Need urgent help on joining a domain automatically after installation
-
Hello,
I need to verify a few things because I need them in a project I need to submit to a commission for a job training.
I want to sysprep a Win10 Pro image and distribute it so that it automatically joins a domain. I never managed to make it work. It should work like:
#1 Sysprep a generalised image with software preinstalled
(With / Without having joined domain?)
#2 Worker enters his credentials in the FOG Network Boot
#3 Image gets downloaded and installed with his personal domain credentials
Can I do that?
Please explain it if so, because I wasn’t able to make it work and I really need this feature for my paper to submit. -
@Piplup What exactly have you tried so far? What errors did you run into? What does your configuration XML look like? Which version of FOG do you use?
-
Deleted my post because of missing information.
Will update later today. -
@Piplup There is no need to delete the post. Just update as much information as you can.
-
@Sebastian-Roth
Update: what my plan was -
1. I want to distribute prepared / generalized (with software like Firefox preinstalled) Windows 10 images that,
2. depending on the user logging into the FOG PXE environment, will be logged into their Windows 10 AD accounts after installation, respectively.
3. (optionally) Possible administration through the FOG Smart Application, like shutting off PCs or changing screen resolution, but I’m not that far.
The existing domain is based on SAMBA 4, so it runs on Windows Server 2008 R2.
There is an option in FOG to map FOG user accounts to AD domain credentials, so I wanted to use this for the commission project.
What I did / achieved so far:
I distributed these images with preinstalled software with no problem (#1),
but I wasn’t able to make the domain join work. I put the correct credentials for a domain user and mapped it to a FOG user account. Then I distributed the generalized image, and the software preinstall worked, however the automatic domain join did not.
The XML in question is the unattend XML file, right?
I left it mostly generic, because I expected FOG to fill in the credentials for each domain user that has been mapped to a FOG user account.
Used:
FOG 1.5.7
Debian 10 LTS / Dnsmasq for DHCP proxy
Win 10 Pro
The main question here is:
Is what I’m trying to do possible here? If so, what am I missing?
Because “just” image distribution is too thin to pass training with this project, I believe.
I am new here and barely know anything about the features possible with FOG, but I’m trying my best. -
@Piplup In theory this is possible with the exception of the fog admin setting the default user on the windows side.
You will need to be a bit creative with the unattend.xml script, but you can automate quite a bit using a FOG post install script.
I have some examples of post install scripts here. https://forums.fogproject.org/topic/7740/the-magical-mystical-fog-post-download-script/15 specifically look at part three in the tutorial.
Via the unattend.xml file you can add users to the target computer, connect it to the domain in different OUs (I calculate my target OU at the time the OS is deployed based on the image name and physical location the target computer is at when its deployed). You can also set the keyboard and geographic locations via the unattend.xml file. So you are not limited to what the FOG Client can do, but to what you can preset in the unattend.xml file.
-
Thank you, but Christ, that’s a lot.
I saw a rough “workaround” that could work instead.
(I don’t want to come off as lazy, but I literally started with Linux and this job training this year, I still only understand half the things I read here.)
I’d create an InstallUser for the AD with limited rights, which will be automatically joined to the domain via a fixed entry in the “unattend.xml”. (?) Software will already come preinstalled with the image. From there on, the user manually signs out and signs in with his given AD credentials.
“(?)” because I never actually saw this option. I just read it’s supposed to be possible. I’ll try testing again tomorrow. But with my limited time right now, that’s all I can do.
More importantly, what’s your opinion on this?
Edit: I just realized - doesn’t an Active Directory domain join require Administrator privileges on the Domain Controller in the first place? Wouldn’t I just create a security vulnerability…? If you have experience in this, please share your advice.
-
@Piplup said in Need urgent help on joining a domain automatically after installation:
Thank you, but Christ, that’s a lot.
It’s not bad if you build it up: start with the basics and add on.
I’d create an InstallUser for the AD with limited rights, which will be automatically joined to the domain via a fixed entry in the “unattend.xml”. (?) Software will already come preinstalled with the image. From there on, the user manually signs out and signs in with his given AD credentials.
Yes, that is how we do it. Here is a sanitized version of our unattend.xml: https://forums.fogproject.org/post/87392 The point of the tutorial link I provided before was to show you that if you have text in your unattend.xml file, you can “tweak” it at deploy time. It’s really NOT that hard. The bit I didn’t show you was the complete working model: https://forums.fogproject.org/topic/11126/using-fog-postinstall-scripts-for-windows-driver-injection-2017-ed This is the full working postinstall script; it does more than what you need at the moment. The script you are interested in is fog.updateunattend
Doesn’t an Active Directory domain join require Administrator privileges on the Domain Controller in the first place? Wouldn’t I just create a security vulnerability…? If you have experience in this, please share your advice.
Yes and no. Yes, you need an elevated account, but you can restrict that account to only adding computers to the OU. It’s been a while since I set that up, but I know that with advanced ACLs you can restrict that account to only the task at hand. Also, if you use the WAIK toolkit you can encrypt the password in the unattend.xml file so it can’t be hacked easily. Lastly, in your setupcomplete.cmd batch file, you will have it nuke any unattend.xml file or any other setup files that are used during OOBE/WinSetup.
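The mechanism the replies describe (a FOG post-install script that fills in the domain-join section of a generalized image's unattend.xml at deploy time, picks the OU from the image name, and leaves the join to a restricted account) as an added shell example. This is not the forum's fog.updateunattend script or the sanitized unattend.xml linked above. It assumes a placeholder domain example.lan, a hypothetical join account joinsvc, a constructed image-name-to-OU mapping, and that the image name arrives in $img the way FOG post-install scripts receive it; the Windows partition is assumed to be mounted already.

```shell
#!/bin/sh
# Added example (not FOG's own fog.updateunattend): fill the UnattendedJoin
# section of a sysprepped image's unattend.xml at deploy time.

# Write a small unattend.xml fragment (constructed for this example) with
# placeholders where the post-install script fills in deploy-time values.
make_sample_unattend() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <Identification>
        <Credentials>
          <Domain>PLACEHOLDER_DOMAIN</Domain>
          <Password>PLACEHOLDER_PASSWORD</Password>
          <Username>PLACEHOLDER_USER</Username>
        </Credentials>
        <JoinDomain>PLACEHOLDER_DOMAIN</JoinDomain>
        <MachineObjectOU>PLACEHOLDER_OU</MachineObjectOU>
      </Identification>
    </component>
  </settings>
</unattend>
EOF
}

# Map the FOG image name to the OU the computer object should land in
# (constructed mapping with a placeholder domain; the thread describes
# deriving the OU from image name and location at deploy time).
ou_for_image() {
    case "$1" in
        Win10-Lab*)    echo "OU=Lab Workstations,DC=example,DC=lan" ;;
        Win10-Office*) echo "OU=Office Workstations,DC=example,DC=lan" ;;
        *)             echo "OU=Staging,DC=example,DC=lan" ;;
    esac
}

# Escape a value for the right-hand side of an s|||g command so that a
# password containing &, | or \ does not corrupt the XML.
sed_escape() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# Replace the placeholders in one pass. The join account should be a
# dedicated account delegated only the right to create computer objects in
# the target OU, and SetupComplete.cmd is expected to delete the filled-in
# file afterwards, because the password ends up in it.
update_unattend() {
    local file="$1" domain="$2" user="$3" password="$4" ou="$5"
    sed -e "s|PLACEHOLDER_DOMAIN|$(sed_escape "$domain")|g" \
        -e "s|PLACEHOLDER_USER|$(sed_escape "$user")|g" \
        -e "s|PLACEHOLDER_PASSWORD|$(sed_escape "$password")|g" \
        -e "s|PLACEHOLDER_OU|$(sed_escape "$ou")|g" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Check before leaving the file on the image: succeeds only if no
# placeholder survived the rewrite (a leftover one means setup would try to
# join a domain that does not exist).
unattend_is_complete() {
    ! grep -q 'PLACEHOLDER_' "$1"
}

# Demonstration run: what a post-install script would do with $img set by
# FOG (assumed variable name) and the join password supplied by the admin.
img="${img:-Win10-Lab-Firefox}"
demo_file="$(mktemp)"
make_sample_unattend "$demo_file"
update_unattend "$demo_file" "example.lan" "joinsvc" \
    "${JOIN_PASSWORD:-change-me}" "$(ou_for_image "$img")"
unattend_is_complete "$demo_file" && cat "$demo_file"
rm -f "$demo_file"
```

On a real deployment the path passed to update_unattend would be the unattend.xml inside the mounted Windows partition, and the image name to OU mapping would be extended per site; the escaping helper matters because sed otherwise interprets & and the delimiter in the password.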