When deploying Windows clients using Configuration Manager 2007 and MDT 2010 Update 1, there is often a requirement to run task sequence actions as a domain user as opposed to the local system account, for example in order to perform actions on a computer object in Active Directory (such as moving the computer object to a different OU). Usually, the OU security will be configured with the necessary ACLs to allow specific users or groups to perform computer object operations. When we attempt to automate this as part of the deployment process, it will fail because the action is executed by the system account, which does not hold the necessary privileges (default behaviour in Configuration Manager 2007).
For this reason, the “Run Command Line” task sequence action provides the functionality to execute the command as a domain user account that has the necessary privileges.
This has always worked perfectly for me, until recently when working on a Windows 7 deployment. The issue was that the task sequence would fail when attempting to run the command line action as a domain user. The error logs revealed the error “Incorrect Function”:
This is quite a generic error and can be caused by many different things, including a syntax error in the script or cscript being unable to locate the script specified. However, in this instance the error occurred due to a combination of Microsoft .NET Framework 1.1 being installed on the system and the attempt to run the command line as a different user. More specifically, the error was caused by the configuration of the following registry key:
The default value for this key is 1; however, the installation of .NET Framework 1.1 modified the value. The solution is to re-configure the REGDBVersion DWORD value back to 1 during the task sequence, which will result in the command line action running correctly. This can be easily automated during the deployment process by creating a collection of actions to first back up the key, then modify the value and finally restore the original value, as illustrated in the following steps.
Step One: Back up the existing registry values
Step Two: Set the REGDBVersion value to 1
Step Three: Run the desired script as the domain user
Step Four: Restore the previous registry values
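The registry steps above can be driven from one small command script, shown here as an added example rather than the author's own task sequence commands. The key path is a placeholder because it is not reproduced in the text above; the script name, the backup file location and the mode arguments are assumptions.

```bat
@echo off
rem Added example, not from the original post.
rem Call once per Run Command Line step (running as Local System):
rem   regdbversion.cmd backup    - Step One
rem   regdbversion.cmd set       - Step Two
rem   regdbversion.cmd restore   - Step Four
setlocal

rem PLACEHOLDER: replace with the registry key that holds REGDBVersion.
set "REGDB_KEY=HKLM\SOFTWARE\REPLACE_WITH_KEY_FROM_ARTICLE"
rem Assumed backup location; it must still exist when Step Four runs.
set "BACKUP=%SystemRoot%\Temp\REGDBVersion-backup.reg"

if /i "%~1"=="backup"  goto :backup
if /i "%~1"=="set"     goto :set
if /i "%~1"=="restore" goto :restore
echo Usage: %~nx0 backup^|set^|restore
exit /b 2

:backup
rem Export the whole key so the value written by .NET 1.1 is preserved.
reg export "%REGDB_KEY%" "%BACKUP%" /y
exit /b %errorlevel%

:set
rem Refuse to change the value if there is nothing to restore from later.
if not exist "%BACKUP%" (
    echo No backup found at %BACKUP%, registry left unchanged.
    exit /b 1
)
reg add "%REGDB_KEY%" /v REGDBVersion /t REG_DWORD /d 1 /f
exit /b %errorlevel%

:restore
rem Import the saved key, then remove the backup file.
if not exist "%BACKUP%" (
    echo No backup found at %BACKUP%, nothing to restore.
    exit /b 1
)
reg import "%BACKUP%" || exit /b 1
del "%BACKUP%"
exit /b 0
```

A non-zero exit code fails the step, so a missing backup stops the sequence before the value is changed. Only Step Three uses the "Run this step as the following account" option.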
This post was contributed by Matt Bailey, a Consultant with Microsoft Services - UK.
Curious about something Matt, when in the deploy TS do you have your TS step to move the computer to the target OU? When running the script to move the computer to a new OU, how do you "tell" MDT that it is to run the script in the context of the Domain User account and not as local system account?
I think I answered my own question regarding "how do you "tell" MDT that it is to run the script in the context of the Domain User account and not as local system account".....I guess you just use the "run this step as the following account" option.
If you look at step three of the process you will see the "Run this step as the following account" option at the bottom of the window. Configure this field with the domain user credentials and the action will run under that account.