User context (and elevation status) of the Post-Setup commands

Hvergelmir

I'll admit that since the days of winnt.sif I have been slacking off a bit keeping up with the details of the setup process. However, since the respective feature isn't in the Unattended "tab", I thought it best to ask -- after searching for applicable threads -- what it is to expect.

So, suppose I am adding commands in the Post-Setup "tab", what is the user context (in terms of whoami /all) that I should expect from (my guesses in parens):
I have no idea for "After logon", because it would encompass a variety of options. Example: on Server it'd be BUILTIN\Administrator which is typically exempt from UAC elevation; and whatever the logged user happens to be otherwise. But it's not clear if elevated or not. I would hope so, though.

What's also not clear is how this behavior "scales" when multiple users could be logging on. Will every new user re-run these commands, or do they indeed only happen once for anyone who happens to be member of BUILTIN\Administrators?
 
When using a custom unattended file, commands in the specialize pass execute as SYSTEM.

(Before logon) tasks are written to SetupComplete.cmd. Windows will normally call SetupComplete immediately after OOBE exits, except when you own a PC that has an OEM product key in the BIOS. In those cases, it skips running SetupComplete.

To get around this problem, and make it equal for all PCs, NTLite creates a SetupComplete.cmd but calls it from a post-OOBE task so it doesn't depend on Windows checking for a product key. This task also runs as SYSTEM.

(After logon) tasks are created as RunOnceEx tasks, which execute immediately after the primary user logs on the desktop for the first time. While the tasks run as your user account, because you're the primary user (and therefore a member of Administrators), it has Admin rights. RunOnceEx tasks are cleared by Windows after they're successfully executed.

So this only works for the first user who logs on, and not for any other user or for future users not yet created. If you need that, you must modify the Default User's profile and add any RunOnce tasks to it. Any new users which are provisioned will clone the Default User's profile, and copy any RunOnce tasks that are registered to the profile.
 
Thank you for the clarifications, this helps a lot. In fact I don't want it to run for every user, so I guess this is fine. Also reassuring to know that it will run elevated as long as the user is a member of BUILTIN\Administrators.
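
To confirm on your own image the contexts described in this thread, a small script can record the identity and elevation state each time a Post-Setup command runs. This is an added example, not part of the original posts and not NTLite's own code; the `-Stage` label, the log file name and its location are assumptions.

```powershell
# Added example: log the security context a Post-Setup command actually runs in.
param(
    [string]$Stage  = 'unspecified',     # free-text label, e.g. BeforeLogon or AfterLogon
    [string]$LogDir = $env:SystemDrive   # assumed location; falls back to %TEMP% below
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# True only if BUILTIN\Administrators is enabled in this token,
# not deny-only as it is in a UAC-filtered token.
$adminEnabled = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# The mandatory integrity label appears in "whoami /groups" as S-1-16-<RID>.
# Matching on the SID keeps the check independent of the display language.
$levels = @{ 4096 = 'Low'; 8192 = 'Medium'; 8448 = 'Medium Plus'; 12288 = 'High'; 16384 = 'System' }
$groups = (& whoami.exe /groups /fo csv /nh) -join "`n"
$rid = if ($groups -match 'S-1-16-(\d+)') { [int]$Matches[1] } else { $null }
$integrity = if ($null -ne $rid -and $levels.ContainsKey($rid)) { $levels[$rid] } else { "unknown ($rid)" }

$record = [pscustomobject]@{
    Time              = (Get-Date).ToString('s')
    Stage             = $Stage
    User              = $identity.Name
    UserSid           = $identity.User.Value
    IsSystem          = $identity.IsSystem
    AdminGroupEnabled = $adminEnabled
    IntegrityLevel    = $integrity
}
$line = $record | ConvertTo-Json -Compress

# One file per stage, so a file created by SYSTEM never blocks a later
# write from the logged-on user's (possibly unelevated) process.
$file = "PostSetup-context-$Stage.log"
try {
    Add-Content -Path (Join-Path $LogDir $file) -Value $line -ErrorAction Stop
}
catch {
    # A non-elevated token usually cannot create files in the drive root.
    Add-Content -Path (Join-Path $env:TEMP $file) -Value $line
}
```

Saved under a hypothetical name such as `Log-Context.ps1`, it can be added to each stage as `powershell.exe -NoProfile -ExecutionPolicy Bypass -File <path>\Log-Context.ps1 -Stage AfterLogon`. A record that lands in `%TEMP%` with `AdminGroupEnabled` false and `IntegrityLevel` Medium means that stage ran without elevation.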
 