Run command line as domain user – Incorrect Function Error

When deploying Windows clients using Configuration Manager 2007 and MDT 2010 Update 1, there is often a requirement to run task sequence actions as a domain user rather than as the local system account, for example to perform actions on a computer object in Active Directory (such as moving the computer object to a different OU). Usually, the OU security will be configured with the necessary ACLs to allow specific users or groups to perform computer object operations. When we attempt to automate this as part of the deployment process, it will fail because the action is executed by the system account, which does not hold the necessary privileges (this is the default behaviour in Configuration Manager 2007).

The “Run Command Line” task sequence action therefore provides the option to execute the command as a domain user account that has the necessary privileges.

This has always worked perfectly for me, until recently when working on a Windows 7 deployment. The issue was that the task sequence would fail when attempting to run the command line action as a domain user. The error logs revealed the error “Incorrect Function”.

This is quite a generic error and can be caused by many different things, including a syntax error in the script or cscript being unable to locate the script specified. However, in this instance the error occurred due to a combination of Microsoft .NET Framework 1.1 being installed on the system and the attempt to run the command line as a different user. More specifically, the error was caused by the configuration of the following registry key:

HKLM\Software\Microsoft\COM3\REGDBVersion

The default value for this key is 1; however, the installation of .NET Framework 1.1 modified the value. The solution is to reconfigure the REGDBVersion DWORD value back to 1 during the task sequence, which will result in the command line action running correctly. This can be easily automated during the deployment process by creating a collection of actions to first back up the key, then modify the value, and finally restore the original value, as illustrated in the following steps.

Step One: Backup the existing registry values

[Screenshot: backupkey]

Step Two: Set the REGDBVersion value to 1

[Screenshot: changevalue]

Step Three: Run the desired script as the domain user

[Screenshot: MoveObject]

Step Four: Restore the previous registry values

[Screenshot: restorekey]
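
The four steps above could be entered as the following command lines, one per "Run Command Line" action. This is an added example, not the commands from the original post's screenshots. Assumptions: the backup file path and the script name MoveObject.vbs are hypothetical, and the value type follows the post's description of REGDBVersion as a DWORD.

```bat
:: Added example, not the original post's commands. One command line per
:: task sequence step; Steps One, Two and Four run as the default system account.

:: Step One: back up the COM3 key (the backup path is an assumption)
reg export "HKLM\Software\Microsoft\COM3" "%SystemRoot%\Temp\COM3-backup.reg" /y

:: Step Two: set REGDBVersion to 1 (DWORD, as the post describes it).
:: Check the current type and data on a reference machine first with:
::   reg query "HKLM\Software\Microsoft\COM3" /v REGDBVersion
reg add "HKLM\Software\Microsoft\COM3" /v REGDBVersion /t REG_DWORD /d 1 /f

:: Step Three: run the script; set "Run this step as the following account"
:: on this step only. MoveObject.vbs is a hypothetical script name.
cscript.exe //nologo MoveObject.vbs

:: Step Four: restore the values saved in Step One, then remove the backup file
reg import "%SystemRoot%\Temp\COM3-backup.reg"
del "%SystemRoot%\Temp\COM3-backup.reg"
```

If Step Three fails and the task sequence stops there, Step Four never runs and REGDBVersion stays at the modified value, so consider enabling "Continue on error" on Step Three so that the restore still executes.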

This post was contributed by Matt Bailey, a Consultant with Microsoft Services - UK.

Comments

  • Anonymous
    January 01, 2003
    Hi Scott. If you look at step three of the process you will see the "Run this step as the following account" option at the bottom of the window. Configure this field with the domain user credentials and the action will run under that account. Matt

  • Anonymous
    November 21, 2012
    Curious about something Matt, when in the deploy TS do you have your TS step to move the computer to the target OU?  When running the script to move the computer to a new OU, how do you "tell" MDT that it is to run the script in the context of the Domain User account and not as local system account? cheers scott

  • Anonymous
    November 21, 2012
    I think I answered my own question regarding "how do you "tell" MDT that it is to run the script in the context of the Domain User account and not as local system account".....I guess you just use the "run this step as the following account" option.