VMware Horizon Community
mark_j
Virtuoso

VDM Pooling, issue adding VMs to AD over existing computer accounts

I've read through this discussion board and haven't found anyone else with this particular issue of mine.

A little background..

VDM 2.1 on domain A , customization setup to add computers to Domain A using domain admin credentials for domain A.

VirtualCenter and ESX hosts on Domain B. No shared DNS between domain A and B; we use host file entries on all clients that need resolution (but it's probably not relevant to this problem).

The template was added to the domain before being converted to a template, agent is running, and the customization is running sysprep to change the SID.

OK. Non-persistent pool. When I deploy a VM through VDM and the computer account does not exist in AD, it creates it properly. If the account already exists from a previous instance of a similarly named VM, it disables the computer account. If I go in AD and manually enable the account, all is well.

If I go in to VirtualCenter to deploy the template manually, it does the same thing - disables the existing computer account. When I enable it, all is well immediately.

Ideas anyone? The goal is to successfully add a new VM to a pool and properly take ownership of an existing computer account.

If you find this or any other answer useful please mark the answer as correct or helpful.
mike_laspina
Champion

Hi,

Did you leave the base image in a workgroup before it was set as the template?

If it was not then I think you would initially have a GUID collision.

http://blog.laspina.ca/ vExpert 2009
mark_j
Virtuoso

I have tried with the template on the domain and on a workgroup, each have the same result.

If I manually (Windows GUI) add the created computer to the domain over an existing computer account, it also disables the computer account in AD. But the difference with this is, then the computer can successfully access domain resources. Which is strange, because if a computer account is disabled in AD you'd assume it couldn't access domain resources.

I've appended the bottom of the guestcust file. It appears the customization did add the computer successfully to the domain, but for some reason the domain disables the account afterwards.

Successfully opened key SOFTWARE\VMware, Inc.\Guest Customization\

Size of reg_multi_sz 21.

Read multi_sz value from registry autocheck autochk *, size 21.

string value from registry autocheck autochk *.

Returning 1 elements

Successfully opened key SYSTEM\CurrentControlSet\Control\Session Manager\

Size of reg_multi_sz 22.

Read multi_sz value from registry sysprepDecrypter.exe, size 22.

string value from registry sysprepDecrypter.exe.

Returning 1 elements

Going to delete file C:\WINDOWS\system32\sysprepDecrypter.exe

Deleted file C:\WINDOWS\system32\sysprepDecrypter.exe

Creating object for MAC: 00:50:56:9e:16:eb

SELECT * FROM Win32_NetworkAdapter WHERE MACAddress = '00:50:56:9e:16:eb' and Manufacturer != 'Microsoft'

Found 1 objects. Pointer 7a0308. return code 0(0x0)

Found 0 objects. Pointer 0. return code 1(0x1)

Returning value
TESTF1\ROOT\CIMV2:Win32_NetworkAdapter.DeviceID="1" for system property

ASSOCIATORS OF {
TESTF1\ROOT\CIMV2:Win32_NetworkAdapter.DeviceID="1"} where ResultClass = Win32_NetworkAdapterConfiguration

Found 1 objects. Pointer 7a04a0. return code 0(0x0)

Found 0 objects. Pointer 0. return code 1(0x1)

Setting tcpip netbios options to 0

Getting method object for method name SetTcpipNetbios

Set status called with flag 0, result 0

Returning value
TESTF1\ROOT\CIMV2:Win32_NetworkAdapterConfiguration.Index=1 for system property

Joining domain domain using account domainadmin and password '*****'

Unable to update the password. The value provided as the current password is incorrect.

Retrying join operation with user = domainadmin@domain

Successfully joined domain on second try.

Customization in progress set to 0 at 2008-Jun-24 08:28:49

Rpci: Sending request='deployPkg.update.state 5 0 C:\WINDOWS\TEMP\vmware-imc\guestcust.log'

Rpci: Sent request='deployPkg.update.state 5 0 C:\WINDOWS\TEMP\vmware-imc\guestcust.log', reply='', len=0, status=1

SysprepDecrypter has unobfuscated the password successfully

Ainsley_Campbel
Contributor

Hi Mark,

I am having the same issue... I want to add computers to domain w/o giving it Domain Admin rights. We have delegated rights to a domain user account to join computers to domain under a specific OU. VMware support has no answers.... Looks like a bug...

mark_j
Virtuoso

I'm working on using netdom to get around it. If I use a script that runs the netdom join command on first logon and then reboots, it seems to take care of the issue. It's strange how netdom join would work perfectly, but the customization wouldn't - they must not work the same way.

Ainsley_Campbel
Contributor

That's cool... but my issue will be running additional scripts after joining the domain.. So I will have to log on twice to run scripts... It would be easier for me to enable the computer account.

mark_j
Virtuoso

Not if you configure the customization wizard to automatically log in 1 time after it's created. No?

Ainsley_Campbel
Contributor

Not sure.. Do you know how to modify the sysprep.inf VMware is using? We can probably add the server to the domain and specify the exact OU to add the server to.. So we don't have to pre-create the computer account..

mark_j
Virtuoso

When you use netdom join, you can specify the OU it joins the computer to.. and it actually works, I was amazed. I don't modify sysprep; you can add run-commands via the customization wizard. You can specify the computer to log in 2x times if you need to, then have a script reboot afterwards. When using non-persistent pools I can't be concerned with enabling all the computer accounts, so I need it to be automated.

I personally didn't modify the sysprep, but you can do it fairly simply when you create a customization. It will allow you to paste in the contents of the sysprep.ini as an unattended installation.

Ainsley_Campbel
Contributor

Sorry.. I understand what you are doing... But @ what point are you running your netdom script? Are you setting the script to run before you convert to template..

mark_j
Virtuoso

Yes, I set my script to run once then delete itself since it has credentials in it. It's very crude, but it works. Alternatively I could probably just run it from a network location.

I tried the "Run" section of the customization wizard, but it didn't work consistently.. a batch script is fairly bulletproof. I'm still disappointed the customization wizard wouldn't properly add computers to the domain over existing computer accounts; hopefully domain-joining/cleanup will be improved in future releases.

mark_j
Virtuoso

I determined the best solution would be to use a combination of the netdom join command and 1 automatic logon when a VM is created, followed by a reboot and deletion of the script that had the netdom credentials.

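The workaround mark_j settles on above (netdom join into a specific OU from the one automatic logon the customization wizard provides, reboot, then delete the script because it holds credentials), written out as an added PowerShell example that is not code from the thread or from VMware. It follows Ainsley_Campbel's point and uses a delegated join account instead of a Domain Admin; the domain, OU, account name, password and log path are placeholders, and netdom.exe is assumed to be on the path.

```powershell
# join-pool-vm.ps1 -- added example, not from the thread.
# Intended to run once from the single automatic logon the customization
# wizard configures; it reboots the guest and removes itself because the
# join password is embedded. All names below are placeholders.

$Domain   = 'domaina.example'                       # assumed "domain A"
$OU       = 'OU=VDM-Pool,DC=domaina,DC=example'     # assumed target OU
$JoinUser = 'DOMAINA\vdm-join'                      # delegated join account, not Domain Admin
$JoinPass = 'REPLACE-ME'                            # placeholder
$Log      = "$env:SystemRoot\Temp\netdom-join.log"  # assumed log location

function Write-Log([string]$Message) {
    "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message |
        Out-File -FilePath $Log -Append -Encoding ascii
}

try {
    # Idempotent: a pool VM that already belongs to the domain is left alone.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain -and ($cs.Domain -ieq $Domain)) {
        Write-Log "Already a member of $Domain; nothing to do."
    } else {
        Write-Log "Joining $env:COMPUTERNAME to $Domain in '$OU' as $JoinUser"
        # In the thread's testing, netdom join took over an existing computer
        # account of the same name where the customization left it disabled.
        # /OU targets the OU the join account is delegated for; /Reboot:10
        # restarts the guest ten seconds after a successful join.
        $output = & netdom.exe join $env:COMPUTERNAME "/Domain:$Domain" "/OU:$OU" `
                      "/UserD:$JoinUser" "/PasswordD:$JoinPass" /Reboot:10 2>&1
        $output | ForEach-Object { Write-Log ([string]$_) }
        if ($LASTEXITCODE -ne 0) {
            Write-Log "netdom join failed with exit code $LASTEXITCODE"
        } else {
            Write-Log "netdom join succeeded; reboot scheduled"
        }
    }
}
finally {
    # Whatever happened, do not leave the join password sitting on the pool VM.
    Remove-Item -Path $MyInvocation.MyCommand.Path -Force -ErrorAction SilentlyContinue
}
```

Because the script deletes itself, the log file is the only record of whether the join succeeded, so keep it somewhere the pool's cleanup does not wipe before you have checked it.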