When performing Lite-Touch Deployments, MDT will need to connect to shares for various purposes, for example to access a deployment share, a backup share or a user state migration share. Naturally, this process requires credentials. The account can be either a domain or a local account. Below is an example of how to automate this:
UserDomain=scriptimus.local
UserID=ScriptimusPrime
UserPassword=V3ry_H4rd_p4$$w0rd
To start your Lite-Touch deployments automatically, enter the credentials in the bootstrap.ini file. This will automate the initial deployment share login.
To automate login to the backup share or user state migration shares during deployments, enter the credentials in the customsettings.ini file.
In a workgroup environment you would use a local account, like in this example:
UserID=PC01\ScriptimusPrime
UserPassword=V3ry_H4rd_p4$$w0rd
In this workgroup scenario UserDomain can be omitted.
Remember, if you use the bootstrap.ini setting, these credentials are stored in clear text in every LiteTouchPE_x86.wim. Also, if you use the customsettings.ini settings, the credentials are visible in the deployment share, so be aware of the security risk. I would try to apply the principle of least privilege.
For a successful deployment the service account will only need to access the user shares and in some cases to join machines to the domain. The account can be restricted in AD to only log on to the specific deployment server.
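As an added example (not from the original post), the following PowerShell audit script reports which of the two INI files carry the credential keys described above and checks the deployment account's scope in AD. The share path and server name are placeholders, and the script assumes the ActiveDirectory module (RSAT) is installed on the machine running it.

```powershell
# Added example, not from the original post: audit an MDT deployment share for the
# credential settings discussed above and check the service account's scope in AD.
# Placeholders: the UNC path and the 'MDT-Deploy01' server name are assumptions.
param(
    [string]$DeploymentShare = '\\MDT-Deploy01\DeploymentShare$',   # placeholder
    [string]$ServiceAccount  = 'ScriptimusPrime'                    # the article's example account
)

# 1. Where are credentials stored? Bootstrap.ini is copied into every LiteTouchPE .wim,
#    CustomSettings.ini stays on the share; both hold UserPassword in clear text.
$iniFiles = @('Control\Bootstrap.ini', 'Control\CustomSettings.ini')
foreach ($rel in $iniFiles) {
    $path = Join-Path $DeploymentShare $rel
    if (-not (Test-Path $path)) { Write-Warning "$path not found"; continue }
    $section = ''
    foreach ($line in Get-Content $path) {
        if ($line -match '^\s*\[(?<name>[^\]]+)\]') { $section = $Matches.name; continue }
        if ($line -match '^\s*(?<key>UserDomain|UserID|UserPassword)\s*=\s*(?<val>.*)$') {
            # Never echo the password itself into a report or log.
            $shown = if ($Matches.key -eq 'UserPassword') { '<redacted>' } else { $Matches.val }
            '{0,-26} [{1}] {2}={3}' -f $rel, $section, $Matches.key, $shown
        }
    }
}

# 2. Least privilege: the account should not sit in a privileged group, and its
#    LogonWorkstations ('Log On To...') list should name only the computers the logon
#    actually comes from. A list holding only the deployment server rejects logons from
#    WinPE clients (the 'restricted to log on to this machine' error seen in the comments).
Import-Module ActiveDirectory
$user = Get-ADUser $ServiceAccount -Properties MemberOf, LogonWorkstations
$privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators')
$groups = $user.MemberOf | ForEach-Object { (Get-ADGroup $_).Name }
foreach ($g in $groups) {
    if ($privileged -contains $g) { Write-Warning "$ServiceAccount is a member of $g" }
}
$logonTo = if ($user.LogonWorkstations) { $user.LogonWorkstations } else { '(unrestricted)' }
'LogonWorkstations: {0}' -f $logonTo
```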
Hi Andrew,
I like your posts, simple and straight to the point.
I was wondering if you can help me with the last part of your article:
“For a successful deployment the service account will only need to access the user shares and in some cases to join machines to the domain. The account can be restricted in AD to only log on to the specific deployment server”
So I created an account with full access to my Deployment share and then I restricted the account to log on only to the deployment server, which seemed fine, but it only gives me a connection issue when booting into WinPE. It tells me ‘Invalid Credentials’, so I narrowed the problem down to this:
When I see the error window, I get into the command prompt and manually type the ‘net use’ command to map the deployment share, but I get an error saying ‘This account is restricted to log on to this machine’ or something similar, which makes sense since that computer is not my deployment server.
My question is, have you seen this issue? I wonder if I have to remove the ‘log on to..’ restriction, but as you mentioned, it would be best practice to avoid any security risks.
Any advice will be much appreciated,
Thanks,
It's probably worth mentioning that some features of MDT don't work properly if you don't specify a value for UserDomain.
Also, the UserPassword value gets stored unencrypted in a file called variables.dat … base64 encoding is really no encryption at all.
Greetings,
When I try to add applications in MDT 2010 I get error “the specified destination path already exists and cannot be used for importing”. It allowed me to import only one application. I remember seeing this error a long time ago, but I can’t remember what I did to resolve this issue. Any help is greatly appreciated. Thanks.
I would look under the Applications folder in the deployment share. This would hold the folder of the name you are trying to use.
Hi, if I have an application for installation on a NAS device and in MDT > Applications I put a link to a script which runs the silent install of the application, it finishes with an error that the app was not installed.
I think that the problem is credentials, but I put all credentials into Bootstrap.ini and CustomSettings.ini, so what is the issue?
Thanks for help.
I have MDT 2012 + WDS.
I’m not sure without seeing the logs etc. Post a topic in the MDT forum and I’ll take a look there.
Hi,
Now it works, the problem is in the NAS. I had to change the registry in lanman so that the PC does not require signed communication.
R,
M.