Wednesday, July 22, 2015

2013 Upgrades

Transition Steps – Making the Old New Again!

Old Create Content Screen _layouts/15/create.aspx

Good Series from FBWeb on SharePoint 2013 Upgrades
http://blog.fpweb.net/series/sharepoint-2013-upgrades-in-a-nutshell/

What's New
http://technet.microsoft.com/en-us/library/cc303422.aspx

What's Gone
http://technet.microsoft.com/en-us/library/ff607742%28v=office.15%29.aspx#section1

Office Issues – Office 2010 and 2013 products on same PC
http://sharepoint-community.net/profiles/blogs/sp2013-problem-office-2010-and-an-office-2013-product-on-same

What Might Not Work
http://en.share-gate.com/blog/not-working-after-sharepoint-migration-to-2013

Friday, June 26, 2015

Document Routing in SharePoint – Content Organizer

2010

SharePoint 2010 Content Organizer
Part 1 – A Cool New Feature for Managing Your Content
https://samlman.wordpress.com/2015/02/28/sharepoint-2010-content-organizer-part-1-a-cool-new-feature-for-managing-your-content/
Part 2 - SharePoint 2010 Content Organizer – The Rules Engine
https://samlman.wordpress.com/2015/02/28/sharepoint-2010-content-organizer-part-2-the-rules-engine/
Part 3 - SharePoint 2010 Content Organizer – The Drop Off Library
https://samlman.wordpress.com/2015/02/28/sharepoint-2010-content-organizer-part-3-the-drop-off-library/

UPDATES

Documents can be redirected to document sets but there is a trick.
Copy and paste the Document Set URL since document sets do not appear when you browse during rule creation. Thank you Michal

http://www.sharepointanalysthq.com/2010/09/using-the-content-organizer-to-route-to-a-document-set/

NOTE that the information below is a REPOST

The Content Organizer has the following limitations that you should beware of:

Content Organizer feature is only available in SharePoint 2010 Server and is not part of the SharePoint Foundation 2010.
Content Organizer will only work on content types that are of, or derive from the Document content type, so make sure that you inherit from this content type when creating a custom document library.
You cannot route documents to a Document Set. This one should be on the wish list for the next release!
The routing action is performed using the App Pool account of your Web applications.
You cannot route the document outside of a Web app, farm, or SharePoint at all. All of this could be done with workflow rules instead. In fact, there are a lot of things that should be done with workflow instead of Content Organizer, which is designed to handle document uploads.
There are a whole bunch of events that effect a document library; you should beware the order of executions that could affect the handling of these documents:
- Any workflow that is attached to a document library will be run first
- Next to be executed is Event Receiver, although the actual priority can be set programmatically by the developers
- Last is the Content Organizer.

REPOST

Here is the list of shortcomings:

Supported Content Types must be or inherit from Document, Page, Document Set, Rich Media Asset or Common Indicator Columns. Lists are not supported.
When a document is routed to the final location, if the target library has SharePoint Designer workflows to be started on item creation, they won't be triggered. The Application Pool account is used by the Content Organizer to do the routing and this account does not trigger workflows, by design.
The OOTB Rules only allow 6 conditions.
It doesn't check for the user permissions on the target library. The documents are routed using the System Account (privileged account) which means there isn't a security boundary around what goes where. On the other hand, the Create/Modified fields are not changed, making the actions easily traceable. This is particularly important to have in mind when choosing the overwriting model (see 2. below).
Adding Rule Managers is bugged: it doesn't allow groups.
Different behaviors when checking in a document either using the browser or a client application (i.e. Microsoft Word): when using the browser, the document gets routed immediately, while when using Microsoft Word it is not routed immediately - it will only be routed by the nightly Timer Job. There are other situations where the routing may not be immediate. You could change the nightly Timer Job schedule, but this can have side-effects. For instance, notification mails are sent by this Job, so a large volume of e-mails (rather than 1 a day) may be sent by the Content Organizer, which is not pleasant.
If you are using Lookup fields and OOTB rules, the fields can't have more that 20 values, otherwise the value in the condition doesn't get saved in the rule. The reason for this is that the edit field control for lookup fields changes depending if we have more or less than 20 options and the Content Organizer Rule List doesn't handle it correctly.
[Defect] If you use the Send To functionality to send documents back to the Drop Off Library to be re-routed, they can be deleted permanently. This will happen in the case where the document will be routed to the same location. The root issue is that the move operation in Send To is not atomic: it is a copy to the destination followed by a delete in the origin. This means it is not thread safe. If versioning is used for duplicate submissions, we have a problem. If while these 2 operations are being performed, the Content Organizer job actually does the routing in the meantime, the final result is: copy to Drop Off Library [Send To], routed to original library as a new version [Content Organizer], deleted from the original library - both versions! [Send To]. This defect may not always happen, but it is something to have in mind, it did happen to me! I've had similar behaviours in the past, on another setup, where Publishing a page directly (which corresponds to calling 2 actions in sequence: Submit for Approval + Approve) had conflicts with a workflow running in the background for auto-approving submissions if certain conditions were valid. Basically, the workflow would be processed after the submit action of the Publish and before the Approve, causing the page to get locked. In the case of the Content Organizer, the consequences are far more dangerous.
[Defect] If you have try to develop customizations on top of the Drop Off Library, such as an Event Receiver or Workflow, that creates a new version of the document (an example would be automatic tagging), and check it in as System Account (to identify it as a system change), the Content Organizer Event Receivers can create a new version with modified permissions (System Account + Rule Managers) and the Modified By field will actually be set to the first Content Organizer Rule Manager in the list (!!). I have not experienced this in every Content Organizer setup, so I am guessing this may be dependent on a specific set of configurations or SharePoint version to happen.
There is a feature called "E-mail Integration with Content Organizer", but according to some people's investigation (and Microsoft feedback) this is only a legacy for Exchange 2007 and should not be used for this purpose in SPS2010 (see here).

Some other important points to notice:

One of the options provided is to force the usage of the Drop Off Library. This enforcing will only happen on libraries that are the target of a rule. Also, if users use the Windows Explorer to upload the files, this enforcing will not happen.
Be very aware of the overwriting documents option. If you do not have versioning enabled in the destination library, if you upload a document with the same name, it can permanently overwrite the existing document. In a large system, with versioning enabled, it is also unsettling for the users to have the Content Organizer routing document from the Drop Off Library to a Destination Library as a new version. If it was just an accidental duplicate naming, users will certainly be confused and can even lost track of the previous document.
Unique permissions when a document does not match any rule: only the Creator and the Rule Managers will have permissions to see the document. I believe this is a good thing, but consider this behaviour if you have the idea of implementing any workflow (or similar) on the Drop Off Library.
Content Types must be defined on the Site Collection / Site level, otherwise they can't be used on the configuration. This actually makes some sense, you shouldn't be defining your Content Types on library / list level anyway.

SharePoint 2010 Content Organizer Part 1 - A Cool New Feature for Managing Your Content [TechNet]

Metadata-based routing and storage overview (SharePoint Server 2010) [TechNet]

http://sharepointlessons.blogspot.com/2010/03/content-organizer-document-routing.html

http://www.get-sp.com/2014/05/problems-with-content-organizer-10.html

Creating Host Name Site Collection via PowerShell

Updates

Note that you can use a wildcard entry as per this blog thx Todd

Microsoft now recommends using no host header
https://technet.microsoft.com/en-us/library/cc424952.aspx#section2a

CREATING HOST-NAMED SITE COLLECTIONS IN SHAREPOINT 2013

https://sergeluca.wordpress.com/2014/01/13/creating-host-named-site-collections-in-sharepoint-2013/

http://www.benjaminathawes.com/2013/12/11/using-host-named-site-collections-in-sharepoint-2013-with-mysites/

Quickly Migrate SharePoint Path-based to Host-named Site Collections Using Feb 2015 PU

http://thesharepointfarm.com/2015/02/quickly-migrate-sharepoint-path-based-host-named-site-collections/

NHSC Lab without Host Header

Note you will need to add the following for the above example powershell to work properly.

Create managed account called … 'Contoso\JDoe'
DNS CNAME Record for portal.contoso.com using ‘nyc-sp1’

Three lines of powershell from Technet

New-SPWebApplication -Name 'Contoso Sites' `
-port 80 -ApplicationPool ContosoAppPool `
-ApplicationPoolAccount `
(Get-SPManagedAccount 'Contoso\JDoe') `
-AuthenticationProvider ~
(New-SPAuthenticationProvider `
-UseWindowsIntegratedAuthentication)

New-SPSite 'http://nyc-sp1' -Name 'Portal' `
-Description 'Portal on root' `
-OwnerAlias 'contoso\administrator' `
-language 1033 -Template 'STS#0'

New-SPSite 'http://portal.contoso.com' `
-HostHeaderWebApplication 'http://nyc-sp1' `
-Name 'Portal' -Description 'Customer root' `
-OwnerAlias 'contoso\administrator' `
-language 1033 -Template 'STS#0'

I don’t like the database name from Technet code so think about creating database with a better name!

add -databasename ContosoSites

NHSC Lab using Host Header

So the future for Microsoft is to use Host Named Site Collections and since we have no GUI, my challenge has been to script this via PowerShell. But many examples on the web have come up short and since I have been real busy this project has been put on the back burner. Finally!

For my students, I am using 20331 Lab 8 but you can use any SharePoint farm, but you will need to modify the IP address and domain names as needed.

Using 20331 Lab 7/8 verified

Prerequisite #1 - Create DNS Records

A Record
webapp.contoso.com – 172.16.1.22
CNAME Records
root.contoso.com - webapp.contoso.com
companyA.contoso.com - webapp.contoso.com
companyB.contoso.com - webapp.contoso.com

Prerequisite #2 – Add 172.16.1.22 to NIC

Prerequisite #3 – Edit BackConnectionHostNames

Using regedit navigation to

add values for the all four sites added to DNS earlier.

Prerequisite #4 – Here is the script

   1:  # Using 20331 lab 8 vm

   2:  # DNS and TCPIP prerequisites

   3:  # create A record for webapp.contoso.com `
to 172.16.1.22 and add 172.16.1.22 to NIC

   4:  # create cname records to webapp.contoso.com`
for webapp, root, companya, companyb

   5:  # add sites to backconnectionhostnames if`
 needed

6:

   7:  # Load SharePoint PowerShell Snapin

   8:  Add-PSSnapin microsoft.sharepoint.powershell

9:

  10:  # Web Application Variables

  11:  $webapphostheadersimple = 'webapp.contoso.com'

  12:  $webapphostheader = 'http://webapp.contoso.com'

  13:  $webappname = 'Portal WebApp'

  14:  $language = '1033'

  15:  $ipaddress = '172.16.1.22'

16:

  17:  # Site Collection Variables

  18:  $RootSC = 'http://root.contoso.com'

  19:  $rootSCname = 'Root Site'

  20:  $HNSC1 = 'http://companyA.contoso.com'

  21:  $HNSC1name = 'Company A'

  22:  $HNSC2 = 'http://companyB.contoso.com'

  23:  $HNSC2name = 'Company B'

24:

  25:  $rootsitetemplate = 'STS#0'

  26:  $sitetemplate = 'BLANKINTERNET#0'

  27:  $webdb = 'wss_content_portal'

28:

  29:  # Account Variables

  30:  $owneralias = 'contoso\administrator'

  31:  $serviceaccount = 'contoso\spcontosocomapppool'

32:

  33:  # Create Authentication Provider

  34:  $ap = new-spauthenticationprovider -usewindowsintegratedauthentication

35:

  36:  # Create New Web Application

  37:  new-spwebapplication -name $webappname `
-hostheader $webapphostheadersimple -port 80 `
-applicationpool $webappname -applicationpoolaccount`
 $serviceaccount -databasename $webdb `
-allowanonymousaccess -authenticationprovider $ap

38:

  39:  # Create IIS Binding

  40:  new-webbinding -name $webappname `
-hostheader "*" -ipaddress $ipaddress `
-port 80 -protocol http

41:

  42:  # Create root site collection

  43:  new-spsite $RootSC -hostheaderwebapplication`
 $webapphostheader -name $rootSCname –description `
 $rootSCname -owneralias $owneralias -language`
 $language -template $rootsitetemplate

44:

  45:  # Create host named site collection for CompanyA

  46:  new-spsite $HNSC1 -hostheaderwebapplication`
 $webapphostheader -name $HNSC1name -description`
 $HNSC1name -owneralias $owneralias -language`
 $language -template $sitetemplate

47:

  48:  # Create host named site collection for`
 CompanyB

  49:  new-spsite $HNSC2 -hostheaderwebapplication`
 $webapphostheader -name $HNSC2name -description`
 $HNSC2name -owneralias $owneralias -language`
 $language -template $sitetemplate

Results – Here are site collections and web application

Option Step - If needed edit IIS bindings

Appears to work fine with unassigned binding for webapp.contoso.com

Multiple zones for host named site collections in SP2013

https://blogs.msdn.microsoft.com/brian_farnhill/2014/07/07/multiple-zones-for-host-named-site-collections-in-sp2013/

SharePoint 2010 HNSC

https://blogs.msdn.microsoft.com/kaevans/2012/03/27/what-every-sharepoint-admin-needs-to-know-about-host-named-site-collections/

Create Site Collections via PowerShell

2013

Renaming Site Collections

$site = Get-SPSite http://portal.contoso.com/sites/demo
$uri = New-Object System.Uri("http://demo.contoso.com")
$site.Rename($uri)

Thx Todd - How to Rename SharePoint 2013 Site Collections Without Prayer or Sobbing

Host Named Site Collections

For my students, I am using 20331 Lab 8 but you can use any SharePoint farm, but you will need to modify the IP address and domain names as needed

http://thecloudengineer.blogspot.com/2014/09/creating-host-name-site-collection-via.html

2010 Archive

How do you create multiple site collections via PowerShell?

The following script allows you to create a site collection with a dedicated content db and url.

First you set an array with the site collection names, then add managed path, content db and site collections for each url in the array.

$a = ("Engineering", "Sales")
ForEach($url in $a)
{
New-SPManagedPath -relativeurl /$url -webapplication http://intranet.contoso.com -explicit

New-SPContentDatabase -Name WSS_Content_Intranet_$url -WebApplication http://intranet.contoso.com

New-SPSite -Url http://intranet.contoso.com/$url -ContentDatabase WSS_Content_Intranet_$url -OwnerAlias CONTOSO\SP_Admin -Template "STS#0"
}

Special Site Collections

Hosted Named Site Collections (great article)
http://blogs.msdn.com/b/kaevans/archive/2012/03/27/what-every-sharepoint-admin-needs-to-know-about-host-named-site-collections.aspx

http://blogs.msdn.com/b/markarend/archive/2012/05/30/host-named-site-collections-hnsc-for-sharepoint-2010-architects.aspx (scripts confirmed)

How to Create Host Named Site Collections (I found some good code samples and reposted below in case of site deletion) Note you need to add the DNS entries for both.

http://mshorrosh.blogspot.com/2014/02/quick-guide-to-implementing-host-name.html

   1:  #"Add SharePoint Cmdlets"

   2:  add-pssnapin microsoft.sharepoint.powershell

3:

   4:  # Web App Variables

   5:  $WebAppDefault = "SharePoint - HSNC Example"

   6:  $Port = "80"

   7:  $AppPool = "HSNCAppPool"

   8:  $Account = "domain\svc-apppoolaccount"

9:

  10:  # Root Site Variables'

  11:  $RootHHDefault = "myrootsite.com"

  12:  $RootURLDefault = "http://myrootsite.com"

  13:  $Owner = "domain\svc-farmaccount"

  14:  $RootDB = "RootDB"

  15:  $Lang = "1033"

  16:  $Template = "blankinternetcontainer#0"

17:

  18:  # HSNC Site Variables

  19:  $HNSCSITE1 = "http://hnsc1.com"

  20:  $HNSCSITE2 = "http://hnsc2.com"

21:

  22:  # Create Web App

  23:  New-SPWebApplication -Name $WebAppDefault -hostHeader $RootHHDefault -Port $port -ApplicationPool $AppPool -ApplicationPoolAccount (Get-SPManagedAccount $Account) -AuthenticationProvider (New-SPAuthenticationProvider –UseWindowsIntegratedAuthentication) -DatabaseName $RootDB -AllowAnonymousAccess

  24:  echo "Web App created"

25:

  26:  # Create Root Site Collection

  27:  New-SPSite $RootURLDefault -Name 'Root Site' -Description 'External Root Site Collection' -OwnerAlias $Owner -language $Lang -Template $Template

  28:  echo "Root Site Collection created"

29:

  30:  # Create HNSC 1

  31:  New-SPSite $HNSCSITE1 -HostHeaderWebApplication (get-spwebapplication $RootURLDefault) -Name 'Site 1' -Description 'HNSC Site1' -OwnerAlias $Owner -language $Lang -Template $template

  32:  echo "HNSC 1 Site Collection created"

33:

  34:  # Create HNSC 2

  35:  New-SPSite $HNSCSITE2 -HostHeaderWebApplication (get-spwebapplication $RootURLDefault) -Name 'Site 2' -Description 'HNSC Site2' -OwnerAlias $Owner -language $Lang -Template $template

  36:  echo "HNSC 2 Site Collection created"

http://www.sharepointdiary.com/2014/06/create-host-named-site-collections-in-sharepoint-2013.html

   1:  Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

   2:  #Set variables for New web application creation

   3:  $WebAppName = "HNSC Host Web Application"

   4:  #Variables for new Application Pool

   5:  $AppPoolName = "HNSC App Pool"

   6:  #Get the existing Managed Account

   7:  $AppPoolAccount = Get-SPManagedAccount "Crescent\SvcAppPool"

   8:  #To utilize existing AppPool, Use: Get-SPServiceApplicationPool <AppPoolName>

   9:  $ContentDatabase = "SP13_HNSC_Content"

  10:  $AuthProvider = New-SPAuthenticationProvider –UseWindowsIntegratedAuthentication

  11:  #Create the web application

  12:  $WebApp = New-SPWebApplication -ApplicationPool $AppPoolName -ApplicationPoolAccount $AppPoolAccount

   1:  $ServerName = "http://G1WFE01"

   2:  New-SPSite -URL $ServerName -Name "HNSC Root" -OwnerAlias "Global\SvcOwner"

   1:  $HostURL = "http://WFE01"

   2:  $OwnerID = "Crescent\Support"

   3:  $OwnerMail= "Support@Crescent.com"

   4:  $SiteURL = "http://sales.crescent.com"

   5:  $TemplateVal ="sts#0" #Team Site

   6:  #Create the HNSC

   7:  New-SPSite -url $SiteURL -HostHeaderWebApplication $HostURL -owneralias $OwnerID -owneremail $OwnerMail -Template $TemplateVal

Unlike SharePoint 2010, SharePoint 2013 allows managed paths in host named site collections. Here is how: Create a new managed path "teams"

   1:  New-SPManagedPath "Teams" –Hostheader

   1:  $HostURL = "http://WFE01"

   2:  $OwnerID = "Crescent\Salaudeen"

   3:  $OwnerMail= "Support@Crescent.com"

   4:  $SiteURL = "http://Sales.crescent.com/teams/cloud"

   5:  $SiteName = "Clould Sales Team"

   6:  $TemplateVal ="sts#0"

   7:  #Get the Host named site collection by its name

   8:  $webApp = Get-SPWebApplication $HostURL

   9:  #Create new Host-named site under the managed path

  10:  New-SPSite $SiteURL -OwnerAlias $OwnerID -HostHeaderWebApplication $webApp -Name $SiteName -Template $TemplateVal

Wednesday, April 29, 2015

SharePoint Security

Security 101

Concerns

Edward Snowden, SharePoint, and Security
https://www.credera.com/blog/technology-insights/microsoft-solutions/edward-snowden-sharepoint-security/

Pentest – Phases

Recon
Scan
Gain Access
Maintain Access
Cleanup
Pivot

https://en.wikipedia.org/wiki/Penetration_test
https://windsorwebdeveloper.com/comptia-pentest-study-guide/

Tools

https://www.kali.org/
https://nmap.org/

Tutorials – NMAP Zenmap MegaPing
https://www.youtube.com/channel/UCtudLj18oXlrzrPHqKC5bLA

News

WikiLeaks CIA Files: The 6 Biggest Spying Secrets Revealed By the Release of 'Vault (2017)

https://yro.slashdot.org/story/17/03/07/2124251/wikileaks-cia-files-the-6-biggest-spying-secrets-revealed-by-the-release-of-vault-7

“”1,2,3, and 5 were revealed with the documents that Edward Snowden released to The Guardian and was subsequently detailed in at least a couple of the books written about that leak including Data and Goliath by Bruce Schneier and The Snowden Files by Luke Harding.

The NSA and CIA also maintain a cache of vulnerabilities they have discovered but kept to themselves and not shared with Microsoft, Android/Google or Apple as well as the other operating system vendors so they can perform surveillance on any company running those OS.

This activity has been approved by the FISA court all in the name of Homeland security but not necessarily restricted to that activity.” George

2016

Plan security hardening for SharePoint Server 2016

https://technet.microsoft.com/en-us/library/cc262849(v=office.16).aspx

MS16-101 Prevents SharePoint From Changing Managed Account Passwords

https://thesharepointfarm.com/2016/09/ms16-101-prevents-sharepoint-from-changing-managed-account-passwords/

2013/2010

Technet on Planning Security Hardening (2010 or 2013)

https://technet.microsoft.com/en-us/library/cc262849(v=office.15).aspx

https://technet.microsoft.com/en-us/library/cc262849(v=office.14).aspx

Good Article on SharePoint Groups vs. AD Groups and effect on Search Crawls
http://blogs.msdn.com/b/kaevans/archive/2013/05/06/clarifying-guidance-on-sharepoint-security-groups-versus-active-directory-domain-services-groups.aspx

Preview as user (Third Party)
http://blog.mastykarz.nl/previewing-pages-content-targeting-user-segments-sharepoint-2013/

Updates
Interesting Vulnerability Site on SharePoint
Lists - http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-11116/Microsoft-Sharepoint-Server.html
Stats - http://www.cvedetails.com/product/11116/Microsoft-Sharepoint-Server.html?vendor_id=26

Legacy

Great Security Articles by Liam Cleary
https://www.helloitsliam.com/

PenTest (Part 1 and 2)
https://www.helloitsliam.com/2014/11/06/sharepoint-2013-pentest-part-1/
https://www.helloitsliam.com/2014/11/10/sharepoint-2013-pentest-part-2/

https://www.helloitsliam.com/2014/11/06/10-ways-to-a-more-secure-sharepoint-infographic/

”SO you wanna hack SharePoint” Presentation - TechEd
http://view.officeapps.live.com/op/view.aspx?src=http%3a%2f%2fvideo.ch9.ms%2fsessions%2fteched%2fna%2f2013%2fATC-B315.pptx

OLD LINKS – Broken due to new site
http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=121
Is SharePoint Secure?
part 1 http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=100
part 2 http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=101
part 3 http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=103
part 4 http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=105
Is SharePoint Vulnerable
http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=116

Effect of SharePoint Security Groups and/or AD Security Groups on Search Crawl Performance
http://blogs.msdn.com/b/kaevans/archive/2013/05/06/clarifying-guidance-on-sharepoint-security-groups-versus-active-directory-domain-services-groups.aspx

Best practices for using fine-grained permissions in SharePoint Server 2013
http://technet.microsoft.com/en-us/library/gg128955.aspx

Troubleshoot common fine-grained permissions issues for SharePoint Server 2013
http://technet.microsoft.com/en-us/library/dn169566.aspx

UAG - SharePoint Publishing Guide
http://technet.microsoft.com/en-us/library/dd857299.aspx

Firewall Ports
azure acs
http://msdn.microsoft.com/en-us/library/windowsazure/jj136814.aspx
office 365
http://blogs.technet.com/b/educloud/archive/2011/11/30/what-firewall-ports-do-i-need-open-to-connect-to-office-365-for-education.aspx
http://ahandyblog.wordpress.com/cloud-technologies/firewall-ports-for-office-365/

2010

Articles

Copy Permissions Between Site Collections Using AD Groups
https://social.technet.microsoft.com/wiki/contents/articles/8138.sharepoint-2010-copying-permissions-between-site-collections.aspx

Fine Grained Permissions Guide
http://technet.microsoft.com/library/gg128953(office.14).aspx

More from SharePoint Galaxy

Authentication
http://thecloudengineer.blogspot.com/2013/02/authentication.html

TMG UAG
http://thecloudengineer.blogspot.com/2011/07/golden-5-rules-on-sharepoint-security.html

Document Security
http://thecloudengineer.blogspot.com/2011/09/sharepoint-document-security.html

SharePoint Designer
http://thecloudengineer.blogspot.com/2012/03/sharepoint-designer-security.html

Books

Actual book http://www.amazon.com/Office-Sharepoint-Security-Microsoft-Corporation/dp/0735626545

Free Ebook http://technet.microsoft.com/en-us/library/cc287889(v=office.12).aspx

Tuesday, April 21, 2015

Site Collection Administrators

The following is a repost – reference – thank you Per Jakobsen
and more thx mike reference
The text is due to confusion SharePoint creates by having three different groups which when you create a site collection start out having the same persons, but are in fact different.
The three groups are:
Site Collection Owners

Are controlled via `Central Administration | Application Management | Change site collection administrators'
Receive email about site collection: quota warnings, not used warnings ...
Automatically members of Site Collection Administrators
Can only be users

Site Collection Administrators

Are controlled via Site Settings | Site collection administrators
Have full permissions in the site collection
Can be users or groups

Site Owners

A group named {SiteName} owners
By default have full permissions in the site collection, but are subject to changes in permissions, broken inheritance, only read/edit own items,...
Is just a standard SharePoint group which can be modified, deleted
Can be users or groups

Strange things
Part of the problem understanding these groups are some of the strange behaviours of these groups:

When a site collection is created you specify "Primary Site Collection Administrator" and "Secondary Site Collection Administrator" these two persons are entered into all three groups
When you add "Site Collection Administrators" in Central Administration these can only be users and there can only be max 2 and they become both "Site Collection Owners" and "Site Collection Administrators"
When you remove a "Site Collection Administrator" in Central Administration he/she is removed from "Site Collection Owners" and "Site Collection Administrators"
When you add "Site Collection Administrators" in Site Settings in the Site Collection you can specify any number of users and/or groups they only become "Site Collection Administrators"
If you remove a person who is "Site Collection Owner" as part of modifying "Site Collection Administrators" in Site Settings in the Site Collection he/she is removed from "Site Collection Owners" as well. If it's the Primary Owner then the Secondary Owner becomes Primary Owner, if there is no Secondary Owner, the first user in the list of Site Collection Administrators become new Primary Owner

Thursday, April 16, 2015

Content Type Hub

Content Type Hub FAQ and Limitations

MSDN Blog - Chaks' SharePoint Corner – FAQ and Limits
http://blogs.msdn.com/b/chaks/archive/2011/02/09/content-type-hub-limitations.aspx

Workflows and Content Type Hubs–What's the story?

http://blogs.msdn.com/b/chaks/archive/2012/05/05/workflows-and-content-type-hubs-whats-the-story.aspx

Configuration

http://gallery.technet.microsoft.com/office/Configuring-the-Content-ee9a0723

Troubleshooting – Content Type Hub

I ran across a strange issue when setting up content type hub today. No errors. Followed all the same steps as before so I thought I would include a list of gotchas.

Created new site collection that will act as the content type hub using Team Site Template.

Verified that Content Type Syndication Hub as Active

Went to Site Content Type and verified that Manage publishing was set, this must be set, check.

Verified on another site collection that the Managed Metadata Service was available.
NOTE: The Subscribed Content Type states
- no content types have been subscribed -