Windows – Copy the default user profile – Administrator account

deployment, unattended, user-accounts, windows 7

I need to amend the default user account during deployment of Windows 7. Having read the following MS article: http://support.microsoft.com/kb/973289 I have a few questions.
The article suggests that the amendments must be made under the built-in local administrator account. Does this have to be the built-in Admin account, or can the changes be made under the context of another local account within the local administrators group? The customer does not wish to enable the built-in admin account.
Is the profile copied from the account that is currently logged in when the specialise path is initiated?

The article also says to remove all existing local accounts. I assume this is because the amendments to the default profile will not apply to these accounts. Basically, the image has some existing local profiles that must remain. The default settings do not need to be applied to these accounts.

I would test this out but I currently do not have access to my test environment unfortunately.

Any guidance is greatly appreciated.

Thanks in advance.

Best Answer

If you're trying to build a customized default profile, but you don't want the admin account enabled, use it, run sysprep and disable the admin account from your unattended answer file. Make sure you're using WAIK at the very minimum; it's highly recommended to use WAIK in conjunction with MDT.

http://www.microsoft.com/deployment

In Win7 you use the local admin account to build the default profile, but much of what used to need to be done by hand in the XP days can mostly be done with your unattend.xml answer file.

You will need to use the copyprofile=true setting in the specialize pass in the unattend.xml file when you run sysprep or it will not work.

Screenshot: the setting in WSIM

    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
        <RegisteredOrganization>Spud-Co Labs</RegisteredOrganization>
        <RegisteredOwner>Administrator</RegisteredOwner>
        <DoNotCleanTaskBar>true</DoNotCleanTaskBar>
        <CopyProfile>true</CopyProfile>
    </component>

Sample for a 32-bit Win7 Unattend.xml file

Although you may get away with having other profiles created already in the reference image, just understand that it's not recommended, as sysprep may sometimes generalize settings from those profiles, not the admin; that's why it's advised not to have them.

To play it safe, configure your reference account with the admin account, and run sysprep from there.

A clean, complete and concise guide to running sysprep can be found here: http://theitbros.com/sysprep-a-windows-7-machine-start-to-finish-v2/

I'm not 100% sure that sysprep re-disables this account for you, and you may have little luck turning it back off from the answer file. Use MDT to deploy with a task sequence; this will allow you to disable the account at the very end of the deployment.

Try this in the Windows Deployment, Run Synchronous Section, it should disable the account after you run sysprep.

    <RunSynchronousCommand wcm:action="add">
        <Description>DisableAdmin</Description>
        <Order>1</Order>
        <Path>cmd /c net user Administrator /active:no</Path>
    </RunSynchronousCommand>

To make life easier on yourself, test all this in some kind of VM. I recommend VirtualBox, but any VM should work. Take a snapshot before you run sysprep, and that way you can test the answer file and revert easily and save a lot of time.

UPDATE: Recently I had some luck using MDT and the built-in Admin, but creating a second account, making it admin, then disabling the admin at the very end of the task sequence using MDT. I don't think this can be done using the standalone XML file; to get away with this you most likely need to use an MDT task sequence.
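A pre-flight check for the two settings the answer relies on, as an added example that is not part of the original answer: it parses an answer file and reports whether `CopyProfile` is true in the specialize pass and whether any synchronous command leaves the built-in Administrator account disabled. The function name `audit_answer_file` and the sample file are constructed for illustration, and placing both components in the specialize pass is an assumption of the sample.

```python
import re
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:unattend"
ADMIN_TOGGLE = re.compile(r"net\s+user\s+Administrator\s+/active:(yes|no)", re.I)

# Constructed sample (not from the post). Assumption: both components sit in
# the specialize pass; the answer only fixes the pass for CopyProfile.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86">
      <CopyProfile>true</CopyProfile>
    </component>
    <component name="Microsoft-Windows-Deployment" processorArchitecture="x86">
      <RunSynchronous>
        <RunSynchronousCommand wcm:action="add">
          <Order>1</Order>
          <Path>cmd /c net user Administrator /active:no</Path>
        </RunSynchronousCommand>
      </RunSynchronous>
    </component>
  </settings>
</unattend>"""

def audit_answer_file(xml_text):
    """Hypothetical helper: list CopyProfile passes, Administrator toggles, issues."""
    root = ET.fromstring(xml_text)
    copy_passes, toggles = [], []
    for settings in root.findall("{%s}settings" % NS):
        pass_name = settings.get("pass")
        for cp in settings.iter("{%s}CopyProfile" % NS):
            if (cp.text or "").strip().lower() == "true":
                copy_passes.append(pass_name)
        # Path also appears outside RunSynchronousCommand; the regex filters those out.
        for path in settings.iter("{%s}Path" % NS):
            m = ADMIN_TOGGLE.search(path.text or "")
            if m:
                toggles.append((pass_name, m.group(1).lower()))
    states = {state for _, state in toggles}
    issues = []
    if "specialize" not in copy_passes:
        issues.append("CopyProfile is not set to true in the specialize pass")
    if "yes" in states:
        issues.append("a command enables the built-in Administrator account")
    if "no" not in states:
        issues.append("no command disables the built-in Administrator account")
    return {"copy_profile_passes": copy_passes, "admin_toggles": toggles, "issues": issues}
```

The check only inspects the answer file; an account disabled later by an MDT task sequence, as in the update above, will not show up here.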
