Domain Policies that break MDT 2010

Option 3 – Delaying Domain Join to Avoid Application of Group Policy Objects (Help file MS MDT2010)

Group Policy is a rich and flexible technology providing the capability to efficiently manage a large number of Active Directory Domain Services (AD DS) computer and user objects through a centralized, one-to-many model. Group Policy settings are contained in a Group Policy object (GPO) and linked to one or more AD DS service containers— sites, domains, and organizational units (OUs).

Some organizations have Group Policy settings that are very restrictive and that could cause problems during operating system deployments. For example, the following Group Policy settings can interrupt an automated logon process:

· Autologon restrictions

· Administrator account renaming

· Legal banners and captions

· Restrictive security policies (for example, the Specialized Security – Limited Functionality [SSLF] policy)

One option to overcome the issues that a GPO might cause during deployment is to join the computer to the domain as late as possible in the deployment process. This join can be done using a custom task sequence step that runs the ZTIDomainJoin.wsf script.

To join the target computer to the domain, the ZTIDomainJoin.wsf script uses the DomainAdmin, DomainAdminDomain, DomainAdminPassword, JoinDomain, and MachineObjectOU properties. You can declare these properties using the Windows Deployment Wizard, deployment share rules, the MDT DB, and System Center Configuration Manager computer and collection rules. The account used must have the rights required to create and delete computer objects in the domain.

Typically, the ZTIConfigure.wsf script updates the Unattend.xml or Unattend.txt file with the values that these properties specify. These settings are then parsed by the Windows Setup program, and the system attempts to join to the domain early in the deployment process. Doing so subjects the target computer to settings specified in domain GPOs and can possibly cause the deployment process to fail.

To intentionally delay joining the target computer to the domain during the deployment process, you can remove certain elements from the Unattend.xml file. The ZTIConfigure.wsf script will skip over writing properties to the Unattend.xml file if the associated property element is missing from the file.

Note This sample work-around is only valid when deploying the Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 operating systems.

Prepare the unattend.xml file so the target computer does not attempt to join the domain during Windows Setup

1. Click Start, and then point to All Programs. Point to Microsoft Deployment Toolkit, and then click Deployment Workbench.

2. In the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/deployment_share/Task Sequences/task_sequence (where deployment_share is the name of the deployment share and task_sequence is the name of the task sequence to be configured).

3. In the Actions pane, click Properties.

4. On the OS Info tab, click Edit Unattend.xml.

The Windows System Image Manager (Windows SIM) starts.

5. In the Answer File pane, go to 4 specialize/Identification/Credentials. Right-click Credentials, and then click Delete.

6. Click Yes.

7. Save the answer file, and then exit Windows SIM.

8. Click OK on the task sequence Properties dialog box.

With the Credentials elements missing from the unattend.xml file, the ZTIConfigure.wsf script is not able to populate the domain join information in the Unattend.xml file, which will prevent Windows Setup from attempting to join the domain.

To add a task sequence step that joins the target computer to the domain

1. Click Start, and then point to All Programs. Point to Microsoft Deployment Toolkit, and then click Deployment Workbench.

2. In the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/deployment_share/Task Sequences/task_sequence (where deployment_share is the name of the deployment share and task_sequence is the name of the task sequence to be configured).

3. In the Actions pane, click Properties.

4. On the Task Sequence tab, go to and expand the State Restore node.

5. Verify that the Recover From Domain task sequence step is present. If yes, proceed to step 9.

6. In the task sequence Properties dialog box, click Add, go to Settings, and click Recover From Domain.

7. Add the Recover From Domain task sequence step to the task sequence editor. Verify that the step is in the desired location in the task sequence.

8. Verify that the settings for the Recover From Domain task sequence step are configured to meet your needs.

9. Click OK on the task sequence Properties dialog box to save the task sequence.

Not really a Domain Policy but how do you get MDT 2010 to automatically rename computers based on previous entry into Active Directory via GUID, like RIS does?

If using Option #1 will that disable the GPO for the existing computers on the domain without the DeploymentLogs folder in windowstemp? In other words I am testing opt 1 and it worked fairly well however I am noticing wierd things with machines that were already on the domain (IE. not locking after time out, no disclaimer, etc…)

Any assistance or guidence would be appreciated.

I am having a problem with the build in MDT functionality to join a domain. It stops on a legal disclaimer and by clicking OK i am able to resume the TS. When i try the method above i am no longer prompted to click OK to continue and workstation joins the domain however to AD has to entry for the workstation. So i have to join the workgroup and back to the domain manually.
I tried using ZTIDomainJoin.wsf and the DomainOUList.xml in the control folder at the end of the TS and before the bitlocker but not able to join the domain this way.
Is there a way to pass domain and OU information on a command line to ZTIDomainJoin.wsf?
Thank you.

With deleted specialize/Identification/Credentials from Unattend.xmland joining domain with ZTIDomainJoin.wsf or with “Recover From Domain”.

When i try to log in to the domain i am getting “The security database on the server does not have a computer account for this workstation trust relationship.”

I tried te steps above and seemed to run into issues. After a lot of searching I found the following blog and have not been tormented by the dreaded legal disclaimer or admin rename.

http://blogs.msdn.com/alex_semi/archive/2009/08/28/avoiding-legan-notice-that-breaks-mdt-autologon.aspx

this is a great article but I am stuck… I am trying to do the following..rename the administrator and we also have a legal banner. so what happens is that the Z drive share remains and a couple of the folders like MINI and _SMSTask…. I have been searchin for a solution for a few days now and I found this site and a couple others where I found a way to delete the Z drive. But I was wondering if this will cause issues in the future since the deployment didnt fully complete.
I tried the link that SJ3ff sent but I am not having any luck wiith that.

And I just found this link where Johan wrote a cleanup script however how does that run with the banner and admin rename?

http://social.technet.microsoft.com/Forums/en-CA/mdt/thread/7b07676d-78fe-45b1-b93e-136304b754ea

http://deploymentresearch.com/Blog/tabid/62/EntryId/17/Final-Configuration-for-MDT-2010-Lite-Touch.aspx