Fog Client - Adding Domain User to Local Administrator Group
-
Server
- FOG Version: 0.32
- OS: Ubuntu 14.04
(We will be upgrading once the final version of 1.3 is released)
Client
- Service Version:
- OS: Windows 7, Windows 10
Description
I’ve noticed during registration of a computer that one of the questions asks "Which user is associated with the computer?" (or something along those lines). Does the new fog client have the capability to add domain users to the local administrator group when answering this question during the registration? It would be nice if when a computer is reimaged that it’s renamed, put on the domain, and the user of the computer is added to the local administrators group. We are still having to complete this final step manually.
There has been mention of doing this with the unattend file, however I much prefer not having to dynamically change that file prior to first boot. Thanks for any suggestions!
-
Does the new version of fog have that feature? No, it does not. FOG can rename the computer (post OOBE) and connect it to the domain no problem. Adding domain users to local admin group is not supported (and even a bit questionable security wise IMO).
But with that said you can do what you ask in one of two ways but both require the use of a FOG post install script.
With a FOG post install script you can access device specific properties (like user name) and then interact with the target computer’s files or registry. In my company we have a post install script that alters the unattend.xml file with FOG host parameters just after the image is deployed to the client but before windows boots the first time.
You could use this concept to update the unattend.xml file to add the user to the local admin group. Just use sed with a string replace on the unattend.xml file to replace a key word with the assigned user.
If you didn’t want to touch the unattend.xml file you can use the setupcomplete.cmd file. Just use a fog post install script to append something like
net localgroup administrators /add "domain\user"
where domain would be static and user would come from the user field in FOG.
-
Thanks for the suggestions, but now I have more questions =P
We currently have the fog service set to disabled on our images and a script that runs on first boot (which installs model specific drivers) enables this service. It then renames the computer and adds it to the domain. How can the setupcomplete.cmd file add a domain user to the local administrators group if this script is run before the fog client joins the computer to the domain?
-
@RobertD You are right, it’s a matter of timing. You cannot do this in the setupcomplete.cmd file because it happens before the fog client runs. You cannot use the first run section of the unattend.xml file either since the fog client hasn’t done its job by then either, unless you delay logging in as a local admin until after the system is connected to the domain.
We have the unattend.xml file name the system and connect it to the domain instead of the fog client (we don’t use these features of the FOG client). All of that happens way before the setupcomplete.cmd file is called, I didn’t take that into account before I posted.
-
@RobertD You can also deploy a snapin to do this. Snapins run after domain binding.
-
@Joe-Schmitt said in Fog Client - Adding Domain User to Local Administrator Group:
@RobertD You can also deploy a snapin to do this. Snapins run after domain binding.
I thought about this too, the problem is how to get the snapin to poll the FOG server to pick up the username field from the FOG database for this specific host…
[edit] OK, just thought of a way. If you have a FOG post install script write the contents of the username field to a text file on the target computer, then with the snapin have that snapin (ps or vbs) read the content of that text file created by the FOG post install script. That would work.
-
I’ve been thinking on this for a bit, and have thought of some far more complex ways to do it. I think that George’s below post is the best out of all the things I’ve thought of.
Basically have the post-install scripts write a .bat file on the local hdd with the needed arguments. Then make a snapin that runs a .bat file - and that just executes the local .bat file.
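
One way to build the .bat file described in the last two posts so that the FOG user field cannot inject commands into a script that later runs with the rights needed to change the Administrators group (an added example, not code from any poster or from the FOG project). The domain name EXAMPLE, the file name add-admin.bat, and how the user value and the mounted Windows volume reach the function are assumptions.

```shell
#!/bin/sh
# Added example for a FOG post-install script (all names are hypothetical).
# It writes a one-line .bat that a snapin can run after the domain join.

DOMAIN="EXAMPLE"   # assumption: static NetBIOS domain name

# Accept only a conservative subset of account-name characters that are
# also inert in cmd.exe. Rejects quotes, &, |, %, ^, <, >, spaces,
# backslashes, newlines, empty values and anything over 20 characters
# (the sAMAccountName limit for user accounts).
valid_account() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 20 ] || return 1
    case $name in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# write_admin_bat <user_from_fog> <windows_root>
# Returns 0 after writing <windows_root>/add-admin.bat, 1 if it refuses.
write_admin_bat() {
    user=$1
    root=$2
    out="$root/add-admin.bat"   # hypothetical file name read by the snapin

    if ! valid_account "$user"; then
        echo "refusing to write $out: unsafe user value" >&2
        return 1
    fi
    [ -d "$root" ] || return 1

    # CRLF line endings so cmd.exe parses the file normally.
    # The command is the one quoted earlier in the thread.
    printf '@echo off\r\nnet localgroup administrators /add "%s\\%s"\r\n' \
        "$DOMAIN" "$user" > "$out"
}

# Usage inside the post-install script (both values are placeholders):
#   write_admin_bat "$user_from_fog" "$windows_mount" || echo "no admin added"
```

Because the value is checked before it is written, a malformed or hostile entry in the user field results in no .bat file at all, and the snapin then has nothing to execute.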