SharePoint

Kevin Hughes

December 11
Bulk Import User Profile Photos to SharePoint 2013 from File Share

I had a recent client who was migrating to SharePoint 2013 from a non-SharePoint intranet. They wanted to use a new SharePoint 2013 intranet portal to replace many functions currently in the old intranet and also some other systems. They had been storing employee photos in a file share which had been referenced programmatically by their Human Resources Information System, but this was not accessible by all employees. Through a complex bit of code, these had been referenced by their old intranet, but it was slow and not easily searchable. They wanted to use SharePoint 2013 MySites to contain company-wide employee information which was searchable and accurate. Getting the rest of the requirements is outside the scope of this article.

However, the big issue was not really the creation of the user profiles in SharePoint 2013, nor the import of user data from both Active Directory and their HRIS. It was how to get their employee pictures (over 4000 employees) into the new user profiles. Of course it could be done manually, but that's a lot of work. And since the HRIS was where they initially captured the employee picture, new photos would always be placed in the file share. So, we needed a way to be able to repeat the import as part of a regular onboarding process.

Enter our old friend PowerShell.

Using a PowerShell script, we were able to reference a .csv file which contained necessary information to create a repeatable import process. The .csv file was created by their HRIS, but could be created in other ways for different scenarios. For this article, the format of the .csv file was:

| domain_user_name | path | email |
|---|---|---|
| aalejandro | file://Network_Share/Marketing/EmployeePhotos/Axel00049.jpg | AXEL.ALEJANDRO@DomainName.Com |
| aanderson | file://Network_Share/Marketing/EmployeePhotos/Addie00532.jpg | ADDIE.ANDERSON@DomainName.Com |
| aaugustin | file://Network_Share/Marketing/EmployeePhotos/Audra01398.jpg | AUDRA.AUGUSTIN@DomainName.Com |
| abream | file://Network_Share/Marketing/EmployeePhotos/Allan00422.jpg | ALLAN.BREAM@DomainName.Com |
| aburgos | file://Network_Share/Marketing/EmployeePhotos/Alexandra00035.jpg | ALEXANDRA.BURGOS@DomainName.Com |

They also had a couple of wrinkles in the mix…

The HRIS didn't store the user name with the domain suffix (domain\user). And more, they had two AD domain suffixes used for their employees. So, as users were imported from AD, their credentials might be domain1\user OR domain2\user. This is a wrinkle because the user profiles are referenced via that AD login name.

So, the PowerShell script needed to do the following:

  1. Find the domain user name
  2. Reference the proper network path to their employee photo
  3. Check which domain suffix was actually imported into SharePoint's user profile DB
  4. Assign the proper domain suffix to the user name to get the format of "Domain\Username"
  5. Import the employee photo to the user name
  6. Report any errors

Requirements to run this process are:

  • This must be performed using specific credentials which have elevated permissions within the farm. This means the credentials must be a member of the Farm Administrators group and must be listed as a Shell Admin in the SQL Server.
  • Need the following files placed in the same directory. In this example the directory is c:\scripts\
    • ImportUserPictures.ps1 – the PowerShell script which will perform the bulk picture import
    • UserPictureList.csv – a comma separated values file which contains import information. It should contain

 

This is the script for this process. It's not really complex.

 

     # Load the SharePoint cmdlets and the User Profiles assembly
     Add-PSSnapin Microsoft.SharePoint.PowerShell
     [void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server.UserProfiles")

     $csvFile   = "c:\scripts\UserPictureList.csv"
     $logFile   = "c:\scripts\useruploadlog.txt"
     $MySiteUrl = "http://mysites.domain.com/"

     $site           = Get-SPSite $MySiteUrl
     $context        = Get-SPServiceContext $site
     $profileManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)

     $csv = Import-Csv -Path $csvFile

     foreach ($line in $csv)
     {
         # Reset per row so a failed lookup can never reuse the previous user's profile
         $user_name = $null
         $up = $null

         # Check which domain is being used for a particular user
         foreach ($domain in "domain1", "domain2")
         {
             try
             {
                 $initialUserName = $domain + "\" + $line.domain_user_name
                 $up = $profileManager.GetUserProfile($initialUserName)
                 $user_name = $initialUserName
                 break
             }
             catch
             {
                 # No profile under this domain; try the next one
             }
         }

         if ($up)
         {
             # Point the profile at the photo and save the change
             $up["PictureURL"].Value = $line.path
             $up.Commit()
             Write-Host $user_name,"--->",$up.DisplayName,"--->",$line.path
         }
         else
         {
             # Neither domain matched: report the error and log it
             $message = $line.domain_user_name + " does not exist in the SharePoint user database"
             Write-Host -ForegroundColor Yellow $message
             $message | Out-File $logFile -Append
         }
     }

     # Create thumbnails in MySites
     Update-SPProfilePhotoStore -MySiteHostLocation $MySiteUrl 2>> C:\scripts\useruploaderrors.txt

 

It may not be the solution to your issue, but maybe it will help you along.

Keep sharing!
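Because the import runs under a Farm Administrators account and copies each CSV path value straight into the profile's PictureURL, it is worth checking the HRIS export before every run. The following is an added example, not part of the original script; the allowed share root, the extension list, the account-name pattern and the sample rows are assumptions.

```powershell
# Added example (not the original script): validate UserPictureList.csv rows
# before an elevated import run. The allowed root, extension list and
# account-name pattern are assumptions; set them for your environment.
function Get-PictureImportProblems {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Rows,
        [string]   $AllowedRoot       = 'file://Network_Share/Marketing/EmployeePhotos/',
        [string[]] $AllowedExtensions = @('.jpg', '.jpeg', '.png')
    )

    $seen   = @{}
    $rowNum = 1    # row 1 is the CSV header line
    foreach ($row in $Rows) {
        $rowNum++
        $problems = @()

        # The import script prepends "domain1\" or "domain2\" itself, so the
        # CSV value must be a bare account name with no domain part.
        $name = [string]$row.domain_user_name
        $key  = $name.ToLowerInvariant()
        if ($name -notmatch '^[A-Za-z0-9._-]{1,20}$') {
            $problems += 'domain_user_name is empty or has unexpected characters'
        }
        elseif ($seen.ContainsKey($key)) {
            $problems += "duplicate account, first seen on row $($seen[$key])"
        }
        else {
            $seen[$key] = $rowNum
        }

        # Decode percent-escapes first so "%2e%2e" cannot hide a parent-directory hop.
        $path = [System.Uri]::UnescapeDataString([string]$row.path)
        if (-not $path.StartsWith($AllowedRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
            $problems += 'path is outside the approved photo share'
        }
        if ($path -match '(^|[\\/])\.\.([\\/]|$)') {
            $problems += 'path contains a ".." segment'
        }
        $extension = ''
        if ($path -match '\.[^./\\]+$') { $extension = $Matches[0].ToLowerInvariant() }
        if ($AllowedExtensions -notcontains $extension) {
            $problems += "extension '$extension' is not an allowed image type"
        }

        foreach ($p in $problems) {
            [pscustomobject]@{ Row = $rowNum; User = $name; Problem = $p }
        }
    }
}

# Constructed sample input: the first data row follows the article's format,
# the remaining rows are deliberately malformed.
$sample = @'
domain_user_name,path,email
aalejandro,file://Network_Share/Marketing/EmployeePhotos/Axel00049.jpg,AXEL.ALEJANDRO@DomainName.Com
domain1\aanderson,file://Network_Share/Marketing/EmployeePhotos/Addie00532.jpg,ADDIE.ANDERSON@DomainName.Com
aaugustin,file://Network_Share/Marketing/EmployeePhotos/../../Finance/scan.jpg,AUDRA.AUGUSTIN@DomainName.Com
abream,file://Other_Server/drop/Allan00422.jpg,ALLAN.BREAM@DomainName.Com
aalejandro,file://Network_Share/Marketing/EmployeePhotos/Axel00049.exe,AXEL.ALEJANDRO@DomainName.Com
'@ | ConvertFrom-Csv

$issues = @(Get-PictureImportProblems -Rows $sample)
$issues | Sort-Object Row | Format-Table Row, User, Problem -AutoSize
if ($issues.Count -gt 0) {
    Write-Warning "Fix the CSV before running ImportUserPictures.ps1"
}
```

Running the check as a gate in the scheduled onboarding job keeps a bad HRIS export from being applied to thousands of profiles in one pass.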

 

October 30
Get a report of large lists in your SharePoint 2013 farm

 

The scenario today is one regarding performance and user experience. Our fictional client has a SharePoint 2013 farm on premises and about 1000 users who actually have adopted their SharePoint-based intranet and use it. They have, though, reported that some lists seem to load very slowly and sometimes don't show all the items in the list. They don't have a list of all the locations, and we suspect that there are multiple areas which may be impacted.

As we know, when a list or library has a large number of items the performance of the list/library and possibly the container site will diminish. The default List View Threshold is 5000 items returned in a view. This Resource Throttling is to reduce the number of full table or full database locks in a content database. When item view quantity exceeds 5000 rows returned, SQL Server will escalate a lock from row locks to table locks to be more efficient with resources. This can vary according to the overall performance of the database at the time of the query and may be escalated to a full database lock if performance is low. This increases query time which increases page load time. The List View Threshold means that users will not be able to see any items beyond that threshold when they navigate to a view of the list/library.

As we don't know which libraries and/or lists may be an issue, we can leverage our old friend PowerShell to help us out. Run the following script on your web front end server using your shell administrator credentials.

 

 

     if ((Get-PSSnapin -Name "Microsoft.SharePoint.Powershell" -ErrorAction SilentlyContinue) -eq $null)
     {
         Add-PSSnapin "Microsoft.SharePoint.Powershell"
     }

     # Output file for the report (Export-Csv overwrites the file if it already exists)
     $OutputFN = "d:\scripts\output\LargeListsData.csv"

     # Get the web application URL
     $WebAppURL = Read-Host "Enter the web application URL"
     $SPWebApp  = Get-SPWebApplication $WebAppURL

     # Loop through all site collections, sites, lists
     $report = foreach ($SPSite in $SPWebApp.Sites)
     {
         foreach ($SPWeb in $SPSite.AllWebs)
         {
             foreach ($SPList in $SPWeb.Lists)
             {
                 if ($SPList.ItemCount -gt 2000)
                 {
                     # One object per large list; Export-Csv quotes titles that contain commas
                     [pscustomobject]@{
                         "List Name"       = $SPList.Title
                         "site Collection" = $SPSite.RootWeb.Title
                         "Site URL"        = $SPWeb.Url
                         "Item Count"      = $SPList.ItemCount
                     }
                 }
             }
             $SPWeb.Dispose()
         }
         $SPSite.Dispose()
     }

     # Write the CSV headers and rows
     $report | Export-Csv -Path $OutputFN -NoTypeInformation

     Write-Host "Large List report generated successfully"

 

This produces a result much like this:

| List Name | site Collection | Site URL | Item Count |
|---|---|---|---|
| Shared Documents | Clubhouse Home | http://clubhouse.widgets.com/sites/accounting | 4234 |
| Sheet1 test | Clubhouse Home | http://clubhouse.widgets.com/sites/customerservice/CallTracking | 62490 |
| IS Enhancements and Issues Log Time Tracking | Clubhouse Home | http://clubhouse.widgets.com/sites/enterpriseservices | 3621 |
| Merchant Auditing | Clubhouse Home | http://clubhouse.widgets.com/sites/enterpriseservices/auditing | 2257 |
| Stock Images 1 | Clubhouse Home | http://clubhouse.widgets.com/sites/pdf | 3314 |
| Stock Images 3 | Clubhouse Home | http://clubhouse.widgets.com/sites/pdf | 4122 |
| Curriculum | Clubhouse Home | http://clubhouse.widgets.com/sites/pdf/pmidevelopment | 10934 |
| MVP | Clubhouse Home | http://clubhouse.widgets.com/sites/projects | 2598 |
| Pro Trader Institute | Clubhouse Home | http://clubhouse.widgets.com/sites/salesandmarketing/sep | 2635 |
| Shared Documents | Clubhouse Home | http://clubhouse.widgets.com/sites/accounting | 4234 |
| Sheet1 test | Clubhouse Home | http://clubhouse.widgets.com/sites/customerservice/CallTracking | 128490 |
| IS Enhancements and Issues Log Time Tracking | Clubhouse Home | http://clubhouse.widgets.com/sites/enterpriseservices | 3621 |
| Merchant Auditing | Clubhouse Home | http://clubhouse.widgets.com/sites/enterpriseservices/auditing | 2257 |
| Stock Images 1 | Clubhouse Home | http://clubhouse.widgets.com/sites/pdf | 3314 |
| Stock Images 3 | Clubhouse Home | http://clubhouse.widgets.com/sites/pdf | 4122 |
| Curriculum | Clubhouse Home | http://clubhouse.widgets.com/sites/pdf/pmidevelopment | 150934 |
| MVP | Clubhouse Home | http://clubhouse.widgets.com/sites/projects | 2598 |
| Pro Trader Institute | Clubhouse Home | http://clubhouse.widgets.com/sites/salesandmarketing/sep | 2635 |
| Theme Gallery | Home | http://portal.widgets.com | 2723 |
| CARS | Home | http://portal.widgets.com/Forms | 2007 |
| Customers | Home | http://portal.widgets.com/Forms | 2330 |
| Workflow History | Home | http://portal.widgets.com/Forms | 11452 |

 

Those I have indicated in yellow are close to the default threshold of 5000 items. Those in red are over the 5000 limit. In an environment where you have full administrative access to Central Administration, this may be increased by altering the Web Application settings. However, this is not recommended as you are almost guaranteeing a degradation in performance by doing so.

To resolve such things, I have listed some standard approaches:

Consider creating indexed columns for the large lists. In general, an index on a column enables you to quickly find the rows you want based on the values in that column, even when working with millions of items.

Each additional column index will consume additional resources in the database and adds some overhead to every operation to maintain the index. Therefore, add indexes only to columns that will be used actively for filtering in views on the list or library.

Consider creating filtered views based on column indexes. For a view to quickly filter through a large number of items, the first column that you specify in the filter must be indexed. Other columns you specify in the view filter may or may not be indexed, but the view does not use those indexes. You also need to make sure that the first column of the filter does not return more items than the List View Threshold.

Consider management of the Recycle Bin. Items here are not actually deleted from the database and so are still considered part of the list index.

Consider using Search as an alternative to views. Because Search has its own indexing mechanisms, it is not subject to the List View Threshold or other related limits.

 

I hope this helps you out when you are in this boat.

 

Keep sharing!

 

Kevin

October 22
Make Promoted Links work for you

As a third entry in my series about SharePoint 2013 Promoted Links web part, I offer up more about how to make the Promoted Links lists work for you. This series is demonstrated in an online session for the SharePoint Power Hour, sponsored by Rackspace.

Promoted links example:

For step-by-step instructions on how to create your own Promoted Links visit http://sharepoint.rackspace.com/2013-Articles

In previous articles I've already shown how to display Promoted Links in multiple lines in a responsive design format

And also how to make them display completely vertical. In this article I want to show you how to control the look & feel of this type of list.

These are wonderful, but now I wish to show you the CSS properties to manipulate the Promoted Links web parts. These all can be applied in a custom style sheet file or per page, as we've already discussed.

 

  • .ms-promlink-body
  • .ms-promlink-header
  • .ms-tileview-tile-root
  • .ms-tileview-tile-content
  • .ms-tileview-tile-detailsBox
  • .ms-tileview-tile-content
  • .ms-tileview-tile-content
  • .ms-tileview-tile-content img
  • .ms-tileview-tile-detailsListMedium
  • .ms-tileview-tile-descriptionMedium
  • .ms-tileview-tile-titleTextMediumExpanded
  • .ms-tileview-tile-titleTextLargeCollapsed
  • .ms-tileview-tile-titleTextLargeExpanded
  • .ms-tileview-tile-titleTextMediumCollapsed
  • .ms-tileview-tile-descriptionMedium

 

Using these styling properties we can manipulate most any aspect of the Promoted Links tiles. An example of how we may make the links behave in particular ways – we will shrink the tiles, shrink the images, shrink the mouse hover overlay, change the font and font sizes, and change the hover color from grey to a blue.

The CSS code for this is below:

 

     <style type="text/css">
          .ms-promlink-body {
               height:100px;
               width:100%;
          }

          .ms-promlink-header {
               visibility:hidden;
          }

          .ms-tileview-tile-root {
               height:110px !important;
               width:110px !important;
          }

          .ms-tileview-tile-content, .ms-tileview-tile-detailsBox, .ms-tileview-tile-content > a > div > span {
               height:100px !important;
               width:100px !important;
          }

          .ms-tileview-tile-content > a > div > img {
               max-width:100%;
               width:100% !important;
          }

          .ms-tileview-tile-content img {width: 100px; height: 100px;}

          ul.ms-tileview-tile-detailsListMedium {
               height:100px;
               padding:0;
          }

          li.ms-tileview-tile-descriptionMedium {
               font-size:11px;
               line-height:16px;
          }

          .ms-tileview-tile-titleTextMediumExpanded, .ms-tileview-tile-titleTextLargeCollapsed, .ms-tileview-tile-titleTextLargeExpanded {
               padding:3px;
          }

          .ms-tileview-tile-titleTextMediumCollapsed {
               background:none repeat scroll 0 0 #002E4F;
               font-size:12px;
               line-height:16px;
               min-height:36px;
               min-width:97px;
               padding-left:3px;
               position:absolute;
               top:-36px;
          }

          li.ms-tileview-tile-descriptionMedium {
               font-size:11px;
               line-height:14px;
               padding:3px;
          }
     </style>

 

This is only one example of what you may do with these style properties. Play with it and make it your own.

Remember to check out the SharePoint Power Hour video to see this in action.

Keep sharing!

 

Kevin

 

October 19
New Racker Here

Hello. My name is Kevin…and I am a Racker. I've been a Racker for 14 days. (mass voices respond, "Hello, Kevin")

Isn't that how these meetings start?

Yet again I have moved on to another company in hopes of furthering my career goals.

On my last day at Valorem Consulting I reflected on the company and why I was leaving. I had been there for 4 1/2 years and had seen the company grow from 3 Full-time employees to over 75 in that time. The company is growing well and doing great business. It is just growing in directions which are not comfortable for me. It has nothing to do with the size, nor does it have anything to do with the individuals with whom I worked. It isn't even about my clients, for whom I have great respect and desire to see them succeed. It just feels like I need to go elsewhere.

And the grass looks greener at a company called Rackspace, based in San Antonio, TX.

I accepted an offer from them a few weeks ago and started on October 6th. I will work from my home office here in Overland Park, KS. It is better in all the usual areas of compensation, insurance and other benefits. In that, they are not unique among many potential employers that come my way every day. What set them apart was a feeling that what I will be doing matters to someone besides me. Instead of a feeling that what I do in IT and the platform in which I specialize is a necessary burden, I was greeted with smiling faces and a potential to feel appreciated.

The company flew me to their headquarters, called The Castle, in San Antonio, TX. I spent my first week in the best new employee onboarding experience of any company for which I have worked. It was engaging, interactive, and full of what my new manager referred to as "Kool-Aid". I spent most of last week at the Castle getting to know some of the Cloud Services and SharePoint hosting teams. It was fun. I joined 6000+ Rackers (the term used by employees and executives to refer to every Rackspace employee) of which 3500-ish are at the Castle. It is hard to describe the Castle.

The entrance looks very much like any other large company that just happens to reside in a 1.2 million sq. ft. renovated shopping mall. There is reception, security, and all the other trappings. That is where the completely respectable look ends.

Pass through security and enter into a world combining professionalism with an insane asylum. Or maybe Bohemian Wall Street is better. Or maybe think early Bill Gates, Steve Wozniak, and Steve Jobs – but put their creativity and utter geekdom into Delta House.

When my first official offer letter arrived, it was titled "Welcome Home". And except for not having my family and friends with me, it was kinda like that at the Castle. You find conference rooms with a GPS-enabled smartphone App by looking for Cheerios, The Shire, The Bookstore, the Tardis, and just about any other aspect of geekdom you can think of to name a conference room. People are encouraged to express themselves in their workspace through flags, decorations, knick-knacks, etc. There are video games, ping pong, and a 10,000 sq.ft. fitness center. Work hard. Play hard. It can work. But the biggest thing was that the people were helpful, friendly, encouraging, welcoming and seemed to genuinely want to be there – ALL OF THEM!

I kept wondering when the proverbial other shoe was going to drop, and even asked that of some people. Their replies, "Well, I've been here (insert 1-15 years) and it hasn't fallen yet." KOOKY!!!!

Since I was in San Antonio over a weekend, I got to play tourist and see the Alamo, visited the Hard Rock, Cowboy's Harley Davidson and a few other cool places along the Riverwalk. I think I gained weight since the hotel didn't have a way for me to cook, so everything was restaurants or fast food. But, it was all still a good time.

I am glad that I stayed extra time in San Antonio to get to know some coworkers and get to ask questions of people without having to schedule meetings. I got to experience a bit of the Rackspace culture - which ROCKS btw- and maybe even made a few new friends (which would be kinda strange for me).

But...10 days away from everyone else I know, especially my darling wife Trudy, is a bit too much. I missed her and I missed home. I missed my friends, my brother masons, and familiar surroundings. Mostly it was the people. Weird, huh!!??

I'd love to visit The Castle (Rackspace HQ) again. San Antonio is a nice city just like any other large city. But, maybe for only a few days at a time. Or spend the extra and take Trudy with me. That could make ALL the difference.

For now, I am home and ready to get to work.

Maybe it's because the Kool-Aid is fresh. But things seem pretty darn ok. RACKER TO THE CORE!

Stay tuned as I have a LOT of blogging to catch up on.

Keep sharing…

Kevin

August 15
SharePoint 2013 Promoted Links in Vertical

As a followup to my earlier blog on Display Promoted Links on Multiple Rows, I wanted to let you in on a couple other tidbits about the Promoted Links CSS. The basic styles in that post will take effect for all the Promoted Links web parts on a page. If you put it in a style sheet, then it will make that happen for the entire site.

But, what if you wanted to make sure they display vertically? Say in a right-hand column...maybe for important links or advertisements? Microsoft never gave us that option...but maybe they will...someday. Or maybe they knew we could style it and just never announced it.

In any case, if you constrain the width to 170px instead of the 100% from the earlier post, then you will get vertical columns.

     <style type="text/css">
           .ms-promlink-body {width:170px}
           .ms-promlink-header {visibility:hidden}
     </style>

Or what if you wanted to place two Promoted Links web parts on the same page and display one horizontally and one vertically? Well, we're going to help you out. Still using our same CSS we just add the web part's ID, as indicated by the #.

     <style type="text/css">
          #msozonecell_webpartwpq6 .ms-promlink-body {width: 170px }
          #msozonecell_webpartwpq6 .ms-promlink-header {visibility:hidden}
     </style>

So...now Promoted Links web parts are even more useful.

Have fun!

August 11
Display Promoted Links on Multiple Rows

I have seen many people struggle with using the Promoted Links list in SharePoint 2013. This is a great way to add a small bit of pizazz to an otherwise boring list of links and it is Out-of-the-Box.

But, if you put too many links into the list, the tiles will still only display on a single row. This will cause horizontal scroll buttons to appear between your tiles and the web part chrome. And while this does allow for a variety of screen sizes (you just see fewer tiles without scrolling left/right) it no longer looks as "cool" as you might expect. If you're looking for more of a "responsive design" feel then you might be tempted to create extra metadata columns in your Promoted Links list to be able to categorize and create multiple filtered Tile views. While this can be a workaround, it is clunky and still doesn't look "cool".

I have seen a single jQuery solution from Creative SharePoint (http://blog.creative-sharepoint.com/2013/09/displaying-promoted-links-on-multiple-lines/). It seems to frighten some even though it works well enough, but you do have to edit the script if you want to change how many tiles display in a single row before the break. So I get it. I have also found that the script only works reliably, all the time, for all users, when it is uploaded to the ~sitecollection/_catalogs/masterpage/Display Templates/ folder. If this is the case in your environment and you have permissions to place a file there, go for it.

If, however, you aren't comfy with jQuery, want a true responsive design look & feel or just want a solution you can use even if all you have permissions for is editing a single page…then consider handling this with custom styling. I've recently been trying to dig deep into this area of SharePoint and found a solution that works every time for every user.

Basically we use CSS to set the width property of the Promoted Links web parts to 100%. This will expand the web part to take up all the horizontal space it is allowed in its location (page, rich text field, web part zone, etc.). Then when it has placed as many tiles as it can in this space it will automatically start a new row. If you have enough tiles, you may have 3, 4 or more rows this way, depending on your screen resolution and window sizing. Unfortunately, doing only this will still get us the horizontal scroll buttons. And you'll have some unexpected behavior in this situation.

So, we set another property to hide the promoted links header and the scroll buttons go away.

If you already have a custom style sheet you are calling in your site, then place the following in that custom .css file.

.ms-promlink-body {width:100%}
.ms-promlink-header {visibility:hidden}

Or, if you like, or only want this behavior on a single page, add a Script Editor Web Part to the page and put the following in the source.

<style type="text/css">
.ms-promlink-body {width:100%}
.ms-promlink-header {visibility:hidden}
</style>

Now you have a nice clean look that is truly responsive to screen/window sizing.

Have fun. Keep Sharing.

Kevin

December 16
Kerberos Tokens

It seems that more and more my clients are coming up against issues that keep them from implementing pass-through authentication via Kerberos protocols. Most often it seems the issue is in regards to authentication tokens that are too large - stemming from an Active Directory that is out of control.

This article is to summarize information from a variety of sources and my own experience to try to assist in keeping Large Token Size something that can be mitigated in your own environment.

Kerberos Primer

The Kerberos protocol is a secure protocol that supports ticketing authentication. A Kerberos authentication server grants a ticket in response to a client computer authentication request, if the request contains valid user credentials and a valid Service Principal Name (SPN). The client computer then uses the ticket to access network resources. To enable Kerberos authentication, the client and server computers must have a trusted connection to the domain Key Distribution Center (KDC). The KDC distributes shared secret keys to enable encryption. The client and server computers must also be able to access Active Directory directory services. For Active Directory, the forest root domain is the center of Kerberos authentication referrals.
 
Kerberos allows a client’s identity to be impersonated by a service to allow the impersonating service to “pass” that identity to other network services on the client’s behalf. NTLM does not allow this delegation.

Kerberos enabled services can delegate identity multiple times across multiple services and multiple hops. As an identity travels from service to service, the delegation method can change from Basic to Constrained but not in reverse. This is an important design detail to understand: if a backend service requires basic delegation (for instance to delegate across a domain boundary), all services in front of the backend service must use basic delegation. If any front end service uses constrained delegation, the back service cannot change the constrained token into an unconstrained token to cross domain boundary.

Protocol transition allows a Kerberos enabled authenticating service (front end service) to convert a non-Kerberos identity into a Kerberos identity that can be delegated to other Kerberos enabled services (back end service). Protocol transition requires Kerberos constrained delegation and therefore protocol transitioned identities cannot cross domain boundaries.

Constrained Delegation is required for services which leverage the Claims to Windows Token Service. Constrained delegation is required to allow protocol transition to convert claims to windows tokens.

 

Users may be members of many Active Directory groups, which can increase the size of their Kerberos tickets. If the tickets grow too large, Kerberos authentication can fail. It was reported that some Active Directory users were members of 1400+ Active Directory groups.

The user cannot authenticate because the Kerberos token that is generated during authentication attempts has a fixed maximum size. Transports such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication.
 
Kerberos uses the Privilege Attribute Certificate (PAC) field of the Kerberos packet to transport Active Directory Group membership. If there are many group memberships for the user, and if there are many claims for the user or the device that is being used, these fields can occupy lots of space in the packet. If a user is a member of more than 120 groups, the buffer that is determined by the MaxTokenSize value is not large enough. Therefore, users cannot authenticate, and they may receive an "out of memory" error message.
 
The behavior caused is that a user may be prompted for credentials repeatedly when attempting to access data external to SharePoint. Instead of an actual prompt, the user’s credentials may be presented multiple times via the Kerberos protocol and still may fail authentication. In many cases, Windows NTLM authentication works as expected.
 
This problem can occur even though the credentials you provide are valid and can be utilized to obtain access to the same computer through direct access. However, the Wininet.dll file may not allocate a sufficient buffer for containing the user's Kerberos token.
 
Token Size Calculation

MaxTokenSize value:

     TokenSize = 1200 + 40d + 8s

This formula uses the following values:

  • d: The number of domain local groups a user is a member of plus the number of universal groups outside the user's account domain that the user is a member of plus the number of groups represented in security ID (SID) history.
  • s: The number of security global groups that a user is a member of plus the number of universal groups in a user's account domain that the user is a member of.
  • 1200: The estimated value for ticket overhead. This value can vary, depending on factors such as DNS domain name length, client name, and other factors.
 
 
It was noted that the MaxTokenSize registry entry for each of the SharePoint farm servers had been increased to 65535.
 
Known issues for token size

  1. The Local Security Authority (LSA) service generates the user Access Token from this SID buffer. The hard-coded limit of customer definable SIDs for this token is 1,015. If you use "trusted for delegation" accounts (which is the case when SharePoint is using pass-through authentication via the Kerberos protocol), the buffer requirement for each SID may be doubled. In these scenarios, you can only store approximately 800 Domain Local Group SIDs when a MaxTokenSize value of 64K is used.
  2. Internet Information Server (IIS) uses a reduced request buffer size of 64 KB to mitigate a denial-of-service attack vector. However, a Kerberos ticket in an HTTP request is encoded as Base64 (six bits expanded to eight bits), so the encoded ticket uses 133 percent of its original size. Therefore, when the maximum buffer size is 64 KB in IIS, 48 KB of a Kerberos ticket can be used.
 
If you set the MaxTokenSize registry entry to a value that is larger than 48000, and the buffer space is used for SIDs, an IIS error may occur. However, if you set the MaxTokenSize registry entry to 48000, a Kerberos error may occur.
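The calculation and the limits above can be combined into a single check per user. This is an added example, not taken from the sources summarized in this article; the group record property names (Scope, Domain, FromSidHistory), the sample membership counts, and applying the delegation doubling to the per-SID terms only are assumptions.

```powershell
# Added example: estimate a user's Kerberos token size with the article's formula
#   TokenSize = 1200 + 40d + 8s
# and compare it with the limits the article lists. Group records and their
# property names are constructed for illustration.
function Get-KerberosTokenEstimate {
    param(
        [Parameter(Mandatory = $true)] [string]   $AccountDomain,
        [Parameter(Mandatory = $true)] [object[]] $Groups,
        [int]    $MaxTokenSize     = 65535,   # registry value found on the farm servers
        [int]    $IisRequestBuffer = 64KB,    # IIS request buffer size from the article
        [int]    $SidLimit         = 1015,    # LSA limit on customer-definable SIDs
        [switch] $TrustedForDelegation
    )

    $d = 0   # domain local + universal outside the account domain + SID history
    $s = 0   # global + universal inside the account domain
    foreach ($g in $Groups) {
        $sameDomain = ($g.Domain -eq $AccountDomain)
        if     ($g.FromSidHistory)                             { $d++ }
        elseif ($g.Scope -eq 'DomainLocal')                    { $d++ }
        elseif ($g.Scope -eq 'Universal' -and -not $sameDomain) { $d++ }
        elseif ($g.Scope -eq 'Global' -or $g.Scope -eq 'Universal') { $s++ }
        else   { throw "Unknown group scope '$($g.Scope)' on '$($g.Name)'" }
    }

    # Assumption: for "trusted for delegation" accounts the per-SID buffer is
    # doubled, so the factor is applied to the 40d and 8s terms.
    $factor = 1
    if ($TrustedForDelegation) { $factor = 2 }
    $estimate = 1200 + $factor * (40 * $d + 8 * $s)

    # Base64 expands 6 bits to 8, so only 3/4 of the IIS buffer carries ticket bytes.
    $iisUsable = [int][math]::Floor($IisRequestBuffer * 3 / 4)

    [pscustomobject]@{
        DGroups             = $d
        SGroups             = $s
        SidCount            = $d + $s
        EstimatedBytes      = $estimate
        IisUsableBytes      = $iisUsable
        ExceedsMaxTokenSize = ($estimate -gt $MaxTokenSize)
        ExceedsIisBuffer    = ($estimate -gt $iisUsable)
        ExceedsSidLimit     = (($d + $s) -gt $SidLimit)
    }
}

# Helper that builds constructed sample memberships (not real directory data).
function New-SampleGroups {
    param([int] $Count, [string] $Scope, [string] $Domain, [bool] $FromSidHistory = $false)
    for ($i = 1; $i -le $Count; $i++) {
        [pscustomobject]@{
            Name = "$Domain-$Scope-$i"; Scope = $Scope
            Domain = $Domain; FromSidHistory = $FromSidHistory
        }
    }
}

# Constructed user in the hypothetical CORP domain with memberships in PARTNER.
$groups  = @(New-SampleGroups -Count 420 -Scope 'DomainLocal' -Domain 'CORP')
$groups += @(New-SampleGroups -Count 600 -Scope 'Global'      -Domain 'CORP')
$groups += @(New-SampleGroups -Count 30  -Scope 'Universal'   -Domain 'PARTNER')
$groups += @(New-SampleGroups -Count 12  -Scope 'Global'      -Domain 'PARTNER' -FromSidHistory $true)

Get-KerberosTokenEstimate -AccountDomain 'CORP' -Groups $groups
Get-KerberosTokenEstimate -AccountDomain 'CORP' -Groups $groups -TrustedForDelegation
```

Feeding the function real memberships exported from Active Directory shows which accounts need group cleanup before Kerberos pass-through is enabled for them.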

November 09
Gearing up for SPC12

The Microsoft SharePoint Conference 2012 is beginning in just a couple of days. I am attending and am looking forward to the break from work. However, I don't feel a part of the SP Community as I did for SPC09. Since taking this consulting job, I've had little time for user groups, SharePoint Saturdays or other conferences. I don't have Twitter access from most client sites, so can't keep up on the daily topics. And while I used to blog about all sorts of SharePoint issues, I find that what I want to blog about now is part of company intellectual property so always am walking a thin line when I do post a new blog.

There will be some familiar faces – familiar to me anyway – at SPC12. And perhaps some will even be friendly. This conference is supposed to be huge, so I don't envision having a lot of "face" time with individuals.

I've filled my daily schedule with educational sessions and left little time for running around the Exhibitor floor. I have volunteered to spend some time in the Community Hub and maybe that will be fun. I imagine the evenings will be filled to overflowing with people trying to make connections and push the envelope of propriety just because they are in Las Vegas and feel they can get a bit wild. The Bon Jovi concert should be fun…at least the music should be good.

For all the organized fun, the training, and the throngs of people – it will likely be a time of finding out just how much the community has moved on without me over the past three years. Not that even my ego would be big enough to think that I was essential, but perhaps at least a welcome part.

So, I journey this weekend to Las Vegas with mixed feelings. Maybe by the end of the week there will be more good memories than blah or bad.

See you in Vegas!

February 22
Send Calendar Event Email to Outlook Calendar

I have had many instances where users wanted to be able to not only see a SharePoint calendar in MS Outlook, but also wanted the ability to add an event in a SharePoint calendar to their own personal calendar.

I'll leave the interface for making this happen up to you, but here is the description of the mechanics of a workflow that will achieve this - either making it automatic or a choice.
 
In a workflow, you can automatically send an email to the user, and then within the email, there can be a link that will add the item to their own personal calendar.

How to obtain this link? Well, open up any calendar item, and right-click on "Export event", and copy that URL so that you can use it. Then, you dissect the URL...
 
 
See where it says ID=8 in there? Well, 8 is the list item's ID number. So, in the URL within your email, just replace that number with the lookup or variable that represents that ID field. You can pretty it up by adding HTML href encoding if you wish.
 
Then, when users receive the email, they can simply click that link to be prompted to add the item to their calendars.

 

It's that easy.

November 04
How Security Affects What You Can See in SharePoint

SharePoint security can often be the subject of many a long day of planning, implementing and/or troubleshooting. And as more companies become security-conscious, having the right security in your SharePoint sites is essential to ensuring a smoothly running collaborative environment.

This is the first installment of a series on SharePoint security. It is written for the end-user and the site administrator alike. In future installments we will explore the topics of permissions levels, SharePoint groups vs. Active Directory groups, and permissions inheritance.

Anyone who has navigated around Microsoft SharePoint sites will have noticed that they have different options available to them on different sites, or even in different locations within the same site. Perhaps even the Help feature was not enough, as the instructions referred to menu options that you just could not see. This is not an attempt to frustrate.

SharePoint only shows you the sites, site content, and menu options to which you have been granted permissions to see or successfully use. This is referred to as a security trimmed user interface (UI).

SharePoint security can be assigned to allow actions through an entire site, or fine-tuned to have different permissions on each list or library in the site or even each document in a library. Your permissions can differ between sites and can differ between the content on the same site, such as: lists, libraries, items in lists, and files in libraries. As such, menu options you have on one site, library or item may not be available in a different location.

Following are a couple of examples to help show how a security trimmed UI affects users with different permissions for a SharePoint site and its content. The examples assume the default installation of a SharePoint site and its content; your site may have different menu options.

Site Actions Menu

You may or may not have seen the Site Actions button in the upper corner of a SharePoint site. The Site Actions menu contains options that potentially affect the entire site by adding additional content or changing site settings. Here are two examples of what options are displayed when the Site Actions menu button is clicked. The menu options vary depending on the features active within the SharePoint site and the permissions of the user that selects the menu. Assuming a typical site with typical default features active, we have the following example.

 

Site Owner Menu

Figure 1 - Site Owner

Site Member Menu

Figure 2 - Site Member

When William, the site administrator for Sales, clicks the Site Actions menu on the Sales site, the options available to him are represented in Figure 1 – Site Owner. William has permissions to perform all of these options.

William is a member of the default Site Owners group for the Sales site. The Site Owners group has the Full Control permission level for the site. This is a common permission level for a person who manages a SharePoint site. Users with the Full Control permission level can do almost anything they want to a site and its content.

When Elizabeth, a member of the Sales team, clicks the Site Actions menu on the Sales site, the options available to her are represented in Figure 2 – Site Member. Elizabeth has permissions to perform all of these options.

Any options in the Site Actions menu that would allow editing the site settings or structure are not available to Elizabeth as they were to William. Elizabeth has the Contribute permission level, which isn't sufficient to perform actions such as creating sites or document libraries, changing site settings or editing with SharePoint Designer, so the menu options are not displayed for her.

Elizabeth is a member of the default Site Members group for the Sales site. The Site Members group has the Contribute permission level for the site. This is a common permission level for people who add, edit, and delete content on a SharePoint site. They have no permissions to change the overall layout of the site, site settings or site security.

When Louis, an accountant in the company, visits the Sales site, the Site Actions menu is not displayed for him.

Louis is a member of the default Site Visitors group for the Sales site. The Site Visitors group has the Read permission level for the site. This is a common permission level for people who need to read content on a site but not make any changes to it. The Read permission level isn't sufficient to perform actions that change the entire site, so the Site Actions menu is not displayed for him.

Library Ribbon

William, from the preceding example, goes to the Shared Documents library of the Sales site. Here are the Document options available to him in the ribbon menu. William has permissions to perform all of the options listed in the menus. Note that you may not see identical menu options; they also depend on the features of your SharePoint environment.

Figure 3 – Site Owner Documents Menu

And if William selects the Library menu, he will have the following Ribbon menu available to him.

Figure 4 - Site Owner Library Menu

Elizabeth goes to the same library as William. Elizabeth has the Contribute permission level. With this permission, Elizabeth has almost all the same abilities for documents in a library as a site owner, as can be seen in Figure 5.

Figure 5 - Site Member Documents Menu

However, since the Contribute permission level has no rights to change any of the Document Library settings, any options on the Library ribbon menu that would allow such editing are not available. Elizabeth's Library options are limited to those which pertain to different ways to view the library, but not making any changes to it.

Figure 6 - Member Library Menu

Louis goes to the same library as William. As a site visitor, Louis has the Read permission level, which does not allow him to add or edit documents in the library, so few Ribbon menu options are available to him. These basically allow Louis to open the document, view its properties or download a copy of the document. No options that allow any changes or creation of new content are available.

Figure 7 - Visitor Document Menu

Finally, when Louis chooses the Library ribbon menu, his options as a visitor with Read permissions are even more limited than Elizabeth's.

Figure 8 - Visitor Library Menu

Any ability to view the library in a different manner mostly relies on doing so in external applications. Louis cannot even create a customized personal view of the Library.

As before, the options which actually display on your ribbon menus may differ due to different features being active in your site(s).

In this article, we have explored the reasons behind differences in menus and options based on the permissions assigned to different users of a SharePoint site. In future articles in this series we will delve deeper into SharePoint security with topics aimed more at site administrators, in hopes of demystifying security and helping them create their own security-trimmed collaborative environment.
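A site administrator can confirm why a menu option is missing for someone by reading that user's effective permissions, which are what the interface is trimmed against. The following PowerShell is an added example, not from the original article; the site URL and the three logins are placeholders, and it assumes the SharePoint 2013 Management Shell on a farm server.

```powershell
# Added example: compare effective permissions of the three users from the article
# at the site and at the Shared Documents library.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = 'http://intranet.example.com/sites/sales'   # placeholder URL
$library = 'Shared Documents'
# Placeholder logins; claims-mode web applications store Windows logins with the i:0#.w| prefix.
$users = [ordered]@{
    'William (Site Owners)'    = 'i:0#.w|example\william'
    'Elizabeth (Site Members)' = 'i:0#.w|example\elizabeth'
    'Louis (Site Visitors)'    = 'i:0#.w|example\louis'
}
# Base permissions behind site settings, library settings and item-level actions.
$checks = 'ManageWeb', 'ManageLists', 'AddListItems', 'EditListItems', 'ViewListItems'

$web = Get-SPWeb $siteUrl
try {
    $list = $web.Lists[$library]
    $scopes = @{ Name = 'Site'; Object = $web }, @{ Name = 'Library'; Object = $list }
    $report = foreach ($name in $users.Keys) {
        foreach ($scope in $scopes) {
            # Effective permissions combine direct grants and every group the user belongs to.
            $effective = $scope.Object.GetUserEffectivePermissions($users[$name])
            $row = [ordered]@{ User = $name; Scope = $scope.Name }
            foreach ($flag in $checks) {
                $bit = [Microsoft.SharePoint.SPBasePermissions]$flag
                $row[$flag] = $effective.HasFlag($bit)
            }
            [pscustomobject]$row
        }
    }
}
finally {
    $web.Dispose()   # release the SPWeb object when done
}

$report | Format-Table -AutoSize
```

With the default permission level definitions, a user who holds only Contribute returns false for ManageWeb and ManageLists and true for the three item permissions, which is why the site and library settings options are trimmed from that user's menus.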
