WMI RSOP Logging Data - How to delete to fix repository bloat

    Question

  • Help please!

    I am in search of a script that can delete all the RSOP User SID Namespaces and associated logging data that is created in WMI with each user logon.  I have servers with WMI Repositories that are 3GB in size and have tens of thousands of User SID Namespaces.  I have a script that deletes the User SID Namespaces, but obviously not the RSOP logging data because the repository does not shrink in size.  Below is my script.

    Thank you!

    Greg

    ' Prefix shared by the user SID namespaces to delete (placeholder left as posted)
    strSidDomain = "<my domain's SID>"
    intSidDomainLen = Len(strSidDomain)
    strComputer = "."
    strNameSpace = "\root\rsop\user"
    ' Connect to the RSOP user namespace and list its child namespaces
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & strNameSpace)
    Set colNameSpaces = objWMIService.InstancesOf("__NAMESPACE")
    For Each objNameSpace In colNameSpaces
       ' Delete only namespaces whose name starts with the domain SID prefix
       If Left(objNameSpace.Name, intSidDomainLen) = strSidDomain Then
          WScript.Echo objNameSpace.Name & " TO BE DELETED."
          Set objItem = objWMIService.Get("__Namespace.Name='" & objNameSpace.Name & "'")
          objItem.Delete_
       Else
          WScript.Echo objNameSpace.Name
       End If
    Next

    Wednesday, January 09, 2013 9:36 PM

Answers

  • One last time - you must delete and recreate the repository.  See MS KB articles for reasons and methods.

    Place a call to MS Support and have them step you through "shrinking" the repository.

    Post WS2003 the repository can be shrunk with the commandline.  Before that it must be done manually.  SEE KB posted.

    http://blogs.technet.com/b/askperf/archive/2009/04/13/wmi-rebuilding-the-wmi-repository.aspx

    Please read this very carefully as it addresses your issue exactly.  If after you read this you still don't believe us then please call Microsoft Support and ask them to explain this and walk you through a fix.


    ¯\_(ツ)_/¯

    Thursday, January 10, 2013 3:54 PM

All replies

  • Turn off logging in Group Policy.  Someone turned it on for troubleshooting and forgot to turn it off.  When you turn it off the cache should be cleared automatically when the machine is rebooted.

    I have not tested this but that is how I remember it works from a few years ago.


    Happy New Year ¯\_(ツ)_/¯

    Wednesday, January 09, 2013 10:11 PM
  • Here is the KB on how to manage and disable this.

    http://support.microsoft.com/kb/2020286


    Happy New Year ¯\_(ツ)_/¯

    Wednesday, January 09, 2013 10:13 PM
  • Thank you for the good replies JRV.  I turned off rsop logging a few weeks back and unfortunately in my case the logging data persists.  Also, I read KB2020286 and from there found a plethora of articles about rebuilding the WMI repository.  I tried rebuilding the repository on one of my servers as a test, and unfortunately I incurred WMI/application issues.  My servers are Citrix XenApp 5, 2003 R2 x64.  My hope is a WMI script expert can offer up a solution.
    Wednesday, January 09, 2013 10:30 PM
  • Thank you for the good replies JRV.  I turned off rsop logging a few weeks back and unfortunately in my case the logging data persists.  Also, I read KB2020286 and from there found a plethora of articles about rebuilding the WMI repository.  I tried rebuilding the repository on one of my servers as a test, and unfortunately I incurred WMI/application issues.  My servers are Citrix XenApp 5, 2003 R2 x64.  My hope is a WMI script expert can offer up a solution.

    If your repositories are corrupted you cannot fix them with a script.  You will need to do a complete rebuild.

    You cannot get help for that in a scripting forum.  Post in the WS2003 platform management forums or the WMI forum.  If that is not helpful then you will need to place a call to Microsoft Support.


    Happy New Year ¯\_(ツ)_/¯

    Wednesday, January 09, 2013 10:56 PM
    1. Change the startup type of the Windows Management Instrumentation (WMI) Service to Disabled
    2. Stop the WMI Service; you may need to stop IP Helper Service first or other dependent services before it allows you to stop WMI Service
    3. Rename the repository folder:  C:\WINDOWS\system32\wbem\Repository to Repository.old
    4. Open a CMD Prompt with elevated privileges
    5. CD windows\system32\wbem
    6. for /f %s in ('dir /b /s *.dll') do regsvr32 /s %s
    7. Set the WMI Service type back to Automatic and start WMI Service
    8. cd /d c:\  ((go to the root of the c drive, this is important))
    9. for /f %s in ('dir /s /b *.mof *.mfl') do mofcomp %s
    10. Reboot the server

    Happy New Year ¯\_(ツ)_/¯

    Wednesday, January 09, 2013 10:58 PM
  • My repositories are not corrupt (everything WMI functions), they are just massively large because of RSOP logging data for tens of thousands of users.  I attempted the repository rebuild as in your last post (but first had to fix it for long filename paths with spaces), but had issues with Citrix.  Thank you for giving me your suggestions and time.
    Thursday, January 10, 2013 3:14 PM
  • The steps I posted will shrink the repository by rebuilding it from scratch.  After it is rebuilt then delete the 'old' version.

    This is not a scripting issue.


    ¯\_(ツ)_/¯

    Thursday, January 10, 2013 3:24 PM
  • You don't say what "had issues with Citrix" means. If you're doing a WMI repair as noted above, it seems you should address any problems with that with Citrix support.

    This is a scripting forum, of course. Are there any scripting questions we can answer?

    Bill

    Thursday, January 10, 2013 3:25 PM
  • How to script deletion of the logging data along with the namespace?  I posted a script that deletes the WMI RSOP User SID namespaces.  The associated RSOP logging data per user namespace stored in WMI does not get deleted.  Why? 
    Thursday, January 10, 2013 3:31 PM
  • Hi,

    I don't know if that is possible via script.

    Bill

    Thursday, January 10, 2013 3:35 PM
  • One last time - you must delete and recreate the repository.  See MS KB articles for reasons and methods.

    Place a call to MS Support and have them step you through "shrinking" the repository.

    Post WS2003 the repository can be shrunk with the commandline.  Before that it must be done manually.  SEE KB posted.

    http://blogs.technet.com/b/askperf/archive/2009/04/13/wmi-rebuilding-the-wmi-repository.aspx

    Please read this very carefully as it addresses your issue exactly.  If after you read this you still don't believe us then please call Microsoft Support and ask them to explain this and walk you through a fix.


    ¯\_(ツ)_/¯

    Thursday, January 10, 2013 3:54 PM
  • I appreciate your help.  I fully understand the articles and fully understand what you and AbqBill are saying.  My post in here was an attempt to reach out to WMI script experts, as one angle to resolve my issue.  Thank you both for your time.
    Thursday, January 10, 2013 4:24 PM
  • I appreciate your help.  I fully understand the articles and fully understand what you and AbqBill are saying.  My post in here was an attempt to reach out to WMI script experts, as one angle to resolve my issue.  Thank you both for your time.

    As stated before and in the article.  You must delete the repository.

    In script just stop the WMI service and rename the folder then restart the service.  How you script this depends on what kind of scripting tools you want to use.  You cannot include WMI in your operation.

    SC can remotely manage a service and an admin can remotely rename a folder.


    ¯\_(ツ)_/¯

    Thursday, January 10, 2013 4:29 PM
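
The ten-step rebuild posted above, and the later "stop the service, rename the folder, restart" advice, combined into one batch file. This is an added example, not code from any poster in the thread. It assumes the repository sits under %SystemRoot%\System32\wbem and that it is run locally from an elevated prompt; the `"delims="` option and the quoting are additions so that paths containing spaces survive the two `for` loops.

```batch
@echo off
rem Added example: steps 1-9 of the rebuild procedure from the thread as one batch file.
rem Assumption: run elevated on the affected server. Repository.old is kept for rollback.
setlocal
set "WBEM=%SystemRoot%\System32\wbem"

rem Refuse to run if an earlier backup would block the rename.
if exist "%WBEM%\Repository.old" (
    echo Repository.old already exists; remove or rename it first.
    exit /b 1
)

rem Steps 1-2: disable the service so nothing restarts it, then stop it.
rem /y also stops dependent services such as IP Helper.
sc config winmgmt start= disabled
net stop winmgmt /y
sc query winmgmt | find "STOPPED" >nul
if errorlevel 1 (
    echo WMI service did not stop; aborting before touching the repository.
    sc config winmgmt start= auto
    exit /b 1
)

rem Step 3: rename the repository folder.
ren "%WBEM%\Repository" Repository.old
if errorlevel 1 (
    echo Rename failed; restoring the service and leaving the repository as it was.
    sc config winmgmt start= auto
    net start winmgmt
    exit /b 1
)

rem Steps 5-6: re-register the DLLs under wbem. "delims=" keeps paths with spaces whole.
cd /d "%WBEM%"
for /f "delims=" %%s in ('dir /b /s *.dll') do regsvr32 /s "%%s"

rem Step 7: restore the start type and start WMI, which creates a new repository.
sc config winmgmt start= auto
net start winmgmt

rem Steps 8-9: from the root of the system drive, recompile every MOF/MFL file found.
cd /d "%SystemDrive%\"
for /f "delims=" %%s in ('dir /s /b *.mof *.mfl') do mofcomp "%%s"

echo Rebuild finished. Reboot, verify WMI, then delete "%WBEM%\Repository.old".
endlocal
```

Step 10 (the reboot) and deletion of Repository.old are left as manual actions so the old repository can be renamed back if an application that depends on WMI misbehaves after the rebuild.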