[razormoon]

OK THE FOLLOWING HAS BEEN TESTED AND WORKING!!!

HOW TO:

Renaming the god-mode Administrator account and Unattended Vista install.
You only need to do this once!
Do the following in the order shown!!!

First:
Click Start >> Run and type 'MMC' and Enter
Click File >> Add/Remove Snap-in...
In the left Window, scroll down and
double-click Security Configuration and Analysis
double-click Security Templates
Click OK
Second:
Create a new Security Template by:
Expand Security Templates
Right-click on default path (should be "%userprofile%\Documents\Security\Templates)
Click New Template...
Type "unattend.inf"
Hit Enter
Create a new database by:
Right-click Security Configuration and Analysis
Click Open Database...
Type "unattend.sdb" This directory is %userprofile%\Documents\Security\Database
Hit Enter
Type "unattend.inf" This directory is %userprofile%\Documents\Security\Templates
Hit Enter
Third:
Enter new Security changes:
Expand Security Templates >> %userprofile%\Documents\Security\Templates >> unattend >> Local Policies >> Security Options
Double-click Accounts: Administrator account status
Tic the box "Define this policy setting in the template"
Radio "Enabled"
Click OK
Double-click Accounts: Rename administrator account
Tic the box "Define this policy setting in the template"
Enter new Administrator name
Hit Enter
Make any other changes you wish:
UAC: Admin Approval Mode... = FilterAdministratorToken Should be disabled
UAC: Behavior of the elevation prompt for admin... = ConsentPromptBehaviorAdmin
UAC: Behavior of the elevation prompt for standard... = ConsentPromptBehaviorUser
UAC: Run all administrators in Admin Approval Mode = EnableLUA Should be enabled (Adversely affects Std Users!)
Close MMC
You don't have to save console settings if you don't want to, but you must save changes to template!
Remember, your new database and template should now reside in %userprofile%\Documents\Security\Database and
%userprofile%\Documents\Security\Templates respectively. Be sure to save the template changes.

Now you must edit INSTALL.WIM!
Mount INSTALL.WIM
imagex /mountrw x:\sources\INSTALL.wim 1 x:\temp "1" depends on your own image file
Copy the CONTENTS (ie; Database and Templates folders) of %userprofile%\Documents\Security folder to x:\temp\Windows\Security
Unmount and commit INSTALL.WIM
imagex /unmount /commit x:\temp
The above should be done before any unattend programs such as vLite and VistaUA.
Also, a pre-existing database file named SECEDIT.SDB exists in INSTALL.WIM. This is fine and you should not overwrite, delete or otherwise alter
this file!

HERE YOU MAY USE VLITE, VISTAUA, CUSTOMIZATIONS, ETC >>>>>>>>>>>>
WITH NO NEED FOR THE ABOVE REGISTRY TWEAKS

Add the following to setupcomplete.cmd (in \sources\$oem$\$$\setup\scripts\):

CMD /C secedit /configure /db %systemroot%\security\database\unattend.sdb /cfg %systemroot%\security\templates\unattend.inf /log %systemroot%\security\logs\unattend.log /overwrite /quiet


Add/Change the following to your PRE-EXISTING autounattend.xml !!!!PRE-EXISTING!!!!
If you already have an oobesystem pass in your autounattend, just add the items within.

<settings pass="oobeSystem">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<UserAccounts>
<AdministratorPassword>
<Value>"YOUR ADMINISTRATOR PASSWORD HERE"</Value>
</AdministratorPassword>
</UserAccounts>
<AutoLogon>
<Enabled>true</Enabled>
<LogonCount>3</LogonCount>
<Username>"YOUR RENAMED ADMINISTRATOR ACCOUNT HERE"</Username>
<Password>
<Value>"YOUR ADMINISTRATOR PASSWORD"</Value>
<PlainText>true</PlainText>
</Password>
</AutoLogon>
</component>
</settings>

NOTE: YOU DO NOT HAVE TO AUTOLOGON TO THE RENAMED GOD ACCOUNT, BUT THEN WHAT'S THE SENSE OF DOING ALL OF THIS?

If you have a better, faster and/or easier way of doing this, then I just wasted my time.
Brought to you by razormoon

This post has been edited by razormoon: 14 December 2007 - 05:21 PM

[razormoon]

If anyone can test if you can change the name in unattend.inf 'on the fly' (ie; if you can parse and edit name without going through the whole spiel) that would be greatly appreciated

[MAVERICKS CHOICE]

Just seems like a lot of c...ing around to me... hey but whatever does it for ya.

[razormoon]

MAVERICKS CHOICE, on Aug 16 2007, 02:04 AM, said:

Just seems like a lot of c...ing around to me... hey but whatever does it for ya.

Sure, it takes a lot, but once it's done to a fresh 'vanilla' image you don't have to do it again.

[razormoon]

I'm thinking that instead of injecting security folders into wim, one can conceivably store them in $OEM$\$$\Security. Much faster and easier. Also conceivable is that one can run the secedit command from AuditUser pass, no?

[MAVERICKS CHOICE]

razormoon, on Aug 18 2007, 06:17 AM, said:

I'm thinking that instead of injecting security folders into wim, one can conceivably store them in $OEM$\$$\Security. Much faster and easier. Also conceivable is that one can run the secedit command from AuditUser pass, no?

Sounds good here.

[Largo]

razormoon, on Aug 15 2007, 02:15 AM, said:

If you have a better, faster and/or easier way of doing this, then I just wasted my time.
Brought to you by razormoon

I tried several ways to do it (mainly with 3rd party tools and scripts) and arrived at the same secedit method.
During Vista deployment, the built-in administrator account is always renamed "administrator" or localized equivalent (administrateur in french), that's why one have to execute secedit after deployment.

I will try to use the SetupComplete.cmd file.

Razormoon> you should wrap your text in code tags to preserve your formatting with spaces/tabs.

Thanks for sharing your input!
Largo.

[razormoon]

Largo, on Aug 19 2007, 06:50 AM, said:

I will try to use the SetupComplete.cmd file.

Razormoon> you should wrap your text in code tags to preserve your formatting with spaces/tabs.

Thanks for sharing your input!
Largo.

Honest to goodness, I usually wrap my code. Thanks for reminding me!

The SetupComplete method works like a charm.

[razormoon]

$OEM$ folder method tested and not working.

This post has been edited by razormoon: 25 August 2007 - 03:31 PM

[MAVERICKS CHOICE]

Back to the drawing board then....

[razormoon]

Not so bad. Injecting into install.wim works fine it just takes a little more time...

[c2483]

Can someone help me?
I've followed this guide a few times but always get the same problem?
On first boot up, it can't log in. So I click ok and enter the password and still cannot log in.
The name I changed admin to appears right on the log in screen.

 
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SetupUILanguage>
        <UILanguage>en-US</UILanguage>
      </SetupUILanguage>
      <InputLocale>00040408</InputLocale>
      <UserLocale>en-US</UserLocale>
      <UILanguage>en-US</UILanguage>
      <SystemLocale>en-US</SystemLocale>
    </component>
    <component name="Microsoft-Windows-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <UserData>
        <FullName>Charles Watson</FullName>
        <AcceptEula>true</AcceptEula>
      </UserData>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <AutoLogon>
        <Password>
          <Value>......</Value>
          <PlainText>true</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <LogonCount>3</LogonCount>
        <Username>Charles</Username>
      </AutoLogon>
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <NetworkLocation>Home</NetworkLocation>
        <ProtectYourPC>1</ProtectYourPC>
        <SkipMachineOOBE>true</SkipMachineOOBE>
        <SkipUserOOBE>true</SkipUserOOBE>
      </OOBE>
      <TimeZone>Eastern Standard Time</TimeZone>
      <UserAccounts>
        <AdministratorPassword>
          <Value>......</Value>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <ComputerName>charles-pc</ComputerName>
    </component>
    <component name="Microsoft-Windows-Security-Licensing-SLC-UX" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SkipAutoActivation>true</SkipAutoActivation>
    </component>
  </settings>
  <cpi:offlineImage cpi:source="wim:D:/System/Vista/6001.16659.070916-1443_x86fre_Client_en-us-FB1CFRE_EN_DVD/sources/install.wim#Windows Vista ULTIMATE" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend> 

[razormoon]

Are you sure you have defined your security policies in \Windows\Security? Checked all the necessary options? If so, did you inject into install.wim and made a call to secedit from setupcomplete.cmd? I've heard of some users having trouble with the setupcomplete.cmd method. What you can do is move that call from the setupcomplete.cmd and put it in your autounattend.xml as such in <settings pass="specialize">:

 
        
<component name="Microsoft-Windows-Deployment" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <RunSynchronous>
                <RunSynchronousCommand wcm:action="add">
                    <Order>1</Order>
                    <Path>CMD /C secedit /configure /db %systemroot%\security\database\unattend.sdb /cfg %systemroot%\security\templates\unattend.inf /log %systemroot%\security\logs\unattend.log /overwrite /quiet</Path>
                </RunSynchronousCommand>
            </RunSynchronous>
        </component>
 

In the meantime, I'll just edit the above to make the call from autounatted.xml as opposed to setupcomplete.cmd.


EDIT: THE ABOVE DOES NOT WORK FOR ME SO REVERTING ORIGINAL POST TO SETUPCOMPLETE.CMD

This post has been edited by razormoon: 03 October 2007 - 04:54 PM

[godinger]

You could also call renuser.exe (not a MS utility, but free) via a sync script in OOBE phase. This avoids having to modify the original image. This is how I do it and it works without issue.

[oidicle]

Hi razormon, I've folowed your guide up to the part where I mount the Install.wim...
I can't seem to find that "x\temp" folder you referenced, I'm assuming the "x" is the the drive path or systemdrive... I've searched all my drives and there's no "temp", must I create it myself or what? I just need to drop those files I've created, the only thing that shows on the install.wim is "components" and "Packages"

please advise

nevermind, I've figured it out... but there's still one prob though, I don't have the "setupcomplete.cmd" file, is it really necessary, how do I create it?

This post has been edited by oidicle: 07 December 2007 - 07:34 AM

[razormoon]

Sorry 'bout that...

in \sources\$oem$\$$\setup\scripts\

SETUPCOMPLETE.CMD

 
@echo off

CMD /C secedit /configure /db %systemroot%\security\database\unattend.sdb /cfg %systemroot%\security\templates\unattend.inf /log %systemroot%\security\logs\unattend.log /overwrite /quiet

EXIT
 

Of course, you can add more commands here if you'd like.

This post has been edited by razormoon: 08 December 2007 - 01:03 PM

[oidicle]

Thanks man, In fact I did add more commands to the setupcomplete.cmd, since I mounted the install.wim to the "temp" directory you specified, I ended up using the setupcomplete that was already there(windows\setup...) and modified it accordingly to install apps and add that line that you provided... it all went well...

anyway, thanx for a great guide, I was strugling for two weeks to find a way to rename the "God Mode" administrator account, I thought I could do it without mounting the install.wim but I soon found out through unsuccesfull trial and error that it was seemingly impossible... but I guess it was a blessing that I had to download WAIK and do it through the install.wim because that enabled me to do my own customizations(drop new sidebar gadgets, change the default background, etc)...

CHEERS

This post has been edited by oidicle: 09 December 2007 - 11:52 AM

[razormoon]

One of the best things about WAIK? Removing stuff. Like those two icons on the quicklaunch bar (show desktop and switch desktop?)......grrr.

Glad it worked out!

This post has been edited by razormoon: 14 December 2007 - 05:27 PM

[jlombard]

Hi Razormoon,

I tried this with Windows 2008 R2 and it is not working. Have you tried this on 2008 R2?

After the new os is built the template inf file is in the templates directory but the database is not. I checked with mmc/gpmc and none of the settings are there.


Any help would be much appreciated.



Thanks,
Jonn