AutoSPInstaller – Auto-create local profiles for SharePoint Service Accounts

SharePoint is a big product and there are a lot of people in the world working on it, so it’s funny to be working on a specific issue and then come full circle: either Bing’ing upon your own old blog post or, as today, seeing that someone has adopted what the guy sitting next to you blogged a while ago into the current code you are looking at.

What

While running SharePoint 2010, you may notice the following Event ID 1511 error in your Application event log each time you restart the IIS worker process and make a request:

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 5/3/2010 10:05:07 AM
Event ID: 1511
Task Category: None
Level: Error
Keywords:
User: CONTOSO\AppPoolAccount
Computer: SP2010Dev.contoso.com
Description:
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

So What

If your SharePoint service accounts are being run under the Application Pools, you are not going to see this message. If, however, you are using a separate account to run your Application Pools, you are probably going to see this error in your event logs.

You need to get those accounts to fire up a local profile – this could in the simplest sense be accomplished by logging on as each of those accounts once. Nasty!

The better approach: well, I was looking at writing a PowerShell script to run the following en masse for all of an install's service accounts:

runas /u:CONTOSO\AppPoolAccount /profile cmd

However, knowing that we have had some joy with the AutoSPInstaller recently, I thought I’d poke around in it and see if we couldn’t just wire the creation of the local profiles into that solution, so it would be taken care of in the same go as batch account creation.

Well, poking around the AutoSPInstaller file AutoSPInstallerFunctions1.ps1, I made the following magical discovery: it looks like my homeboy Sean (in his Brainlitter blog post) has already inspired this fix (change 72193) to be added to the AutoSPInstaller codebase!

The suggestion from matein78 got added in as a patch:
– AddManagedAccounts function now creates local Windows profiles for each account, to avoid ‘1511’ type event log errors (thanks to user matein78’s suggestion from http://autospinstaller.codeplex.com/workitem/15535!)

NOTE: I created a stripped down version of this functionality that doesn’t require the main AutoSPInstaller script, i.e. you can run it manually on a hand-deployed SharePoint install. Read about it here.

...which is implemented as:

# $xmlinput, $LocalAdmins and Get-AdministratorsGroup are not defined in this excerpt;
# they are assumed to come from elsewhere in the AutoSPInstaller scripts.
ForEach ($account in $xmlinput.Configuration.Farm.ManagedAccounts.ManagedAccount)
{
    $username = $account.username
    $password = $account.Password
    $password = ConvertTo-SecureString "$password" -AsPlaintext -Force
    # Reset per account so an earlier account's admin status is not carried over
    $AlreadyAdmin = $false
    # The following was suggested by Matthias Einig (http://www.codeplex.com/site/users/view/matein78)
    # And inspired by http://todd-carter.com/post/2010/05/03/Give-your-Application-Pool-Accounts-A-Profile.aspx & http://blog.brainlitter.com/archive/2010/06/08/how-to-revolve-event-id-1511-windows-cannot-find-the-local-profile-on-windows-server-2008.aspx
    Try
    {
        Write-Host -ForegroundColor White " - Creating local profile for $username..." -NoNewline
        $credAccount = New-Object System.Management.Automation.PsCredential $username,$password
        # -Split takes a regex, so the backslash in DOMAIN\user must be escaped
        $ManagedAccountDomain,$ManagedAccountUser = $username -Split "\\"
        # Add managed account to local admins (very) temporarily so it can log in and create its profile
        If (!($LocalAdmins -contains $ManagedAccountUser))
        {
            $builtinAdminGroup = Get-AdministratorsGroup
            ([ADSI]"WinNT://$env:COMPUTERNAME/$builtinAdminGroup,group").Add("WinNT://$ManagedAccountDomain/$ManagedAccountUser")
        }
        Else
        {
            $AlreadyAdmin = $true
        }
        # Spawn a command window using the managed account's credentials, create the profile, and exit immediately
        Start-Process -WorkingDirectory "$env:SYSTEMROOT\System32" -FilePath "cmd.exe" -ArgumentList "/C" -LoadUserProfile -NoNewWindow -Credential $credAccount
        # Remove managed account from local admins unless it was already there
        $builtinAdminGroup = Get-AdministratorsGroup
        If (-not $AlreadyAdmin) {([ADSI]"WinNT://$env:COMPUTERNAME/$builtinAdminGroup,group").Remove("WinNT://$ManagedAccountDomain/$ManagedAccountUser")}
        Write-Host -BackgroundColor Blue -ForegroundColor Black "Done."
    }
    # The excerpt is cut off after the Try block; this Catch and the closing brace
    # are added only so the snippet parses and are not the project's own handler.
    Catch
    {
        Write-Warning " - Could not create local profile for $username"
    }
}
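Because the loop above puts each managed account into the local Administrators group for a moment, it is worth checking afterwards that every account got its profile and that none was left behind as an administrator. The following is an added example, not AutoSPInstaller code; the function name `Get-ManagedAccountProfileState` is hypothetical and the account name in the usage comment is the sample one from the event log above.

```powershell
function Get-ManagedAccountProfileState {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Account    # 'DOMAIN\user' names, e.g. the ManagedAccount usernames
    )

    # Resolve the built-in Administrators group through its well-known SID so the
    # check also works on localized Windows installs.
    $adminSid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $adminGroup = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

    # SIDs of the direct members of the local Administrators group
    # (membership through nested domain groups is not expanded here).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$adminGroup,group"
    $adminMemberSids = @($group.Invoke('Members') | ForEach-Object {
        $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    })

    foreach ($name in $Account) {
        try {
            $nt  = New-Object System.Security.Principal.NTAccount $name
            $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            Write-Warning "Cannot resolve $name : $($_.Exception.Message)"
            continue
        }

        # Win32_UserProfile has one instance per profile on the machine, keyed by SID.
        $userProfile = Get-WmiObject -Class Win32_UserProfile -Filter "SID='$sid'"
        $profilePath = $null
        if ($userProfile) { $profilePath = $userProfile.LocalPath }

        New-Object PSObject -Property @{
            Account         = $name
            Sid             = $sid
            HasLocalProfile = [bool]$userProfile
            ProfilePath     = $profilePath
            StillLocalAdmin = ($adminMemberSids -contains $sid)
        }
    }
}

# Usage: list accounts that are missing a profile or are still local administrators.
# Get-ManagedAccountProfileState -Account 'CONTOSO\AppPoolAccount' |
#     Where-Object { -not $_.HasLocalProfile -or $_.StillLocalAdmin }
```

An account that reports `StillLocalAdmin` but was not an administrator before the run is the case to investigate first, for example when the profile step failed before the removal line was reached.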

Now What

Now I sit back and relax as the circle of life has been completed and this is one less bit of code to write today. Thanks to Sean, Todd Carter, matein78 and of course brianlala for writing AutoSPInstaller and adding this patch!

References:
Sean Wallbridge (my boss):
http://blog.brainlitter.com/2010/06/08/how-to-resolve-event-id-1511windows-cannot-find-the-local-profile-on-windows-server-2008/

AutoSPInstaller:
http://autospinstaller.codeplex.com

Todd Carter:
http://www.todd-carter.com/post/2010/05/03/give-your-application-pool-accounts-a-profile/
