News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Setup Multiple computers with Win10

    Posted on major4579 Comment on the AskWoody Lounge

    Home Forums Admin IT Lounge Setup Multiple computers with Win10

    Tagged: 

    This topic contains 14 replies, has 8 voices, and was last updated by  Paul T 2 weeks, 2 days ago.

    • Author
      Posts
    • #2007343 Reply

      major4579
      AskWoody Plus

      I manage about a dozen small businesses in my area. I’m upgrading them all to Windows 10 (they are currently on Windows 7), because of insurance and liability they cannot stay on Windows 7.

      I’m planning on using the same approach as I did when I installed Windows 7. These businesses have 3-10 computers each, all are running peer-to-peer using a standalone Windows 7 acting as the server. It’s never been clean or easy to change the name on a user account, so to save a lot of installation time I came up with this process.

      All desktops are exactly the same – model, hardware, etc.

      All Laptops are exactly the same.

      I will be installing Windows 10 with a local account NOT a Microsoft Account.

      Below where I refer to one system – I actually mean 2 – one desktop and one laptop.

      1. What I do is setup a system: I create a standard user called “USER” and install all appropriate apps, updates, drivers, etc. I then make an MASTER image of the disk.
      2. I use that image to create a new system and configure that for a particular business – special software, printers, etc. I make another image – BUSINESS MASTER.
      3. I use this second image to create each user’s computer. I change the computer name and activate and license the software for each user (yes they are in compliance with licenses). Each computer has the same user name: USER, but since this is a peer-to-peer, it’s never been a problem in the past. Each computer will end up with a different password. I do assign the individual’s name to an environmental variable so I can track things like backing up data from a workstation (most is stored on the pseudo server). I make an INDIVIDUAL image .

      All these images (Master, Business-Master, and Individual) get stored on duplicated external HDs.

      Now it may seem a little strange to have all user accounts with the same name, but being a peer-to-peer network, this hasn’t caused any problems.

      The questions I have are:

      1. Will this work with Windows 10?
      2. Are there any changes I should make to my process?

      Thanks,

      Marc

       

    • #2007648 Reply

      Kirsty
      Da Boss

      Am I understanding correctly that you do not have an Administrator user account at all? (pardon me if I have not understood this).

      • #2007665 Reply

        b
        AskWoody Plus

        As mentioned in today’s newsletter, it’s not possible to not have an admin account on any Windows version:

        Every Windows installation must have at least one administrator account; if there’s only one such account on a machine, Windows won’t let you remove or demote it.

        WINDOWS: Working outside an admin account: Safe but annoying

        Windows 10 Version 1909 (Group ASAP)

        • #2007875 Reply

          mn–
          AskWoody Lounger

          Actually, well, slightly more complicated than that.

          The “Administrator” account on desktop versions of Windows, by default, does exist but is disabled. Deleting this account isn’t supported but you don’t have to enable it.

          During normal interactive install you get to create an account, this can be named anything you like – doesn’t have to be “Administrator” – and it becomes a member of the Administrators local group.

          It is indeed possible for this account to become disabled as well, such as due to running into the “too many wrong passwords” limit.

          Also you can for example join the system into a domain and then remove the “User” account from local Administrators group. It is allowed that the only enabled admin accounts be through domain authentication.

          There are all kinds of ways you can lock a computer so that no one can get in normally, messing with this without knowing what you’re doing is a good way to get there. Like requiring domain auth for admins and then requiring fresh enough domain credentials before being allowed to authenticate to domain, and allowing them to time out once. (Or as it may happen, failing an update and getting pulled back to a restore point…) Actually, I even know people who do that on purpose.

          • #2008110 Reply

            b
            AskWoody Plus

            Actually, well, slightly more complicated than that.

            Hmm, well, not really!

            Unless you know of a method to remove or disable the last local admin account on any version of Windows? (And some magic to replace or re-enable it?)

            It is indeed possible for this account to become disabled as well, such as due to running into the “too many wrong passwords” limit.

            What’s the default local account lockout threshold for any version of Windows?

            Windows 10 Version 1909 (Group ASAP)

            • #2008163 Reply

              mn–
              AskWoody Lounger

              Unless you know of a method to remove or disable the last local admin account on any version of Windows? (And some magic to replace or re-enable it?)

              Go in with a domain-granted admin account and set it as disabled? Worked last time I tried. As in 5 or so minutes ago.

              Wasn’t all that long ago that I last had to fix a server where all accounts had gotten disabled due to excessive bad passwords. (As to how it got that way, that’s a long story … also a bit of a distance as the local help they got couldn’t get it open.)

              Booted a Linux live-usb and used chntpw to re-enable… easier to get write access to the RAID array contents that way than building a suitable Windows-based recovery setup would’ve been. Yes, hardware-specific issues too.

              (For the curious – yes, if you have the recovery key, there’s a Linux tool to open BitLocker too)

              What’s the default local account lockout threshold for any version of Windows?

              Default is 0, as in don’t do it. Also MS documentation recommends setting a reset timer for that so it’ll re-enable automatically after a given time.

              Well, on that one server, someone had set a max attempts number but left the re-enable at 0.

              Wasn’t the first time I’d seen that, either….

            • #2008164 Reply

              jabeattyauditor
              AskWoody Lounger

              Go in with a domain-granted admin account and set it as disabled? Worked last time I tried. As in 5 or so minutes ago.

              Can’t you just disconnect it from the  network and use cached credentials?

            • #2008168 Reply

              mn–
              AskWoody Lounger

              Yes. For the accounts that are still enabled. Local now-disabled admin account isn’t cached because it’s local.

              Then by default you need to have …25? non-admin domain users log in to rotate the cached admin credentials out.

              That number can be changed, or caching disabled altogether.
              Or you could just go and delete the cached credentials with regedit if you’re sure you know how.

              Or you could revoke the user’s membership in the domain group that confers admin rights and log in again with a server connection. Cache updated, admin rights lost.

              Really, Windows authentication does have ways to shoot yourself in the foot if you REALLY want to.

              Yes, some security-paranoid people do set them up that way on purpose. Don’t ask.

    • #2007988 Reply

      major4579
      AskWoody Plus

      I left out a lot of details as I was looking for suggestions about my overall approach or one that doesn’t require me to set up each person’s account individually. I know I could use Sysprep, but it doesn’t save all the settings, so there is still more work to do on each computer.  Yes of course I have an Admin account, it’s been enabled and password protected. I then create the USER account for the end-user as another Admin account and will demote it to standard when all is done.

    • #2008062 Reply

      wavy
      AskWoody Plus

      I seem to remember that you could in one version of windows copy an account profile. Did this disappear after XP? I see in my W10 one can only copy the default to another profile.

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
    • #2008099 Reply

      BobbyB
      AskWoody Lounger

      All desktops are exactly the same – model, hardware, etc. All Laptops are exactly the same.

      The easy way would be to use one of each type and do a straight upgrade with Win 10 (generic image) and (either boot from USB or run from the Desktop) see what problems develop.
      Big caveat with this approach there have been problems in the past, settings not migrated, software installed not working correctly but at least you will know what your dealing with before rolling out on other machines.
      As for SYSPREP well I have never installed a prepared Win10 image over an existing installation with like software already installed, albeit installed on Win 7, so not sure if or what problems that will bring. Another reason maybe try this out in a test environment.
      Creating a SYSPREPed image of Win 10 is a real pain, its not as easy as Win 7 or Win 8.1, since the advent of UWP and Metro Apps you have to stop them updating otherwise it’ll stop the shutdown (OOBE) and generalise process in a never ending run mode.
      Basically you have to stop the Apps updating, and remove them, not a biggie as they are “Staged” and will or should come back.
      Maybe one or two can suggest another way here but it may mean serendipity or “Trial and error” on your part, and a lot of legwork alas.
      Hopefully your licensing will allow you to get Professional and above, its my long time assertion that networking reliably has been broken on the Win10 Home version since M$ removed Home Groups with 1709.

    • #2008201 Reply

      major4579
      AskWoody Plus
      1. This is a workgroup situation – there is no domain.
      2. I am NOT upgrading from W7 to W10, I’m installing a new clean version of W10 PRO and then re-installing ALL the software, printer drivers, etc.
      3. Yes in XP you could copy a profile to a new user with all the programs and settings getting copied, but references to the old user name would still exist. There was a useful free utility called COA (Change of Address) that would go through the new profile changing all references for the old user name to the new user name, including the user directory name. It would search the registry, shortcuts and win.ini if I remember correctly. There is a way to manually do this in Windows 7 and that did work (actually the COA utility worked on Win7-32). I don’t know if this would work in Windows 10.

      So back to my original question, which I can express a little more clearly. What is the easiest/fastest/cleanest way to deploy a new copy of Windows 10 with programs, printers, and other customizations to a number of identical computers in a NON-Domain, i.e., Workgroup environment? I know there will always have to be some work on each computer, entering licenses and activating programs – but I want to keep it at a minimum.

      Thanks,

      Marc

    • #2008332 Reply

      Paul T
      AskWoody MVP

      Sysprep is the best method IMO as it allows all the user / machine setup / licensing.
      It does take time to set up but well worth it.

      cheers, Paul

    • #2008525 Reply

      major4579
      AskWoody Plus

      Paul,

      The problem I’ve had with Sysprep is that I set up Windows 10 to look as much like Windows 7 as possible (my clients prefer this), and all that work personalizing the UI gets lost with Sysprep. So it still takes a lot more of my time. The main advantage of Sysprep is it works with different hardware – I don’t have that issue. Restoring an image outs me 10 steps closer to finishing, it seems to me.

      Thanks,

      Marc

       

    • #2008549 Reply

      Paul T
      AskWoody MVP

      Surely you can script the last bit at the end of the install?

      cheers, Paul

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Setup Multiple computers with Win10

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.