[MDT] Trying to install application without the Administrator account

Question

Hi,
During my deployment, I want to install the applications with another account than Administrator. I set the autologon with a local account created in my unantted.xml file and I added this account in the Administrators group. But after the first login, the applications doesn't install until I log on with the administrator account. (I'm not in a Domain)
My question is: Is there a way to install the applications without another account than the Administrator account?

PS : English is not my mother tongue, sorry

OnError

0
1

.\Operating Systems\Windows 10 Pro\install.wim

/IMAGE/INDEX
1

OnError

true

fr-FR

fr-FR
fr-FR
fr-FR
fr-FR

true

WORKGROUP
User
true
Pacific Standard Time

about:blank

EnableAdmin
1
cmd /c net user Administrator /active:yes

UnfilterAdministratorToken
2
cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken /t REG_DWORD /d 0 /f

disable user account page
3
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\OOBE /v UnattendCreatedUser /t REG_DWORD /d 1 /f

disable async RunOnce
4
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer /v AsyncRunOnce /t REG_DWORD /d 0 /f

0409:00000409
en-US
en-US
en-US

0

""
1
9
9
1
""
""
""
Default

1

true
User
.

false</PlainText> </Password> <LogonCount>999</LogonCount> </AutoLogon> <FirstLogonCommands> <SynchronousCommand wcm:action="add"> <CommandLine>wscript.exe %SystemDrive%\LTIBootstrap.vbs</CommandLine> <Description>Lite Touch new OS</Description> <Order>1</Order> </SynchronousCommand> </FirstLogonCommands> <OOBE> <HideEULAPage>true</HideEULAPage> <NetworkLocation>Work</NetworkLocation> <ProtectYourPC>1</ProtectYourPC> <HideLocalAccountScreen>true</HideLocalAccountScreen> <HideOnlineAccountScreens>true</HideOnlineAccountScreens> <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen> </OOBE> <RegisteredOrganization>WORKGROUP</RegisteredOrganization> <RegisteredOwner>User</RegisteredOwner> <TimeZone></TimeZone> <UserAccounts> <LocalAccounts> <LocalAccount wcm:action="add"> <Password> <Value></Value> </Password> <Name>User</Name> <Group>Administrators</Group> <DisplayName>User</DisplayName> </LocalAccount> </LocalAccounts> </UserAccounts> </component> <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <InputLocale>fr-FR</InputLocale> <SystemLocale>fr-FR</SystemLocale> <UILanguage>fr-FR</UILanguage> <UserLocale>fr-FR</UserLocale> </component> </settings> <settings pass="offlineServicing"> <component name="Microsoft-Windows-PnpCustomizationsNonWinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <DriverPaths> <PathAndCredentials wcm:keyValue="1" wcm:action="add"> <Path>\Drivers</Path> </PathAndCredentials> </DriverPaths> </component> </settings> <cpi:offlineImage cpi:source="catalog://srv-atelier/deploymentshare$/operating systems/windows 10 pro/install_windows 10 pro.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" /> </unattend>

Answer

Hi, @madki
Thank you for posting in Microsoft Q&A forum.

You may try to change the user that the MDT task sequence is running as, install the application(s) using the InstallApplication task sequence step, then return the task sequence to running as the regular local admin user.

We may refer to the article for the steps:
https://www.deploymentresearch.com/running-the-mdt-2013-update-2-task-sequence-as-a-different-user/
(Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.)

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer

Hi @madki

User accounts can have local admin rights on workstations (or any computer) without being anything near a domain admin - check the computers Administrators group. It is also possible that the program installs to the profile, which does not require admin rights.

You can do a number of things.

Make a local administrators group and add it to all the desktops and add users to it. They'll have Admins on the desktops but not the domain or any resources not directly granted access:

so you can try to use Group Policy to automatically distribute programs to client computers or users:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/use-group-policy-to-install-software

In some cases the user will have a program that writes to the Windows or Program Files directory or even to the registry. In these cases create a security group and Group Policy for that program. Then find the smallest directory and/or registry key required to enable the program and grant the security group full access to just that in your new policy. Add the users of this program to the security group and then apply the GPO to the appropriate OUs.

Hope this helps with your query!

--If the reply is helpful, please Upvote and Accept as answer--

[MDT] Trying to install application without the Administrator account

2 answers