/build/static/layout/Breadcrumb_cap_w.png

Sysprep is not disabling the local administrator account

Greetings

I am working on a new Windows 7 image for our organization. My image is pretty much ready to go, other than one issue. For some reason, the local administrator account does not get disabled by sysprep. What I am wanting is to have a different account used for local administrator. I have configured my unattend file to create this account, which works fine. When the sysprep is finished, and the computer reboots, everything seems okay. Windows prompts for a computer name as designed, and then I get prompted to login with default (which I can’t) or other account. I select other, enter in the credentials for my local account that sysprep created, and everything is good.

The strange thing is if I disjoin the system from the domain (after joining), and reboot, the system automatically logs in as the local administrator without prompting. It just sails right on in.

My method of creating the image is performing the ctrl shift f3 at the initial Welcome screen after a fresh install of Windows. While in Audit mode, I perform any updates, install my apps, etc.I have noticed this in my unattend file that could be the culprit:

<AutoLogon>
                <Password>
                    <Value>XXX</Value>
                    <PlainText>false</PlainText>
                </Password>
                <Enabled>true</Enabled>
                <LogonCount>5</LogonCount>
                <Username>Administrator</Username>
            </AutoLogon>

I am unsure if this is required for performing the sysprep and then is supposed to removed after sysprep is finished. If not, would removing this entry prevent the autologin into the administrator account, as well as allow sysprep to disable the administrator account as it is supposed to?

Thanks for any input.

Asked 9 years ago 6526 views
0 Comments   [ + ] Show comments

Answers (2)

Posted by: SMal.tmcc 9 years ago
Red Belt
0
you will need a few components to shut down the local admin

<settings pass="specialize">
        <component name="Microsoft-Windows-Deployment" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <RunSynchronous>
                <RunSynchronousCommand wcm:action="add">
                    <Path>net user administrator /active:no</Path>
                    <Order>1</Order>
                </RunSynchronousCommand>
            </RunSynchronous>
        </component>

    <settings pass="oobeSystem">
       <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <UserAccounts>
                <LocalAccounts>
                    <LocalAccount wcm:action="add">
                        <Password>
                            <PlainText>true</PlainText>
                            <Value>password</Value>
                        </Password>
                        <DisplayName>2nduser</DisplayName>
                        <Name>2nduser</Name>
                        <Group>Administrators</Group>
                    </LocalAccount>
                </LocalAccounts>
                 </UserAccounts>
            <AutoLogon>
                <Password>
                    <Value>password</Value>
                    <PlainText>true</PlainText>
                </Password>
                <Enabled>true</Enabled>
                <LogonCount>5</LogonCount>
                <Username>2nduser</Username>
            </AutoLogon>
        </component>
    </settings>
Comments:
  • Just to clarify, should I leave in the AutoLogon component I mentioned and put in the components you have listed? - torbuck 9 years ago
    • not sure if you use the kbox (not tagged) or not but if you are you will need a couple of reboots for the tasks to process properly. What I do when I join the machine to the domain is to poke the autologin keys to reflect a domain user and when all is finished I have a section to delete the autologon keys all together.

      my joindomain tasks reboots after joining then continues other post tasks, these lines are in that task script.
      reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoAdminLogon /d 1 /f
      reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoLogonCount /t REG_DWORD /d 10 /f
      reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultDomainName /d acaddomain /f
      reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName /d domainuser /f
      reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassWord /d domainuserspassword /f

      then when all is done I do this:

      reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoAdminLogon /d 0 /f

      reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v defaultpassword /f - SMal.tmcc 9 years ago
      • CRAP IT RAN IT ALL TOGETHER!!!!! - SMal.tmcc 9 years ago
Posted by: SMal.tmcc 9 years ago
Red Belt
0
not sure if you use the kbox (not tagged) or not but if you are you will need a couple of reboots for the tasks to process properly.  What I do when I join the machine to the domain is to poke the autologin keys to reflect a domain user and when all is finished I have a section to delete the autologon keys all together.

my joindomain tasks reboots after joining then continues other post tasks, these lines are in that task script.
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoAdminLogon /d 1  /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoLogonCount /t REG_DWORD /d 10  /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultDomainName /d acaddomain  /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName /d domainuser  /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassWord /d domainuserspassword /f

then when all is done I do this:

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoAdminLogon /d 0 /f

reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v defaultpassword /f
Comments:
  • For this case, we are not using kbox. Just a simple ghost image - torbuck 9 years ago
    • then you do not really need autologin unless some scripts you have run after post sysprep. - SMal.tmcc 9 years ago
      • just create your secondary admin and disable the primary administrator account. - SMal.tmcc 9 years ago
  • Just to reiterate, I am creating the image using the audit mode method (ctrl shift f3 at the initial Welcome screen). I believe you are logged in as administrator when you are in this mode. Once you reseal, sysprep is supposed to automatically disable the administrator account. My unattend file creates my secondary admin. I am going to try just remove this entry in my unattend unless someone has a better idea. I was simply following the IT Bros sysprep guide, so possibly this got added by mistake.

    <AutoLogon>
    <Password>
    <Value>XXX</Value>
    <PlainText>false</PlainText>
    </Password>
    <Enabled>true</Enabled>
    <LogonCount>5</LogonCount>
    <Username>Administrator</Username>
    </AutoLogon> - torbuck 9 years ago
    • yea audit mode is a little different from generalizing it. that should do it, after cast your image go into the registry and just check the keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and see what the keys for autologon are set at. That will answer the question. - SMal.tmcc 9 years ago
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ