How do I: Install Windows without a username?

[xyeLz]

I have a bit of a dilemma. I am trying to learn "best practices" and I am finding it quite difficult to find help in specific areas of systems administration.

Here's my current issue:

I am going to reformat my computer using Windows 7 Ultimate. I would like it so that when I set it up, I do not need to create a username. The reason for this is that once Windows is installed, I will be connecting the computer directly to a domain - hence no reason for a local account. Is this possible? Would I need to utilize Shift+Ctrl+F3 for this (I have never done this before) and how would I go about this process?

 

[Exavior]

don't think that is possible. by default with vista and 7 the local administrator account is disabled and what you are creating during setup is the local admin for the box.

you are going to want to have some type of local admin account to ensure that if the network card ever fails or something happens where it can't log into the domain you still have a way to log in as a local admin.

 

[thefreeaccount]

It's actually an excellent question. You need to use the Microsoft Deployment Toolkit (administrator account will default to enabled when MDT is used):
http://blogs.technet.com/b/danstolt...using-wds-mdt-and-aik-step-by-step-video.aspx

Best practice is to have at least one local admin other than the built-in administrator account in case one of them is accidentally disabled.

 

[jiminator]

No idea on best practices. I do know however you can add login credentials to the registry that would solve the issue.

 

[Exavior]

best practice would actually be not have use the administrator account at all but to have another one. Or to rename the default one. By having administrator be a valid account you have already given somebody one of two pieces of information they need to try to crack their way into your computer, a username, all they need then is the password. By having it named something else they would have to figure out both the name and the password.

through group policy you can change its name or create a new local account.

 

[xyeLz]

Thanks for the answers guys, I actually didn't think I would get any.

This begs a few more questions, I apologize:

#1) Not using the default administrator account but having a user-created one to manage local functions: Is it really that important to have a local administrator other than the built-in administrator? From what I read above, this is best practice, but doesn't it just add another account to make vulnerable? I also read somewhere that some company has only the two built-in accounts enabled and nothing else. But then how do they manage the local functions of the computer? Either way, whatever is best practice is what I am aiming for. Perhaps there are more than one "best practices" here, or it's debatable? Is this the case or is the above "the" best practice?

#2) Rename default administrator account without having another one: It makes sense to me to rename the Administrator account anyways. So for example if I renamed the default Administrator account to the username I wanted to use and didn't create another administrator, would this work? I know it would mean that the built-in administrator account is not disabled and is being used...so I am going to assume this is not the way to do things? Or is best practice having three accounts (guest, admin, user-created admin) or perhaps just the built-in accounts?

#3) Renaming accounts: Do I rename the Guest account too? What should I rename the Administrator account to - something completely random like 1Xy7#3zK or something that appears to be another user (remember this is the LOCAL side so only one extra user might be obvious)?

#4 Creating a fake administrator: In this case, I assume I should create a "honey-pot" fake administrator account with Guest privileges so that when a simple hacker might just be wondering why, once they finally gained access to the administrator account, they can't do anything? This as opposed to realizing right away there is no Administrator account and moving onto the next solution.

Clearly I would take steps to disable the built-in Administrator and Guest accounts so that is a given. I guess my primary concerns here are whether or not I make another built-in admin to manage the computers functions or just have none at all since it will be managed by the domain anyways?

Am I missing something?

 

[thefreeaccount]

#1) Not using the default administrator account but having a user-created one to manage local functions: Is it really that important to have a local administrator other than the built-in administrator?

Shrug...up to you, but what if accident (only takes 1 wrong click) or malice (spyware) causes the built-in admin to be disabled?

#2) Rename default administrator account without having another one: It makes sense to me to rename the Administrator account anyways.

To my knowledge, you can't rename the administrator account during deployment (MDT uses it).

I guess my primary concerns here are whether or not I make another built-in admin to manage the computers functions or just have none at all since it will be managed by the domain anyways?

Err...when the machine losses network connectivity, how do you plan to fix it?

 

[bigdogchris]

I have a bit of a dilemma. I am trying to learn "best practices" and I am finding it quite difficult to find help in specific areas of systems administration.

Here's my current issue:

I am going to reformat my computer using Windows 7 Ultimate. I would like it so that when I set it up, I do not need to create a username. The reason for this is that once Windows is installed, I will be connecting the computer directly to a domain - hence no reason for a local account. Is this possible? Would I need to utilize Shift+Ctrl+F3 for this (I have never done this before) and how would I go about this process?

You need to install Windows, reboot into Audit mode, install software, then do an unattended sysprep that will join the system to the domain when it boots up. Make sure that the DHCP is giving out a DNS that is for the domain. Windows System Image Manager is how you create unattended's.

 

[xyeLz]

Shrug...up to you, but what if accident (only takes 1 wrong click) or malice (spyware) causes the built-in admin to be disabled?

True.

To my knowledge, you can't rename the administrator account during deployment (MDT uses it).

But you would certainly use GPO to rename it after, correct? Any particular naming pattern involved? What about the Guest account?

Err...when the machine losses network connectivity, how do you plan to fix it?

Hah, very true. So it appears as if having a local administrator and disabling the built-in accounts is the way to go here. That's a statement, not a question! What should I name the "user-created admin" account? What should I rename the built-in admin account? What should I rename Guest if anything?

See above please.

 

[CrimsonKnight13]

You could follow US Department of Defense STIGs to lock down your system. Your call.

My advice - Rename Administrator & Guest to something else & disable them. After that make a new admin account with a completely different name.

 

[thefreeaccount]

What should I rename the built-in admin account? What should I rename Guest if anything?

Too much work for me, personally. Renaming the account without also disabling non-admin SSID lookups is mostly pointless. Disabling non-admin SID lookups will make some programs break.

Go with what you want. It's not an important decision.

 

[TRex]

Here is how we are renaming the built-in admin account in our Windows 7 image.

http://social.technet.microsoft.com/Forums/en-US/mdt/thread/edc88cb5-f9b0-4862-adf9-bb2b73940ee7/

 

[xyeLz]

What would be the name that an organization typically renamed the built-in Administrator to? Would it be the same across each PC? Would you name it something random or something that you could remember, such as a username.

For example:

Random: 1x4hjFFA2a
Username: JDoe or JSmith (a random username not being used by any user)

??

 

[Exavior]

As I said above, by default with Vista and 7 the built in Administrator user will be disabled.

I myself leave it disabled, disable it on XP and then have a GPO that created a new local administrator account on every computer with the same name and password that is used as the local administrator account when one is needed.

You can do it however you want though. you can re-enable the account on every computer and rename it to gibberish although I'm not sure what that really gains you. Or you can re-enable it and rename it on every computer to the same thing to be able to use it. Or you can just leave it disabled and create a new account on every machine to use as administrator.

 

[JimmyNeutron]

don't think that is possible. by default with vista and 7 the local administrator account is disabled and what you are creating during setup is the local admin for the box.

This is something I never understood. Why create a new user account that wiill have Administrator's privileges when you should just be able to log in with the Administrator account?

I understand it's one more road block for hackers to figure out the new administrator account name, but why not do what Windows server does, forces the Administrator account to use a complex password during setup?

If the user is dumb enough to forget the password before he/she gets a chance to change the password once he/she logs in, he/she should be using a Mac.

 

[Exavior]

This is something I never understood. Why create a new user account that wiill have Administrator's privileges when you should just be able to log in with the Administrator account?

I understand it's one more road block for hackers to figure out the new administrator account name, but why not do what Windows server does, forces the Administrator account to use a complex password during setup?

If the user is dumb enough to forget the password before he/she gets a chance to change the password once he/she logs in, he/she should be using a Mac.

Gives them an extra step to go through. Not only do they have to set there and try to crack the password but first have to guess the username also. For the same reason that Linux doesn't allow you to log in as root or at the very least that is greatly frowned on.

you should do the same with your server and not use the administrator account either. More so on one that has direct access to the internet.

For the client OS, the built in administrator account is now left for safe mode only. That way if you get something that screws up that local admin you are using you still have a clean account that can't be touched during normal computer usage and might be able to be used to get it back to working. Which is more likely to happen on a client OS than a server.

 

[bigdogchris]

What would be the name that an organization typically renamed the built-in Administrator to? Would it be the same across each PC? Would you name it something random or something that you could remember, such as a username.

For example:

Random: 1x4hjFFA2a
Username: JDoe or JSmith (a random username not being used by any user)

??

The built in Administrator account is disabled by default on 7. If someone is knowledgeable enough to enable the account against your will, what it's called is irrelevant.

What I did is use a little script on my unattended that creates a local administrator account with a unique name for my organization. That leaves the default Administrator disabled, but I still have a local admin account on the computer.

 

[xyeLz]

Hey all,

Sorry to dig this back up but I'm trying to set my netbook up now. The domain isn't fully set up but I would like to get things going in preparation for it.

Is there a way I can install Windows without making an account? I guess I would have to use the Administrator account? Then come time to join the domain, I could?

I'm just confused as to how this all works. If there is to be any local profile, I don't want there to be any settings saved unless I save them to all systems Administrator accounts.

 

[bigdogchris]

I already answered your question. You need to install the OS and where you create the first username, reboot into audit mode by pressing ctrl+shift+F3. In Audit mode you are logged into the default administrator account (which you cannot delete and which is disabled when not in audit mode). Install software and what have you, then sysprep with an unattended xml configuration to join it to the domain. You then clone the machine out. Each time the new computer boots up, on the first boot, it will join the domain. The only local account will be the default Administrator account, which is disabled by default.

 

[xyeLz]

I already answered your question. You need to install the OS and where you create the first username, reboot into audit mode by pressing ctrl+shift+F3. In Audit mode you are logged into the default administrator account (which you cannot delete and which is disabled when not in audit mode). Install software and what have you, then sysprep with an unattended xml configuration to join it to the domain. You then clone the machine out. Each time the new computer boots up, on the first boot, it will join the domain. The only local account will be the default Administrator account, which is disabled by default.

Thanks for helping Chris. I guess I'm just confused. What CTRL+SHIFT+F3 also helps as I didn't know how to boot into audit mode so thank you.

So basically once I get to where it asks for a username, I don't follow that step and instead do the above. Then does it load up Windows as usual, except into Administrator mode? This is where I install every piece of software required, as you mentioned?

I get a bit lost after this point with sysprep and unattended XML. I kinda need to be babysat I guess.

 

[bigdogchris]

Thanks for helping Chris. I guess I'm just confused. What CTRL+SHIFT+F3 also helps as I didn't know how to boot into audit mode so thank you.

So basically once I get to where it asks for a username, I don't follow that step and instead do the above. Then does it load up Windows as usual, except into Administrator mode? This is where I install every piece of software required, as you mentioned?

I get a bit lost after this point with sysprep and unattended XML. I kinda need to be babysat I guess.

Install the OS. At the screen where it prompts you to create a username and computer name, press the keystroke I told you. You'll reboot in Audit mode. Then install the software you need. Then run a sysprep with an unattended xml configuration file.

You create the configuration file using the Windows System Image Manager. It's not exactly something I can tell you how to use. You're just going to have to download it and watch or read tutorials on it. It took me a few weeks of trial and error to get it working just how I wanted.

 

[xyeLz]

Did the first few stages. Here's a quick documentation:

#1) Installed Windows 7.

#2) CTRL+SHIFT+F3 at "Username" screen which rebooted into the Administrator at the desktop.
I made changes to pretty much everything I would as if I was setting up the desktop for myself, including but not limited to color schemes, installed software and preferences (such as default homepage for web browsers), firewall settings, etc. I also installed all patches and rebooted.

#3) I used netplwiz to enable CTRL+ALT+DELETE logon and I also set a password for the Administrator account. I rebooted to see what would happen if I did this. When Windows loads up, it says "Invalid Password". I click okay and it brings me to the logon screen so I enter my password for Administrator and all works perfectly fine.

The reason the above is important is because I don't currently have a domain to connect to, so essentially I am using the Administrator account as a placeholder until everything is set up.

What is the extent to which I can change software settings? Will it literally copy every single aspect of what I changed or will it only copy certain settings? For example and to get into extreme detail, will it copy over my MSCONFIG settings for startup programs? Will it copy over the amount of memory used in a swap file, etc?

I don't have another computer to fall back on if I mess this one up so for now I will probably leave it at this and not mess with the XML file just yet since I haven't a clue what to do. When Windows boots the first thing that pops up is the OOBE manager. I'm not sure what to do here. Can you link me to a tutorial or whatnot at this point? Thank you so much for your help and sorry I'm an idiot.