October 04, 2007

Script: Reset WSUS authorization on cloned PCs


Do you run WSUS in your environment? You should... Well, let me clarify. If you aren't running any other patch management solution, you should run something, and if you don't want to pay anything extra, well then - I urge you to try Microsoft WSUS (Windows Software Update Services) 3.0.

Impersonation is a bad thing

I've used SUS/WSUS 1.0-3.0, and ever since the introduction of client reporting in 2.0, a common problem rears its ugly head: You have x number of computers that are supposed to be reporting in, but only a portion of them are. And when they do report in, they report with inconsistent results. Why? Usually this is a result of cloned computers in the network environment. Typically this happens because a SID generation tool was never run on them, which causes duplicate workstation SIDs (and duplicate WSUS client IDs).

What happens next is the following:
  • Computer 'A' reports in to the WSUS server, gets its updates, reports back that it is totally up to date.
  • Computer 'B' has been cloned from the same image as computer 'A' (without using a SID generation tool), and now has the same workstation SID (security identifier) as 'A'. It reports in to the WSUS server, telling the server that it needs 3 updates. All of a sudden, the computer that was totally updated a moment ago is reported as needing 3 updates!
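Before fixing anything it helps to confirm that duplicate client IDs are actually the cause. The following PowerShell snippet is an added example (not the post's script, and not an Athif Khaleel or Microsoft tool): it reads the SusClientId value from each computer in a list over PowerShell remoting (assumed to be enabled on the targets) and prints every ID shared by more than one machine. The computer names are constructed placeholders.

```powershell
# Added example: audit a set of computers for duplicate WSUS client IDs.
# Assumes WinRM / PowerShell remoting is enabled and you have admin rights on the targets.
$computers = @('PC-A', 'PC-B', 'PC-C')   # constructed sample names; replace with your own
$wuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

# Collect Computer/SusClientId pairs; a machine that has never registered returns $null
$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    $props = Get-ItemProperty -Path $using:wuKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        SusClientId = $props.SusClientId
    }
}

# Group by client ID; any group with more than one member is a set of clones
$results |
    Where-Object { $_.SusClientId } |
    Group-Object -Property SusClientId |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        'Duplicate SusClientId {0} on: {1}' -f $_.Name, (($_.Group.Computer | Sort-Object) -join ', ')
    }
```

Computers that do not answer (offline, or remoting disabled) are simply absent from the output, so compare the number of rows in $results against the size of $computers before trusting a "no duplicates" result.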
The fix?

Delete the WSUS client IDs from the registry, and then run wuauclt.exe (the Windows Update Agent) with the "/resetauthorization" switch, causing it to generate a new WSUS client ID and create a proper entry in the WSUS database with the correct computer information.

Many folks have written batch files that do this...here's an example from Athif Khaleel's WSUS blog:

@echo off
Echo Save the batch file "AU_Clean_SID.cmd". This batch file will do the following:
Echo 1. Stops the wuauserv service
Echo 2. Deletes the AccountDomainSid registry key (if it exists)
Echo 3. Deletes the PingID registry key (if it exists)
Echo 4. Deletes the SusClientId registry key (if it exists)
Echo 5. Restarts the wuauserv service
Echo 6. Resets the Authorization Cookie
Echo 7. More information on http://msmvps.com/Athif
Pause
@echo on
net stop wuauserv
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
net start wuauserv
wuauclt /resetauthorization /detectnow
Pause


Automation is your friend

To make things easy on you, I have put together a VBScript that you can run against your computers remotely (with logging!). Of course, you can also set it up in your logon scripts and run it individually on your computers by using command-line arguments.

The script can be downloaded from here.

Script usage:
  • SetAuthorization.vbs (will prompt you for a computername, then ask if you would like to reset authorization via inputbox)
  • SetAuthorization.vbs computer:computername reset:true (will delete regkeys, stop/restart AU services, perform /resetauthorization /detectnow)
  • SetAuthorization.vbs computer:computername (will stop/restart AU service, perform /detectnow)
  • SetAuthorization.vbs computer:computername reset:true force:true (if you have run the script on the PC before, you will need to use the force switch to override the regkey marker to run again - then performs the same actions as the 'reset:true' listed above)
If you do not use the reset switch, it will only perform a stop/restart of the Automatic Updates service and then /detectnow.
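For readers who would rather not run a VBScript, here is the same procedure as an added PowerShell example. It is not the post's SetAuthorization.vbs and not Athif Khaleel's batch file; it implements the switch combinations listed above (plain detect, reset, reset with force) with a log line per run. It assumes PowerShell remoting is enabled on the target, and the marker value name 'ResetAuthorizationDone' is an assumption, since the post does not say what its marker is called.

```powershell
# Added example: reset the WSUS client ID on a remote computer, with a marker and logging.
# Assumes WinRM is enabled on the target and the caller is a local administrator there.
function Reset-WsusClientId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [switch] $Reset,     # delete the client-id values and run /resetauthorization
        [switch] $Force,     # run again even if the marker says it was already done
        [string] $LogPath = 'C:\Logs\SetAuthorization.log'
    )

    try {
        $result = Invoke-Command -ComputerName $ComputerName -ErrorAction Stop `
            -ArgumentList $Reset.IsPresent, $Force.IsPresent -ScriptBlock {
            param([bool] $DoReset, [bool] $DoForce)

            $wuKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
            $marker = 'ResetAuthorizationDone'   # assumed marker name, not from the post
            $done   = $null -ne (Get-ItemProperty -Path $wuKey -Name $marker -ErrorAction SilentlyContinue)

            if ($DoReset -and $done -and -not $DoForce) {
                return 'skipped: marker present, use -Force to run the reset again'
            }

            Stop-Service -Name wuauserv -Force
            if ($DoReset) {
                # Same three values the batch file removes; a missing value is not an error
                foreach ($name in 'AccountDomainSid', 'PingID', 'SusClientId') {
                    Remove-ItemProperty -Path $wuKey -Name $name -ErrorAction SilentlyContinue
                }
            }
            Start-Service -Name wuauserv

            if ($DoReset) {
                & wuauclt.exe /resetauthorization /detectnow
                New-ItemProperty -Path $wuKey -Name $marker -Value (Get-Date -Format s) `
                    -PropertyType String -Force | Out-Null
                return 'reset: client id values cleared, reauthorization and detection triggered'
            }
            & wuauclt.exe /detectnow
            return 'detect: service restarted, detection triggered'
        }
    }
    catch {
        $result = 'error: ' + $_.Exception.Message
    }

    $line = '{0} {1} {2}' -f (Get-Date -Format s), $ComputerName, $result
    Add-Content -Path $LogPath -Value $line
    $line
}

# Usage, mirroring the script's switch combinations (PC-B is a constructed name):
# Reset-WsusClientId -ComputerName PC-B                  # stop/start service, /detectnow only
# Reset-WsusClientId -ComputerName PC-B -Reset           # delete IDs, /resetauthorization /detectnow
# Reset-WsusClientId -ComputerName PC-B -Reset -Force    # same, ignoring the marker
```

The marker only guards against running the reset twice on the same machine; it does not tell you whether the new client ID is unique, so re-run a duplicate-ID audit afterwards rather than trusting the log alone.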

Cleanup on aisle 5!

Now that you've cleaned up the mess that you came here to resolve, I suggest that you also download a utility like Sysinternals' NewSID to fix the problem of having duplicate workstation SIDs on your network. Download it and run it on all your affected PCs. You never know when this problem will come back to haunt you! You should also incorporate this or another utility (e.g. Microsoft Sysprep) into your build process.

4 comments:

Anonymous said...

Hi

I tried your SetAuthorization.vbs and have one observation: No matter what switches I use the script will always perform the cmd 'wuauclt.exe /resetauthorization /detectnow'.
If I try the switch 'reset:no' the script should only perform the cmd 'wuauclt.exe /detectnow' but it doesn't.
I can see this script is a couple of years old, so maybe you have done some changes since then?

Regards, Ole

Snir Hoffman said...

Hi,

There is a tool for solving Duplicate SID and Duplicate WSUS ID's on your network.
It's called DSM (Duplicate SID Monitor); the good thing about it is that it will monitor your network all the time and not just the one time you ran the script to solve a problem.

Link to the tool: http://www.smart-x.com/?CategoryID=176&ArticleID=97&sng=1

Matt Simmons said...

This is interesting, especially given this post from the SysInternals blog from 2009 - http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx

maximillianx said...

Yes, but that is referring to Windows SIDs, not WSUS SIDs, which are entirely different (but based upon the former). WSUS treats them as unique identifiers. The article, while interesting, is moot in this context.