Softgrid Documentation

Are you looking for the Softgrid 4.1/4.2 Documentation/Softgrid Admin installation guide? Well it is well hidden and oddly not linked from the Softgrid home page and you will be hard pressed to find it on Google. Anyway, it is here: http://support.microsoft.com/kb/940163

I hope that helps save someone a bit of time hunting around.

Master Site Directory in Sharepoint 2007 Error

I ran into an error when trying to assign a master site directory in MOSS 2007 Central Admin:

This not a valid site directory. Specify a URL to a site that is using the site directory template.

I checked that the URL was valid and that it was pointing to a Directory Site. I even created a new directory site and tried that with no luck.

I worked out that if I set the default public URL to be a simple name like site, instead of site.domain.co.uk, the master site directory page accepts the entry and it all works. However this is no good as we need a proper FQDN as the default public URL (and changing it back after setting the MSD breaks the MSD functionality).

I have a call open with Microsoft through ESCUK about this. This call has been dragging on for a long time and somehow Microsoft have not been able to reproduce the problem.

I'll keep this post updated as and when I hear something back from Microsoft. I would be very interested to hear if anyone else is seeing this problem so I can feed back to Microsoft. Thanks!

07/01/08

Microsoft have finally reproduced this problem and have acknowledged it as a 'possible bug', as such it has been escalated. No news as to a fix yet.

23/01/08

Today I had a call from a developer at Microsoft who has been looking through the code used by the Master Site Functionality and established that it first checks for the existance of the site in the configuration database. This is interesting because apparently if it does not find the exact URL in the config database it will reject it. This means that if you use a different default AAM to the URL you used when creating the web application that hosts your MSD, the lookup will fail. The only way I know of to fix this is to extend your web application and use the URL of your default AAM as the URL for your new IIS site and set this extended web app to use a different zone (i.e. Intranet). The default AAM URL will end up the default AAM for two different zones and will now appear in the configuration database (as it is added by Central Admin when you use it to extend the web app). This is not pretty and I don't advise you go ahead with it in the production environment without taking advice from Microsoft.

Fortunately our default AAM was also the URL that was used to create the original web application used to host the MSD. Therefore the work around above is not appropriate. Back to the drawing board......

Quick thought...... if using NetBios names fixes the problem, what could be happening differently for FQDNs. Perhaps a proxy issue. However I have made sure that our proxy is configured to be disabled for the application pool and service accounts. However each web application's web.config file by default sets the proxy to auto=true. The developer at Microsoft suggested changing this to false for the Central Administration web application. That did the trick! We now have a full functional master site directory. It was a very long time coming for a simple solution, but a good learning experience.

To make this change go to C:\Inetpub\wwwroot\wss\VirtualDirectories\****, where **** is the port number of your Central Admin site. If you are not sure which is the right virtual directory open IIS Admin, right click on the Central Admin site and choose Explore. Right click in the white space to the right and select properties to get the folder and path. Open the web.config and locate the following:

(system.net)
(defaultProxy)
(proxy autoDetect="true")
(/defaultProxy)
(/system.net)

Change to:

(system.net)
(defaultProxy)
(proxy autoDetect="false")
(/defaultProxy)
(/system.net)

You will also need to do this for any web applications that you want to create Site Collections from within a Site Directory page (and make use of the Master Site Directory feature). Hhowever if you do this you may want to use something more like below so that web parts like RSS readers can connect to external feeds.



This adds exceptions for *.domain.local.com and 198.168.*.*

I hope this saves someone a lot of time!

Sharepoint 2007 - Server Farm Configuration Not Complete

Along with many others my MOSS 2007 Farm has been running for some time saying that it's configuration is not complete.

This was starting to get annoying so I decided to investigate. I deleted all the Administrator Tasks and ensured all the services were running where they should be. I even went to the extent of ensuring everything that could be configured was configured. The only thing remaining was to switch on farm features that I did not want, so I switched on Excel Calculation Services and started the service on one WFE server. The message went away! I was then able to stop the service and switch off the feature and the message did not come back.

Sharepoint 2007 - Problem with Profile synchronisation and My Sharepoint Sites

We have another issue with Sharepoint 2007 in which one site collection and all of its subsites are not appearing in our My Sharepoint Sites list. I have run through all the basic tests and ensured that the right people are in the Site Members list and have even recreated the Site groups and added the members back in, but nothing works. More than this though, it seems that none of the profile synchonisation (a Sharepoint timer job) is being run against this site collection as any changes to users profiles from MySites/Profiles/directly on the SSP are not reflected in the people and groups pages on the problem site collection. For example if I delete my profile picture i.e.















This change is reflected everywhere but this site collection where it still attempts to reference it:


I used Quest Recovery Manager to restore this site collection so currently have an open call with them and depending on how things go will also open a call with Microsoft to see if they can offer a fix for this.


Any ideas or feedback greatly appreciated. As always I will update this post when I have a fix/workaround.

Office 2007 and Vista, persistent cookies do not work

I have run into another issue with SharePoint 2007 which specifically only affects Office 2007 running on Windows Vista.

We have SharePoint setup using ISA 2006 for forms based authentication. This works perfectly for XP/2003 with Office 2003/2007 and Vista with Office 2003. However when we open a document from SharePoint 2007 using Office 2007 on Vista, we are prompted for a password. This is rather annoying. I have opened a call with Microsoft to see if I can get to the bottom of this.

There are numerous articles out there saying that this is to do with IE Protected mode, but we have this switched off for the Intranet zone (hence it works fine in Office 2003 on Vista).

Even more worrying than the simple inconvenience of the prompt is that fact that WebDAV caches the users' credentials. Imagine the scenario that you go to a public access machine and log onto SharePoint using ISA FBA. You then open a document and enter your credentials. You then finish working and log off Sharepoint and close the browser. You would think you were now logged off, but you are not as WebDAV is still caching your credentials. Whoops!

04/01/2008

Following my call being escalated by the good guys at ESK UK to Microsoft, it has now been escalated within Microsoft. I've just been on a call with a very helpful escalation engineer at Microsoft who has confirmed that this issue is related to Office 2007 on Vista trying to use WebDAV and WebDAV trying to authenticate using Windows Auth, rather than using the persistent cookies. As our server is connected via ISA using FBA, Windows auth falls back to basic auth and then WebDAV caches the credentials (until the webclient service is restarted or the user logs off).

The engineer has provided a useful workaround: install the Web Client update for Vista (http://support.microsoft.com/default.aspx?scid=kb;EN-US;907306) and then set all Office Apps to run in compatibility mode. This has a couple of drawbacks other than the work involved. Firstly it loses the enhanced ability that WebDav has to be able to browse up and down SharePoint web applications and secondly it does not resolve the password prompt you get when when you try to use Explorer view (I don't know of a way of telling Explorer to run in compatibility mode). Nevertheless we will use this workaround on the few Vista machines we have, but will certainly have to think twice before rolling Outlook Vista and Office 2007 to our 12,000 desktops.

The following registry keys can be set to tell Office Apps to run in XP SP2 compatibility mode. Remember you can really mess up your machine by changing the wrong registry settings so back it up and go careful:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"winword.exe"="WINXPSP2"

SQL 2005 Reporting Services "The ReportServerVirtualDirectory element is missing"

I had this issue after a clean install of IIS followed by Reporting Services. I configured reporting services using the config tool and ended up with green ticks against all sections. The reportserver url worked fine and reports were accessible, however when accessing http://servername/reports, I received the error "The ReportServerVirtualDirectory element is missing".

Following looking around I found the following article:

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=741808&SiteID=1

This page provides the following fix which worked perfectly:

Open C:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportManager\RSWebApplication.config using notepad or equivalent. Find the line and add "" so that it looks like:
"ReportServer"
Save the file and reload the page.

Citroen C4 Reliability

This is a big step away from my usual postings, but I had to share my experience of owning a Citroen C4 VTR with the wider world.

When I purchased the car I had a six week honeymoon period when I enjoyed driving it and loved the way it looked, I even managed to overlook the rattles and squeaks. After six weeks the pain began. I have had the car for 22 months now and in that period it has been in the garage for warranty repairs 22 times! In total it has cost me over £200 in costs of insuring courtesy cars and an untold amount of hassle, not to mention the fact that I hardly see my car these days, have to drive around in basic small cars and am generally sick and tired of it.

Well I have had a case open with Citroen for some time and am hoping to get some compensation and get rid of my C4 (which I have now not seen for three weeks). I have tried two garages who have both not yet been able to fix the issues. Citroen so far have said 'we want to restore your confidence in the Citroen and will work with the dealer'. Well times are well beyond that now and I want and expect a lot more. I spoke to a friend of mine yesterday who has a lot of experience of managing auto repair centres and he described Citroen technical (the guys that are supposed to help the garages with difficult problems) as hopeless. Even more worrying a technician I spoke to in a garage described the experience as sometimes as helpful as phoning a snowman (it was a cold day).

I'll see what happens over the next couple of weeks and keep this blog updated.

In the mean time, if you are thinking of buying a C4, don't!!!! Go and buy a Ford Focus instead, it may look bland but at least you will get to see it and it won't rattle and break all the time (and it handles better). If not the Focus and you want something that looks good go for the Seat Leon.

15/12/07
The saga continues. I again was told that the issue was fixed (I've lost count of how many times I have been told this now) so I went to the garage (not very optimistically), sat in the car and reproduced the problem immediately. So another week without my car and another £15.50 lost on covering the insurance on the courtesy car. I logged another call with Citroen Customer services who called me back within 2 days and told me that they were very concerned, would contact the garage and that the next step would be to send a Citroen engineer to look at it. About time I would say, after all two dealers have now had 11 opportunities to fix it. Why don't we have a law like Lemons law in the US? Anyway, Citroen Technical have another couple of ideas which parts are ordered for. If this does not help I don't expect any progress until the New Year as the Citroen Regional Customer Services Manager is on leave.

19/12/07
I was promised a call from Citroen customer services today. No call.

20/12/07
Still no call and no contact from the garage.

21/12/07
I called the garage and spoke to one of the really helpful guys on the service desk who told me they believe the issue was with the BSI (I think that's what it was called), the thing that interfaces to the ECU and connects the cables. Anyway apparently Citroen don't think this is the problem and have not authorised its replacement, even though the garage has ordered the part and has it in stock. The Garage have told me that they are going to try swapping the cables round coming from the BSI from the OF to NS doors and see if the fault follows the cable to the other door. If it does then they know the problem is with the BSI. Unfortunately with the Christmas period the engineer at the garage is quite rightly on leave until the 2nd of January so nothing will happen until then. Kindly the garage have allowed me to hold onto the courtesy car which is now beginning to feel like my own car as I have had it for five weeks!

04/01/08 AM
Awaiting feedback from the garage and still no courtesy call from Citroen. I have now spent in excess of £120.00 on insuring courtesy cars.

04/01/08 PM
I called the garage. The BSI cables have been swapped round and the problem remained with the passenger side window. Now all relevant parts have been replaced except the entire door and the ECU. I'm writing to Citroen today and seeking legal advice as this is ridiculous. As it stands the problem has changed again in that it now works OK from the passenger side control but not from the driver side and the issue with freezing after going up and down just twice (which the garage introduced early December 07) is still evident. The garage, who continue to try very hard with this, have been told to expect a call from someone at Citroen in France. I have had to extend the courtesy car cover by yet another week. Between two garages Citroen has now had nearly 8 weeks to put this issue right. I wish there was some proper legal advice on what do to in these situations. The problem is not with the seller as the issue was not there at the time of sale, so the sale of good act as far as I see it does not apply. However there must be some rules about a suitable level of warranty repair!

09/01/08
I've not heard anything more from Citroen or the garage so have now written a letter to Citroen customer services asking for a formal response within seven days with an action plan. I have told Citroen that I will be contacting a solicitor in seven days if I do not have a response or their response is unsatisfactory.

10/01/08
Still nothing from Citroen. I had a call from the garage though who asked me to pop by, so I did. They had the car stripped back when I got to the garage and showed me what they had been doing. The garage told me they had been chasing Citroen technical all week and they were not returning their calls. The garage have been suggesting replacing the BSI for a few weeks now and had the part ordered in, however Citroen would not authorise them to replace the part (presumably because they did not want to pay for it). Well the garage decided to cut their losses, as like myself they have lost money on this problem due to Citroen being hopeless and not giving them suitable advice and having to spend a huge amount of time on the problem. The garage decided to fit the BSI and potentially take on the cost themselves. This has resolved the problem. The window still does not work perfectly due to an over-sensitive window switch on the driver's side, but I can live with that.

13/01/08
Window still working ok, fantastic! I took some chocolates into the garage to thank them for their great work and for going beyond the book. I am pursuing my case with Citroen and have not heard anything back yet. I am bitterly disappointed with Citroen and want to see some financial compensation for the way I have been treated and the hassle I have been put through. Seems like they may be busy though as the C4 seems to be full of electric problems from the stereo switching itself off after 2 minutes if then engine is not running (Citroen's response: go for a 2 hour drive and then try again; how ridiculous) to not being able to get into the car due to a failure in the locking electricals, all within the warranty period. I dread to think what will happen after the three year warranty. The car has to go!

14/01/08
I recieved a call from Citroen customer services regional service manager today who asked me to put together some rough costing of my expenses incurred as a result of warranty repairs. I calculated £280 if you don't take into account by time and £470 if you do.

17/01/08 AM
My Window still works but the new seal they have put on is not tight so there is a lot of wind noise on the motorway. Therefore it is going back into the garage again soon !!!

17/01/08 PM
Today I received a letter from Citroen sincerely apologising for the inconvenience and offering me a 12 month extension to my manufacturer's warranty. I think this is a big step in the right direction, although I'm not sure if it goes far enough to making up for my expenses. However this is not a perfect world and to be fair to Citroen it does show willing to help and that they acknowledge that the experience I have had is not acceptable. I'm inclined to accept the offer and keep the car for another year to take advantage of it. My colleagues are telling me to seek legal advice and push for more. I'm just not sure if I can be bothered.

22/01/08
Well it did not last long. I took the car for a long drive and it has four new problems. The seal on the passenger's window is knackered so it sounds like the Window is open all the time - very annoying on the motorway. The passenger door is no longer aligned with the car body, the internal light will not stay on and the car no longer knows that I have front fog lights! Booked back in for the 04/02/08.

31/03/08
I've not updated this for a while as I lost heart with it all. Since my last post the garage have (across three further visits) managed to fix all issues including cruise control failures, fog lights, wind noise, internal light and another safety recall. Now the car is working 100% I'm quickly getting rid of it. Because I don't want any responsibilty for future problems I have cut my losses and am trading it in. I'm getting myself a Fiat Bravo Dymanic 150T. Can't wait. Hopefully it will be as reliable as the last Fiat I had.

Sharepoint 2007 - Set MySite Locale (Regional settings) to UK (EN-GB)

I spent much time recently investigating how to set regional settings (locale) on a MOSS 2007 Web Application level so that any new site collections inherit the appropriate regional settings (in my case EN-GB).

It is possible to set regional settings at site collection level and inherit down to all subsites, which works fine when you do not use self-service site creation, but not otherwise, especially for MySites. Back in May 2007 I opened a call with Microsoft about this (via the Education Support Centre http://www.escuk.net/) and recently received the news that Microsoft have identified this as a code change and the developers are considering the change. As it stands Microsoft may well need more persuasion in order to make this change, so if you are having this trouble please get in touch with me and we can build a case.

There are some work arounds to this if you are prepared to forefit Microsoft support for your Sharepoint implementation i.e.

1. Alter the Store procedure proc_CreateSite which performs the site creation process and accepts language and locale as parameters, to always use locale 2057 (English UK) for each portal (In the relevant _site database). Currently it will be set with no default, so will always use the 1033 locale (English US). If you were to do this, you could be asked to remove the setting from the settings from the store procedure and more importantly revert back any portals to before the changes were made.
2. Bulk update the webs table in the _site database for each Portal to have a locale of 2057 instead of 1033. This has the effect of changing all the sites to UK English.

Naturally I DO NOT recommend these changes due to supportability issues, but support from Microsoft may not be of concern in all implementations.

Another better workaround is to use feature stapling to provision a masterpage to new mysites by adding the regional settings to the featurereceiver (credit to Esben Kolind of Netcompany IT and Business Consulting for this suggestion):

mySiteWeb.RegionalSettings.LocaleId = 1030; //Danish
mySiteWeb.RegionalSettings.Time24 = true;
…
mySiteWeb.Update();


Microsoft have now developed a fix for this that has gone through testing, has been approved and is being rolled into a hotfix.

07/01/08
The initial fix released in October 07 broke the creation of MySites in my farm so was prompty uninstalled. A new version has now been released for pre-SP1. I'm awaiting Microsoft to send it to me. Microsoft plan to release a post-SP1 update in about eight weeks.

14/01/08
The second release of the fix works a treat and allows the administrator to set the locale in https://MySiteURL/_layouts/settings.aspx (the Personal Site Provider site) to whatever they want ie. UK and then this will be inherited to new My Sites.

08/02/08
A third release of the fix is now available for post SP1. Because this fix has not undergone full regression testing it is not available for general download. To obtain, contact Microsoft and quote KB942819.

MOSS 2007 Installation - Could not access the Search service configuration database

I had some trouble configuring the Windows SharePoint Services Search Service during a MOSS 2007 installation. When starting the service I hit the following error message:

Could not access the Search service configuration database

In the Application Event log the following error was shown:

The filename or extension is too long. 0x800700ce

This problem is caused by the server names in use being too long. It is no good trying to change the name of the database server to be the Netbios name (rather than FQDN) within the Windows SharePoint Services Search Service configuration, you need to change the name of the server registered to perform the Search service.

Before doing this please ensure you take a full backup of your MOSS site collections (if you have any, in my case I didn't as it was a clean install):

stsadm.exe -o backup -url <http://hostname> -filename backup.dat
http://support.microsoft.com/default.aspx/kb/889236

After the backup perform the following steps to register your search (perhaps also WFE/Index) server using stsadm.exe to invoke the "renameserver" command option.

Open a command prompt window and navigate to the folder where stsadm.exe sits. Normally "C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN".

Use the renameserver command as follows, replacing and with the new and old names of your server:

stsadm -o renameserver -newservername -oldservername

That should do it.

I am told that this command is safe to run as part of your configuration if necessary, although I would recommend you follow the setup procedure in the following site though to avoid it.
http://mindsharpblogs.com/bill/archive/2006/06/27/1153.aspx

Multiple Languages/Invalid Characters in RSOP of Windows 2003

When you run RSOP on Windows 2003 SP1/SP2 and you have Group Policies that modify the Error Reporting settings, you may notice that under Computer Configuration\Administrative Templates\ there are a lot of random languages that appear to be related to Application Error Reporting.

This is caused by RSOP quering the applicable settings for Application Error Reporting in local ADMs. All local ADMs named AER_xxxx.adm in the %Systemroot%\INF folder are parsed to see if there is a match for the error reporting policy setting. If there are multiple AER_xxxx.adm files that match the error reporting policy, they are all displayed in the RSOP result. These ADM files are installed by .Net Framwork 2.0. as Microsoft have not released language specific versions of .Net 2.0.

This is not by design, but there is no current fix.

To workaround this issue you can either happily ignore it, or on the machine where RSOP mmc is being run (this does not need doing on all machines if you query them from a central server) have a look in the %Systemroot%\INF for any ADM files that begin with AER_xxxx.

If you find multipleAER_xxxx.adm files, then (after backing them up) remove all but the AER_1033.adm (English).

Run Rsop again.

VMWare Server: Virtual machine config file is invalid

Have you experienced this error after a host lock up on VMWare Server? This can be caused by a number of things from duplicate/invalid entries in the config .vmdk file (compare it to others), missing files, corrupt disk volumes or corrupt memory files. In my case the problem was with corrupt memory files and the following steps resolved it:

Reboot the host server to remove any file locks
Delete the .vmem and .vmem.lck files in the faulty VM's working directory.

The virtual machine can then be powered back on.

Please approach this with caution on production VM servers as any transactions that are in memory and not committed to disk will be lost.

Automatically update and reboot Citrix Presentation Servers on a schedule

When we originally set up our Citrix PS 4.0 farm we needed to establish an efficient method of patching our servers without any maintenance windows or visible downtime. This method of patching needed to tie in with our use of WSUS and not add any administrative overhead.

The answer seemed easy, we need a system that detects if there are any outstanding patches (those approved for installation on WSUS, or available from Microsoft Update depending on environment), if there are outstanding patches it then needs to stop subsequent TS/Citrix logins, wait for everyone to log off, download and install the patches and then reboot.

I was sure that there would be plenty of people who need a similar solution but having spent some time looking all I could find were scripted methods for installing patches, tools that rebooted servers when there were no remote logons (all of which I found inconsistent) and the obvious change logon /disable command. I needed a way of pulling this together so I wrote a number of batch files and VBScript (I can't claim credit for all the VBScipt as I downloaded it from http://www.wsus.info/).

We set WSUS setting via GPOs to check for updates every night and install between 04:00 and 06:00. Therefore, if we approve a WSUS update to a group the servers in that group will update that evening. The first step was to change this GPO for the Citrix PS servers so that the servers were set to only download the updates and not install (although you could set it to do nothing, the important thing is that the servers are set to look at the WSUS server for updates). the next step was to create a scheduled task to run my scripts, which I set to run every night.

Now to the scripts, the first of which determines if updates are available: if there are it calls a batch file, if not it quits and nothing happens until the scheduled task runs again the next night.

Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateupdateSearcher()
Set searchResult = _updateSearcher.Search("IsInstalled=0 and Type='Software'")
Set File = CreateObject("Scripting.FileSystemObject")

Set LogFile = File.OpenTextFile("R:\Temp\WSUSUpdates\CheckForUpdates.log", 8, True)
LogFile.WriteLine("***************************************************************")LogFile.WriteLine( "START TIME : " & now)LogFile.WriteLine( "Searching for updates..." & vbCRLF)
LogFile.WriteLine( "List of applicable items on the machine:")

For I = 0 To searchResult.Updates.Count-1
Set update = searchResult.Updates.Item(I)
LogFile.WriteLine( I + 1 & "> " & update.Title)
Next

If searchResult.Updates.Count = 0 Then
LogFile.WriteLine( "There are no updates waiting to be installed, quiting.")
WScript.Quit
Else
LogFile.WriteLine( "There are updates waiting to be installed.")
LogFile.WriteLine( "Stopping the IMA service to prevent logons.")
dim shell set shell=createobject("wscript.shell")
LogFile.WriteLine( "Checking for logged in users....")
shell.run "R:\Temp\WSUSUpdates\CheckLoggedInUsers.bat 350"
set shell=nothing
WScript.Quit
End If

You will notice that if patches are available the batch file CheckLoggedInUsers.bat is called. This batch file disables new logins and checks for users logged in remotely using the ICA protocol and if there remote users it loops round until they are not! It takes the parameter from the first VBScript "350" as the number of times to retry before giving up and quiting. You will need PS Tools from: http://www.microsoft.com/technet/sysinternals/Utilities/PsTools.mspx installed for this to work and sleep.exe from the Windows 2003 server resource kit tools: http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en.

@echo off
If "%1"=="" GOTO Parameter
set E2=0
set E1=0
set E0=0
%systemdrive%
cd %systemdrive%\temp\wsusupdates\
date /t >>CheckLoggedInUsers.log
echo Stopping logons >>CheckLoggedInUsers.log
echo Stopping logons
change logon /disable
goto firstrun
:loop
echo Users logged on, checking retry limit
echo Users logged on, checking retry limit >>CheckLoggedInUsers.log
echo Incrementing retry count >>CheckLoggedInUsers.log
echo Incrementing retry count
:E0
if %E0%==9 goto E1
if %E0%==8 set E0=9
if %E0%==7 set E0=8
if %E0%==6 set E0=7
if %E0%==5 set E0=6
if %E0%==4 set E0=5
if %E0%==3 set E0=4
if %E0%==2 set E0=3
if %E0%==1 set E0=2
if %E0%==0 set E0=1
goto DONE
:E1
set E0=0
if %E1%==9 goto E2
if %E1%==8 set E1=9
if %E1%==7 set E1=8
if %E1%==6 set E1=7
if %E1%==5 set E1=6
if %E1%==4 set E1=5
if %E1%==3 set E1=4
if %E1%==2 set E1=3
if %E1%==1 set E1=2
if %E1%==0 set E1=1
goto DONE
:E2
set E1=0
if %E2%==9 set E2=0
if %E2%==8 set E2=9
if %E2%==7 set E2=8
if %E2%==6 set E2=7
if %E2%==5 set E2=6
if %E2%==4 set E2=5
if %E2%==3 set E2=4
if %E2%==2 set E2=3
if %E2%==1 set E2=2
if %E2%==0 set E2=1
goto DONE
:DONE
If "%E2%%E1%%E0%"=="%1" GOTO RetryLimit
echo Sleeping for 60 seconds >>CheckLoggedInUsers.log
echo Sleeping for 60 seconds
sleep.exe 600
:firstrun
echo Checking for ICA Sessions >>CheckLoggedInUsers.log
echo Checking for ICA Sessions
query session FIND "ica-tcp#" >nul
IF NOT errorlevel 1 GOTO loop
:update
Echo Performing an update >>CheckLoggedInUsers.log
Echo Performing an update
InstallWSUSUpdates.vbs
psshutdown /r /f
:RetryLimit
echo Retry limit exceeded, script exiting >>CheckLoggedInUsers.log
echo Retry limit exceeded, script exiting
GOTO end
:Parameter
echo No retry limit entered (enter three characters i.e. 003), script exiting >>CheckLoggedInUsers.log
echo No retry limit entered (enter three characters i.e. 003), script exiting
GOTO end
:end

We now have no logged in users, new users cannot login and there are patches waiting to be installed. The third of the scripts installs the patches:

Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateupdateSearcher()
Set searchResult = _
updateSearcher.Search("IsInstalled=0 and Type='Software'")
Set File = CreateObject("Scripting.FileSystemObject")
Set LogFile = File.OpenTextFile("R:\Temp\WSUSUpdates\InstallWSUSUpdates.log", 8, True)
LogFile.WriteLine("***************************************************************")
LogFile.WriteLine( "START TIME : " & now)
LogFile.WriteLine( "Searching for updates..." & vbCRLF)
LogFile.WriteLine( "List of applicable items on the machine:")
For I = 0 To searchResult.Updates.Count-1
Set update = searchResult.Updates.Item(I)
LogFile.WriteLine( I + 1 & "> " & update.Title)
Next
If searchResult.Updates.Count = 0 Then
LogFile.WriteLine( "There are no applicable updates.")
WScript.Quit
End If
LogFile.WriteLine( vbCRLF & "Creating collection of updates to download:")
Set updatesToDownload = CreateObject("Microsoft.Update.UpdateColl")
For I = 0 to searchResult.Updates.Count-1
Set update = searchResult.Updates.Item(I)
LogFile.WriteLine( I + 1 & "> adding: " & update.Title )
updatesToDownload.Add(update)
Next
LogFile.WriteLine( vbCRLF & "Downloading updates...")
Set downloader = updateSession.CreateUpdateDownloader()
downloader.Updates = updatesToDownload
downloader.Download()
LogFile.WriteLine( vbCRLF & "List of downloaded updates:")
For I = 0 To searchResult.Updates.Count-1
Set update = searchResult.Updates.Item(I)
If update.IsDownloaded Then
LogFile.WriteLine( I + 1 & "> " & update.Title )
End If
Next
Set updatesToInstall = CreateObject("Microsoft.Update.UpdateColl")
LogFile.WriteLine( vbCRLF & _
"Creating collection of downloaded updates to install:" )
For I = 0 To searchResult.Updates.Count-1
set update = searchResult.Updates.Item(I)
If update.IsDownloaded = true Then
LogFile.WriteLine( I + 1 & "> adding: " & update.Title )
updatesToInstall.Add(update)
End If
Next
logFile.WriteLine( "Installing updates...")
Set installer = updateSession.CreateUpdateInstaller()
installer.Updates = updatesToInstall
Set installationResult = installer.Install()
'Output results of install
LogFile.WriteLine( "Installation Result: " & installationResult.ResultCode )
LogFile.WriteLine( "Reboot Required: " & installationResult.RebootRequired & vbCRLF )
LogFile.WriteLine( "Listing of updates installed " & "and individual installation results:" )
For I = 0 to updatesToInstall.Count - 1
LogFile.WriteLine( I + 1 & "> " & updatesToInstall.Item(i).Title & ": " & installationResult.GetUpdateResult(i).ResultCode )
Next
'if installationResult.RebootRequired = -1 then
'LogFile.WriteLine( "reboot the server")
'strComputer = "."
'Dim refWMIService
'Set objWMIService = GetObject("winmgmts:" _
'& "{impersonationLevel=impersonate,(Shutdown)}!\\" & strComputer & "\root\cimv2")
'Set colOperatingSystems = objWMIService.ExecQuery ("Select * from Win32_OperatingSystem")
'For Each objOperatingSystem in colOperatingSystems
'ObjOperatingSystem.Reboot()
'Next
'end if
LogFile.WriteLine( "STOP TIME : " & now)
LogFile.WriteLine("***************************************************************")
LogFile.Close

You can comment back in the VBScript reboot command but I found using psshutdown /r /f within the calling batch file (script 2) much more dependable.

I also have a scheduled task to re-enable logins at bootup: change logon /enable

That is it. This has been running problem free for about six months and does not require any administrative overhead (any more than WSUS does anyway).

Suggestions and comments always welcome!