Running the MDT Task Sequence as a Different User

When using MDT (Lite Touch) for your deployments, the default behavior is to run every task sequence action as the local Administrator account. MDT also connects to the deployment share using the account you start the deployment with, either typed in via the Deployment Wizard login dialog box or automated via Bootstrap.ini. But what if you want to run the task sequence, or at least the last part of it, as a different user in order to access resources on servers other than the deployment server? Or simply to install applications as a different user?

Installing Applications as a different user

In a scenario where you want to access resources that are on a different server than the deployment server, or just install an application as a different user, you have a few options. You can add a Run Command Line action in MDT and specify a different user account to run the action under. Or you can add a command line or script that maps a network drive to the resource, using the other credentials, before installing the application. The ZTIConnect.wsf script built into MDT is a good example of the latter.

Image: Configuring the Run Command Line action to run as a different user.

Running the Task Sequence as a different user

In the scenario where you have a bunch of tasks that need to be run as a different user, you can also configure the entire task sequence to run in a different user context. This is typically done either by hacking the unattend.xml template in MDT to use that account, or by adding a script to the task sequence that configures Windows to log on as that user after the reboot, so the rest of the task sequence continues in that context. Since the latter approach can be dynamic, and you can use CustomSettings.ini to configure it, that is what I recommend using here.

First, the user account that you use to run the task sequence must be a local administrator on the machine during the deployment. That can be achieved in a number of different ways: for example using the Restricted Groups feature in Group Policy, Group Policy Preferences, a script, or simply the built-in MDT feature that does it: the Administrators list property (Administrators001, Administrators002, and so on), which ZTIGroups.wsf applies.

Secondly, because of how MDT Lite Touch works, when running the task sequence as a domain user (but still a local admin), you also need to temporarily disable UAC. Otherwise the task sequence will never continue after the reboot (and you will see an error in BDD.LOG about Regsvr32 failing to register the Microsoft.BDD.Utility.dll file). Disabling UAC temporarily can be done by simply setting the EnableLUA registry value via the task sequence; the change only takes effect after a reboot, which is why the Restart Computer action follows it. Then, of course, you enable UAC again when the task sequence is done. You should also add FinishAction=REBOOT to your CustomSettings.ini to make sure the machine is rebooted after re-enabling UAC, since that change also needs a reboot to take effect.

This is what you need to add to your CustomSettings.ini file.

In this example the task sequence will run as the user Frank in the VIAMONSTRA domain (anyone who has seen the Swedish Tele2 commercials knows where the name Frank came from 🙂 ). Note that the password is stored in clear text in CustomSettings.ini, which is readable by every account that can read the deployment share, so use a dedicated deployment account with no rights beyond what the task sequence needs.

[Settings]
Priority=AppInstallAsDifferentUser,Default
Properties=APPINSTALLDOMAIN, APPINSTALLACCOUNT, APPINSTALLPASSWORD

[AppInstallAsDifferentUser]
APPINSTALLACCOUNT=Frank
APPINSTALLPASSWORD=P@ssw0rd
APPINSTALLDOMAIN=VIAMONSTRA

[Default]
Administrators001=%APPINSTALLDOMAIN%\%APPINSTALLACCOUNT%
FinishAction=REBOOT

Create the Configure – Set Autologon in Domain application

The next step is to create the Configure – Set Autologon in Domain application, which is really just a VBScript that configures the autologon settings in the registry, using the variables from the CustomSettings.ini file. The reason I recommend adding it as an application (you could just add it to the Scripts folder instead) is portability. It is easy to copy and paste applications between deployment shares, and it also makes the step visible in the Deployment Workbench.

Here is the Configure-SetAutologonInDomain.wsf script:
https://github.com/DeploymentResearch/DRFiles/blob/master/Scripts/Configure-SetAutologonInDomain.wsf

Import the script into MDT as an application. The command line for the application is: cscript.exe Configure-SetAutologonInDomain.wsf
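For readers who prefer PowerShell, here is the same autologon configuration as an added example; it is not the Configure-SetAutologonInDomain.wsf script from the post or from the DeploymentResearch repository. It assumes it runs inside the task sequence (so the Microsoft.SMS.TSEnvironment COM object exists) and reads the three properties declared in the CustomSettings.ini above. The file name Configure-SetAutologonInDomain.ps1 and its application command line, powershell.exe -ExecutionPolicy Bypass -File Configure-SetAutologonInDomain.ps1, are assumptions.

```powershell
# Added example, not the Configure-SetAutologonInDomain.wsf script from the post:
# configures Windows autologon for the account defined in CustomSettings.ini.
# Assumes it runs inside the MDT task sequence, since the Microsoft.SMS.TSEnvironment
# COM object only exists while the task sequence engine is running.
$ErrorActionPreference = 'Stop'

$TSEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment

# Properties declared in the [Settings] section of CustomSettings.ini
$Domain   = $TSEnv.Value('APPINSTALLDOMAIN')
$Account  = $TSEnv.Value('APPINSTALLACCOUNT')
$Password = $TSEnv.Value('APPINSTALLPASSWORD')

# Fail early with a clear message instead of writing an empty autologon entry
$Required = @{ APPINSTALLDOMAIN = $Domain; APPINSTALLACCOUNT = $Account; APPINSTALLPASSWORD = $Password }
foreach ($Pair in $Required.GetEnumerator()) {
    if ([string]::IsNullOrWhiteSpace($Pair.Value)) {
        throw "Task sequence variable $($Pair.Key) is empty; check CustomSettings.ini"
    }
}

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Winlogon reads these values at the next boot. DefaultPassword is stored in clear
# text and the Winlogon key is readable by ordinary local users, so the account
# should be dedicated to deployment and these values must be removed at the end
# of the task sequence.
Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon    -Value '1'       -Type String
Set-ItemProperty -Path $Winlogon -Name DefaultDomainName -Value $Domain   -Type String
Set-ItemProperty -Path $Winlogon -Name DefaultUserName   -Value $Account  -Type String
Set-ItemProperty -Path $Winlogon -Name DefaultPassword   -Value $Password -Type String

# A leftover AutoLogonCount would switch autologon off again after that many
# logons, which would stop the task sequence after one of the later reboots.
Remove-ItemProperty -Path $Winlogon -Name AutoLogonCount -ErrorAction SilentlyContinue

# Do not echo the password: MDT captures the command output into its logs.
Write-Output "Autologon configured for $Domain\$Account"
```

The script deliberately throws on a missing variable rather than continuing, so a typo in CustomSettings.ini fails the Install Application step instead of producing a machine that sits at the logon screen after the reboot.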

Image: The Configure – Set Autologon in Domain application added to the Deployment Workbench.

Edit the task sequence

After modifying the CustomSettings.ini file and creating the application in MDT, the only remaining step is to modify the task sequence. In this example I created a group named Prepare for running TS as different user and added the following actions:

Run Command Line
Name: Add Administrator001 user to local admin group
Command line: cscript.exe "%SCRIPTROOT%\ZTIGroups.wsf" /restore

Run Command Line
Name: Disable UAC temporarily
Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Install Application
Name: Configure – Set Autologon in Domain
Install a single application: Configure – Set Autologon in Domain

Restart Computer

Then, at the end of the task sequence, typically after the Apply Local GPO Package action, at which point there should be no more reboots, you enable UAC again by adding this action:

Run Command Line
Name: Enable UAC
Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
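The reg.exe command above turns UAC back on, but the autologon values written earlier stay in the registry, DefaultPassword in clear text among them, until something removes them. As an added example that is not part of the original post, the following PowerShell does both in one Run PowerShell Script action placed at the same point in the task sequence, and verifies the result so the step fails visibly instead of silently leaving the credential behind. It assumes you want to clear the values explicitly rather than rely on MDT's own end-of-deployment cleanup.

```powershell
# Added example (not from the post): re-enable UAC and remove the autologon
# credential at the end of the task sequence, after the last planned reboot.
$ErrorActionPreference = 'Stop'

$System   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Equivalent of: reg.exe ADD ...\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
# The change becomes effective after the next reboot (FinishAction=REBOOT).
Set-ItemProperty -Path $System -Name EnableLUA -Value 1 -Type DWord

# Turn autologon off and delete the stored credential. The account and domain
# names are removed too, so nothing about the deployment account is left behind.
Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon -Value '0' -Type String
foreach ($Name in 'DefaultPassword', 'DefaultUserName', 'DefaultDomainName', 'AutoLogonCount') {
    Remove-ItemProperty -Path $Winlogon -Name $Name -ErrorAction SilentlyContinue
}

# Verify, and fail the task sequence step (terminating error, non-zero exit)
# if UAC is still off or the password value survived.
$Lua = (Get-ItemProperty -Path $System -Name EnableLUA).EnableLUA
$Pw  = Get-ItemProperty -Path $Winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
if ($Lua -ne 1 -or $null -ne $Pw) {
    throw 'UAC was not re-enabled or the autologon password is still present'
}

Write-Output 'UAC re-enabled and autologon credential removed'
```

Keep this as the last action before the task sequence finishes: once AutoAdminLogon is 0 and DefaultPassword is gone, any further Restart Computer action would leave the machine waiting at the logon screen.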

That's it, now you have a task sequence that runs its last part as a different user 🙂

Image: The configured task sequence.
Image: Acrobat Reader DC being installed as the user Frank.

Written by Johan Arwidmark

17 Comments
Aaron Forsythe
5 months ago

I am on LTSC 21H2 and trying to implement this. It is currently failing at the 'Instruction name: Add Administrator001 user to local admin group' step with the following error:

<![LOG[Failed to run the action: Add Administrator001 user to local admin group.
Incorrect function. (Error: 00000001; Source: Windows)]LOG]!>

Is there a different way to do this now? My security team wants the OS to use a Domain account and not the local Administrator.

payam khosravi
11 months ago

Hello Johan,
Thanks for the post
In the command line, the \ is missing before ZTIGroups.wsf:
Run Command Line
Name: Add Administrator001 user to local admin group
Command line: cscript.exe "%SCRIPTROOT%ZTIGroups.wsf" /restore

Geoni
2 years ago

How do I run the MDT Task Sequence under a different local admin account that is already a part of my image?

ErikS
2 years ago

What would be the best way to swap back to the default built-in Administrator account when all done using the domain account? My main purpose for this is to have one last reboot and clean-up of the alternate profile (remove from local admins / delete locally cached profile) before wrapping up.

Liran
2 years ago

Never mind 🙂 the issue was with the USB label…

Buwa
2 years ago

Hi Johan, I tried to add this to our MDT/WDS environment and followed the same exact setup but I am running into an issue. After finishing the "Prepare for running TS as different user" steps, the domain account I set up won't auto-login after the restart. I will get the prompt "We can't sign you in with this credential because your domain isn't available." When I log in manually, the task sequence will continue. I noticed the network connection icon in the login screen is showing not connected even though the computer is already joined to the domain and the ethernet connection is…

gwenn
5 months ago

Is there also a variable for the PC name?

Florin
2 years ago

Hello, somewhat related to this post: what would be the best way to start the deployment from an MDT server with an admin account other than "Administrator"? So far the task sequence is deployed under the "Administrator" account and I have a script that contains a WMIC command (wmic useraccount where "name='Administrator'" rename SysAdmin, for example). The issue with this is that the user profile folder remains "Administrator"; it's not renamed to Sysadmin. I would like to avoid some extra steps (like logging in with another admin account, deleting the Administrator user profile and logging back in with the Sysadmin…

Malcolm Walker
2 years ago

Hey Johan, where is the script? I see it is greyed out on your website.
