Ghost Solution Suite

  • 1.  Password doesn't meet complexity requirements-Ghost Console 8-Join Domain

    Posted Dec 27, 2006 04:25 PM
    Hoping someone can help....

    Been messing with this for WAY too long and haven't seen an answer anywhere so here goes:

    1. This is a W2K3 domain and I'm deploying XP SP2 clients to existing W2K Pro clients.

    2. The XP image I'm deploying is Sysprepped.

    3. I create the task to push the image and perform a configuration task that will rename the machine according to template settings, put the machine in a new OU, then join to the domain.

    4. Everything works except the part where it's supposed to join the domain. The image gets pushed to the client, the old machine account is deleted from the existing OU, and the new machine account is placed in the new OU I set up for the new clients.

    In the event log for the task, everything shows "success" except the part about joining to the domain which shows "warning." Inside the log, I get the message "Post configuration-Password doesn't meet complexity requirements. Check password length, history, etc." (This isn't verbatim, but pretty close as I don't have access to the server right now).

    Now, I've tested this on a dev network, a separate test network, and the production network itself all with the same results. On the test network, I changed the password policy to basically allow anything and it still happens.

    The Ghost service account is a member of the domain admins group and has even been explicitly delegated full control over the OUs for both the existing machines and the new ones (this was in the troubleshooting stage in reference to a KB article on this site). The service account has a password that meets all complexity requirements and has been changed as well to a password that definitely doesn't match anything in the password history. And yes, like a lot of other posts on here, you can manually join the computer to the domain using the Ghost service account.

    So, I'm guessing it's not the service account that's the problem...but what is it? The machine account password?

    Anyone seen this before? Any ideas/suggestions greatly appreciated.


  • 2.  RE: Password doesn't meet complexity requirements-Ghost Console 8-Join Domain

    Posted Dec 28, 2006 01:44 AM
    Hi LB,

    As you correctly deduced, the problem is not with the service account. The service account is used to create the Computer account in the domain, which seems to be successful. But the client fails when it tries to join that account. I presume that your sysprep configuration does not include domain join, but it is done using Ghost Console. However, this is the first time I have seen this error message during the post config phase.

    Could you check the netsetup.log in the client's \Windows\Debug folder? This could have more information about the failure.

    Did you use the same image when you tried it in your test network?

    How many characters do you have in the client computer name? Does it contain any special characters?

    Krish


  • 3.  RE: Password doesn't meet complexity requirements-Ghost Console 8-Join Domain

    Posted Dec 28, 2006 11:59 AM
    Thanks Krish,
    No, nothing about joining the domain in the sysprep.inf file. Just using the console to rename and join the domain. There is a weak password in the sysprep.inf file, though I can't see where it's being used. It's in the section under AdminPassword. However, that's not what gets used for the local admin password on the client so I'm not quite sure that's the culprit. The rest of the section is commented out.

    The netsetup.log file shows some entries about joining the workgroup but no mention of the domain at all. I've even tried just a simple configuration task (no cloning, etc) that only joins a machine to the domain and get the same "password complexity error." The local admin account on the client has a good password and meets the criteria for the domain.

    Yes, used the exact same image on the test network and got the same results.

    The computer accounts have 14 chars; however, I've tried using 5-6 char computer accounts just to rule that out and still get the same problem... Sysprep does give them a default name of 14 alpha-numeric chars with a hyphen; however, Ghost doesn't seem to have a problem renaming the machine at all so I don't think that part of the task could be conflicting with sysprep. And when Ghost does rename them, I only use alpha-numeric chars.


  • 4.  RE: Password doesn't meet complexity requirements-Ghost Console 8-Join Domain

    Posted Dec 28, 2006 12:09 PM
    Just did a bit more looking about the password in the sysprep.inf file. In my case, it seems to be redundant since the local admin account on my client already has a password.

    ref: http://technet2.microsoft.com/WindowsServer/en/library/1cd05ce1-7eaa-4b03-bef5-772bb2d799eb1033.mspx?mfr=true


  • 5.  RE: Password doesn't meet complexity requirements-Ghost Console 8-Join Domain

    Posted Dec 29, 2006 12:19 AM
    Hi LB,

    Thanks for the update. At the post config step, it should re-negotiate new credentials with the domain. I am still confused about how to get this error when negotiating new machine passwords.

    Could you try running 'net accounts' in a cmd shell in the client and see if there are any unusual settings for the password requirement?

    If you could check the netsetup.log file in the client you tried with only the domain joining task (without cloning/sysprep), there should be some entries about the domain joining. Could you double check that too?

    Just to eliminate the infrastructure related issues, could you try joining another client to the domain using Ghost Console?

    The other possibility is actually this failing in a previous step. Could you check the machine account created by Console in the domain for this machine and see if it is OK?

    Did you use the same machine name all the time by any chance? If so, could you try using a completely different machine name when joining to the domain?

    Krish
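
The netsetup.log check requested in posts 2 and 5 can be scripted. The following is an added example, not part of the original thread or of Ghost: it reports whether a domain join was attempted at all and decodes any non-zero status it finds. The function name `triage` is hypothetical, the `Netp...: status: 0x...` line shape is an assumption about the log format, and both sample logs are constructed.

```python
import re
import sys

# Win32/NetAPI status values (hex) that a join routine can report.
STATUS = {
    0x5: "ERROR_ACCESS_DENIED",
    0x54B: "ERROR_NO_SUCH_DOMAIN",
    0x8B0: "NERR_UserExists (account already exists)",
    0x8C5: "NERR_PasswordTooShort (password policy not met)",
}
# Assumed line shape: "<timestamp> <Routine>: status: 0x<hex>"
STATUS_RE = re.compile(r"\b(Netp\w+): status: 0x([0-9a-fA-F]+)")
DOMAIN_RE = re.compile(r"\bNetp(DoDomainJoin|JoinDomain)\b")
WORKGROUP_RE = re.compile(r"\bNetpJoinWorkgroup\b")

def triage(log_text):
    """Report which join paths were attempted and every non-zero status."""
    out = {"domain_attempted": False, "workgroup_attempted": False, "failures": []}
    for line in log_text.splitlines():
        out["domain_attempted"] |= bool(DOMAIN_RE.search(line))
        out["workgroup_attempted"] |= bool(WORKGROUP_RE.search(line))
        m = STATUS_RE.search(line)
        if m and int(m.group(2), 16):
            code = int(m.group(2), 16)
            out["failures"].append((m.group(1), hex(code), STATUS.get(code, "unknown")))
    return out

# Constructed sample: only a workgroup join was logged (the case in post 3).
WORKGROUP_ONLY = """\
12/28 11:01:02 NetpJoinWorkgroup: joining computer 'PC01' to workgroup 'WORKGROUP'
12/28 11:01:02 NetpJoinWorkgroup: status: 0x0
"""
# Constructed sample: a domain join that failed on password policy.
DOMAIN_FAIL = """\
12/28 11:02:14 NetpDoDomainJoin
12/28 11:02:14 NetpMachineValidToJoin: status: 0x0
12/28 11:02:14 NetpJoinDomain
12/28 11:02:15 NetpDoDomainJoin: status: 0x8c5
"""

if __name__ == "__main__":
    # Pass a copied netsetup.log path, or run with no argument for the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            print(triage(fh.read()))
    else:
        print(triage(WORKGROUP_ONLY))
        print(triage(DOMAIN_FAIL))
```

A result with `domain_attempted` false means the client never reached the join routine, so the error was raised before netsetup.log was involved.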