WOUTempAdmin: Does Not Login - RE: Domain Joined Laptops

Post by Karthigan » 15.03.2016, 13:31

Hi All,

I have a question: does the WOUTempAdmin A/C, created when you select the "auto-login / reboot" option when running UpdateInstaller, not work for domain-joined (AD) laptops?

Our environment is unique, in that we have a "legal" login disclaimer that the user must acknowledge (click on the OK button) prior to logging into the Windows environment. In addition, our login format for the user name is (as an example): thecompany.net\jsmith, password: Password123$

Is there anything that I can accomplish to fix the login issue? Or should I proceed with the local admin A/C for manually running the UpdateInstaller program?
Karthigan
 
Posts: 10
Joined: 02.03.2016, 14:43

Re: WOUTempAdmin: Does Not Login - RE: Domain Joined Laptops

Post by Karthigan » 17.03.2016, 04:14

Hi again,

It appears that the auto login is working on an AD domain-joined laptop with the WOUTempAdmin account that is created by the WSUS tool.

Now, I only got it to work on one Lenovo T430 series laptop. Another identical one from another employee - it does not.

This leads me to believe that it has something to do with the domain configuration - our company has a lot of GPOs (e.g. disable other A/Cs from having local admin authority - which would eliminate WOUTempAdmin administrative access), possibly auto-login disabled, complex password requirements or something else.

Question: does anyone know what the auto-generated password for the WOUTempAdmin A/C is?

If anyone was able to deploy this tool on a domain-joined laptop in their environment - any feedback would help.

I am going to work with my System Administrator and rule out one GPO (Group Policy) at a time - perhaps one would trigger the failure and I'll know what it is.
Karthigan
 
Posts: 10
Joined: 02.03.2016, 14:43
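
An added example, not part of the thread or of WSUS Offline Update: a read-only PowerShell check of the settings raised in the two posts above (auto-logon, the logon disclaimer, and whether WOUTempAdmin still has local admin rights). It assumes the tool relies on the standard Windows Winlogon auto-logon registry values, which the thread does not state, and that the `Microsoft.PowerShell.LocalAccounts` cmdlets (PowerShell 5.1) are available; `Get-RegValue` is a helper defined here.

```powershell
# Added example: read-only snapshot of the settings that commonly decide
# whether an auto-logon with a temporary local admin account succeeds.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$account  = 'WOUTempAdmin'   # account name taken from the thread

# Hypothetical helper: returns $null instead of failing when a value is absent.
function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$user   = Get-LocalUser -Name $account -ErrorAction SilentlyContinue
# S-1-5-32-544 is the built-in Administrators group, whatever its localized name.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    AutoAdminLogon     = Get-RegValue $winlogon 'AutoAdminLogon'
    DefaultUserName    = Get-RegValue $winlogon 'DefaultUserName'
    DefaultDomainName  = Get-RegValue $winlogon 'DefaultDomainName'
    # DefaultPassword is stored in clear text: report presence only, never the value.
    DefaultPasswordSet = [bool](Get-RegValue $winlogon 'DefaultPassword')
    # A logon banner set by policy has to be acknowledged before logon continues.
    LegalNoticeCaption = Get-RegValue $policy 'LegalNoticeCaption'
    LegalNoticeTextSet = [bool](Get-RegValue $policy 'LegalNoticeText')
    AccountExists      = [bool]$user
    AccountEnabled     = $user.Enabled
    # A GPO that manages local Administrators membership can remove the account again.
    InLocalAdmins      = [bool]($admins | Where-Object { $_.Name -like "*\$account" })
}
```

Run it on a laptop where auto-logon works and on one where it fails and compare the two results; `gpresult /r /scope computer` lists the GPOs applied to each machine.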

Re: WOUTempAdmin: Does Not Login - RE: Domain Joined Laptops

Post by WSUSUpdateAdmin » 17.03.2016, 12:36

Hi.

Concerning the password for WOUTempAdmin, please see ...\client\cmd\CreateUpdateAdminAndEnableAutoLogon.vbs:

Code:
  strResult = "!Wou_" & Int(90000 * Rnd) + 10000
  objWOUTempAdmin.SetPassword strResult

This probably may not match your password complexity rules, of course.

Regards
Torsten Wittrock
WSUSUpdateAdmin
Administrator
 
Posts: 2245
Joined: 07.07.2009, 14:38
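
An added example, not part of the original post or of the WSUS Offline Update scripts: the two quoted lines build the password from a fixed prefix plus one number between 10000 and 99999, so only 90,000 different passwords are possible. The PowerShell sketch below draws a temporary-account password from the operating system's cryptographic random number generator, always includes all four character categories that Windows complexity rules look at, and compares the search space of both schemes; `New-TempAdminPassword`, `Get-RandomIndex`, the character sets and the 20-character length are assumptions made for the example.

```powershell
# Added example, not WSUS Offline Update code. New-TempAdminPassword, Get-RandomIndex
# and the 20-character default are hypothetical choices for illustration.
$classes = @(
    'ABCDEFGHJKLMNPQRSTUVWXYZ',    # upper case (I and O left out: easy to misread)
    'abcdefghijkmnopqrstuvwxyz',   # lower case (l left out)
    '23456789',                    # digits (0 and 1 left out)
    '!#$%&*+-=?@_'                 # symbols
)

function Get-RandomIndex {
    param($Rng, [int]$Bound)
    # Rejection sampling: drop 32-bit values that would cause modulo bias.
    $range = [long]4294967296
    $limit = $range - ($range % $Bound)
    $buf = New-Object byte[] 4
    do {
        $Rng.GetBytes($buf)
        $value = [long][System.BitConverter]::ToUInt32($buf, 0)
    } while ($value -ge $limit)
    return [int]($value % $Bound)
}

function New-TempAdminPassword {
    param([int]$Length = 20)
    $all = -join $classes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        # One character per class first, so a "3 of 4 categories" policy always passes.
        $chars = @(foreach ($set in $classes) {
            $set[(Get-RandomIndex -Rng $rng -Bound $set.Length)]
        })
        while ($chars.Count -lt $Length) {
            $chars += $all[(Get-RandomIndex -Rng $rng -Bound $all.Length)]
        }
        # Fisher-Yates shuffle: the guaranteed characters must not sit at fixed positions.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-RandomIndex -Rng $rng -Bound ($i + 1)
            $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
        }
        return -join $chars
    } finally { $rng.Dispose() }
}

# Search space in bits. Quoted scheme: fixed prefix plus one of 90000 numbers.
$bitsQuoted = [math]::Log(90000, 2)
# Upper bound for the generator above (the per-class guarantee lowers it slightly).
$bitsNew = 20 * [math]::Log((-join $classes).Length, 2)
'{0:N1} bits vs. about {1:N0} bits' -f $bitsQuoted, $bitsNew
```

Pass the generated value directly to the account-creation call instead of writing it to a console or log file.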

Re: WOUTempAdmin: Does Not Login - RE: Domain Joined Laptops

Post by Karthigan » 18.03.2016, 02:09

Thanks.

Just a follow-up: we started to deploy this tool across various other laptops that are AD domain-joined. Out of 4 laptops, 2 were able to auto-boot and auto-install, and 2 weren't.

Still looking into it. :)
Karthigan
 
Posts: 10
Joined: 02.03.2016, 14:43

Re: WOUTempAdmin: Does Not Login - RE: Domain Joined Laptops

Post by aker » 18.03.2016, 09:20

@WSUSUpdateAdmin
Could we write WOUTempAdmin's password to the command line or to the log, to be able to manually continue the update without having to cancel it?
Wer Rechtschreibfehler findet, darf sie behalten oder an den Meistbietenden versteigern. / Everybody finding a misspelling is allowed to keep or sell it.
aker

WSUS Offline Update „Community Edition“
https://gitlab.com/wsusoffline/wsusoffline/-/releases
aker
 
Posts: 3999
Joined: 02.03.2011, 15:32

Re: WOUTempAdmin: Does Not Login - RE: Domain Joined Laptops

Post by boco » 18.03.2016, 11:45

I disagree. Writing the password of an account with Admin rights in clear text into a log that about everyone can read? Please don't (or only on request).

A better way would be to mail the password to an admin-configured mail address, using a command-line mailer (or a solution likely already present in A/D environments). That way the Admin, and only the Admin, could continue.
Last edited by boco on 18.03.2016, 12:23, edited 1 time in total.
Reason: typo
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2398
Joined: 24.11.2009, 17:00
Location: Germany

Re: WOUTempAdmin: Does Not Login - RE: Domain Joined Laptops

Post by aker » 18.03.2016, 11:55

Then writing it to the cmdline on creation would be the best idea. The script has to be run as admin, so no security impact.
aker
 
Posts: 3999
Joined: 02.03.2011, 15:32

Re: WOUTempAdmin: Does Not Login - RE: Domain Joined Laptops

Post by boco » 18.03.2016, 12:33

Yes, but... Upon restart the commandline will be closed. If admin returns and is faced with blocked login, the fact the password once was written to the commandline is, well, funny.

How about asking for the password (or source passphrase to generate a password hash) to be used for the WOUTemp account, upon checking the box? Would that be acceptable?
boco
 
Posts: 2398
Joined: 24.11.2009, 17:00
Location: Germany

Re: WOUTempAdmin: Does Not Login - RE: Domain Joined Laptops

Post by aker » 18.03.2016, 19:46

The first run doesn't take that long; it would be OK to wait for the output. But a TextBox would solve the problem in a nice way, too.
aker
 
Posts: 3999
Joined: 02.03.2011, 15:32

