Windows 10 Local Admin account (SOLVED)

dorian.borovina
Posts: 36
Registered: 24 Aug 2017, 12:32

Windows 10 Local Admin account (SOLVED)

Post by dorian.borovina » 24 Aug 2017, 12:55

Hello everyone.

I have a Win10 X64 installation working just fine in OPSI, with added drivers.
No problems at all.

The question is about "unattend.xml" for Win10.

Code:

<settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ComputerName>#@pcname*#</ComputerName>
        <UserAccounts>
            <AdministratorPassword>
                <PlainText>true</PlainText>
                <Value>nt123</Value>
            </AdministratorPassword>
            <!--
            <LocalAccounts>
                <LocalAccount wcm:action="add">
                    <Password>
                        <PlainText>true</PlainText>
                        <Value>nt123</Value>
                    </Password>
                    <Description>opsiadm</Description>
                    <Group>Administrators</Group>
                    <Name>opsiadm</Name>
                    <DisplayName>opsiadm</DisplayName>
                </LocalAccount>
            </LocalAccounts>
            -->
        </UserAccounts>
    </component>
</settings>


This is the part from the original Win10 unattend.xml file.
As you can see here, the part where it creates a local account is commented out.
When I "turn it on", my installation of Win10 fails; it doesn't end up successfully.
It doesn't matter if I change the password, description, name, display name, or leave the default values.

The point is, I want to remove "Enable Built-in Administrator Account" from unattend.xml, and I want to create a local account with Administrator privileges.

I'm trying to leave "Enable Built-in Administrator Account" for now, as long as I can create a local account.

Is there anyone who has successfully created a Local Administrator account on Win10 with OPSI?

Thank you.
Last edited by dorian.borovina on 31 Aug 2017, 10:16, edited 1 time in total.
Best regards,
Dorian Borovina

SisterOfMercy
Posts: 999
Registered: 22 Jun 2012, 19:18

Re: Windows 10 Local Admin account

Post by SisterOfMercy » 26 Aug 2017, 23:44

I have changed nothing in this part for Windows 7. Have you tried to log in as Administrator with the password nt123?
Please write in German, when I'm responding in the German-speaking part of the forum!

dorian.borovina
Posts: 36
Registered: 24 Aug 2017, 12:32

Re: Windows 10 Local Admin account

Post by dorian.borovina » 28 Aug 2017, 13:39

SisterOfMercy wrote: I have changed nothing in this part for Windows 7. Have you tried to log in as Administrator with the password nt123?


Thanks for the reply! :)

That part works; when I leave all default values I'm able to log in with Administrator and nt123.

The thing is, the Administrator account is a built-in Microsoft account, which unattend.xml enables and which is disabled by default.

I want to leave this account disabled, and use a local account with administrator privileges.

On Win7 it worked out of the box.
Best regards,
Dorian Borovina

ueluekmen
uib-Team
Posts: 1891
Registered: 28 May 2008, 10:53

Re: Windows 10 Local Admin account

Post by ueluekmen » 28 Aug 2017, 15:36

A better way is to disable the local administrator account after OS deployment is completed. We have done this in Windows 7 via an opsi package. Perhaps you can do this during the software deployment phase. And things that have worked in Windows 7 do not automatically work in Windows 10... Things that have worked on Windows 10 1607 do not automatically work in Windows 10 1703.... :roll:
opsi support - uib gmbh
For productive opsi installations we recommend support contracts.
http://www.uib.de

dorian.borovina
Posts: 36
Registered: 24 Aug 2017, 12:32

Re: Windows 10 Local Admin account

Post by dorian.borovina » 28 Aug 2017, 15:44

ueluekmen wrote: A better way is to disable the local administrator account after OS deployment is completed. We have done this in Windows 7 via an opsi package. Perhaps you can do this during the software deployment phase. And things that have worked in Windows 7 do not automatically work in Windows 10... Things that have worked on Windows 10 1607 do not automatically work in Windows 10 1703.... :roll:


I understand, it's not a problem to disable the built-in Microsoft administrator account.

Code:

net user Administrator /active:no


and that's it.

This part in here doesn't work.

It needs to create an opsiadm account which is in the Administrators group.

Code:

<LocalAccounts>
   <LocalAccount wcm:action="add">
      <Password>
         <PlainText>true</PlainText>
         <Value>nt123</Value>
      </Password>
      <Description>opsiadm</Description>
      <Group>Administrators</Group>
      <Name>opsiadm</Name>
      <DisplayName>opsiadm</DisplayName>
   </LocalAccount>
</LocalAccounts>


Thanks for the help! :)
Best regards,
Dorian Borovina

SisterOfMercy
Posts: 999
Registered: 22 Jun 2012, 19:18

Re: Windows 10 Local Admin account

Post by SisterOfMercy » 29 Aug 2017, 15:38

As ueluekmen said, why don't you create a postinstall package to take care of all this?
This way you can always change it on deployed clients, when needed. For example, when you need to change the password of this local account.
Please write in German, when I'm responding in the German-speaking part of the forum!

dorian.borovina
Posts: 36
Registered: 24 Aug 2017, 12:32

Re: Windows 10 Local Admin account

Post by dorian.borovina » 30 Aug 2017, 09:43

SisterOfMercy wrote: As ueluekmen said, why don't you create a postinstall package to take care of all this?
This way you can always change it on deployed clients, when needed. For example, when you need to change the password of this local account.


Thanks for the reply,

Possibly, I could create a post install package which will create a local account with administrator privileges.

What bothers me is why it's not working in unattend.xml. :x
Best regards,
Dorian Borovina

dorian.borovina
Posts: 36
Registered: 24 Aug 2017, 12:32

Re: Windows 10 Local Admin account

Post by dorian.borovina » 31 Aug 2017, 10:15

Thread is marked as Solved, I've created an OPSI package which does the job.

A quick solution which suits my needs.

Here is the setup.opsiscript

Code:

[Actions]

DefVar $ProductId$
DefVar $ExitCode$
DefVar $LogDir$
DefVar $Username$
DefVar $Password$
DefVar $Disable_Builtin$

requiredWinstVersion >= "4.11"
setloglevel="7"

if not ("Windows_NT" = GetOS)
   LogError "This product is for Windows only"
   isFatalError "Wrong OS"
endif

if CompareDotSeparatedNumbers(GetMsVersionInfo,"10") < "0"
   LogError "This product is for Windows 10"
   isFatalError "Wrong WinVer"
endif

Set $LogDir$ = "%SystemDrive%\tmp"
Set $Username$ = GetProductProperty("local_admin_username", "localadmin")
Set $Password$ = GetProductProperty("local_admin_password", "pw123")
Set $Disable_Builtin$ = GetProductProperty("disable_built-in_administrator", "yes")


; ----------------------------------------------------------------
; - Please edit the following values                             -
; ----------------------------------------------------------------
Set $ProductId$       = "win10-localadmin"
; ----------------------------------------------------------------

ShowBitmap "%ScriptPath%\" + $ProductId$ + ".png" $ProductId$

DosInAnIcon_local_account_setup

if $Disable_Builtin$ = "yes"
   DosInAnIcon_disable_builtin_admin
endif
if $Disable_Builtin$ = "no"
   DosInAnIcon_enable_builtin_admin
endif

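[DosInAnIcon_local_account_setup]
rem Create the account, then set its password (passed on the command line).
net user $Username$ /add
net user $Username$ $Password$
rem Group name is locale-specific: "Administratoren" on German Windows, "Administrators" on English Windows.
net localgroup Administratoren $Username$ /add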

[DosInAnIcon_disable_builtin_admin]
net user Administrator /active:no

[DosInAnIcon_enable_builtin_admin]
net user Administrator /active:yes


and here is the control file.

Code:

[Package]
version: 1
depends:
incremental: False

[Product]
type: localboot
id: win10-localadmin
name: win10-localadmin
description: This OPSI Package will create a Local Administrator account, and it can also disable Built-in Administrator account
advice:
version: 1.0
priority: 0
licenseRequired: False
productClasses:
setupScript: setup.opsiscript
uninstallScript:
updateScript:
alwaysScript:
onceScript:
customScript:
userLoginScript:

[ProductProperty]
type: unicode
name: local_admin_username
multivalue: False
editable: True
description: Microsoft Windows Local account username
values: ["localadmin"]
default: ["localadmin"]

[ProductProperty]
type: unicode
name: local_admin_password
multivalue: False
editable: True
description: Microsoft Windows Local account password
values: ["pw123"]
default: ["pw123"]

[ProductProperty]
type: unicode
name: disable_built-in_administrator
multivalue: False
editable: True
description: Disable Built-in Microsoft Administrator Account
values: ["no", "skip", "yes"]
default: ["yes"]

[Changelog]

Nothing special yet, first version.



Yes, I know... I can enhance it, but at this time I really don't need anything better than this. :)

Cheers everyone.
Best regards,
Dorian Borovina
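
The package above adds the account to the group by its German name (Administratoren), addresses the built-in account by the name Administrator, and disables it without checking that the new account was actually created. As an added example (not part of the thread or of opsi; the function name, its parameters and the description text are hypothetical), the same steps in PowerShell using the well-known SIDs, with a verification step before the built-in account is disabled. It assumes Windows 10 with the Microsoft.PowerShell.LocalAccounts cmdlets and a caller that supplies the password as a SecureString:

```powershell
#Requires -RunAsAdministrator
# Added example: Set-LocalAdminBaseline and its parameters are hypothetical names.
function Set-LocalAdminBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [securestring] $Password,
        [switch] $DisableBuiltin
    )
    $ErrorActionPreference = 'Stop'
    $adminGroupSid = 'S-1-5-32-544'   # BUILTIN\Administrators, identical on every locale

    # Create the account if it is missing; otherwise only reset its password.
    $user = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
    if ($null -eq $user) {
        $user = New-LocalUser -Name $UserName -Password $Password -Description 'Local admin (deployment)'
    } else {
        Set-LocalUser -Name $UserName -Password $Password
    }

    # Add to the group by SID; skip the call if the account is already a member.
    $members = Get-LocalGroupMember -SID $adminGroupSid
    if ($members.SID.Value -notcontains $user.SID.Value) {
        Add-LocalGroupMember -SID $adminGroupSid -Member $UserName
    }

    # Verify before touching the built-in account, so a failed step cannot
    # leave the machine without an enabled local administrator.
    $user = Get-LocalUser -Name $UserName
    $isMember = (Get-LocalGroupMember -SID $adminGroupSid).SID.Value -contains $user.SID.Value
    if (-not ($user.Enabled -and $isMember)) {
        throw "Account '$UserName' is not an enabled member of the Administrators group."
    }

    if ($DisableBuiltin) {
        # The built-in Administrator always has RID 500, whatever it is named.
        $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
        Disable-LocalUser -SID $builtin.SID
    }
}
```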