MDT 2010: Network Share Credentials

When performing Lite-Touch Deployments MDT will need to connect to shares for various purposes. For example, to access a deployment share, backup share or a user state migration share. Naturally, this process will require credentials. The account can be either a domain or local account. Below is an example on how to automate this:


To start your Lite-Touch deployments automatically, enter the credentials in the bootstrap.ini file. This will automate the initial deployment share login.

To automate login to the backup share or user state migration shares during deployments, enter the credentials in the  customsetting.ini file.

In a workgroup environment you would use a local account, like in this example:


In this workgroup scenario UserDomain can be omitted.

Remember, if you use the bootstrap.ini setting these credentials are stored in clear text format of every LiteTouchPE_x86.wim. Also, if you use the customsettings.ini settings, the credentials are visible in the deployment share, so just be aware of the security risk. I would try to work around the principle of least privilege.

For a successful deployment the service account will only need to access the user shares and in some cases to join machines to the domain. The account can be restricted in AD to only log on to the specific deployment server.


About Andrew Barnes

A Scripting and Deployment Specialist.
This entry was posted in Deployment, MDT 2010 and tagged , , , , , , , . Bookmark the permalink.

7 Responses to MDT 2010: Network Share Credentials

  1. Miguel says:

    Hi Andrew,
    I like your posts, simple and straight to the point.
    I was wondering if you can help me with the last part of your article:
    “For a successful deployment the service account will only need to access the user shares and in some cases to join machines to the domain. The account can be restricted in AD to only log on to the specific deployment server”

    So I created and account with full access to my Deployment share and then I restricted its account to log on only to the deployment server.. which seemed fine but it only gives me a connection issue when booting into winpe. It tells me ‘Invalid Credentials’.. so I narrowed the problem to this:
    when I see the error window, I get into the command prompt and type manually the ‘net use’ command to map the deployment share… but I get and error saying ‘This account is restricted to log on to this machine’ or something similar.. which makes sense since that computer is not my deployment server..
    My question is, have you seen this issue? I wonder if I have to remove the ‘log onto..’ restriction.. but as you mentioned, it would be best practice to avoid any security risks..

    any advice will be much appreciate it,


  2. John says:

    Its probably worth mentioning that some features of MDT dont work properly if you dont specify a value for userDomain

    Also that the UserPassword value gets stored unencrypted in a file called variables.dat … base64 encoded is really no encryption at all.


  3. Rufus says:


    When I try to add applications in MDT 2010 I get error “the specified destination path already exists and cannot be used for importing”. It allowed me to import only one application. I remember seeing this error a long time ago, but I can’t remember what I did to resolve this issue. Any help is greatly appreciated. Thanks.


  4. Mirek Zeman says:

    Hi, If I have an appication for instalation on NAS device and in MDT > application section I put an link to script which runs the silent install of the application it finish with error the the app was not installed.
    I think that the problem is creadentials but I putt all creadential to Bootstrap.ini and CustomSettings.ini , so what is the issue ?

    Thanks for help.
    I got an MDT 2012 + WDS


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s