PW error at Windows 10 login + Domain Join

Marconino

Hi,
I'm new here. I've been using your software for 2 days and I already managed to deploy my customized W10 ISO with drivers, partition changes, etc.
Everything is working fine for me except one single thing: the Windows password to access the standard User I created in the unattended menu.
If I set my password to "password" I can log in; if I set my password to "Password!" it shows wrong password. Do I have to enable some special characters feature somewhere in the submenu? I didn't find any similar thing to enable.

I attach my unattend file. As you can see, I created a domain profile and a standard profile. The password in the domain profile shows up, but in the standard one there is a long string of characters. Is this the error? Do I have to replace it manually with my password?

Thanks
 

Passwords in the unattend file are Base64 encoded (not encrypted). PowerShell can reverse it.

autounattend.xml:

> $EncodedText = "VQBBAEIAaABBAEgATQBBAGMAdwBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwBFAEEAVQBBAEIAaABBAEgATQBBAGMAdwBCADMAQQBHADgAQQBjAGcAQgBrAEEAQQA9AD0AUABhAHMAcwB3AG8AcgBkAA=="
> [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))
UABhAHMAcwB3AG8AcgBkACEAUABhAHMAcwB3AG8AcgBkAA==Password

Did you import the Base64 string from another preset or unattend file?
> $EncodedText = "UABhAHMAcwB3AG8AcgBkACEAUABhAHMAcwB3AG8AcgBkAA=="
> [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))
Password!Password
Autosalvataggio.xml: Password!Password

Make sure you're typing the original password in the NTLite window.
This trick is why we remind users to remove passwords before sharing any preset on this forum (unless you don't care).
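
The decoding above, generalised into a small audit you can run over a preset or unattend file before sharing it (an added example, not part of the original post and not NTLite code). It assumes Windows Setup's hiding scheme, Base64 of the UTF-16LE password with the parent element name appended; the function names and the simplified sample XML are constructed for illustration, and the two encoded values reproduce the single- and double-encoded strings from this thread.

```powershell
# Added example, not NTLite code. Assumption: Windows Setup hides a password as
# Base64(UTF-16LE(password + parent element name)), e.g. suffix "Password".
function ConvertTo-UnattendValue([string]$Secret, [string]$Suffix) {
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Secret + $Suffix))
}

function ConvertFrom-UnattendValue([string]$Value, [string]$Suffix) {
    # Returns $null when the value is not Base64 or lacks the expected suffix.
    try { $bytes = [Convert]::FromBase64String($Value) } catch { return $null }
    $text = [Text.Encoding]::Unicode.GetString($bytes)
    if (-not $text.EndsWith($Suffix, [StringComparison]::Ordinal)) { return $null }
    $text.Substring(0, $text.Length - $Suffix.Length)
}

function Get-UnattendPasswordAudit([xml]$Unattend) {
    # local-name() sidesteps the unattend XML namespace.
    $query = '//*[local-name()="Password" or local-name()="AdministratorPassword"]'
    foreach ($node in $Unattend.SelectNodes($query)) {
        $suffix = $node.LocalName
        $valueNode = $node.SelectSingleNode('*[local-name()="Value"]')
        $plainNode = $node.SelectSingleNode('*[local-name()="PlainText"]')
        if ($null -eq $valueNode) {
            # e.g. domain-join credentials: the password is the element text itself
            $status = 'plaintext'; $secret = $node.InnerText
        } elseif ($null -ne $plainNode -and $plainNode.InnerText.Trim() -eq 'true') {
            $status = 'plaintext'; $secret = $valueNode.InnerText
        } else {
            $encoded = $valueNode.InnerText.Trim()
            $secret = ConvertFrom-UnattendValue $encoded $suffix
            # Heuristic: if the result decodes again, an encoded value was re-encoded.
            $inner = if ($null -ne $secret) { ConvertFrom-UnattendValue $secret $suffix }
            if ($null -eq $secret)    { $status = 'unrecognised' }
            elseif ($null -ne $inner) { $status = 'double-encoded'; $secret = $inner }
            else                      { $status = 'encoded' }
        }
        [pscustomobject]@{ Element = "$($node.ParentNode.LocalName)/$suffix"; Status = $status; Secret = $secret }
    }
}
# Constructed sample: the same password stored plain, encoded once, and encoded twice.
$once  = ConvertTo-UnattendValue 'Password!' 'Password'
$twice = ConvertTo-UnattendValue $once 'Password'
[xml]$sample = @"
<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <Credentials><Password>Password!</Password></Credentials>
 <LocalAccount><Password><Value>$once</Value><PlainText>false</PlainText></Password></LocalAccount>
 <AutoLogon><Password><Value>$twice</Value><PlainText>false</PlainText></Password></AutoLogon>
</unattend>
"@
Get-UnattendPasswordAudit $sample | Format-Table -AutoSize
```

To check a real file, pass `[xml](Get-Content .\autounattend.xml -Raw)` to `Get-UnattendPasswordAudit`; a `double-encoded` row is the condition that made Windows reject "Password!" in this thread.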
 
I tried some fresh installs; now I'm able to log into Windows after a full cleanup of all the images in the NTLite program and a reboot, thanks.
Does this mean that the software reads both the autosave and autounattend files during installation? Should I save autosave.xml outside the installation folders, in your opinion?
Can I take the opportunity to ask another question? I bought the license for commercial use and now I'm looking at the domain auto-add feature. It could be useful for me but I can't get it to work properly.
After the PC name prompt in the installation process (set in the autounattend PC name [Prompt]), the machine stays in a loop on the Windows loading screen after install.
If I disable the domain add feature, the same ISO installs faster. Is it possible that it's looping while trying to connect to our domain through the LAN port, but it's not receiving the LAN drivers in time and it's going into a sort of "freeze" mode?
I'm not receiving any kind of error feedback, but when I'm in the system and go to the system advanced settings, the machine is still in a workgroup.
Attached is the unattended file from the new working ISO.
Thanks for your time and patience.
 

Just for info, adding the machine to the domain with those user and password works if I do it in Windows manually.

---I want to report a little bug instead, probably. When you choose the cmd template for the unlimited password time in the Post-Setup page, the script does the job but it doesn't put the ✔ on the user setting --Password never expires--. I don't know if it's correct or not, but when I run the net accounts command I can see the password has no time limitation even though it's not flagged in the "user GUI".
I did this on multiple fresh installations and it does the same thing.----

After some troubleshooting I found, in the functionalities tab, "Active Directory Lightweight Directory Service" not flagged. It's actually flagged in components, netlogon instead. I will try tomorrow on my image.
 
I tried some fresh installs; now I'm able to log into Windows after a full cleanup of all the images in the NTLite program and a reboot, thanks.
Does this mean that the software reads both the autosave and autounattend files during installation? Should I save autosave.xml outside the installation folders, in your opinion?

When using a preset, NTLite will create autounattend based on the Settings, and whatever XML code is inside. One trick to extend Setup's functionality is to carefully insert extra XML into the preset file. NTLite will copy anything not overwritten to the new autounattend.

When not using a preset, NTLite scans the ISO folder to recreate the previous unattend and Post-Setup items. In several cases, NTLite gets confused and parses it wrong. I believe that may have been your problem.

The safe strategy is to always begin with a clean image and apply a preset. NTLite will always do the right thing. Re-using a previously edited image can lead to unattend or Post-Setup problems.

After the PC name prompt in the installation process (set in the autounattend PC name [Prompt]), the machine stays in a loop on the Windows loading screen after install.
If I disable the domain add feature, the same ISO installs faster. Is it possible that it's looping while trying to connect to our domain through the LAN port, but it's not receiving the LAN drivers in time and it's going into a sort of "freeze" mode?

All this depends on whether your network device is already configured. I would integrate any network drivers into the base image, especially for machines inside a domain. Don't forget the Shift-F10 trick to open a CMD shell.
 
After the PC name prompt in the installation process (set in the autounattend PC name [Prompt]), the machine stays in a loop on the Windows loading screen after install.
If I disable the domain add feature, the same ISO installs faster. Is it possible that it's looping while trying to connect to our domain through the LAN port, but it's not receiving the LAN drivers in time and it's going into a sort of "freeze" mode?
I'm not receiving any kind of error feedback, but when I'm in the system and go to the system advanced settings, the machine is still in a workgroup.
Attached is the unattended file from the new working ISO.
Thanks for your time and patience.

Probably didn't enable the user account to be allowed to add new machines to the domain.

For Domain join there are two options in Unattended page - Join Network.

- Unsecured
When you don't want to use the username and password to join a user, but want to add his machine to the domain.
Created a computer account in the server active directory, reset the account.
Then in Unsecured Join - Machine Password entered computer name in lowercase (first 15 characters are what you need max). That is how Windows does it to find a computer account to tie it with.
Then the computer would be domain joined after install and I could log in with an Active Directory user.

- Secured
When you have a username and password for the domain joined account.
Tool will also warn during secured join:
"Make sure to allow this user on the server active directory to 'Join a computer to the domain', and you must specify a computer name on the Unattended page. Computer name can also be randomly generated, more info in the Computer Name option description."

So there is no way to add a machine to the domain without a computer name and without user credentials; that would not be safe.
More info here on these two options.
 
---I want to report a little bug instead, probably. When you choose the cmd template for the unlimited password time in the Post-Setup page, the script does the job but it doesn't put the ✔ on the user setting --Password never expires--. I don't know if it's correct or not, but when I run the net accounts command I can see the password has no time limitation even though it's not flagged in the "user GUI".
I did this on multiple fresh installations and it does the same thing.----
You mean in the lusrmgr.msc?
Seems like that checkbox has no effect once the command is done on a global (accounts) level.
They should have made it gray/disabled, indeed it looks a bit confusing, is it enabled or not.
net user [name] is the best indicator.

Seeing the same on the full, intact Windows as well. Only the net command to disable password age applied.

Let me know if you see it as important to move password age option per user, instead of a global level.
 
I think I did everything correctly; we set up our environment for testing and it's working on our side. If I add the machine to the domain manually, it works and asks me for a reboot.
Now, I attach some photos to let you see what I'm doing.
1) Components loaded, should be fine
2) SCCM drivers, LAN included, for HP 800 G6 workstation tower
3) 4) Local admin user called User
5) Domain setup (I tried with user account "boss" and not with "vmware\boss" just as a test, because I had already tried "vmware\boss" in a previous installation and it wasn't working)

I'll skip all the other info about disk partitioning etc.
Am I missing something on the program side?
 

I mean the checkbox in the photo, password never expires. I usually set it manually on my local machine. I had never heard of the net accounts command, but I can see that after executing it the result is the same, without the checkbox feedback. Thanks for info, need anything else on this.
 

Thanks for the info.
I integrated the whole SCCM driver package for the machine, LAN included.
"Don't forget the shift-F10 trick to open a CMD shell." Sorry, I don't get it; what can I use this trick for?
 
Found the issue: changed the domain username access from vmware\boss to only boss and enabled Active Directory service in components. Probably the second one fixed it; now I can do the auto domain join.
Thanks guys
 