Possible to Use Snapin Post Image to Join Domain?
Client: Windows 7 Pro x64 based image.
Note: Installing the FOG client on hosts isn’t going to be an option for me unfortunately.
I currently have an image I use across identical machines (Dell Precision 3620s) that is Windows 7 with drivers, updates and some programs installed. I then take it off the domain (and delete the AD user from the machine) and sysprep it oobe/shutdown (sysprep fails with it domain joined; leaving the domain was the only solution I found). After sysprep/shutdown I capture the image.
My unattend file really doesn't do anything. It only serves to allow sysprep to do what it needs. I pass a generic CD key (official MS install key, which doesn't activate), give it a local user named ‘Temp’ and provide it a password for said local account.
My typical process when deploying the image is to change the machine name, domain join (I set up an AD account just for this), reboot, delete the temp local account, delete the unattend file, run gpupdate /force and log out/in (or reboot) and then activate Windows with a valid key. I do this all manually as of now.
I am just starting to look at various forms of automation (previously I just wanted to confirm the manual basics worked before trying to automate). I am wondering if it's feasible to use a Snapin for this purpose?
Could I do a .bat file as a snapin to have it run the batch file on first boot to take care of the manual steps I mentioned? I am unclear if Snapins are meant to be run multiple times on a machine or are one-time use like I need.
I have been reviewing documentation but most examples appear to be for installing programs, so not exactly an apples-to-apples comparison. Any input would be great. Thanks
@quinniedid which is what I guessed.
@Szeraax I appreciate you pointing that out. Normally this would be a concern but what we have found is when you install Windows 10 on new hardware, even if the hardware is the same, Windows 10 will go into a "getting your PC ready" setup. EDIT (CORRECTION): When configuring the image we will not activate Windows with its key but continue to use the generic key that is associated with Windows 10 for our golden image. We also utilize MAK keys, which is not a concern for us in that regard.
@quinniedid Dunno if you typically mention, but you should probably note that this is against the MS EULA for imaging. Some sectors care about that.
Our process is we have a domain account already setup on the “golden” image. All we do to prepare the OS for being imaged is simply remove it from the domain and pull the image.
My process is basically this. However my machines need some coaxing to pull gpupdate right away; idk why, it's just how it is.
I am aware of being able to log in locally with computer\username, but thank you for offering the info as well.
I've got the FOG client set up now and it is joining the domain, changing the host name and activating Windows. I have created a batch file snapin that deletes the local account and does gpupdate /force then reboots.
However, since it's logged in on the local account when deleting the account, it does leave a small remnant behind. I have confirmed the same batch file properly clears out the local user when using a domain account instead.
So the domain user I set up and have in FOG to join the domain with doesn't actually get logged into, it's just used as the account to join the machine to the domain. Any way to get FOG to log in to the domain account instead of using the local account?
I am now researching adding the login as part of my snapin but wondering if I'm missing something more simple than this. Thanks
@Zer0Cool Our process is we have a domain account already set up on the “golden” image. All we do to prepare the OS for being imaged is simply remove it from the domain and pull the image. It is actually really nice this way. When the PC is joined back to the domain on whatever PC it gets put on, all of the user settings and customization are still in place for that domain user. We have a local administrator account that we set up so that we can always log in to the PC regardless.
Also, when you join a computer to the domain it will automatically perform a gpupdate. In fact this happens every time a PC is restarted. Also, unless you have a GPO that blocks you from being able to log in to a local account, you can always log in even after being joined to the domain. You can do this with either
Looking like my issues with FOG client and domain join may be due to the computer being registered to the domain already and/or with a different AD account. When I tried manually I got an error message that seemed to indicate this.
I am going to remove the machine from AD server side, reboot and see if it can join then.
EDIT: it now joined the domain; looks like a Windows issue in which it can't join (or re-join) the domain using the same host name but a different AD account (initially).
I removed the machine entry from AD and rebooted the machine, FOG client asked for a reboot and it had joined the domain.
Oddly enough, logged into local account but domain joined, I was anticipating it either logging into or prompting to log into the domain account.
In any case I logged off local user and logged into domain user and all is good it seems.
I may be able to then use FOG client to change machine host name, activate Windows and join domain pretty easily and then maybe use a snapin to delete local user, clear out the unattend file and run gpupdate /force.
I guess if I really had to, I could also remove FOG client after the staging process is complete but I may be able to keep it on systems after all.
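One way to script the one-time cleanup described in these posts (delete the Temp account without leaving a loaded profile behind, remove the cached unattend.xml, gpupdate /force, reboot). This is an added example, not code from the thread or the FOG project; it assumes the FOG client has already handled the hostname, domain join and activation and runs the snapin as LocalSystem, that the local account is named Temp as in the thread, and that the log path is a placeholder of my choosing (the Winlogon key and the Panther/Sysprep paths are the standard Windows locations).

```powershell
# Added example (not from the thread or the FOG project): post-deployment
# cleanup snapin. Assumes the FOG client has already renamed the host, joined
# the domain and activated Windows, and runs this script as LocalSystem.
$TempUser    = 'Temp'   # local account named in the thread
$Log         = "$env:windir\Temp\post-deploy-cleanup.log"   # placeholder path
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Locations where Windows caches the sysprep answer file; it holds the Temp
# account password (and the domain-join credentials, if used) in clear text.
$AnswerFiles = "$env:windir\Panther\unattend.xml",
               "$env:windir\Panther\Unattend\unattend.xml",
               "$env:windir\System32\Sysprep\unattend.xml"

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Log -Append
}

# 1. Deleting an account whose profile is still loaded is what leaves the
#    remnants described above, so log off Temp's autologon session first.
foreach ($line in (quser 2>$null)) {
    if ($line -match "^[\s>]*$TempUser\s+(?:\S+\s+)?(\d+)\s") {
        $SessionId = $Matches[1]
        Write-Log "Logging off $TempUser session $SessionId"
        logoff $SessionId
        Start-Sleep -Seconds 15
    }
}

# 2. Stop Winlogon from logging Temp back in and drop its stored password.
Set-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon -Value '0'
Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword -ErrorAction SilentlyContinue

# 3. Remove the profile (registry entry and folder) before deleting the account;
#    Win32_UserProfile also works on Windows 7's PowerShell 2.0.
$Sid = (New-Object System.Security.Principal.NTAccount($TempUser)).Translate([System.Security.Principal.SecurityIdentifier]).Value
Get-WmiObject Win32_UserProfile | Where-Object { $_.SID -eq $Sid -and -not $_.Loaded } |
    ForEach-Object { $_.Delete(); Write-Log "Removed profile $($_.LocalPath)" }
net user $TempUser /delete | Out-Null
Write-Log "Deleted local account $TempUser"

# 4. Purge the cached answer files so the passwords in them do not stay on disk.
foreach ($f in $AnswerFiles) {
    if (Test-Path $f) { Remove-Item $f -Force; Write-Log "Removed $f" }
}

# 5. Refresh computer policy now that the box is domain joined, then reboot.
#    'n' answers any "OK to restart? (Y/N)" prompt; the reboot is scheduled below.
'n' | gpupdate /force /target:computer | Out-Null
Write-Log "gpupdate complete; rebooting"
shutdown /r /t 30 /c "Post-deployment cleanup finished"
```

Deploy it as a snapin whose command is powershell.exe -ExecutionPolicy Bypass -File with this script as the argument; the log in %windir%\Temp records which steps ran and why the account deletion was or was not attempted.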
Ok, so I am testing out FOG client, as I may be able to use it after all.
I so far have an image with it installed and disabled, then have the SetupComplete.cmd to start the service (basically with the 2 lines the wiki has for it).
I have in FOG for the host the Windows 7 product key, host names (obviously) and the domain, user and password.
I believe I have set everything required to pass that along via the FOG client after deployment, but only 2 of the 3 take effect.
After booting Windows 7 post deployment, the machine reboots several times whereas it did not prior (without FOG client) and then I will get a notification from FOG client that it needs to reboot/shutdown the machine. I allow it to and it reboots.
At this stage it has changed the hostname properly and activated Windows, but did not join the domain.
I am wondering if this is because my unattend creates a local account and auto logs into it on first boot (after which reboots require login). Even rebooting manually after all of the above doesn't seem to have any effect. Leaving it to sit for ~30 minutes doesn't see any action on joining the domain either.
Trying to log out I don't have any option to log in as another user, so it seems to only be allowing local account login.
Any advice/help for getting it to domain join would be great. Thanks
@quinniedid Interesting approach, but some of the stuff I install requires a domain connection. I actually do image it off domain. So Sysprep doesn't properly leave the domain and fails. I have found I have to leave the domain and delete the domain account/folder from the machine prior to sysprep. I then image the machine and have so far deployed it, re-joined the domain, etc. I am hoping to be able to change the post-deployment so that joining the domain again isn't a manual process. I also agree, Windows 7 seems to be very finicky where Windows 10 seems better able to handle sysprep.
@george1421 I'll check it out, thanks for the info!
@Zer0Cool Have you thought about not using sysprep at all? Get a clean image without AD, and just take that base image and apply it to all your computers that are identical.
We do this specifically with Windows 10 as we have applications that will not work with sysprep and we can put the image on whatever hardware we want; great feature of Windows 10. Windows 7 is a bit more finicky, in that if too much is different it will just blue screen.
Now in my case we have to image to a deployment OU because the GPO policies defined on the eventual OU break image deployment. So we deploy to “ou=Domain Transfer,dc=domain,dc=com” and then use a first-run step to run a vbscript to move the system to the proper OU (not shown in this file).
I also use a post-install script to replace the host name W10CBB in the unattend.xml file with the actual name of the system issued by FOG.
@george1421 Would you mind sharing your unattend.xml (sanitized of course) or whatever script you are using to domain join (or both lol)?
I couldn't get it to work when I tried, and at the time I gave up and just dealt with needing to do it manually.
@zer0cool why not just have sysprep connect the computer to AD. That is how I do it. I don’t have the fog client installed on any computer (well very few).
@wayne-workman Ah ok, makes sense. I then presume also that if I could use the FOG client many parts of my question wouldn't require a snapin, as the client can change the hostname, domain join and activate Windows, right?
My fallback was to have sysprep run a batch file on first login, seems I may have to go that direction.