I'll be watching this ticket for a final answer as our issues match up nearly exactly with the described issues above. We also use a server property and cannot join the domain at the time of provisioning for security issues.
However, since there was no reply, I'll put in a high-level overview of how we worked around this issue.
At the time of provisioning, the OS installs and uses Administrator by default. Due to this, our Server Property is an enumerated string whose default is "Administrator".
Later on, when we run the post-provisioning batch job, I have another batch job embedded that has two member jobs. The member jobs:
- Use Group Policy to rename Administrator to Admin2
- Run an NSH Script job that updates the Server Property to the Admin2 value.
It was necessary to group these two member jobs into a single batch job because we'd lose connectivity to the target server between steps 1 and 2 if they were run as separate jobs.
Hope this helps!
Thanks. Very helpful. So you are manually applying the group policy to rename the administrator account? We haven't gotten that far yet. We're plowing through a whole bunch of other issues related to provisioning in a secure manner. So far we have done as you have and changed the default to Administrator. Our current plan is:
- PXE boot into PE
- Redirect output of ipconfig to a file on the provisioning server
- Provision the server with DHCP (small scope with ACLs limiting access to BL app/provisioning servers)
- Kick off a batch job that first parses the ipconfig output and adds a line to the app server's hosts file, then does all the post-provisioning steps.
Then we'll have to write a job that re-IPs the host, strips the entry out of the app server hosts file, and forces the app server to do a name cache clear or something...
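A sketch of the hosts-file step from the plan above, as an added example that is not code from this thread: it parses the redirected ipconfig output, accepts an address only if it falls inside the provisioning DHCP scope, and tags the line it writes so the later cleanup job removes only that line. The scope `10.20.30.32/28`, the marker text, the function names and the sample output are all assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample of redirected `ipconfig` output (CRLF endings, as on Windows).
SAMPLE_IPCONFIG = (
    "Windows IP Configuration\r\n\r\n"
    "Ethernet adapter Ethernet:\r\n\r\n"
    "   IPv4 Address. . . . . . . . . . . : 10.20.30.41\r\n"
    "   Subnet Mask . . . . . . . . . . . : 255.255.255.240\r\n"
)
PROVISIONING_SCOPE = ipaddress.ip_network("10.20.30.32/28")  # assumed DHCP scope
MARKER = "# provisioning-temp"  # assumed tag; cleanup removes only tagged lines
HOSTNAME_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
IPV4_LINE_RE = re.compile(r"^\s*IPv4 Address[ .]*:\s*([0-9.]+)")


def parse_lease(ipconfig_text, scope=PROVISIONING_SCOPE):
    """Return the single IPv4 address inside the provisioning scope, else raise."""
    found = []
    for line in ipconfig_text.splitlines():
        m = IPV4_LINE_RE.match(line)
        if m and (addr := ipaddress.ip_address(m.group(1))) in scope:
            found.append(addr)
    if len(found) != 1:
        raise ValueError(f"expected exactly one in-scope address, got {len(found)}")
    return found[0]


def add_entry(hosts_text, hostname, addr):
    """Add 'addr hostname' once, replacing any earlier tagged entry for hostname."""
    # fullmatch rejects whitespace and newlines, so one call can only add one line
    if not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"refusing hostname {hostname!r}")
    hosts_text = remove_entry(hosts_text, hostname)
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return hosts_text + f"{addr}\t{hostname}\t{MARKER}\n"


def remove_entry(hosts_text, hostname):
    """Drop only marker-tagged lines for hostname; static entries are untouched."""
    kept = []
    for line in hosts_text.splitlines(keepends=True):
        fields = line.split("#", 1)[0].split()
        tagged = line.rstrip().endswith(MARKER)
        if tagged and len(fields) >= 2 and fields[1].lower() == hostname.lower():
            continue
        kept.append(line)
    return "".join(kept)
```

The file written from PE is input from a machine that is not yet trusted, which is why the address is checked against the scope and the hostname is supplied by the job rather than read from that file.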
You could add a line in the post install section of the system package like:
Echo BLAdmins:* rw,map=Administrator > C:\windows\rsc\users.local
You might be able to parameterize that a bit if your role is different
Then create a package that runs the domain add (net dom I think?) and in that package add a line to do:
Echo BLAdmins:* rw,map=??TARGET.ADMIN_ACCOUNT?? > C:\windows\rsc\users.local
To set it to the new admin name.