Alexander’s Blog

A few years ago I wrote this article Deleting Old User Profiles in Windows 2000/XP/2003 about a User Profile Deletion utility called DelProf.exe. This tool is part of the Windows Server 2003 Resource Kit. Because it was written for older operating systems it won’t work on Windows Vista or later operating systems.

Lucky for us, Microsoft MVP Helge Klein has written a successor utility called DelProf2 that works with newer operating systems, such as Windows 7. DelProf2 works with Windows XP/2003/Vista/Windows 7/Windows 2008/Windows 2008R2.

DelProf2 will even handle profiles that use long paths (i.e. MAX_PATH values of longer than 260). This tool is great if you want to get rid of old profiles that are taking disk space. It will delete all profiles except the current profile. It will leave the necessary system profiles (e.g. Default profile) alone. Default profile is used by the operating system to create a profile for a new user by making a copy of the Default profile. You also have the option to delete locally cached copies of roaming profiles or delete older profiles that have not been used for a certain period of time, such as older than 90 days.

Here is the syntax used by DelProf2.

Usage: delprof2 [/u] [/q] [/i] [/p] [/r] [/c:[\\]<computername>] [/d:<days>]

       /u   Unattended (no confirmation)
       /q   Quiet (no output and no confirmation)
       /i   Ignore errors, continue deleting
       /p   Prompt for confirmation before deleting each profile
       /r   Delete local caches of roaming profiles only, not local profiles
       /c   Delete on remote computer instead of local machine
       /d   Delete only profiles not used in x days
       /l   List only, do not delete (what-if mode)

Helge has some nice examples on his site. You can use DelProf2 to delete inactive profiles remotely (including Windows 7 computers) using their IP addresses.

DelProf2 is a free utility that can be downloaded from Helge’s Web site here. While you are at it, you might want to check out some additional tools that he has written.

If you are having problems installing Service Pack or software updates on Windows Server 2008 R2, Windows 7 or Windows Vista you are not alone. There are lots of people facing the same issue, including me, and hopefully this article will be helpful in understanding and solving the problem. I should point out that I have encountered this problem of installing Service Pack 1 (SP1) on numerous servers (all new installation) as well as existing Windows 7 client. The focus of this article is on Windows Server 2008 R2 but you can apply the same techniques on Windows 7 and Windows Vista.

It took me three full days to find a solution that worked for me. Needless to say I was searching the Web all this time and trying various solutions but some worked and others didn’t. Unlike the old Windows NT days when the patches were considered a risky business, for the past decade or so Microsoft has done a great job to make the updates and security patches fairly reliable. It’s a daunting task to deal with a gazillion updates on various systems and gain the confidence of consumers. Microsoft gained enough of my confidence that I have been configuring all my computers, including servers, to download and install the Windows Update automatically. Even though I have occasionally encountered a few crashes, overall I have been fairly satisfied with the automatic Windows Update service. Well, lately things have not been so rosy. Windows Updates are causing more problems more frequently and therefore starting this year I decided to manually update my computers because of the fear of system crashes and other unexpected results. Microsoft has confirmed my fears of Windows Update by releasing a patch to fix the patches. The patch is called Windows System Update Readiness Tool, essentially a bug fix that fixes other bug fixes. But these days vendors don’t use the term bugs any more because that is admitting that there was a problem with the software in the first place. Instead they refer to them as “patches”, “updates”, “repairs”, “fixes”, and now there is a new term “tool.” Well, you tell me which one sounds better Windows System Update Readiness Tool or Windows Update Bug Fix? Exactly my point!

Microsoft is aware that even the Windows System Update Readiness Tool may not fix the Windows Update problems with Windows Server 2008 R2 and therefore they have posted an article on TechNet for advanced diagnosing and fixing servicing corruption. The article is listed under the Troubleshooting section as Known Issues with Windows Server 2008 R2. So now we know that Microsoft is aware of this issue and have released a bug fix for the bug fixes and also admitted that the bug fix for the bug fixes may not work and therefore we may need to rely on some advance diagnostics to fix the problems with the corruption in Windows servicing store (more on this servicing store in a minute).

Let’s get back to the problem of installing SP1. As I indicated earlier, lately I have been having lots of issues with installing Windows Server 2008 R2 SP1 on several servers. As far as I recall, I have experienced this issue mostly on new server installations. The problem is that the service pack hangs after a minute or so and the installation fails. After spending a lot of time I finally narrowed the problem down to one particular update (KB2620704). I installed all the updates on my new servers (92 to be exact) and then installed KB2620704 that was causing problems. On some servers KB2620704 failed while on others I was able to install it successfully. However, even after I was able to install all the updates, including KB2620704, I still wasn’t able to install SP1. In addition, I was not able to install SharePoint Server 2010 on one of the servers because when I tried to install the software prerequisites it failed.

At one point Windows Update offered me a new update called System Update Readiness Tool for Windows Server 2008 R2 x64 Edition (KB 947821) [August 2011].

According to Microsoft:

“This tool is being offered because an inconsistency was found in the Windows servicing store which may prevent the successful installation of future updates, service packs, and software. This tool checks your computer for such inconsistencies and tries to resolve issues if found.”

In case you are wondering about the Windows Servicing Store, it’s a component that is required to successfully install the service packs.

There is something very interesting in the above screenshot. Notice that the last update on the list Windows Server 2008 R2 Service Pack 1 x64 Edition (KB976932) is only 13.6MB. If you download SP1 from Microsoft here, the size is 903.2MB. The interesting part was that I was working on several newly installed servers and only one of them showed SP1 as 13.6MB. All the other servers listed KB976932 as 95.5MB – 892.6MB, as shown in the screenshot below.

After installing KB947821 I was still not able to installSP1. I went to the SUR log to see what’s going on. See this article for more information.

%windir%\logs\cbs\checksur.log

I noticed the log pointed to the KB2620704 which I knew was a problem right from the start. On the server where I was able to install KB2620704 everything was fine but on the server where I wasn’t able to install SP1 I knew I had to install KB2620704. I was left with only 2 updates (KB2620704 & the SP1 update KB976932) so I unchecked KB976932 and tried to install KB2620704 but it failed with the error Code 800F0818.

Now you may get lucky after installing KB2620704 but I wasn’t. Here’s what I did next. Per TechNet article Advanced guidelines for diagnosing and fixing servicing corruption I looked at the two files listed at the end of the checksur.log.

servicing\packages\Package_for_KB2620704_SP1~31bf3856ad364e35~amd64~~6.1.1.0.mum
servicing\packages\Package_for_KB2620704_SP1~31bf3856ad364e35~amd64~~6.1.1.0.cat

Next I started cmd.exe as an administrator and backed up the two files as a precaution.

copy %windir%\servicing\packages\Package_for_KB2620704_SP1~31bf3856ad364e35~amd64~~6.1.1.0.mum c:\temp

copy %windir%\servicing\packages\Package_for_KB2620704_SP1~31bf3856ad364e35~amd64~~6.1.1.0.cat c:\temp

Then I took ownership of these files so I can copy these files from another server.

takeown /f %windir%\servicing\packages\Package_for_KB2620704_SP1~31bf3856ad364e35~amd64~~6.1.1.0.mum

takeown /f %windir%\servicing\packages\Package_for_KB2620704_SP1~31bf3856ad364e35~amd64~~6.1.1.0.cat

Next I used icacls to grant administrators permissions to overwrite the files.

icacls %windir%\servicing\packages\Package_for_KB2620704_SP1~31bf3856ad364e35~amd64~~6.1.1.0.mum /grant administrators:F

icacls %windir%\servicing\packages\Package_for_KB2620704_SP1~31bf3856ad364e35~amd64~~6.1.1.0.cat /grant administrators:F

Finally, I logged out and then logged back in so I can copy the two files from another server where I was able to successfully install KB2620704 to the server. Even though I was logged in with a domain account that was a member of the local administrators group the permission to copy the files was denied. I went to Windows\servicing\packages folder in Windows Explorer and gave my domain account  full-control permissions to the packages folder. I removed this permission after I was able to copy the two files. I ran the update for KB 2620704 and it was finally successful.

I then tried to install SP1 (KB976932) again. By that time I knew all these KB article numbers better than my address and phone number. Fortunately, this time it worked and I was able to install SP1 on my Windows Server 2008 R2. It only took about 40 hours in three days. Piece of cake!

SharePoint Server 2010 Installation

The rest of the article only applies to you if you are installing SharePoint Server 2010 on a new server. Once the service pack was installed, I should be able to install SharePoint, right? Wrong! This time the software prerequisites tool was able to install a couple of prerequisites, including the Web Server (IIS) Role, but was unable to install the hotfix KB976462.

Okay, no problem. I downloaded the hotfix KB976462 for my x64 system (Windows6.1-KB976462-v2-x64.msu) from here and tried to run it but got an error “The update is not applicable to your computer.” Here’s how I worked around that hurdle. I followed the instructions in yet another KB article KB934307.

1. I created a folder C:\KB976462 and downloaded the file Windows6.1-KB976462-v2-x64.msu into that folder.
2. I created a folder C:\TEMP.
3. I opened command prompt as an administrator and ran the following command to expand the MSU file to the temp folder which resulted in 4 files in the TEMP folder.
   expand -f:* “C:\KB976462\Windows6.1-KB976462-v2-x64.msu” C:\TEMP
4. Then I ran the following command.
   pkgmgr.exe /n:c:\temp\Windows6.1-KB976462-v2-x64.xml
   You will not see any message after you run this command successfully. Just wait a minute or so until the command prompt is returned and that’s how you will know if the command was successfully executed. The only time you will see a message is if something went wrong.
5. Next I double-clicked the Windows6.1-KB976462-v2-x64.msu file in the C:\KB976462 folder where I originally downloaded it. I got a pop up message that “The update is not applicable to your computer.” This is the same message I received when I had double-clicked the file the first time. By the way, some people have reported that they get the message that the patch is already installed.
   NOTE: Regardless of what message you see, you should simply ignore it and go to the next step and you will be a happy camper.
6. I ignored the notice and ran the SharePoint software prerequisites tool again. This time everything worked and I was able to install the software prerequisites.
   
7. I deleted both the C:\KB976462 and the C:\TEMP folders.
8. I rebooted the server. Even though I had not received any notices or warnings that I need to restart the server, when I tried to install SharePoint the wizard indicated that I must reboot first before proceeding to install SharePoint.
9. After the reboot I continued on with SharePoint Server 2010 installation without a hitch.

References

Here are the download links for Windows System Update Readiness Tool for Windows Server 2008 R2, Windows 7 and Windows Vista (KB947821).

System Update Readiness Tool for Windows Server 2008 R2 x64 Edition (KB947821) [August 2011] 315.6MB

System Update Readiness Tool for Windows 7 106.6MB

System Update Readiness Tool for Windows Vista 121.8MB

Here’s another related article KB947366 that might also help.

KB947366: How to troubleshoot Windows Vista and Windows Server 2008 service pack installation issues

A hotfix for the.NET Framework 3.5 Service Pack 1 is available for Windows 7 and for Windows Server 2008 R2 as a prerequisite for Microsoft Office SharePoint Server 2010.

KB976462: Prerequisite hotfix for Microsoft Office SharePoint Server 2010

This is the hotfix mentioned in the above link. It’s called SharePoint Shared Services Roll-up for Windows Server 2008 R2. Instead of going through all the hoops, you can download this hotfix from the following link.

KB976462: Download link for the prerequisite SharePoint Shared Services Roll-up

And finally here’s an article which describes the Windows Update Stand-alone Installer. I was able to use the information in this article to get over the last hurdle.

KB934307: Description of the Windows Update Stand-alone Installer (Wusa.exe) and of.msu files in Windows Vista, Windows 7, Windows Server 2008 and in Windows Server 2008 R2

Authentication prompts have been a pain in the neck for a lot of SharePoint users over the years both in SharePoint 2007 and SharePoint 2010 environments. There are several reasons for the prompts. I can’t cover all the possible solutions but I have documented multiple solutions to different authentication prompt issues.

Problem

In SharePoint 2010, you have multiple site collections on your intranet that you access on a regular basis. When you access these sites remotely from an external network and connect to the first site you are prompted for authentication. You logon successfully. Then you try to connect to the second, third and fourth Site Collection but you are prompted for authentication each time. You want to have access to all the sites without being prompted for authentication each time.

Solution

Add the intranet sites to the Local intranet zone in Internet Explorer (IE).

1. In IE8 or IE9 go to Tools, Internet Options, Security tab, Local intranet, Sites, Advanced and add all the Site Collections to the zone.
2. Click close three times to close all windows.
3. Restart Internet Explorer.

Now once you logon to the first intranet site, you should be able to access all the other sites in different Site Collections without entering your username and password.

NOTE: There are lots of other scenarios where you may experience multiple authentication prompts and depending on the scenario you may have to use a different solution. One setting that you should be aware of is located in the Internet Explorer’s options.

1. Go to Tools, Internet options, and select the Security tab.
2. Select the appropriate zone (e.g. Internet zone).
3. Click Custom level.
4. In the User Authentication section select the appropriate setting (e.g. Automatic logon with current user name and password).
5. Click OK twice.

NOTE: You can deploy this setting to client computers using Group Policy. Go to User Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Trusted Sites Zone. In the right-hand pane locate “Logon options” double-click it. First Enable the option and then in the drop-down box select the option “Automatic logon with current username and password.” On the client computer run gpupdate /force at the command prompt to refresh the Group Policy.

Prompt for Credentials When Accessing FQDN Sites From a Windows Vista or Windows 7 Computer

There is another issue that you may run into that is documented in the KB article 943280. Sometimes you may get prompted for authentication when you open a Microsoft Office document in SharePoint. Here are the steps documented in the KB article 943280 to resolve the issue in Windows 7 clients.

Click Start, type regedit in the Start Search box, and then press ENTER.

Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters

On the Edit menu, point to New, and then click Multi-String Value.

Type AuthForwardServerList, and then press ENTER.

On the Edit menu, click Modify.

In the Value data box, type the URL of the server that hosts the Web share, and then click OK.Note You can also type a list of URLs in the Value data box. Here’s a sample.

https://*.Contoso.com

http://*.dns.live.com

*.microsoft.com

https://172.169.4.6

Exit Registry Editor.

After this registry entry is created, the WebClient service will read the entry value. If the client computer tries to access a URL that matches any of the expressions in the list, the user credential will be sent successfully to authenticate the user, even if no proxy is configured.

Note You have to restart the WebClient service after you modify the registry.

Things to avoid in the URL list

• Do not add an asterisk (*) character at the end of a URL. When you do this, a security risk may result.
  http://*.dns.live.*
• Do not add an asterisk (*) before or after a string. When you do this, the WebClient service can send user credentials to more servers. See the following examples:
  • http://*Contoso.comIn this example, the service also sends user credentials to http://extra_charactersContoso.com
  • http://Contoso*.comIn this example, the service also sends user credentials to http://Contosoextra_characters.com
• In the URL list, do not type the UNC name of a host. For example, do not use the following:
  *.contoso.com@SSL
• In the URL list, do not include the share name or the port number to be used. For example, do not use the following:
  • http://*.dns.live.com/DavShare
  • http://*dns.live.com:80
• Do not use IPv6 in the URL list.

Important This URL list does not affect the security zone settings. This URL list is used only for the specific purpose of forwarding the credentials to WebDAV servers. The list should be created as restrictively as possible to avoid any security issues. Also, because there is no specific deny list, the credentials are forwarded to all the servers that match this list.

NOTE: You can deploy the above setting to clients using Group Policy.

Disabling Authentication Prompts in SharePoint 2010

In SharePoint 2010, another thing you can try to disable authentication prompts is to modify the Web.config file.

<system.webServer>

<security>

<requestFiltering allowDoubleEscaping=”true”>

<verbs allowUnlisted=”true”>

<add verb=”OPTIONS” allowed=”false” />

<add verb=”PROPFIND” allowed=”false” />

</verbs>

</requestFiltering>

</security>

Disable “Remember my credentials” Option

If the users check the option “Remember my credentials” and then they change their password, they will keep getting prompted for authentication. It is not a good idea to remember passwords for security reasons and when working with SharePoint you might want to disable this feature. You can disable this feature using a Group Policy. Open the Group Policy (e.g. Default Domain Policy) and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and enable the setting “Network access: Do not allow storage of passwords and credentials for network authentication.”

Use Credential Manager in Windows 7

Yet another method to avoid authentication prompt is to use Windows 7′s Credential Manager. Go to Control Panel -> User Accounts and in the upper left hand corner select Manage your credentials.

Select Add a Windows credential and provide the logon information.

There is no need to reboot the computer. You should be able to access the site in your browser without being prompted for logon credentials.

Additional References

Here are some additional references that you may find useful.

1. Authentication requests when you open Office documents
2. Office 2003/2007 Integration and Forms based authentication (FBA) with SharePoint (MOSS)
3. Unable to “Check Out” a Document in MOSS 2007 Published Through ISA Server 2006
4. Understand duplicate authentication prompts ISA 2006 publishing MOSS using FBA

Updated: March 22, 2012

There is a free Wake-On-LAN GUI tool available that you can use to wake a remote computer up by either using it’s IP address or it’s Fully Qualified Domain Name (FQDN). You can use the Wake-On-LAN feature to start a computer either on the LAN or through the Internet.

You can download the tool here.

Telnet Client is not installed by default on Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008. The procedures to install Telnet Client vary based on the operating system you are using. Microsoft has documented the following instructions on TechNet in this article.

To install Telnet Client by using a command line.

1. Open a command prompt window. Click Start, type cmd in the Start Search box, and then press ENTER.
2. Type the following command: pkgmgr /iu:”TelnetClient”.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. When the command prompt appears again, the installation is complete.