Developer Apprentice Program in .NET

 

MAX Technical Training is doing something quite interesting!  Again!

 

"Interested in becoming a Developer or know someone who is?"

"Whether you are an employer looking hire a .NET programmer or a Job Seeker looking to build a new career - this is the program to meet both your needs."

"This intense 9 week "boot camp" immerses you in 42 intense full-days of training. To be accepted, you must pass two aptitude tests and a screening interview with the program director." 

"This will be MAX's fourth program. All of our past apprentices who have completed the program are successfully employed in developer related positions with Great American Insurance, Paycor, Western and Southern, or Assurex."

 

IMPORTANT DATES:

September 17: If you are currently unemployed and live in Hamilton County please attend our Recruitment Fair on September 17 at 9 am.

September 24: For Butler, Warren and Clermont County unemployed residents, please attend our Recruitment Fair on September 24 at 9 am.

For more information: http://www.maxtrain.com/DynamicPage.aspx?DynamicContentID=166

Office 365 / SharePoint–a Moving Target–the target is still moving and moving!

 

More changes in Office 365 / SharePoint Online… (I guess this is an ongoing topic for my blog…)

Previous: 3/29/14,  9/1/14 

In this update…

• The Tasks rollup found in Welcome, About me, Tasks is going away.
• The Task list Sync to Outlook button is going away!
• New feature: Delve! (formally Oslo, built on Office Graph)

 

The Tasks rollup found in Welcome, About me, Tasks is going away.

According to this Microsoft support article "The Tasks menu option will be removed from SharePoint Online during the next few weeks." The article is dated September 6, 2014 and must also be a "moving target" as it is already in Revision 7.0!

The Tasks page is still in my subscription.

The Task list Sync to Outlook button is going away!

The same support article listed above has a note towards the bottom that says: "Additionally, the Sync to Outlook button will be removed at a later date."

The Sync to Outlook is still in my subscription.

 

New feature! Delve (formally Oslo, built on Office Graph)

To see this on is Office 365 you will first need to enable the "First Release" option. Click here for info.

As there's a lot on the web already, I'll just give you a few links to get started…

• Introducing Delve (codename Oslo) and the Office Graph
  http://blogs.office.com/2014/03/11/introducing-codename-oslo-and-the-office-graph/
• Work like a network! Enterprise social and the future of work
  http://blogs.office.com/2014/03/03/work-like-a-network-enterprise-social-and-the-future-of-work/
• Channel 9: Introducing Codename "Oslo" and the Office Graph
  http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/OFC-B240
• Office Delve: search and discovery
  http://office.microsoft.com/en-us/business/what-is-office-delve-FX104369201.aspx
• Office Delve for Office 365 admins
  https://support.office.com/Article/Delve-for-Office-365-admins-54f87a42-15a4-44b4-9df0-d36287d9531b
• And do a general search to see what else is out there!
  http://www.bing.com/search?q=%22Office%20Delve%22

 

Ready, Shoot, Aim!

.

When is Full Control not Full Control

 

This article has three possible titles:

• All Full Control Users are not able to see the Access Requests Link and Page
• When is Full Control not Full Control?
• All About Associated Groups!

 

The problem: You have a user who has Full Control, but who is not a member of the Site Owners group.

Shouldn't they be able to do anything a member of the Owners group can do? Turns out they cannot see the "Access Requests" link in Site Permissions page.

Members of the Site Owners group see:

While the Full Control only user sees:

(Just typing "Full Control only user" is weird!  "Only" has Full Control?)

 

So who can see the Access Requests Link?

Two groups of people:

• Site Collection Administrators
• Members of the site's associated Owners Group

Notice that "users with Full Control" is not in that list, and that the word "associated" is in there.

 

Three Magic Groups

You can create many "owners" groups and give them all Full Control and they still won't be able to see the Access Requests link. The magic owners group must be "associated" to a special property. The SharePoint web site (the SPWeb object) has three properties that identify the three default special groups: AssociatedMemberGroup, AssociatedOwnerGroup and AssociatedVisitorGroup. The group associated with the AssociatedOwnerGroup gets the "magic sauce" to let its users see the Access Requests link!

SharePoint 2007 had a nice option in the People and Groups page to set the associated groups:

To set the associated groups in SharePoint 2010, 2013 and Office 365 you will have to visit the page that's normally displayed when you create a new subsite with unique permissions; http://yourserver/sites/yoursite/_layouts/permsetup.aspx. This page has the title of "Set Up Groups for this Site". Here you can select from existing groups or create new groups and associate them to the three "magic groups".

An interesting side effect of the above page it when you add an owners group that does not have Full Control this page gives the group Full Control.

 

How to set the associated groups using PowerShell:

$web = Get-SPWeb "http://buckeyespug.maxsp2013.com";
$groups = $web.SiteGroups;
$group = $groups.GetByName("The New Owners Group");
$web.AssociatedOwnerGroup = $group;
$web.Update();

 

A C# version:

SPSite site = new SPSite("http://buckeyespug.maxsp2013.com");
SPWeb web = site.RootWeb;
SPGroupCollection groups = web.SiteGroups;
SPGroup group = groups.GetByName("The New Owners Group");
web.AssociatedOwnerGroup = group;
web.Update();

 

And for non-Developers

Visit the http://yourserver/sites/yoursite/_layouts/permsetup.aspx page!

 

Another way?

According to this article you can also directly grant permissions to the Access Requests lists. (The list won't exist until you have your first access request created.)

http://rwcchen.blogspot.com/2013/10/sharepoint-2013-update-access-requests.html

 

Auto-create the default groups

If you want to create the three default groups automatically call the SPWeb.CreateDefaultAssociatedGroups method, or if you are not a developer just visit the http://yourserver/sites/yoursite/_layouts/permsetup.aspx page.

.

Office 365 / SharePoint–a Moving Target–the target is still moving!

 

More changes in Office 365 / SharePoint Online…

The Welcome menu has changed again

In SharePoint 2007 the menu for user options was called the Welcome menu and displayed the word "Welcome" follow by the user's name. In SharePoint 2010 word "Welcome" disappeared and only the user's name was displayed. (The help desk would ask the user to "click on your name".) SharePoint 2013 was the same as 2010, until recently. Now there is a picture of the user, or just a generic icon. ("Will the help desk now have to say "click your face"?)

To make room for the "face" they had to double the height of the Suite Bar. Hope this did not mess up your branding…

Also note the addition of Tasks. This does not take you to your SharePoint task list, it takes you to Outlook. While you are here, note the behavior of the Suite Bar when then browser is resized. Menu items disappear and are now available from the "…" menu:

 

No Tags and Notes for You

SharePoint Online will not support the Tags and Notes social tagging features after November 1st. Recommended replacement??? Yammer!  (I have no idea how to tag a document in a SharePoint library from within Yammer…)

You can download your existing tags and notes into a CSV file, but I have no idea what you can do with them!

The following is from this support article: https://support.office.com/Article/77851bd5-6d5e-42fe-9bf6-d7c17eeb771f

Item	Description of change
Tags & Notes button on ribbon	Still visible but disabled.
Note Board and Tag Cloud web parts in the web part gallery	Still visible and enabled. The web parts will show up as blank when added to a page.
Note Board and Tag Cloud web parts embedded in a page	Page will display a blank space in the area previously occupied by the web parts. Edit the page to remove the web parts.
Social tags	Social tags will no longer appear in the tags refiner. The refiner will still display hashtags.
Tags and notes listed on personal sites	The area that previously listed tags and notes will be blank.

 

Office On Demand no more…

Many users never found Office on Demand. It is a link on the user's OneDrive site that does a just in time install of an Office product and runs it as an ActiveX control. This was a handy way of using Office 2013 on a PC with an older version of Office without impacting the old install. Office on Demand can no longer be demanded ( ) after November 1st.

More info and options here: http://community.office365.com/en-us/f/172/t/259931.aspx

 

 

Ready, Shoot, Aim!

 

.

SharePoint Governance Training

 

MA-1040 - SharePoint Governance, Planning and Oversight

Next SharePoint Governance class: 9/4/2014
You can attend locally in Cincinnati or remotely from anywhere.

I've never delivered this training twice the same way… SharePoint changes (especially SharePoint online), I learn more everyday from from students and clients, available tools change, nothing stands still, This next class is no different. New handout, new labs, more content on cloud topics and lots of details. You will leave this class with an outline of your governance plan, and 1,000 new questions! Call it homework!

 

Why focus on SharePoint governance?

SharePoint will spread as a virus! It's too easy to use. Like Lotus 1-2-3, and later Excel, it will quickly spread beyond the limited set of users you first envisioned for the product. SharePoint attracts "stuff", kind of like a closet. Important stuff, junk stuff and stuff with a legal risk. Content will appear to grow on its own. Due to misuse and lack of training SharePoint will too often be like "a new coat of paint on an old car"… your old networks shares back to haunt you.

Governance is not just about SharePoint, SharePoint is just a tool to store and manage content. You have stored enterprise content on network shares, local disk drives, in emails and on paper for years. SharePoint attracts governance attention due to its simplicity, its complexity, rapid spread throughout the organization, and of course… stuff.

 

About governance plans

A governance plan should be created before you roll out SharePoint, but probably will be created after you have already done it the wrong way. Governance is a broad topic potentially touching every aspect of the organization. Governance is not just “the plan”.

• You can’t buy one
• You can’t have a consultant write one
• You can’t do it by yourself   (can you be the one person governance team!)

 

What should be governed?

SharePoint governance is more than rules for the server administrators. Governance is about people, content, and SharePoint.

• Information architecture and taxonomy - how is content categorized and later found
• Content guidelines - what should be stored
• Retention policies
• Physical infrastructure - who owns the servers, who has access to the servers, where are the servers, what is the service level expected?
• Customization policy - what should be customized, who should be responsible for the cost of customization and the cost of supporting customized sites
• Cloud based SharePoint? (Office 365, etc.) The issues are unique. 
• Security, security and security!
• Training? Required, optional, and for which users?

 

What you will get with no plan, and no enforcement

• Servers and installations everywhere with various levels of backup, services packs and legal licenses
• Dozens or hundreds of Office 365 subscriptions
• Lack of security
• Site and subsite structures with no plan
• Inappropriate content, often with legal issues
• Content duplicated everywhere, in multiple SharePoint sites and network shares
• Garbage in, garbage out (users moving entire network shares into SharePoint)
• A never ending growth in server storage requirements and hardware
• System downtime and slow performance
• Wasted employee time - searching for documents
• Wasted employee time - "decorating" / branding sites that should have simple business purposes
• Wasted employee time - reinventing the wheel (and new paint on the old car)
• Legal issues due to content being deleted that must be retained
• Legal issues due to content being kept that should have been deleted
• Add your own here ______________________________________

 

Remember…

• It’s your plan
• It’s your issues
• It’s not just any sample plan
• Ask questions…
• Get answers…
• Fill in the blanks!

 

See you in class!

Mike

.

Big change in SharePoint Certification Options

 

New Certification Path for SharePoint 2013 Administrators

In the past to get the SharePoint 2013 admin certification you had to be Windows Server 2012 certified (a big step). Now the two exams associated with course 20346 (70-346 and 70-347) can be used in place of the Server 2012 certs.

For comparison:

• The Server 2012 certification, MCSA: Windows Server 2012 - Solutions Associate, requires three exams: 70-410, 70-411 and 70-412.
• The Office 365 certification, MCSA: Office 365 - Solutions Associate, only requires two exams:
• Exam 70-346 - Managing Office 365 Identities and Requirements
• Exam 70-347 - Enabling Office 365 Services

Certifications:

Passing 70-346 and 70-347 will get you the "MCSA: Office 365 - Solutions Associate" certification. Those two exams plus the SharePoint admin exams, 70-331 and 70-332, will now get you the "MCSE: SharePoint - Solutions Expert" certification.

Classes?

The Server 2012 classes total three weeks while the 70-346 class is only one week. Unless you already have strong DNS, AD and Exchange skills, you will need extra study on those topics.

Which path?

If you are supporting SharePoint 2013 on-premise then you probably would follow the Windows Server 2012 path. If you are moving to the cloud with Office 365, then follow the Office 365 / MCSA: Office 365 - Solutions Associate path.

Links:

• MCSA Office 365: Now an optional path to three MCSE tracks
  http://borntolearn.mslearn.net/btl/b/weblog/archive/2014/08/14/mcsa-office-365-now-an-optional-path-to-three-mcse-tracks.aspx
• MCSE: SharePoint - Solutions Expert:
  https://www.microsoft.com/learning/en-us/mcse-sharepoint-certification.aspx
• MCSA: Windows Server 2012 - Solutions Associate
  https://www.microsoft.com/learning/en-us/mcsa-windows-server-certification.aspx
• MCSA: Office 365 - Solutions Associate
  https://www.microsoft.com/learning/en-us/mcsa-office365-certification.aspx

Classes (from MAX of course!):

• MA-MCSESP - SharePoint MCSE Certification Package
  All of the classes for the Server 2012 path plus practice exams and exam vouchers!
  http://www.maxtrain.com/Classes/ClassInfo.aspx?Id=109075
• MS-20346 - Managing Office 365 Identities and Services
  http://www.maxtrain.com/Classes/ClassInfo.aspx?Id=119383
• MS-20331 - Core Solutions of Microsoft SharePoint Server 2013
  http://www.maxtrain.com/Classes/ClassInfo.aspx?Id=68933
• MS-20332 - Advanced Solutions of Microsoft SharePoint Server 2013
  http://www.maxtrain.com/Classes/ClassInfo.aspx?Id=71294
• MS-20410 - Installing and Configuring Windows Server 2012 R2
  http://www.maxtrain.com/Classes/ClassInfo.aspx?Id=43964
• MS-20411 - Administering Windows Server 2012 R2
  http://www.maxtrain.com/Classes/ClassInfo.aspx?Id=43965
• MS-20412 - Configuring Advanced Windows Server 2012 R2 Services
  http://www.maxtrain.com/Classes/ClassInfo.aspx?Id=43966

.

What's Available / Not Available in Office 365 SharePoint Online?

 

Nice comparison of SharePoint Online editions showing what's available in each edition. To see what's missing in SharePoint Online scan the rows where every item is "No"!

SharePoint Online Service Description: http://technet.microsoft.com/en-us/library/sharepoint-online-service-description.aspx

 

.

SharePoint Saturday Columbus–this Saturday!

 

Time flies when you are having fun, or working too much. Our next regional SharePoint Saturday is this weekend, 8/23/14, in Columbus. I will be speaking on SharePoint / Office 365 Governance.

See here for schedules and registration: http://www.spsevents.org/city/columbus/columbus2014

And don't forget the Cincinnati and the Louisville SharePoint Saturdays in October!

 

SharePoint Office 365 Governance... Should you do it? Can you do it?

Track: IT Pro, End-User, Business

SharePoint’s greatest strengths – flexibility and ease of use – can also become its greatest weaknesses if you don’t adequately plan for tremendous growth and proliferation of SharePoint sites/usage. Office 365 greatly expands the governance challenges as it is so easy for anyone to create a new 365 subscription.

Topics will include:
• SharePoint Governance – the core issues are the same
• You must have a policy for the cloud, even if it’s just “don’t go there!”
• The unique issues of cloud based SharePoint
• The backup, auditing and security management challenges
• Dealing with external users

My Goals:
• To get you thinking
• To get you concerned
• To convince you to get started on a plan

The takeaways:
• More questions than answers! (homework!)
• A list of things to be concerned about.
• A motivation to have a plan.
• Most of your existing governance still applies.
• Office 365 is a moving target!
• The need to communicate the plan to the users of SharePoint.
• That a plan will never be complete, it will evolve as you integrate SharePoint into your enterprise, and as SharePoint Online evolves.

See you there!

 

.

SharePoint 2010 Limited Access Information Leaks

 

In a recent PowerShell SharePoint Auditing class we got side tracked on a discussion about security and the Limited Access Permission Level. I mentioned that even the names of lists and libraries can leak confidential information and that users with Limited Access permissions can often see these names. That led to a mandatory demo of the issue and a promise of a blog article with complete demo steps…

 

The Summer Co-Op said what?

You granted permissions to an innocent library like Sales Training Materials to a summer co-op. Later they ask you about plans to acquire a competitor. In a panic you check every document in that library for anything about the other company or about acquiring anything. You find nothing. You finally ask the co-op how they heard about that and they just answer "I saw it in SharePoint while looking for the training materials".

More fun security stuff!

How did they discover it? In the Quick Launch on the page for the training materials library there's a link named "Confidential: XYZ Acquisition Documents". How did they even get to see that? Limited Access.

Even worse… when they clicked the link they went to the library's page and there could the verbose description that was added by the person who created the list!

What about SharePoint 2013? 2013 has similar issues, but does hide the Quick Launch. I'll follow up with a 2013 specific article.

 

Demonstration:

Test setup:

• Create a new site collection. (just so everything is "clean")
• Go to Site Actions, Site Permissions, click Check Permissions and confirm that your test user currently has no access to the site.
• Create a new library or two so you have at least two for testing. Give them fun names like "Training Documents", "Top Secret", "Department Layoff Documents", and "Confidential Mergers and Acquisitions".

• Break inheritance on one of the more confidential libraries (Stop Inheriting Permissions button).
  • Remove all access except for the Owners group.

You now have a site with all content visible to your Owners, Members and Visitors groups… except for your test library, which only the Owners can see.

 

Test 1 – Grant a user access to the site

• Go to Site Actions, Site Permissions and click Grant Access
• Add your test user to the members group
• Open a browser and login as your test user.
  • Best ways to test (in order or preference):
    • Logon from a different computer as your test user.
    • Open a different brand of browser (Firefox, Chrome, etc.) using "Run as different user".
    • Open a different brand of browser. (Firefox, Chrome, etc.)
    • In Internet Explorer use File, New Session.
• Visit the site as the test user
  • In Quick Launch and All Site Content you should see all site content, except for the library where you broke inheritance. This user will not know that the secured library even exists. (This is probably what you expected with security trimming.)
  • If you copy and paste a URL that goes directly to the confidential library, or a file in the library, then you should get an Access Denied message.

Results:

• User can't discover the secured content.
  • Actually a good hacker can discover that the library exists. If they type or copy and paste the URL to a real library then they will get "Access Denied". They at least now know that the library exists. If they type a URL to a library that does not exist they will get a 404 Not Found error.
• Users using the REST web services (see later in this article) won't discover the secured lists.

 

Test 2 – Grant a user only access to a library with broken inheritance

• Remove any permissions granted in Test 1. Use Check Permissions to confirm that they do not have access to the site.
• Grant access to your test user to just the library  (don't add to one of the site groups!) Grant permissions to your test user and grant "Contribute".
  • Visit the library, click the Library ribbon, click Library Settings and click Permissions for this document library
  • Break Inheritance
  • Grant the Contribute Permission Level to your test user.
• Open a browser for your test user (see the info in Test 1) and paste in the the URL to the secured library. The user should be able to see the library and the library contents.
• Note the Quick Launch menu… All of the lists and libraries are visible!
• Click on any of the libraries listed in Quick Launch. The user will see the library's page, but no content. While the content is secure, the user now knows that the library exists. They can see both the list title and description.

Results:

• User can't discover the secured content., but the user can discover the names all of the lists and libraries in Quick Launch.
• The user will get Access Denied when accessing the home page.
• The user will see all custom links and content added directly to the master page.

 

Why?

Limited Access.

If you return to the browser where you are logged on as a Site Owner and visit the libraries you will see that the user with only access to a single library actually has the Limited Access permission level to all lists and libraries.

Why does Sam have Limited Access to this library? Sam was given "Limited Access" to the site when he was given Contribute to the library so he could see the master page and other resources needed to display the pages for the one library he was granted access to. All of the lists and libraries currently inherit their permissions from the site, therefore they inherit Sam's Limited Access permissions.

Side effects of granting permissions to a List, Library, Folder or Item, but not to the Site:

• User gets access to the List, Library, Folder or Item where they were directly granted permissions.
• User can see links to all lists and libraries in Quick Launch and other links. (I.e. no security trimming in Quick Launch.)
• User cannot see the content of the List, Library, Folder.
• User can hand enter a URL to any list or library and confirm that the item exists. (I.e. Gets to the list or library pages, but not to the items in the list or library.)
• User cannot visit the Site Content page. But that link is listed in their Quick Launch area and in their Site Actions. Clicking the link will display Access Denied.
• User cannot visit any page stored in the Site Pages library. Your home page is Site Pages.
• Your site icon may not display properly as they are often stored in Site Assets or other library. The same is true for any image, CSS or JavaScript stored in libraries.

 

 

What about all of the other lists not in Quick Launch?

Are they discoverable by the Limited Access user? Yes, if they can Google or Bing! SharePoint 2010 has a RESTful web service that exposes lists. While this is security trimmed, the user in the above scenarios has access to the list's name through the inherited Limited Access permissions. I.e. this is not a bug with Quick Launch, it's a "feature" of Limited Access! Here's what the user will discover from a web search:

         http://yourserver/sites/yoursite/_vti_bin/ListData.svc

That link will display via XML the list of lists and libraries!

SharePoint 2013 includes the above REST service plus a more generalized version.

         https://yourserver/sites/yoursite/_api/web/lists

 

The Fix?

To prevent the accidental discovery of other lists and libraries when using unique permissions on a single list or library you will need to break inheritance on every list and library and grant the appropriate access.

You will need to:

• Break inheritance on all content lists and libraries and grant access to the appropriate groups and users. If you do this after you have granted unique permissions to a user, you will need to remove the Limited Access users from each list and library.
• Grant View access to everyone to the Site Access library (or where ever you store site logos, CSS and other support files) so your icons and custom branding will display correctly. "Everyone" could be a group unique to your site or department or "NT AUTHORITY\Authenticated Users" for everyone who can logon to your networks. Granting access in anyway to "NT AUTHORITY\Authenticated Users" is not generally a good practice!

 

There's no end to learning SharePoint!

 

.

Speaking at the Buckeye SPUG this Thursday

 

Buckeye SharePoint Users Group http://www.buckeyespug.com/SitePages/Home.aspx

July 17th - 5:30 pm @ the Microsoft Polaris Office

The Mystical SharePoint Super User and Auditor

A look into SharePoint User Policies, the creation of “super users” and how to take away powers from everyone else!

In this session we will explore SharePoint Permission Policies and User Policies to grant application wide permissions to selected users to create the often mentioned but rarely documented “Auditor” and “Super User” roles. We will also see how to use SharePoint’s only option to deny permissions to restrict even Full Control users from things like creating subsites.

See you there!

.