Domain join account for apply network settings step in task sequence

Hi Guys,
Just want to confirm that the domain join account credentials are in clear text during the WinPE phase. I understand we can use a user account with just domain join access, but it is still a security breach for us. Is there an alternative? We are using SCCM 2012 R2. Thanks in advance.

Hi,
The article Task Sequence Steps in Configuration Manager shows that the Apply Network Settings task sequence step stores the specified values in the appropriate answer file format for use by Windows Setup when the Setup Windows and ConfigMgr task sequence step is run. The account credentials stored in the answer file are in plain text.
If you are still worried about this, you could create a custom answer file to join the domain. The article Configure Settings in an Answer File in Image Configuration Editor shows that the credentials are stored in plain text in the answer file.
Best Regards,
Joyce
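Added example, not part of the thread above: a PowerShell check a practitioner would run on a freshly deployed machine to confirm that no cached copy of the answer file still carries the join password in clear text. The file locations are the usual Windows Setup cache paths and are assumed here; add any custom unattend path your task sequence writes. `*SENSITIVE*DATA*DELETED*` is the placeholder Windows Setup writes into the cached copy once it has consumed the password, so anything else in that element is a finding.

```powershell
# Added example (not from the thread): audit cached answer files for a plain-text join password.
# Paths are the usual Windows Setup cache locations (assumed); extend the list for custom paths.
$candidatePaths = @(
    "$env:SystemRoot\Panther\unattend.xml",
    "$env:SystemRoot\Panther\Unattend\unattend.xml",
    "$env:SystemRoot\System32\Sysprep\unattend.xml",
    "$env:SystemDrive\unattend.xml"
)
$scrubbed = '*SENSITIVE*DATA*DELETED*'   # placeholder Windows Setup leaves behind after processing

function Find-PlainTextJoinCredential {
    param([string[]]$Path)
    foreach ($p in ($Path | Where-Object { Test-Path -LiteralPath $_ })) {
        [xml]$xml = Get-Content -LiteralPath $p -Raw
        $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
        # Microsoft-Windows-UnattendedJoin/Identification/Credentials is where the join account lives
        foreach ($cred in $xml.SelectNodes('//u:Identification/u:Credentials', $ns)) {
            $pw = ($cred.SelectSingleNode('u:Password', $ns)).InnerText
            [pscustomobject]@{
                File              = $p
                Domain            = ($cred.SelectSingleNode('u:Domain', $ns)).InnerText
                Username          = ($cred.SelectSingleNode('u:Username', $ns)).InnerText
                PlainTextPassword = (-not [string]::IsNullOrEmpty($pw)) -and ($pw -ne $scrubbed)
            }
        }
    }
}

# Any row with PlainTextPassword = True is a copy you need to delete (and rotate the account).
Find-PlainTextJoinCredential -Path $candidatePaths | Format-Table -AutoSize
```

Run it as a final task sequence step (or from your compliance tooling) rather than by hand; a positive result means the password has been on disk since imaging, so rotate the join account as well as deleting the file.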

Similar Messages

  • How to select domain OU for "Apply Network Settings" task sequence step, based on the ip address.

    We are finally getting ready to migrate from SCCM 2007 to 2012 R2.
    Our current setup has 5 site servers with five OSD setups with boot media and Windows 7 task sequences.
    I want to move all that to one site with a single OSD W7 task sequence.
    The current "apply network settings" step adds the workstation to one of five different OUs. The same with the "apply windows settings" step; we have five local admin passwords for five regions around the state.
    I thought I might run five versions of each step and add a condition to each one that would only run if the machine was on the right subnet, or the right boundary group, or maybe the right Active Directory site.
    Currently I'm creating five boundary groups that I hope to detect by running a PowerShell script, Get-CMBoundaryGroup. Then apply the results maybe as a task sequence variable in the task steps Options/Add Conditions.
    Anybody have a better approach or alternate plan?

    Are you integrated with MDT? If so, you can use customsettings.ini to put machines into specific OUs based on the DefaultGateway.
    See these links for ideas:
    https://scriptimus.wordpress.com/2011/05/10/mdt-2010-joining-a-domain/
    http://deploymentbunny.com/2012/04/21/back-to-basic-customsettings-ini-explained/
    Jeff

  • (OSD) : Apply Network Settings Step in SCCM2012R2 Task Sequence

    Have a specific question around the "Apply Network Settings" step. What is the exact timeout period for this step? Essentially, I have seen USB Ethernet dongles fail to allow systems to become joined to the domain, and it looks like it is related to the timing for enumeration. I want to specifically find out how long the Apply Network Settings step will attempt to run (so that a newly deployed OS can attempt to join the domain). Does anyone have this answer? Is there an option to extend the time the step runs?
    Thanks in advance

    I recently had some NIC driver issues and some devices failed to join the domain. These task sequences typically took 15 minutes longer to complete than successful task sequences. That would suggest that it gives up and fails that step after approx. 15 mins.
    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

  • Trying to use Variables with the Unknown Computer collection to prompt Task Sequence for Domain, Join Account, Join Password, and Join Location.

    I want to use SCCM 2012 R2 and OSD to boot a bare metal machine, install an OS, and bind it to Active Directory. The catch is that I want the deployment process in SCCM to prompt for the following pieces of information, and then use that information to bind the computer to Active Directory (without using MDT) instead of supplying the data in the task sequence.
    Computer Name
    Domain
    Domain OU
    Domain Join Account
    I am approaching this in a similar fashion as stated in this blog.
    http://osdblog.com/2013/06/26/add-a-prompt-for-a-computer-name-in-your-sccm-deployment/
    I have added the following collection variables to the unknown computers collection:
    When I launch the task sequence, I am prompted as I would expect. I input the desired information, the deployment completes, but it does not bind to the domain. Here is what my TS looks like. I intentionally disabled the Apply Network Settings step because it forces you to enter specific information if it is enabled. I don't want that, which is why I am trying to use the variables.
    My SMSTS log does not have a whole lot of meaningful data, but I can post it if someone wants to see it. The only possible thing I could think of would be drivers; there are some driver errors in the log. However, if I turn on the Apply Network Settings process in the task sequence and turn off the variables, the machines bind fine. With that in mind, I would not think my problem would be driver related. Anyone out there have expertise in using a process like this, that could assist?
    --Tony

    Awesome! Thanks. One more thing, how should I supply the OSDJoinPassword variable? Should I just enter %OSDJoinPassword% for Password and Confirm Password? I can not tell if it will actually read it as a variable or try to use "%OSDJoinPassword%" for the actual password.
    --Tony

  • Apply network settings join domain issues

    I created a default task sequence in CM 2012 R2. On Apply Network Settings there is the option to join the domain. If I select to join the domain, there is an account to set. I set the account and test the account (test button right there) and the test to AD succeeds.
    I then apply and close the task sequence. If you go back into the task sequence and check the account to join the domain, the password is now much longer than the original (only dots shown, of course) and if I click test, the test FAILS.
    I am not sure if that is the expected behavior or the root of my issue.
    My issue is my machines are failing to join the domain. Under Windows\Panther\UnattendGC, I see a log file with the error "failed to join domain, error code 5" (something like that). When I look up that error, I see it means access denied.
    Any ideas?

    The task sequence will never show the correct length of the password for security reasons, so that's the expected behavior.
    Could you share what permissions you've given that account?
    These are the permissions that I use:
    Scope: This Object and all descendant objects
    - Create Computer Objects
    - Delete Computer Objects
    Scope: Descendant Computer Objects
    - Read All Properties
    - Write All Properties
    - Read Permissions
    - Modify Permissions
    - Change Password
    - Reset Password
    - Validated write to DNS host name
    - Validated write to services principal name
    This will work for every kind of deployment scenario that you may have to use the account in.
    Regards,
    Nickolaj Andersen | www.scconfigmgr.com | @Nickolaja

  • Domain Join Account

    Sorry guys (and ladies), I have a really stupid question and I am hoping someone can help. I had provided my client with the minimum permissions for a Domain Join account to join a computer to a domain during an OSD and I am getting kickback from security
    on why the account needs Delete Computer Objects permissions. Can someone explain why, because I honestly do not know. Here are the permissions I provided them:
    Scope: This Object and all descendant objects
        Create Computer Objects
        Delete Computer Objects
    Scope: Descendant Computer Objects
        Read All Properties
        Write All Properties
        Read Permissions
        Modify Permissions
        Change Password
        Reset Password
        Validated write to DNS host name
        Validated write to services principal name
    Thanks in advance.

    Hi,
    Thanks for your posting.
    As you said, the following permissions are needed in the OU where your account "Join" should be able to create computer accounts:
    Scope: This Object and all descendant objects
        Create Computer Objects
        Delete Computer Objects
    Scope: Descendant Computer Objects
        Read All Properties
        Write All Properties
        Read Permissions
        Modify Permissions
        Change Password
        Reset Password
        Validated write to DNS host name
        Validated write to services principal name
    Please refer to the following articles:
    http://jonconwayuk.wordpress.com/2011/10/20/minimum-permissions-required-for-account-to-join-workstations-to-the-domain-during-deployment/
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/83962106-d634-4ea8-b782-3507cb76522d/adding-computers-to-ad-domain
    http://support.microsoft.com/kb/932455/en-us
    Hope this helps.
    Regards.
    Vivian Wang
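Added example, not code from either answer above: the permission list given by Nickolaj and repeated in this answer, applied to one OU as a PowerShell delegation script so the account that ends up in the answer file can do nothing outside that OU. It needs the ActiveDirectory RSAT module; the OU distinguished name and the account name are placeholders. The object and right GUIDs are looked up from the schema and Extended-Rights containers rather than hard-coded.

```powershell
# Added example (not from the thread): delegate exactly the listed rights to a dedicated
# join account on a single OU. OU DN and account name below are assumed placeholders.
Import-Module ActiveDirectory

$OuDn    = 'OU=Workstations,DC=corp,DC=example'   # assumed target OU
$Account = 'svc-osd-join'                          # assumed join account (sAMAccountName)

$sid     = (Get-ADUser -Identity $Account).SID
$rootDse = Get-ADRootDSE

# Resolve GUIDs from the directory instead of hard-coding them
$computerClass = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

function Get-ExtendedRightGuid([string]$DisplayName) {
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $right) { throw "Extended right '$DisplayName' not found" }
    [guid]$right.rightsGuid
}

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
function Rights([string]$Names) { [System.DirectoryServices.ActiveDirectoryRights]$Names }

$rules = @(
    # Scope: this object and all descendant objects - Create / Delete Computer Objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, (Rights 'CreateChild,DeleteChild'), $Allow, $computerClass, $All

    # Scope: descendant computer objects - Read/Write All Properties, Read/Modify Permissions
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, (Rights 'ReadProperty,WriteProperty,ReadControl,WriteDacl'), $Allow, $Desc, $computerClass
)
# Scope: descendant computer objects - Change Password / Reset Password (control access rights)
foreach ($name in 'Change Password', 'Reset Password') {
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, (Rights 'ExtendedRight'), $Allow, (Get-ExtendedRightGuid $name), $Desc, $computerClass
}
# Scope: descendant computer objects - the two validated writes (Self rights, not ExtendedRight)
foreach ($name in 'Validated write to DNS host name', 'Validated write to service principal name') {
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, (Rights 'Self'), $Allow, (Get-ExtendedRightGuid $name), $Desc, $computerClass
}

$acl = Get-Acl -Path "AD:\$OuDn"
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Show what was written so it can be reviewed against the list in the thread
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$Account" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Note that Delete Computer Objects is only needed when the task sequence must replace an existing computer object of the same name; if you can guarantee names are never reused, drop `DeleteChild` and the delegation becomes create-only.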

  • HT4259 When a Netgear N 300 wireless router is the base station for my network, what steps do I take to add AirPort Express 802.11n as a network extender?

    When a Netgear N 300 wireless router is the base station for my network, what steps do I take to add AirPort Express 802.11n as a network extender?

    You don't have to do anything to the Netgear; the Express cannot wirelessly extend non-Apple networks. You must plug the Express in by Ethernet and create a new wireless network. This can have the same name (SSID) and security as the Netgear so it can become a roaming network.

  • HT202233 If I made the mobile account for a network user, can this user unlock the FileVault2-disk?

    My Mac is connected to Microsoft Active Directory. Every time I should unlock the disk with the local admin, then log in as the network user.
    If I make a mobile account for a network user, can this user unlock the FileVault 2 disk?
    Thanks.

    Yes, but the FileVault password won't be updated automatically if the login password changes.

  • Combining multiple WMI Queries for Single Step in Task Sequence?

    Hi there,
    since I couldn't find an answer on Google I'm trying to find the information here:
    I would like to use multiple WMI queries in a single step in a task sequence.
    That means I want to query first if the computer is a laptop or not and then, if yes, if it is from the HP manufacturer.
    To find out if the machine is a laptop I use the following WMI query:
    Select * from Win32_Battery WHERE (Batterystatus <> 0)
    To find out if the machine is from manufacturer HP I use the following WMI query:
    Select * from Win32_ComputerSystem WHERE Manufacturer LIKE "%HP%"
    My question: is it possible to combine those 2 queries?
    Like IF this is a laptop AND IF it comes from HP, then install this type of software package?
    Thanks for your answers!

    Unfortunately this did not work.
    I try to install specific software for all HP laptops:
    but this software won't get installed on any HP laptop. Message according to the log file:
    "The task sequence execution engine skipped an action because the condition was evaluated to be false"
    If I remove one of the WMI queries, the installation works successfully.
    Can anyone point out what I might be doing wrong here?
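Added example, not from the thread: a WQL query cannot join Win32_Battery and Win32_ComputerSystem in one statement, so one workaround is to evaluate both classes in a short PowerShell step and publish the verdict as a task sequence variable that the install step then tests with a single "Task Sequence Variable" condition. The variable name `IsHPLaptop` is an assumed name; the two tests mirror the two queries quoted in the question.

```powershell
# Added example (not from the thread): combine the two WMI checks in a script and
# expose the result as a task sequence variable. IsHPLaptop is an assumed variable name.
function Test-HPLaptop {
    param(
        # Defaults pull from WMI; callers can pass values in to test the logic offline
        [string]$Manufacturer = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer,
        [object[]]$Batteries  = @(Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue)
    )
    # Same predicate as "Select * from Win32_Battery WHERE (BatteryStatus <> 0)"
    $isLaptop = @($Batteries | Where-Object { $_.BatteryStatus -ne 0 }).Count -gt 0
    # Same predicate as "Manufacturer LIKE '%HP%'"
    $isHP = $Manufacturer -like '*HP*'
    return ($isLaptop -and $isHP)
}

$verdict = Test-HPLaptop
try {
    # Only available inside a running task sequence
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
    $tsenv.Value('IsHPLaptop') = if ($verdict) { 'True' } else { 'False' }
}
catch {
    Write-Host "Not running in a task sequence; IsHPLaptop would be set to $verdict"
}
```

Run this as a Run PowerShell Script step before the install step, then give the install step the single condition `IsHPLaptop equals True`; the smsts.log line "skipped an action because the condition was evaluated to be false" then tells you exactly which combined verdict was reached.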

  • Problems setting a Yosemite domain name account for Send only

    What do I do in Yosemite Mail so that my DOT MAC account is IMAP, but  so that I can also send email from a domain account that is a POP account at GoDaddy?
    My Dot Mac / iCloud account is my primary Mail account. I also have a domain name account that I use only for sending mail. The domain name account is a POP account, not an IMAP account. The domain server (not an Apple server) forwards the email to my Dot Mac account as it comes in, but I do NOT sync mail or even pick up mail from the domain name server.
    With Yosemite, Apple apparently changed the way it deals with that situation. I say "apparently" because I'm having a hard time getting help on this. Before Yosemite, I had the domain account enabled, but while there was a password for sending there was no password for picking up the domain name mail. Every once in the while over the years that setup would get flaky (as Apple made changes on its end?) but usually it worked.
    I continued that setup with Yosemite, but a few months ago I started having problems. My mail worked as normally, but during the night or the morning, many messages would arrive as unread duplicates, and many emails I didn't want deleted were permanently deleted. Oddly, in addition, I had an easy time keeping the setup on my MacAir but I had a hard time keeping it on my Mac Mini, even though both have Yosemite.
    I took my MacAir to an Apple genius who said the settings had changed in Yosemite. He somehow reset the account for Send Only by clicking a box. Everything worked fine for a week or so,* But then I could no longer send domain name mail, I couldn't find the setting, and I went to another Genius, who didn't know what I was talking about and who couldn't solve the problem.
    I need to be able to send my domain name account without making it an IMAP account, but can't figure out how.
    thanks
    * In other words, the Dot Mac IMAP worked correctly, the POP messages forwarded correctly to DOT MAC (without any duplication problems), and I was able to send mail from the domain account.

    I've not tested it, but if you simply leave the incoming mail server field in the Mail account preferences blank for that account, set up the outgoing server, and do not check "include when automatically checking new mail", you should be able to send but not receive,
    OR undo the forward that you have set up from #2 to #1 and use both normally
    LN

  • MDT 2013 Windows 8.1 Deployment Starts Prompting For Administrator Login In Middle Of Task Sequence

    I have an 8.1 deployment task sequence that automatically logs into the administrator account until about half way through the deployment.
    It actually looks like it logs in for a second and then dumps back out to the login prompt.
    After this reboot, the problem starts.  When I log in manually, I see it is at the installing the Java application step.  What could cause this?

    Yes, it's possible that the scripts to boot to desktop or the script to remove apps are causing this, but other people use these settings in deployments and didn't mention this as a side effect.
    This reg file is supposed to set the Start Menu background to match the desktop wallpaper and set IE to use desktop version, but does not seem to work.
    regedit.exe /s 81settings.reg
    Windows Registry Editor Version 5.00
    [HKEY_USERS\CUSTOM\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent]
    "MotionAccentId_v1.00"=dword:000000db
    [HKEY_USERS\CUSTOM\Software\Policies\Microsoft\Windows\EdgeUI]
    "DisableHelpSticker"=dword:00000001
    [HKEY_USERS\CUSTOM\Software\Microsoft\Internet Explorer\Main]
    "ApplicationTileImmersiveActivation"=dword:00000000
    "AssociationActivationMode"=dword:00000002
    ================================================
    powershell.exe -Command "set-ExecutionPolicy Unrestricted -Force; cpi '%DEPLOYROOT%\Applications\Remove Windows 8.1 Modern Applications\RemoveWindows8Apps.ps1' -destination c:\; c:\RemoveWindows8Apps.ps1; ri c:\*.ps1 -Force; set-ExecutionPolicy Restricted -Force"
    <#
        Purpose:    Remove built in apps specified in list
        Pre-Reqs:   Windows 8.1
    #>
    # Main Routine
    # Get log path. Will log to Task Sequence log folder if the script is running in a Task Sequence
    # Otherwise log to \windows\temp
    try {
        $tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
        $logPath = $tsenv.Value("LogPath")
    }
    catch {
        Write-Host "This script is not running in a task sequence"
        $logPath = $env:windir + "\temp"
    }
    $logFile = "$logPath\$($myInvocation.MyCommand).log"
    # Start logging
    Start-Transcript $logFile
    Write-Host "Logging to $logFile"
    # List of Applications that will be removed
    $AppsList = "microsoft.windowscommunicationsapps","Microsoft.BingFinance","Microsoft.BingMaps",`
    "Microsoft.BingWeather","Microsoft.ZuneVideo","Microsoft.ZuneMusic","Microsoft.Media.PlayReadyClient.2",`
    "Microsoft.XboxLIVEGames","Microsoft.HelpAndTips","Microsoft.BingSports",`
    "Microsoft.BingNews","Microsoft.BingFoodAndDrink","Microsoft.BingTravel","Microsoft.WindowsReadingList",`
    "Microsoft.BingHealthAndFitness","Microsoft.WindowsAlarms","Microsoft.Reader","Microsoft.WindowsCalculator",`
    "Microsoft.WindowsScan","Microsoft.WindowsSoundRecorder","Microsoft.SkypeApp"
    ForEach ($App in $AppsList) {
        # Remove the installed package for the current user (may be more than one per name)
        $Packages = Get-AppxPackage | Where-Object {$_.Name -eq $App}
        if ($Packages -ne $null) {
            Write-Host "Removing Appx Package: $App"
            foreach ($Package in $Packages) {
                Remove-AppxPackage -package $Package.PackageFullName
            }
        }
        else {
            Write-Host "Unable to find package: $App"
        }
        # Remove the provisioned package so new user profiles do not get it back
        $ProvisionedPackage = Get-AppxProvisionedPackage -online | Where-Object {$_.displayName -eq $App}
        if ($ProvisionedPackage -ne $null) {
            Write-Host "Removing Appx Provisioned Package: $App"
            remove-AppxProvisionedPackage -online -packagename $ProvisionedPackage.PackageName
        }
        else {
            Write-Host "Unable to find provisioned package: $App"
        }
    }
    # Stop logging
    Stop-Transcript
    ====================================================
    Install java and turn off updates.
    Start /wait jre-8u25-windows-i586.exe INSTALL_SILENT=1 STATIC=0 AUTO_UPDATE=0 WEB_JAVA=1 WEB_JAVA_SECURITY_LEVEL=H WEB_ANALYTICS=0 EULA=0 REBOOT=0
    regedit.exe /s disableupdate.reg
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy]
    "EnableJavaUpdate"=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy]
    "EnableJavaUpdate"=dword:00000000

  • What's the best way to apply Office updates during an OSD task sequence with the Software Update Agent disabled?

    I am trying to update Office via the SCCM 2012 R2 OSD task sequence. I know offline updating only updates the core components in the WIM and I'm trying to figure out how to add Office updates as well. I am aware of using PowerShell to try and kick off a WU scan as seen here:
    http://myitforum.com/myitforumwp/2012/01/24/use-powershell-commands-to-assist-with-patching-during-sccm-image-build/
    But the kicker is we don't use SCCM to update the workstations (solo WSUS install). Is there a way to do this (maybe set the client in the TS to switch on SUP, then off again when it goes off into production) rather than have to build a new image every month?

    You could use the ZTI_WindowsUpdates.wsf script from MDT.
    http://scriptimus.wordpress.com/2012/03/22/mdt-2012-automating-updates-in-lite-touch-deployments/
    How does it work?
    The task sequence steps run a script called ZTIWindowsUpdate.wsf. The script uses the
    Windows Update Agent API to manage the downloading and installation of updates. All audit information is written to the
    ZTIWindowsUpdate.log file. If you find any unusual error codes in your log returned from the API (although I never have)  you can compare the codes
    here. The script will also check and update the
    Windows Update Agent(WUA) as needed at the start.
    In its default state, the ZTIWindowsUpdate.wsf script will connect to Microsoft Update then search for and download all available updates including Security Patches, Drivers, Browser Updates and Service Packs. This is essentially the same
    as opening the GUI and selecting check for updates.
    Daniel Ratliff | http://www.PotentEngineer.com

  • Drivers for different Operating Systems in one Task Sequence

    Hi,
    I would like to implement a solution for our deployment process. We are using UDI Wizard, and in this moment in time we are deploying only Windows 7 x64 and Windows 8.1 x64.
    Here is how it looks in UDI:
    Drivers for our HP laptops are setup and working with Windows 7 x64, but when I choose Windows 8.1 x64 from my dropdown menu in UDI, during the deployment process I get the driver package that is made for Windows 7 x64 version.
    What am I missing here? Of course I added all of these conditions to see if it works because I am testing it right now:
    If possible we would like to use the same TS for both OS (and in the future Windows 10).
    Thanks,

    Hi Jason,
    thanks for your reply. As I tried to explain above, I just added many conditions to see if it would work, random throwing of everything, nothing more. Well it didnt.
    It worked like this:
    1. First you configure the operating systems in the UDI wizard; then their name is what counts.
    2. Then you implement the OS into the UDI task sequence, and for that to work you also use the OSDImageName variable.
    For example, for Windows 7 x64 Enterprise you Add condition -> TS variable -> OSDImageName equals "Windows 7 x64 Enterprise"; I got that name from the UDI wizard. For Windows 8 x64 the same, just make another step including Install Operating System Windows 8 and change the variable according to the name.
    3. Then create install driver steps for both of the different OSs and also add the condition like below:
    You have to specify both conditions in order for it to work, otherwise it will install both driver packages.
    Thanks,

  • As step in Task Sequence : Deleting all existing partitions on harddrive before partitioning, is it possible? Thoughts appreciated

    Everyone,
    I have just received a load of 100+ computers off corporate lease for the school district I manage, and while imaging them in SCCM I've noticed that of those 100 computers about 7 or 8 have failed during the task sequence. Just on a guess, I tried booting up off a Windows 7 disk and physically deleting all partitions and THEN running the task sequence; it fixes the issue and the task sequence completes without any problems (there's only been one main partition and one system reserved partition).
    My question to you all: I want ALL computers that run my task sequences to completely wipe ALL partitions, and then go forward with the standard partitioning step that's in the task sequence (step name Partition Disk 0 - BIOS, where it sets up a 350 MB system reserved partition and then a 100% remaining space NTFS Windows primary partition).
    Can someone point me in the right direction? I feel this is a simple process to add to my task sequence, but I wanted to confirm with some of you who might be able to ease my anxiety a bit first.
    Thanks so much!

    As above, you could even use a prestart command to achieve this before displaying the task sequence; however, I'd be VERY careful about doing so, as you could end up wiping out a whole estate of computers without intending to if you deploy it to the wrong collection or wrong query. Far better to keep the logic in the task sequence as a scripted diskpart step (or two).
    You can download a diskpart script and view the associated step in the following task sequence.
    Step by Step Configuration Manager Guides > 2012 Guides | 2007 Guides | I'm on Twitter > ncbrady

  • Install application step on task sequence - application does not appear in the application list

    Hi,
    I am trying to create a build and capture task sequence and add some application installation steps in the process.
    On the Install the following applications step, when I click the star to choose which applications I want to install, the Office 2010 application is not listed there, even though it is available in the software library and I've been installing it successfully from the application catalog.
    I tried changing the setting "Allow this application to be installed from the Install Application task sequence action instead of deploying it manually", but it had no effect.

    See http://technet.microsoft.com/en-us/library/hh846237.aspx:
    The applications that are installed must meet the following criteria:
    It must run under the local system account and not the user account.
    It must not interact with the desktop. The program must run silently or in an unattended mode.
    It must not initiate a restart on its own
    Torsten Meringer | http://www.mssccmfaq.de
