Wednesday, March 7, 2012

Domain Account Keeps Getting Locked Out...? Have You Checked LanGuard?

I recently experienced issues with GFI LanGuard again. I don't know why, for a long time this product was it for me and really enjoyed using it. Lately though it has been a royal pain.

I kept noticing my account was being locked out every ten seconds or so. I immediately suspected LanGuard so I checked the service on the LanGuard machine. The service was under another account I created solely for this program so it wasn't the problem. I also checked DCOMCNFG from the run command and under LNSS, the same account was used. After a while I started to think maybe it wasn't LanGuard but something else. To test this theory I stopped the GFI service and unlocked my account again. I used my account for a good 30 minutes and decided it was GFI causing it because my account was no longer locking out.

After digging around a bit I finally found the problem;


I apparently had my credentials set in one of the folders or the Active Directory like tree. It didn't even have a password, it was just domain\username so it was constantly trying to refresh the status of the clients with this account and locking me out. The unfortunate thing is that LG didn't even bother telling me this issue was occuring. For example when I had ran a "refresh info" scan on all the computers, they just stayed stuck on "pending" and never started. In either case, make sure you check this hierarchy and find if you have any alternative account setup.

Posted by at 10:16 AM 1 comments
Labels: ,

Thursday, February 23, 2012

Further on Java Silent Installs Error: 25099

If you are still getting "complete" installations that aren't really installing in GFI LanGuard, try running the following batch file commands against the affected client:

CD %ProgramFiles(x86)%
RD /S /Q Java
RD /S /Q %AppData%\..\LocalLow\Sun

If for some reason a previous install or uninstall of Java on the client went wrong, these directories may remain causing the Silent installs to fail even though GFI LanGuard reports them as successful. NOTE: Before running it though, I would verify that Java isn't showing up in the client's Installed Programs in the Control Panel. WMIC should be able to detect this, but I am not certain it is always reliable:
wmic /node:computername product where "name like 'Java%'" get name
If the client machine has characters other than letters and numbers you should use single quotes around the name.  If you run this batch file against a good installation of Java it can give you problems. It will not let you uninstall or reinstall! It will report that a DLL is missing. If you come across this problem simply copy the %ProgramFiles(x86)%\Java\ directory of a working installation from another computer and paste it to the one having issues. This will allow you to uninstall or reinstall Java. Of course you shouldn't have this issue though as long as you verify that Java isn't already showing up as installed. For other things to try with troublesome Java check this link: http://www.java.com/en/download/help/regkey_addremove.xml


Posted by at 11:39 AM 0 comments
Labels: , , , ,

Windows 7 RAID (Software RAID), Worked for Me...for a Bit

I normally stay away from software RAID especially Windows RAID because of the overhead. However when I tried Windows 7 RAID, the performance wasn't bad at all. I was using RAID 1. I think there are still some issues to work out in this implementation though. I had two partitions on DRIVE 0 and DRIVE 1 which were both being mirrored. Partition 2 worked like a champ and mirrored all my data. Partition 1 though would occasionally have to rebuild bringing your performance to turtle speed. One reason the mirror would decide to rebuild is if the shutdown was hard, perhaps power went out or your computer froze and you had to hold the power button, or maybe you had a BSOD which has been rare for me on W7 anyway. Other times though it seemed it would just start rebuilding for the heck of it! After being patient for multiple rebuilds I disabled RAID. Other than this issue, RAID was great on W7. I read on some of the forums that many folks were  having this issue or similar.

I will be trying it again on another machine and report my experience, I just don't have the time to screw with it now.
Posted by at 8:59 AM 0 comments
Labels: ,

Wednesday, February 22, 2012

GFI LanGuard: Deploying Java Updates Silently, Not Working...?

  • This applies to GFI LanGuard 2011 (10.2 Build 20111128) However, it should work for version 9 also. 
  • Java Updates.
I have been using GFI LanGuard for quite a long time now. Also I have been pretty happy with GFI's products and support. However I noticed that their forums were full of folks that seemed dissatisfied with the product. It seems it was mostly in the "non-Microsoft" patch area. I have been using it as I said, pretty successfully keeping my domain updated--especially with the annoying Java and Flash updates that are released oh every 5 seconds. Well not really but if you are reading this, you understand.

Past month or so though I have been experiencing issues deploying both Flash and Java, but more so Java updates. I can make a Flash post separately, so let's focus on Java. This may be old news to some, but I'll share what I have learned so far, as it is, the GFI forums aren't very helpful, and neither is their non-existent knowledgebase.

These are the procedures I use to update Java on my client computers. Note, I personally don't worry about the Autoupdate notifications, but you can modify the procedures how you want if you would rather "neuter" Java notifications. There are quite a few tutorials on how to do that on the web, so I won't go into that here.

The Issues

The issues I have encountered have been the following:
  • Installation saying it is "complete" indicating it was successful. Checking the client for the Java installation reveals it wasn't installed or updated
  • Installation does not upgrade properly and creates multiple Java installs
  • Installation fails with error: "PatchAgent is performing another remediation session on the target computer"
The last one is more related to GFI not completing a task and being stuck in memory. If you run into this problem fix it first before trying to install anything. Note the machines that have the error and kill the process with a simple batch file which you can shoot to them all:
taskkill /F /IM PatchAgent.exe
Remember you can use the Deploy Custom Software  menu to shoot this batch to all those you noted.

Now I know that GFI can deploy Java using the "Deploy Security Patches" menu and usually does a good job, but I don't know exactly what it does to install it. I asked their support if it removed the old instance then installed the new and they basically said, 'it performs an upgrade.' However their reply wasn't very informative. So I prefer to use "Deploy Custom Software" for Java and Adobe products.

The reason for this is because at least I know it is a clean install and I know exactly what functions it is performing. Before installing any Java update it is good practice to remove the old Java install. There are several ways of doing this, but I use what I recently learned, using WMIC.

My GFI workstation has a pretty organized "Updates" directory locally. What I do is simply store scripts and GFI XML files that store preconfigured installation sets that I can later use. In my Java folder I store a batch file which I simply named "java-remove.bat" with the following code:
wmic /FAILFAST:ON product where "name like 'Java%%'" call uninstall /nointeractive

You can run this all in one line. In order for the batch file to uninstall any instance of Java, be sure to use Java%% and not just Java% for a batch file. This batch file is handy to use if you also just want to remove Java from any client using GFI to deploy it as custom software. The great thing is, you don't have to supply any text document containing a list of computers because LanGuard already enumerates them for you. This means you don't have to use /node:'ComputerName' switch.

In the same directory I store the Java offline installer. Even though we have some 64-bit operating systems running, I don't bother with 64-bit, I just install 32-bit on all of them. Once it is downloaded, again in LanGuard use the "Deploy Custom Software" menu and add the Java executable file.

Once it is added select custom to supply the following switches:
/s /v /qn REBOOT=ReallySuppress

Hit OK and now export it so you can save the configuration as an XML. I personally add the batch file first then add the Java exe with the switches second, then I export. This allows you to save the XML with both tasks in order.

If you do it this way, WMIC will uninstall all instances of Java before deploying the new Java installation.

Okay this takes care of performing a clean install using LanGuard "Deploy Custom Software" option. Now if you are getting "Successful" and "Complete" statuses but you are not seeing the installation on the clients you should verify that the Java file is named the same as it was when you downloaded it. I am still not satisfied as this being a reason to causing such a weird issue, but I tested it multiple times. Here is what I discovered:

I was renaming Java downloads to something simple like "Java-6-31.exe" and it seemed to be installing just fine for me. Especially if you test it locally from the command prompt, it will install perfectly. Even over the network via UNC path it will install. For some reason though using LanGuard it only says it installs when it doesn't. According to the processes on the client the msiexec instance continues to run and just sits there. After trying it a dozen times renaming it back to what it was was the only thing that fixed it for me. It installed perfectly. I simply use the same switches GFI uses:
/s /v /qn REBOOT=ReallySuppress

Technically speaking, the /s switch is more than enough to carry out a silent install, but I use what they use, it's difficult enough to get it working in the first place.

Summary

  • Make sure "PatchAgent" is not running from an old deployment
  • Uninstall Java using WMIC with a batch file
  • Deploy Java with the Custom Software option
  • You can combine both the uninstall and the install in the same XML file
  • Important: Do not combine the PatchAgent taskkill script with the XML file, it will kill the PatchAgent and it will hang. Unfortunately GFI PatchAgent has to run first before running any scripts, so in effect, it would kill itself instantly. Instead run the PatchAgent script before hand as a separate deployment if you find some clients have PatchAgent.exe running already.
Hope this helps, so far this works for me.

Update: Having Internet Explorer open on the client machine can sometimes cause issues with silent Java installs too. It's odd, very hit and miss because I have also seen successful installs. If you want  you can kill any browsers open before running the above scripts with taskkill /F /IM iexplore.exe (or Firefox.exe).


Posted by at 2:51 PM 0 comments
Labels: , , ,

.the redeye admin

If you're an administrator then it isn't a mystery why any admin may be caught in the redeye hours working.
Posted by at 1:37 PM 0 comments
Subscribe to: Posts (Atom)