
I have rolled out MDT for imaging at my workplace. As part of the deployment process I have the customsettings.ini file set to join our Domain. The technician is prompted to enter their administrative credentials and the appropriate OU and Domain is already set.

Everything works very well and the machine images properly, binding to the Domain and installing all software. However, in speaking with our Domain Administrator, each time we image a system the AD\Administrator user account is automatically locking. From what we can tell, it appears that the local "Administrator" account used on a target system for MDT is trying to either log in locally or access network resources using the AD\Administrator account instead of the local Administrator account.

I have gone into the unattend.xml file and specifically set the login user settings to use the "." domain, but the issue still persists. However, if we skip joining the Domain and have the system instead join "WORKGROUP" the issue goes away. I have checked the various log files MDT creates on the target systems, and have found no obvious indications as to why this would be. It occurs on all Task Sequences.

Does anyone have any suggestions?

bispymusic

1 Answer

First off, stop using the AD\Administrator account. Shared accounts like that are just all sorts of a bad idea. Everyone who needs domain admin access should have a separate account just for doing domain admin things. Create a service account just for MDT. It doesn't even have to be a domain admin. All it needs to do is join computers to the domain. You can set it in the customsettings.ini or the MDT database.

DomainAdmin = DeploymentAccount
DomainAdminDomain = Domain.local
DomainAdminPassword = S@msFantas1cP0rkSh0p
JoinDomain = Domain.local
MachineObjectOU = ComputerDeploymentOU

To avoid giving my deployment account domain admin rights I created a deployment team group, added that account along with the techs that need access for deployments, and gave it access to add / remove computers from an OU for deployment. When you go to deploy a computer it should add to that OU without problems. If you wanted a little more control you could always pre-create the computer account too. To do that just right click on the OU, select New -> Computer. Then in the computer object creation screen change the user or group to your deployment team. I like doing this because it lets me plan out my deployments a little better. This should fix the lockout problems you're having with that account. If you're still getting locked out then it's time to dig deeper. At least this way you can be sure your deployments aren't the cause.

Hugh

Yes, create a service account for MDT and put those credentials in the bootstrap file. Hugh's probably right: you should be able to grant that account little more than the right to join to the domain. To play it safe, use WDS to push boot images; it's arguably a wee bit safer than boot discs, and you don't want those passwords walking out the door. – MDT Guy May 13 '13 at 19:10
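Hugh's answer and MDT Guy's comment both recommend a dedicated join account that holds only the rights a domain join needs. The following is an added example, not code from the original thread, of setting that up from an elevated PowerShell session with the RSAT ActiveDirectory module and dsacls; the OU distinguished name and the group name are assumptions, while the account name comes from the answer's customsettings.ini:

```powershell
# Added example (not from the original answer): least-privilege delegation for an
# MDT domain-join account. Assumptions: the OU DN and the group name below; the
# service account name "DeploymentAccount" is the one used in the answer.
Import-Module ActiveDirectory

$ou      = 'OU=ComputerDeploymentOU,DC=Domain,DC=local'   # assumption: OU DN
$group   = 'MDT Deployment Team'                            # assumption: group name
$account = 'DeploymentAccount'                              # from the answer
$netbios = (Get-ADDomain).NetBIOSName

# 1. A dedicated, non-admin service account and a group that carries the delegation.
#    Techs who run deployments can be added to the same group instead of using
#    a shared domain admin account.
New-ADUser -Name $account -SamAccountName $account -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString 'Deployment account password') `
    -PasswordNeverExpires $true -CannotChangePassword $true
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $group -Members $account

# 2. Delegate only what joining a machine into this OU requires.
$principal = "$netbios\$group"
# Create and delete computer objects directly in the OU (/I:T = this object and below).
dsacls $ou /I:T /G "${principal}:CCDC;computer"
# On computer objects under the OU (/I:S = child objects only): reset password,
# write the Account Restrictions property set, and the two validated writes
# a joining machine performs.
dsacls $ou /I:S /G "${principal}:CA;Reset Password;computer"
dsacls $ou /I:S /G "${principal}:WP;Account Restrictions;computer"
dsacls $ou /I:S /G "${principal}:WS;Validated write to DNS host name;computer"
dsacls $ou /I:S /G "${principal}:WS;Validated write to service principal name;computer"

# 3. Verify: the account should appear in no privileged group, and the OU ACL
#    should list only the grants made above for the deployment group.
Get-ADPrincipalGroupMembership -Identity $account | Select-Object -ExpandProperty Name
dsacls $ou | Select-String -Pattern $group
```

The DomainAdmin / DomainAdminDomain / DomainAdminPassword lines in customsettings.ini then point at this account rather than AD\Administrator, so a failed join can no longer lock the shared admin account.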