AutoSPInstallerCustomFunctionsPost.ps1

Jun 19, 2011 at 8:30 PM
Edited Jun 20, 2011 at 12:16 AM

This is all assuming April CU. I understand SharePoint SP1 is coming this month, so some of this may be unnecessary after that, but I have not had great success with patches and profile sync services in the past...
It would be great to have some of this in the configuration input file as well, with some flags for post install steps or not. Of course this could be cleaned up so there's an AutoSPInstallerPost function below that calls multiple functions, plus other coding cleanup, but I thought this was a nice start. You need to put this in a new file called AutoSPInstallerFunctionsPost.ps1 and add an entry to Main.ps1 in the finalize installation function right the browser windows launch (or just comment those out since they're a time killer).

Be sure to update the variable:

$domain = "somedomain.com"

These steps seem to get rid of all errors and make the profile sync services purr.  Again, this is tested so go through the file and make sure to replace all <something> with your things.

function AutoSPInstallerPost
{
	# Add the disableStackOverflowProbing key to the miiserver.exe.config file
	$webConfigFile = "C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\bin\miiserver.exe.config"
	# Timestamp for the backup name: MM = month, HH = 24-hour clock (lower-case mm is minutes)
	$backup = $webConfigFile + (Get-Date).ToString("MM_dd_yyyy-HH_mm_ss")
	$xml = [xml](Get-Content $webConfigFile)
	Write-Host "Checking 'disableStackOverflowProbing' in miiserver.exe.config..."
	$node = $xml.SelectSingleNode("//configuration/runtime/disableStackOverflowProbing")
	if ($node -eq $null)
	{
		# Save a copy of the unmodified document before changing anything
		$xml.Save($backup)
		$disableStackOverflowProbing = $xml.CreateElement("disableStackOverflowProbing")
		$disableStackOverflowProbing.SetAttribute("enabled", "true")
		# <runtime> sits under <configuration>, so select it by path instead of indexing the document
		$runtime = $xml.SelectSingleNode("//configuration/runtime")
		$runtime.AppendChild($disableStackOverflowProbing) | Out-Null
		$xml.Save($webConfigFile)
	}

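	# Setup variables for Folder Permissions
	# FullControl already includes Read and Write
	$colRights = [System.Security.AccessControl.FileSystemRights]"Read, Write, FullControl"
	# With InheritanceFlags None the rule is set on the folder itself and is not inherited
	# by children; the propagation flag is ignored in that case
	$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
	$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
	$objType = [System.Security.AccessControl.AccessControlType]::Allow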

	# Give NETWORK SERVICE permission to the C:\Program Files\Microsoft Office Servers\14.0 Folder tree
	Write-Host "Checking NT AUTHORITY\NETWORK SERVICE for C:\Program Files\Microsoft Office Servers\14.0 folder..."
	$objUser = New-Object System.Security.Principal.NTAccount("NETWORK SERVICE")
	$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
	$objACL = Get-Acl "C:\Program Files\Microsoft Office Servers\14.0"
	$objACL.AddAccessRule($objACE)
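	try {
		# -ErrorAction Stop turns Set-Acl failures into exceptions the catch can see
		Set-Acl -AclObject $objACL -Path "C:\Program Files\Microsoft Office Servers\14.0" -ErrorAction Stop
	}
	catch { Write-Warning "Set-Acl failed for NETWORK SERVICE: $_" }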

	# Give WSS_ADMIN_WPG permission to the C:\Program Files\Microsoft Office Servers\14.0 Folder tree
	# WSS_ADMIN_WPG is a local group, not an NT AUTHORITY account
	Write-Host "Checking WSS_ADMIN_WPG for C:\Program Files\Microsoft Office Servers\14.0 folder..."
	$objUser = New-Object System.Security.Principal.NTAccount("WSS_ADMIN_WPG")
	$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
	$objACL = Get-Acl "C:\Program Files\Microsoft Office Servers\14.0"
	$objACL.AddAccessRule($objACE)
	try {
		Set-Acl -AclObject $objACL -Path "C:\Program Files\Microsoft Office Servers\14.0" -ErrorAction Stop
	}
	catch { Write-Warning "Set-Acl failed for WSS_ADMIN_WPG: $_" }

	# Give WSS_WPG permission to the C:\Program Files\Microsoft Office Servers\14.0 Folder tree
	# WSS_WPG is a local group, not an NT AUTHORITY account
	Write-Host "Checking WSS_WPG for C:\Program Files\Microsoft Office Servers\14.0 folder..."
	$objUser = New-Object System.Security.Principal.NTAccount("WSS_WPG")
	$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
	$objACL = Get-Acl "C:\Program Files\Microsoft Office Servers\14.0"
	$objACL.AddAccessRule($objACE)
	try {
		Set-Acl -AclObject $objACL -Path "C:\Program Files\Microsoft Office Servers\14.0" -ErrorAction Stop
	}
	catch { Write-Warning "Set-Acl failed for WSS_WPG: $_" }

	# Re-Add <yourfarmuser> OR <yourproductionfarmuser> back into the Local Administrator's group so that we can start profile sync services logged in as farm
	# after reboot
	Write-Host "Checking SharePoint Farm Account Access (You must login as farm on reboot and start profile sync)..."
	$domain = "<yourdomain>"
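	# No space after the comma in the WinNT provider path
	$computer = [ADSI]("WinNT://" + $env:COMPUTERNAME + ",computer")
	$group = $computer.psbase.children.find("Administrators")
	$user = ""
	# Machines with 'QA' in the name get the QA farm account, all others the production one
	# (compare in upper case so the test can actually match)
	if ($computer.Name.ToString().ToUpper().Contains('QA')) { $user = "<yourqafarmuser>" }
	else { $user = "<yourprodfarmuser>" }
	# Add throws if the account is already a member; that case is ignored
	try { $group.Add("WinNT://" + $domain + "/" + $user) } catch { }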

	## PowerShell Script if you receive 'Access Denied'
	## http://stackoverflow.com/questions/1388373/executing-spwebapplication-update-with-system-account-throws-securityexception
	$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
	$contentService.RemoteAdministratorAccessDenied = $false
	$contentService.Update()
	# Reboot Server
	Write-Host "Restarting now..."
	Restart-Computer -Force
}
AutoSPInstallerPost
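
A read-only check of the state the function above leaves behind, as an added example that is not part of the original post or of AutoSPInstaller: it lists the explicit FullControl ACEs on the 14.0 folder, the config key, the local Administrators members and the content service flag. `$farmUser` is a placeholder, and the SharePoint snap-in is assumed to be installed on the server.

```powershell
# Read-only audit of what AutoSPInstallerPost changes (added example, not the post's code).
$root     = "C:\Program Files\Microsoft Office Servers\14.0"
$config   = Join-Path $root "Synchronization Service\bin\miiserver.exe.config"
$farmUser = "<yourfarmuser>"   # placeholder, replace as in the post

# 1. Explicit (non-inherited) Allow ACEs on the folder that carry FullControl
$full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
(Get-Acl $root).Access |
	Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
		([int]$_.FileSystemRights -band $full) -eq $full } |
	Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

# 2. Is disableStackOverflowProbing present in miiserver.exe.config?
$xml  = [xml](Get-Content $config)
$node = $xml.SelectSingleNode("//configuration/runtime/disableStackOverflowProbing")
if ($node) { Write-Host "disableStackOverflowProbing enabled =" $node.GetAttribute("enabled") }
else       { Write-Host "disableStackOverflowProbing is not set" }

# 3. Who is in the local Administrators group, and is the farm account among them?
$group   = [ADSI]("WinNT://$env:COMPUTERNAME/Administrators,group")
$members = @($group.psbase.Invoke("Members") | ForEach-Object {
	$_.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $_, $null)
})
$members | ForEach-Object { Write-Host "Administrators member: $_" }
if ($members | Where-Object { $_ -like "*/$farmUser" }) {
	Write-Warning "$farmUser is a local administrator; review whether it is still needed"
}

# 4. Current value of the flag the script sets to $false
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$svc = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
Write-Host "RemoteAdministratorAccessDenied =" $svc.RemoteAdministratorAccessDenied
```
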
Jul 19, 2011 at 11:01 PM

Has anyone validated if these are still needed after SP1/June CU?

Coordinator
Aug 15, 2011 at 11:37 PM

I'm seeing pretty consistent success now with UPA/UPS after SP1/June CU, plus I've added code that adds the Network Service account to the WSS_WPG group. I've never seen the need to reboot though to get UPA/UPS to work.

Brian