Microsoft Deployment Toolkit
Documentation Library
Delaying Domain Join to Avoid Application of Group Policy Objects
Group Policy is a rich and flexible technology providing the capability to efficiently manage a large number of Active Directory Domain Services (AD DS) computer and user objects through a centralized, one-to-many model. Group Policy settings are contained in a Group Policy object (GPO) that is linked to one or more AD DS containers: sites, domains, and organizational units (OUs).
Some organizations have Group Policy settings that are restrictive and could cause problems during operating system deployments. For example, the following Group Policy settings can interrupt an automated logon process:
· Autologon restrictions
· Administrator account renaming
· Legal banners and captions
· Restrictive security policies (for example, the Specialized Security – Limited Functionality [SSLF] policy)
One option to overcome the issues that a GPO might cause during deployment is to join the computer to the domain as late as possible in the deployment process, after the steps that those settings would interrupt have completed. The join can be performed by a task sequence step that runs the ZTIDomainJoin.wsf script (the built-in Recover From Domain step does exactly this).
To join the target computer to the domain, the ZTIDomainJoin.wsf script uses the DomainAdmin, DomainAdminDomain, DomainAdminPassword, JoinDomain, and MachineObjectOU properties. You can declare these properties using the Windows Deployment Wizard, deployment share rules, the MDT DB, and Configuration Manager 2007 R3 computer and collection rules. Despite the property names, the account does not need to be a member of Domain Admins: it needs only the rights required to create and delete computer objects in the domain, which can be delegated on the OU named in MachineObjectOU. Because the DomainAdminPassword value is stored in clear text in the rules and in the generated Unattend.xml, use a dedicated, least-privilege join account rather than a shared administrative one.
Typically, the ZTIConfigure.wsf script updates the Unattend.xml or Unattend.txt file with the values that these properties specify. Windows Setup then parses these settings and attempts to join the domain early in the deployment process. Doing so subjects the target computer to the settings in domain GPOs and can cause the deployment process to fail.
To intentionally delay joining the target computer to the domain, remove the relevant element from the Unattend.xml file. The ZTIConfigure.wsf script writes a property's value only where the corresponding element already exists in the file; a missing element is skipped rather than re-created.
Note: This workaround applies only when deploying Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2, which use Unattend.xml. It does not cover deployments driven by Unattend.txt.
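The following deployment share rules fragment (CustomSettings.ini) is an added example of declaring the five properties, not text from the MDT documentation. The domain, OU, account name, and password are placeholders; the account is assumed to have Create/Delete Computer Objects delegated on the OU named in MachineObjectOU and nothing more. Note that the password sits in clear text in this file, which is why a dedicated join account is used rather than a Domain Admin.

```ini
[Settings]
Priority=Default

[Default]
; Values consumed by ZTIDomainJoin.wsf (and, if the Credentials element is still
; present in Unattend.xml, by ZTIConfigure.wsf during Windows Setup).
JoinDomain=corp.example.com
MachineObjectOU=OU=Workstations,OU=Deployed,DC=corp,DC=example,DC=com
; Delegated join account (placeholder name): only Create/Delete Computer Objects
; on the OU above. Do not use a Domain Admin here; this value is stored in clear text.
DomainAdmin=svc-mdt-join
DomainAdminDomain=corp.example.com
DomainAdminPassword=ExamplePlaceholder-ChangeMe
```

Restrict NTFS permissions on the Control folder of the deployment share accordingly, since anyone who can read this file can read the join password.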
To prepare the Unattend.xml file so the target computer does not attempt to join the domain during Windows Setup
1. Click Start, and then point to All Programs. Point to Microsoft Deployment Toolkit, and then click Deployment Workbench.
2. In the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/deployment_share/Task Sequences/task_sequence (where deployment_share is the name of the deployment share and task_sequence is the name of the task sequence to be configured).
3. In the Actions pane, click Properties.
4. On the OS Info tab, click Edit Unattend.xml.
The Windows System Image Manager (Windows SIM) starts.
5. In the Answer File pane, go to 4 specialize/Identification/Credentials (the Identification node belongs to the Microsoft-Windows-UnattendedJoin component). Right-click Credentials, and then click Delete.
6. Click Yes.
7. Save the answer file, and then exit Windows SIM.
8. Click OK on the task sequence Properties dialog box.
With the Credentials element missing from the Unattend.xml file, the ZTIConfigure.wsf script cannot populate the domain join credentials, so Windows Setup does not attempt to join the domain.
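The same edit can be scripted for many task sequences, and scripting it also gives you a check that the element really is gone before the share is updated. The following PowerShell script is an added example and is not part of the MDT documentation or toolkit. It assumes the MDT layout, where each task sequence's answer file lives at <DeploymentShare>\Control\<TaskSequenceID>\Unattend.xml, and the standard unattend namespace urn:schemas-microsoft-com:unattend; the path passed on the command line is an assumption for illustration.

```powershell
# Added example (not MDT code): remove the specialize-pass Credentials element
# from a task sequence Unattend.xml so Windows Setup cannot attempt a domain join,
# then re-read the file and verify the element is gone.
# Assumes <DeploymentShare>\Control\<TaskSequenceID>\Unattend.xml (MDT layout).
param(
    [Parameter(Mandatory = $true)]
    [string] $UnattendPath   # e.g. 'D:\DeploymentShare\Control\WIN7-STD\Unattend.xml' (placeholder)
)

$unattendNamespace = 'urn:schemas-microsoft-com:unattend'

# Returns the named child of specialize/Microsoft-Windows-UnattendedJoin/Identification, or $null.
function Get-SpecializeJoinNode {
    param([xml] $Doc, [string] $Child)
    $mgr = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $mgr.AddNamespace('u', $unattendNamespace)
    $xpath = "/u:unattend/u:settings[@pass='specialize']" +
             "/u:component[@name='Microsoft-Windows-UnattendedJoin']" +
             "/u:Identification/u:$Child"
    return $Doc.SelectSingleNode($xpath, $mgr)
}

$fullPath = (Resolve-Path -LiteralPath $UnattendPath).Path
[xml] $unattend = Get-Content -LiteralPath $fullPath -Raw

$cred = Get-SpecializeJoinNode -Doc $unattend -Child 'Credentials'
if ($null -eq $cred) {
    Write-Host "No Credentials element under specialize/Microsoft-Windows-UnattendedJoin; nothing to remove."
}
else {
    # Keep a backup so the edit can be reverted if a task sequence still needs the early join.
    Copy-Item -LiteralPath $fullPath -Destination "$fullPath.bak" -Force
    [void] $cred.ParentNode.RemoveChild($cred)
    $unattend.Save($fullPath)
    Write-Host "Removed Credentials element; backup written to $fullPath.bak"
}

# Verification: reload from disk rather than trusting the in-memory document.
[xml] $check = Get-Content -LiteralPath $fullPath -Raw
if ($null -ne (Get-SpecializeJoinNode -Doc $check -Child 'Credentials')) {
    throw "Credentials element still present in $fullPath"
}
if ($null -ne (Get-SpecializeJoinNode -Doc $check -Child 'JoinDomain')) {
    # The documented procedure removes only Credentials; report the rest for review.
    Write-Host "JoinDomain element is still present under Identification (Credentials removed)."
}
Write-Host "Verified: no domain join credentials in the specialize pass of $fullPath"
```

Run it once per task sequence whose join you want to delay, then update the deployment share as usual. The XPath is deliberately narrow (specialize pass, UnattendedJoin component) so the script does not touch unrelated Credentials-named elements elsewhere in the answer file.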
To add a task sequence step that joins the target computer to the domain
1. Click Start, and then point to All Programs. Point to Microsoft Deployment Toolkit, and then click Deployment Workbench.
2. In the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/deployment_share/Task Sequences/task_sequence (where deployment_share is the name of the deployment share and task_sequence is the name of the task sequence to be configured).
3. In the Actions pane, click Properties.
4. On the Task Sequence tab, go to and expand the State Restore node.
5. Verify that the Recover From Domain task sequence step is present. If yes, proceed to step 9.
6. In the task sequence Properties dialog box, click Add, point to Settings, and then click Recover From Domain.
7. Move the new Recover From Domain step to the desired location in the task sequence: as late as possible, after any steps that the domain GPO settings would otherwise interrupt.
8. Verify that the settings for the Recover From Domain task sequence step are configured to meet your needs.
9. Click OK on the task sequence Properties dialog box to save the task sequence.