Secure Task Sequence derps

A while back I didn’t know better and I derped up my task sequence by putting credentials in clear text in all of my OSD scripts. But, I’ve learned from my derp and found a better way.

If you're like me, you have scripts in your OSD task sequence that handle tasks such as joining the computer to the domain, moving the computer to a specific OU, or maybe even creating user accounts in AD. Scripts like these need credentials to connect to AD. Yes, you can use the 'Run this step as the following account' option, but that has its drawbacks as well. Using 'Run this step as the following account' together with the 'Timeout (minutes)' option will likely cause the step to fail. In addition, when you change the run-as account's password, you have to find every step that uses that option and update the password in each one.

Luckily, there is a better way to use credentials within your task sequence scripts without putting them in clear text. It's called the NAA (Network Access Account). If you've configured the NAA in SCCM, your scripts can use this account without the username or password ever appearing in the script file. During OSD the NAA is exposed as task sequence variables, the same UserID and UserPassword properties MDT itself uses when it connects to network shares:

UserID

UserPassword

So in your script you can read these variables. Keep in mind that they hold the real password for the life of the task sequence, so treat them the way you would treat the password itself: read them where you need them and never write them to a log or a file.

NOTE: I have only tested this with an MDT-integrated task sequence. If you don't have MDT integrated with SCCM for OSD, well.... You're doing it wrong.

An advantage of integrating MDT with SCCM OSD is the ability to use the ZTIUtility.vbs script. I write most of my OSD scripts as .wsf files, which lets me source ZTIUtility.vbs and use all of its glorious built-in functions.

First I set two variables, NAAUser and NAAPass, as follows:

' Read the NAA credentials the task sequence exposes (oEnvironment comes from ZTIUtility.vbs)
NAAUser = oEnvironment.Item("UserID")
NAAPass = oEnvironment.Item("UserPassword")


Now I have the credentials I need to connect to AD, a network share, etc. stored in variables within my script, with nothing sensitive written into the script itself. Do make sure you give the NAA the rights it needs in AD or on the network shares you'll be accessing, or your scripts will fail. Keep those rights to the minimum the scripts actually use (delegate the right to move computer objects into the target OU, for example, rather than adding the NAA to a privileged group): the NAA password is visible to every step in the task sequence and can be recovered by anyone who gets hold of the boot media or can read the ConfigMgr client's policy on a deployed machine, so whatever you grant the NAA you are effectively granting to them as well.
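Here is what a complete script built this way looks like: an added example of my own for this post, not a script that ships with MDT. It reads the NAA from UserID/UserDomain/UserPassword, binds to AD with those credentials, and moves the computer object being deployed into the OU named by the MDT variable MachineObjectOU. Assumptions: the file is saved as ZTIMoveComputer.wsf in the toolkit package (RunNewInstance instantiates the class named after the script file), OSDComputerName holds the target computer name, and the step runs after the domain join so the computer object already exists.

```vbscript
<job id="ZTIMoveComputer">
   <script language="VBScript" src="ZTIUtility.vbs"/>
   <script language="VBScript">

' ZTIMoveComputer.wsf (example, not part of MDT): move the computer being
' deployed into the OU in MachineObjectOU, binding to AD as the NAA that the
' task sequence exposes in UserID / UserDomain / UserPassword.
' Assumed: saved as ZTIMoveComputer.wsf in the toolkit package and run from a
' "Run Command Line" step after "Use Toolkit Package" / "Gather" and the domain join.

Option Explicit

' ADSI bind flags: secure (Kerberos/NTLM) authentication plus sealing of the session
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_ENCRYPTION = 2

RunNewInstance

Class ZTIMoveComputer

    Function Main
        Dim sUser, sPass, sTargetOU, sName, sComputerDN, lFlags
        Dim oDSO, oRootDSE, oTargetOU

        ' Credentials come from the task sequence environment, never from this file.
        sUser = oEnvironment.Item("UserID")
        sPass = oEnvironment.Item("UserPassword")
        sTargetOU = oEnvironment.Item("MachineObjectOU")
        sName = oEnvironment.Item("OSDComputerName")

        ' If UserID is a bare name and UserDomain is set, build DOMAIN\user for the bind.
        If InStr(sUser, "\") = 0 And oEnvironment.Item("UserDomain") <> "" Then
            sUser = oEnvironment.Item("UserDomain") & "\" & sUser
        End If

        If sUser = "" Or sPass = "" Or sTargetOU = "" Or sName = "" Then
            oLogging.CreateEntry "UserID, UserPassword, MachineObjectOU or OSDComputerName is empty.", LogTypeError
            Main = Failure
            Exit Function
        End If

        ' Log the account name only. BDD.log / SMSTS.log get collected and read later,
        ' so the password must never be written to them.
        oLogging.CreateEntry "Binding to AD as " & sUser & " to move " & sName & " to " & sTargetOU, LogTypeInfo

        lFlags = ADS_SECURE_AUTHENTICATION Or ADS_USE_ENCRYPTION
        On Error Resume Next
        Set oDSO = GetObject("LDAP:")
        Set oRootDSE = oDSO.OpenDSObject("LDAP://RootDSE", sUser, sPass, lFlags)
        If Err.Number <> 0 Then
            oLogging.CreateEntry "Bind as " & sUser & " failed: " & Err.Description, LogTypeError
            Main = Failure
            Exit Function
        End If

        sComputerDN = FindComputerDN(oRootDSE.Get("defaultNamingContext"), sName, sUser, sPass)
        If Err.Number <> 0 Or sComputerDN = "" Then
            oLogging.CreateEntry "Lookup of computer " & sName & " failed. " & Err.Description, LogTypeError
            Main = Failure
            Exit Function
        End If

        ' Bind to the destination OU with the same credentials and pull the object into it.
        Set oTargetOU = oDSO.OpenDSObject("LDAP://" & sTargetOU, sUser, sPass, lFlags)
        oTargetOU.MoveHere "LDAP://" & sComputerDN, vbNullString
        If Err.Number <> 0 Then
            oLogging.CreateEntry "Move of " & sComputerDN & " failed: " & Err.Description, LogTypeError
            Main = Failure
            Exit Function
        End If
        On Error GoTo 0

        oLogging.CreateEntry "Moved " & sComputerDN & " to " & sTargetOU, LogTypeInfo
        Main = Success
    End Function

    ' Find the computer's distinguishedName with an ADO query authenticated as the NAA.
    Function FindComputerDN(sBaseDN, sName, sUser, sPass)
        Dim oConn, oCmd, oRS
        Set oConn = CreateObject("ADODB.Connection")
        oConn.Provider = "ADsDSOObject"
        oConn.Properties("User ID") = sUser
        oConn.Properties("Password") = sPass
        oConn.Properties("Encrypt Password") = True
        oConn.Open "Active Directory Provider"

        Set oCmd = CreateObject("ADODB.Command")
        Set oCmd.ActiveConnection = oConn
        oCmd.CommandText = "<LDAP://" & sBaseDN & ">;(&(objectCategory=computer)(sAMAccountName=" & _
            EscapeLdap(sName) & "$));distinguishedName;subtree"
        Set oRS = oCmd.Execute

        If oRS.EOF Then
            FindComputerDN = ""
        Else
            FindComputerDN = oRS.Fields("distinguishedName").Value
        End If
        oRS.Close
        oConn.Close
    End Function

    ' Escape the characters that are special in an LDAP filter (RFC 4515).
    Function EscapeLdap(s)
        s = Replace(s, "\", "\5c")
        s = Replace(s, "*", "\2a")
        s = Replace(s, "(", "\28")
        s = Replace(s, ")", "\29")
        EscapeLdap = s
    End Function

End Class

   </script>
</job>
```

Call it from a 'Run Command Line' step as cscript.exe ZTIMoveComputer.wsf with the toolkit package selected. The NAA only needs the delegated right to move computer objects into the OU in MachineObjectOU (and read access to the domain to find the object); it never needs to be a domain admin for this.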
