How to create local user groups in answer file

Hello,

As part of preparing a standardized IoT / embedded installation starting point, I'd like to create a new local user group in the answer file so that I can have an imported security setting that grants a certain permission based on that group.

Is the only way to do this through the FirstLogonCommands of the OOBE? Is there no way to specify the group in an earlier pass (like specialize) so that the group can be specified for a user in local accounts setup?

Thanks in advance!

RunSynchronous commands in specialize. Credentials are optional if it's a local operation (no domain).

Code:

    <settings pass="specialize">
        <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <RunSynchronous>
                <RunSynchronousCommand wcm:action="add">
                    <Order>1</Order>
                    <Description>Add local group</Description>
                    <Path>net group exec estherv ralfr stevent /add</Path>
                </RunSynchronousCommand>
            </RunSynchronous>
        </component>
    </settings>

garlin said:

RunSynchronous commands in specialize. Credentials are optional if it's a local operation (no domain).

Code:

    <settings pass="specialize">
        <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <RunSynchronous>
                <RunSynchronousCommand wcm:action="add">
                    <Order>1</Order>
                    <Description>Add local group</Description>
                    <Path>net group exec estherv ralfr stevent /add</Path>
                </RunSynchronousCommand>
            </RunSynchronous>
        </component>
    </settings>

Hmm...that doesn't seem to work. (I used localgroup instead of group, since I'm not working on a domain controller.)

Usually what I do for a sanity check (to see if Windows is skipping my command) is redirect output to a log file, on the same <Path> line.

I don't think it's path issue. Check the full XML formatting, since I didn't include a full autounattend file. Most of the time when nothing runs -- the XML is missing something, or I've copied the block to the wrong place.

OK, it seems to be working now...weird that it didn't before. For your amusement, I went through the following sequence of tests. (By the way, I'm using WSIM to manage the answer file):

1. What you indicated - didn't work.

2. Added redirect to log file - didn't work and no log file created

3. Added full path to net.exe - didn't work.

4. Removed everything and added "cmd.exe /C mkdir c:\test" - just to see if it ran - that worked - Good

5. Added the following sequence of commands (each a separate synchronous command, of course):

cmd.exe /C mkdir c:\before
cmd.exe /C net localgroup Application /ADD
cmd.exe /C mkdir c:\after

And it worked! Both directories created and the local group was added.

6. Removed the surrounding "mkdir" commands - works - local group is added.

7. Removed the "cmd.exe /C" - so now we're back to exactly what you suggested - and now it works.

...weird.

But thanks for pointing me that direction. (I am not a Windows administrator and was barely aware of the "net" command.)