What is your environment, domain or workgroup? If the former, why not use a different account like a domain join account? Also, something does not seem to add up when you say MDT is using the local account to build machines, please elaborate. Where is MDT pulling these creds from? When you say local admin account, in my mind, I am thinking an account local to the computer. Also, if these are new computers being built, then by design there is no "previous" account to reference that MDT should be using to throw a password error. Forgive me, just trying to wrap my head around your process. However, as already pointed out, the local system account does everything, it is only if there is domain join step that specific creds are needed. If a workgroup, then based on either a step in the TS or the customsettingings.ini, local accounts will get created as definedI want it to run when anybody but the built in administrator is logged on. This is LAPS install and it will disrupt the build process if it changes the password during the build. So I want it to run after the build is completed and a user logs in. So I was wondering if using a WMI query could be the answer to this.