Wednesday, January 25, 2006

Crazy Wild Desktop Day

I knew it was going to be bad when the pager started going off at 7 AM, before I had crawled out of bed. They said that "a lot" of people were getting rebooted for security patches and after reboot, they didn't get their desktop. They also said that they didn't get the "I Accept".

Okay, I dialed in and checked the WSUS server: 1,800 desktops or so updated so far. Not a Good Thing if they were all broken.

"Not getting their desktop" was something that was reported from time to time. Also known as "lost the printer setup" or "lost email profile". When we do automated installs, it is generally by making the machine automatically log in to a special, captive desktop admin account. The account runs a login script that does the install. When a user reported that their desktop is blank, email profile is gone, printers are gone, I had written it off to something failing in the script and the user not knowing that they are logged in to a different account. TAC walked them them through getting it straightened out.

This was not like that. These updates were being done by Automatic Updates. Straight Microsoft code with no automatic login or anything.

The patches were released by Microsoft on Jan. 10 and we applied them to our 30 or so test desktops. No problems in the last couple of weeks. They were scheduled to be released to all desktops last Wednesday, but we had too many other problems going on that day. Finally released then Monday evening. They downloaded to the desktops during the day yesterday, then started installing at 4 AM this morning.

It looks like all of the ones that installed at 4 AM worked without problem. Machines that were powered off overnight were different. The user powered on the machine, Symantec AV kicked off a scheduled weekly scan (on Wednesday by coincidence), the patches started installing, and then the user logged on.

"Can't load profile... NTUSER.DAT file in use." (Was it being scanned?) Windows was kind enough to create a new profile by copying the default user profile... but none of the user's desktop shortcuts, printers, My Documents, etc. were to be seen. Some new profiles were worse than that: Default User\NTUSER.DAT could not be copied because it was also in use. Ugly profiles resulted. (They didn't get the "I Accept", which being interpreted, means the login script didn't run.)

1,880+ out of 3,000+ already installed and the others probably couldn't be stopped because most would already have been downloaded and waiting on the desktop. Vogue la galère. We'll just keep it going.

To shorten a long story... We developed a safe and effective fix to get the users back on their original profiles and "a lot" did not turn into "very many" or "every".

5 comments:

jjp said...

Most of our users just go to class or work if my stuff is gone. At least you got a workaround, and didn't have to rebuild your image, then what for them to deploy out, to find out again it still doesn't work...

Dave said...

We would not want that because I would be the who would do most of the reimaging.

DREW said...

that was the long story made short?

~ Amy said...

I was thinking the same thing, "that was the short version?". Just kidding. It actually made me miss work. Don't tell Darren you get to sleep in until 7. He has to get up at 4:30am to try to beat the traffic into work. I keep hoping the 3-4 hour drive a day will wear him down enough to want to move....but I still feel bad for him.

Pro Payne said...

At least it was short after I said that.