Windows 10 Local Admin account (SOLVED)

Posted: 24 Aug 2017, 12:55
by dorian.borovina
Hello everyone.

I have a Win10 X64 installation working just fine in OPSI, with added drivers.
No problems at all.

The question is about "unattend.xml" for Win10.

Code:

<settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <ComputerName>#@pcname*#</ComputerName>
            <UserAccounts>
                <AdministratorPassword>
                    <PlainText>true</PlainText>
                    <Value>nt123</Value>
                </AdministratorPassword>
                <!--
                <LocalAccounts>
                    <LocalAccount wcm:action="add">
                        <Password>
                            <PlainText>true</PlainText>
                            <Value>nt123</Value>
                        </Password>
                        <Description>opsiadm</Description>
                        <Group>Administrators</Group>
                        <Name>opsiadm</Name>
                        <DisplayName>opsiadm</DisplayName>
                    </LocalAccount>
                </LocalAccounts>
                -->
            </UserAccounts>
        </component>
</settings>


This is the part from the original Win10 unattend.xml file.
As you can see here, the part where it creates a local account is commented out.
When I "turn it on", my installation of Win10 fails; it doesn't complete successfully.
It doesn't matter if I change the password, description, name, display name, or leave the default values.

The point is, I want to remove "Enable Built-in Administrator Account" from unattend.xml, and I want to create a local account with Administrator privileges.

I'm trying to leave "Enable Built-in Administrator Account" for now, as long as I can create local account.

Is there anyone who has successfully created a Local Administrator account on Win10 with OPSI?

Thank you.

Re: Windows 10 Local Admin account

Posted: 26 Aug 2017, 23:44
by SisterOfMercy
I have changed nothing in this part for Windows 7. Have you tried to log in as Administrator with the password nt123?

Re: Windows 10 Local Admin account

Posted: 28 Aug 2017, 13:39
by dorian.borovina
SisterOfMercy wrote: I have changed nothing in this part for Windows 7. Have you tried to log in as Administrator with the password nt123?


Thanks for the reply! :)

That part works; when I leave all default values I'm able to log in with Administrator and nt123.

The thing is, the Administrator account is a built-in Microsoft account, which unattend.xml enables and which is disabled by default.

I want to leave this account disabled, and use a local account with administrator privileges.

On Win7 it worked out of the box.

Re: Windows 10 Local Admin account

Posted: 28 Aug 2017, 15:36
by ueluekmen
It's a better way to disable the local administrator account after OS deployment is completed. We have done this in Windows 7 via an opsi package. Perhaps you can do this during the software deployment phase. And things that have worked in Windows 7 do not work automatically in Windows 10... Things that have worked on Windows 10 1607 do not work automatically in Windows 10 1703.... :roll:

Re: Windows 10 Local Admin account

Posted: 28 Aug 2017, 15:44
by dorian.borovina
ueluekmen wrote: It's a better way to disable the local administrator account after OS deployment is completed. We have done this in Windows 7 via an opsi package. Perhaps you can do this during the software deployment phase. And things that have worked in Windows 7 do not work automatically in Windows 10... Things that have worked on Windows 10 1607 do not work automatically in Windows 10 1703.... :roll:


I understand, it's not a problem to disable the built-in Microsoft Administrator account.

Code:

net user Administrator /active:no


and that's it.

This part in here doesn't work.

It needs to create an opsiadm account which is in the Administrators group.

Code:

<LocalAccounts>
    <LocalAccount wcm:action="add">
        <Password>
            <PlainText>true</PlainText>
            <Value>nt123</Value>
        </Password>
        <Description>opsiadm</Description>
        <Group>Administrators</Group>
        <Name>opsiadm</Name>
        <DisplayName>opsiadm</DisplayName>
    </LocalAccount>
</LocalAccounts>


Thanks for the help! :)

Re: Windows 10 Local Admin account

Posted: 29 Aug 2017, 15:38
by SisterOfMercy
As ueluekmen said, why don't you create a postinstall package to take care of all this?
This way you can always change it on deployed clients, when needed. For example, when you need to change the password of this local account.

Re: Windows 10 Local Admin account

Posted: 30 Aug 2017, 09:43
by dorian.borovina
SisterOfMercy wrote: As ueluekmen said, why don't you create a postinstall package to take care of all this?
This way you can always change it on deployed clients, when needed. For example, when you need to change the password of this local account.


Thanks for the reply,

Possibly, I could create a post install package which will create a local account with administrator privileges.

What bothers me is why it's not working in unattend.xml. :x

Re: Windows 10 Local Admin account

Posted: 31 Aug 2017, 10:15
by dorian.borovina
Thread is marked as Solved, I've created an OPSI package which does the job.

A quick solution which suits my needs.

Here is the setup.opsiscript:

Code:

[Actions]

DefVar $ProductId$
DefVar $ExitCode$
DefVar $LogDir$
DefVar $Username$
DefVar $Password$
DefVar $Disable_Builtin$

requiredWinstVersion >= "4.11"
setloglevel="7"

if not ("Windows_NT" = GetOS)
   LogError "This product is for Windows only"
   isFatalError "Wrong OS"
endif

if CompareDotSeparatedNumbers(GetMsVersionInfo,"10") < "0"
   LogError "This product is for Windows 10"
   isFatalError "Wrong WinVer"
endif

Set $LogDir$ = "%SystemDrive%\tmp"
Set $Username$ = GetProductProperty("local_admin_username", "localadmin")
Set $Password$ = GetProductProperty("local_admin_password", "pw123")
Set $Disable_Builtin$ = GetProductProperty("disable_built-in_administrator", "yes")


; ----------------------------------------------------------------
; - Please edit the following values                             -
; ----------------------------------------------------------------
Set $ProductId$       = "win10-localadmin"
; ----------------------------------------------------------------

ShowBitmap "%ScriptPath%\" + $ProductId$ + ".png" $ProductId$

DosInAnIcon_local_account_setup

if $Disable_Builtin$ = "yes"
   DosInAnIcon_disable_builtin_admin
endif
if $Disable_Builtin$ = "no"
   DosInAnIcon_enable_builtin_admin
endif

[DosInAnIcon_local_account_setup]
net user $Username$ /add
net user $Username$ $Password$
net localgroup Administratoren $Username$ /add

[DosInAnIcon_disable_builtin_admin]
net user Administrator /active:no

[DosInAnIcon_enable_builtin_admin]
net user Administrator /active:yes


and here is the control file.

Code:

[Package]
version: 1
depends:
incremental: False

[Product]
type: localboot
id: win10-localadmin
name: win10-localadmin
description: This OPSI Package will create a Local Administrator account, and it can also disable Built-in Administrator account
advice:
version: 1.0
priority: 0
licenseRequired: False
productClasses:
setupScript: setup.opsiscript
uninstallScript:
updateScript:
alwaysScript:
onceScript:
customScript:
userLoginScript:

[ProductProperty]
type: unicode
name: local_admin_username
multivalue: False
editable: True
description: Microsoft Windows Local account username
values: ["localadmin"]
default: ["localadmin"]

[ProductProperty]
type: unicode
name: local_admin_password
multivalue: False
editable: True
description: Microsoft Windows Local account password
values: ["pw123"]
default: ["pw123"]

[ProductProperty]
type: unicode
name: disable_built-in_administrator
multivalue: False
editable: True
description: Disable Built-in Microsoft Administrator Account
values: ["no", "skip", "yes"]
default: ["yes"]

[Changelog]

Nothing special yet, first version.



Yes, I know... I can enhance it, but at this time I really don't need anything better than this. :)

Cheers everyone.
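
The unattend.xml excerpts in this thread carry their passwords with PlainText set to true and place the new account in the Administrators group. The Python script below is an added example, not part of the original posts or of opsi: it audits an answer file for exactly those two conditions and never echoes the password values. The sample XML is constructed (modelled on the thread's excerpt, with placeholder values), and the function names `audit_unattend` and `local` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's excerpt with the LocalAccounts
# block enabled; password values are placeholders, not real credentials.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <PlainText>true</PlainText><Value>EXAMPLE-ONLY</Value>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Password><PlainText>true</PlainText><Value>EXAMPLE-ONLY</Value></Password>
            <Group>Administrators</Group><Name>opsiadm</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_unattend(xml_text):
    """Return (pass, finding) tuples; password values are never included."""
    findings = []
    root = ET.fromstring(xml_text)
    for settings in (e for e in root.iter() if local(e.tag) == "settings"):
        phase = settings.get("pass", "?")
        for el in settings.iter():
            # Direct children only, keyed by tag name without namespace.
            kids = {local(c.tag): (c.text or "").strip() for c in el}
            name = local(el.tag)
            if name in ("AdministratorPassword", "Password"):
                if kids.get("Value") and kids.get("PlainText", "").lower() == "true":
                    findings.append((phase, f"plaintext credential in <{name}>"))
            elif name == "LocalAccount":
                # <Group> may list several groups separated by semicolons.
                groups = [g.strip().lower() for g in kids.get("Group", "").split(";")]
                if "administrators" in groups:
                    findings.append((phase, f"admin account '{kids.get('Name', '?')}'"))
    return findings

if __name__ == "__main__":
    for phase, finding in audit_unattend(SAMPLE):
        print(f"[{phase}] {finding}")
```

The same function accepts answer files without the unattend namespace, such as the fragment quoted in the first post once it is wrapped in a root element.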