTNAME] /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassWord /d [newadminaccountpassword] /f
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultDomainName /f
Many thanks to SMal.tmcc for putting me on the right track and providing me with the bits of script I needed to get this working! - Chordmeister 9 years ago
