Ed Wilson, the Microsoft Scripting Guy, will be presenting at the Cincinnati PowerShell User Group meeting on June 15th at MAX Technical Training.
Topic: Configuration Management with Azure Automation DSC - Cloud & On-Prem, Windows & Linux
Info and regestration here: http://www.meetup.com/TechLife-Cincinnati/events/230743256/
See you there!
I’m often chasing one SharePoint rabbit or another down a rabbit hole and spending hours there when I only wanted to ask the rabbit one simple question. In this case the question was who is “Everyone” and are they related to “NT AUTHORITY\Authenticated Users”. A simple question, or so I had thought. In this rabbit hole I found all kinds of interesting accounts, so I thought that I’d take a few notes while I was there. As to “Everyone”, I’ll follow up with another blog article. I also got distracted by two Office 365 users hanging around the hole named “Guest Contributor” and “Guest Reader” that will also get their own article.
If you would like to dive into the rabbit hole, here’s a few tools to investigate user accounts:
SharePoint 2013 and later uses Claims Based Authentication which can support more than one authentication source. This slightly complicates the UserLogin property as it must have both the user name and the claims source data in the property value. In a non-Claims system the user name might be as simple as contoso\msmith. In a Claims system you need to know where the user was authenticated, so you end up with UserLogins that might look like i:0#.w|contoso\msmith for a Windows AD user or i:0#.f|ContosoFBA|susan for a Forms Based Authentication user.
If you would like to learn more about the Claims identity codes (“c:0!.s”, etc.) see: http://social.technet.microsoft.com/wiki/contents/articles/13921.sharepoint-2013-claims-encoding-also-valuable-for-sharepoint-2010.aspx
and
http://www.wictorwilen.se/Post/How-Claims-encoding-works-in-SharePoint-2010.aspx
Who are all of these users? Well… I’m still negotiating with the rabbit for more details, but I’ll soon add these articles with what I have discovered:
For now:
I was reviewing some training materials recently and ran across a statement to the effect you should put NT AUTHORITY\AUTHENTICATED USERS in all of your site Visitors groups so everyone can find content in SharePoint. Should you do this? Should everything in your SharePoint be freely accessible to everyone who can logon to your network? Contractors, vendors, summer co-ops, part timers? If you don’t already have a policy or governance on this, then you should be working on it.
SharePoint does not give us any way to prevent the use of the “Everyone” accounts, so you will need to deal with this through education and auditing.
UPDATE! Anders Rask responded to this post with info about a SharePoint Online cmdlet that can hide these “everyone” options in the people pickers. Turns out there are three options:
Set-SPOTenant -ShowEveryoneClaim $false
Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $false
Set-SPOTenant -ShowAllUsersClaim $false
The Set-SPOTenant cmdlet: https://technet.microsoft.com/en-us/library/fp161390.aspx
Blog: https://blogs.office.com/2015/07/16/new-it-management-controls-added-to-onedrive-for-business/
Here’s a short list of best practices. The term “everyone” used here includes NT AUTHORITY\AUTHENTICATED USERS and any account that starts with “Everyone” or “All Users”.
While your SharePoint may vary… see the Notes column… here’s a list of the accounts that may include users other than those who you were expecting. This is not complete, so if you discover others please post a comment to this article.
| DisplayName | UserLogin or SystemUserKeyProperty | Notes |
| c:0!.s|forms%3amembership | Only O365 | |
| c:0!.s|windows | Same as NT AUTHORITY\ authenticated users | |
| All Users (yourFBAMembershipProviderName) | c:0!.s|forms%3aYourFBAMembershipProviderName | Form Based Authentication |
| Everyone | c:0(.s|true | |
| Everyone except external users | c:0-.f|rolemanager|spo-grid-all-users/17b83262-5265-… | Only O365 (ID will vary) |
| NT AUTHORITY\ authenticated users | c:0!.s|windows | |
| Guest Contributor | SHAREPOINT\writer_9e8a77849f89425c9cff6a6af5175… | ID varies with share |
| Guest Reader | SHAREPOINT\reader_cb6f6371456b4542ba0609638a4… | |
| _SPOCacheFull | ylo001\_spocachefull | Only O365. Visible only from PowerShell |
| _SPOCacheRead | ylo001\_spocacheread | Only O365. Visible only from PowerShell |
| _spocrawler_17_3910 | ylo001\_spocrawler_17_3910 | Only O365 (ID will vary) |
| System Account | SHAREPOINT\system | Visible only from PowerShell |
| System Account | S-1-0-0 | SystemUserKeyProperty |
| Company Administrator | s-1-5-21-1851826741-1401831065-3463747319-87287… | Only O365 (ID will vary) |
| Typical user (Sam Conklin) | samc@yourDomain.onmicrosoft.com | As seen in O365 PowerShell |
| Typical user (Sam Conklin) | i:0#.w|yourDomain\samc | As seen in On Prem PowerShell |
| Typical user (Sam Conklin) | i:0).w|s-1-5-21-2499188511-2905385804-3446143336-… | SystemUserKeyProperty |
| Typical FBA user (Susan) | i:0#.f|YourFBAMembershipProviderName|susan | Form Based Authentication |
.
Microsoft is releasing two new SharePoint 2016 administrator courses in July. The courses have a new numbering scheme to better reflect the “Part 1” and “Part 2” nature of the pair. 20339-1 and 20339-2. While the focus is on on-premises SharePoint 2016, some Office 365 content is included.
Course 20339-1: Planning and Administering SharePoint 2016
https://www.microsoft.com/en-sg/learning/course.aspx?cid=20339-1
Publish date: July 8, 2016
Course 20339-2: Advanced Technologies of SharePoint 2016
https://www.microsoft.com/en-sg/learning/course.aspx?cid=20339-2
Publish date: July 21, 2016
.
SharePoint 2016 is so similar to SharePoint Online / Office 365 that it’s sometimes hard to tell which version you are in. I just ran across an odd change from the past versions. How do you share or break inheritance on a list item?
The steps are different and the end results are different. And I thought 2016 was supposed to be SharePoint Online brought onsite.
I write training materials and really wish I was paid by the word or page! These detail differences waste hours and complicate training!
.
Article applies to SharePoint 2013, SharePoint Online and SharePoint 2016.
Did you ever wonder after using the Share buttons in SharePoint if the Site Owner ever responded to your request, responded with a question, or approved the request?
As I can’t find any documentation, I’ll call this undocumented for now… After a bit of web searching I did find a mention of the page in an Ignite presentation. In any case, this page lists the status of pending requests and lets the user who made the request check and send messages to the site owners. Requests that have been approved or declined will not be listed here.
The site owner can see your requests by going to Settings (gear), Site Settings, Site Permissions and clicking “Show access requests and invitations”. This will take them to the Access Requests page at _layouts/Access%20Requests/pendingreq.aspx.
You can check your pending requests by going to:
http://yourDomain/sites/yourSite/_layouts/mypermissions.aspx
This link will redirect to /_layouts/15 for now and may change in future versions.
Of course, no one knows about this page. There are no out of the box links to it. And… the site owner will probably not know to click the “SEND” button to start a conversation with the person who made the request.
If “Sharing” is important in your organization, you will need to provide some training, easy access to a link to the MyPermissions page, and do some work to “drive adoption”.
Details:
.
If you have followed this blog, you know that I’m kind of a SharePoint nut who’s also a PowerShell nut. Over the years I have created a lot of PowerShell scripts while working with SharePoint and answering questions in my classes and in the TechNet forums. There’s plenty of resources for installing and configuring SharePoint using PowerShell, but there’s little on dealing with all of the daily questions on premise admins get that can be quickly answered using PowerShell. I was just going to take my 100+ scripts and create something like a “cookbook”, but instead created a class. The class handout kind of ended up as the cookbook… 85 pages and 175 sample scripts, or maybe more like a giant PowerShell cheatsheet for SharePoint.
This class is for on-premise SharePoint 2010, 2013 and 2016 administrators. A SharePoint Online version is in the works, but not available yet.
If you would like to attend this class, delivered by the author (your’s turely!), we are offering it next Monday, March 14th, at MAX Technical Training in Cincinnati, Ohio. You can attend this class at MAX or remotely from anywhere. If you can’t attend this class, it is available from trainging centers all over the world.
March 14th class at MAX: SharePoint 2010 and 2013 Auditing and Site Content Administration using PowerShell
Search for this class at other training centers: https://www.bing.com/search?q=55095%20powershell
If you would like to see some of the other courses and books I’ve written, then click here.
This one day instructor-led class is designed for SharePoint 2010 and 2013 server administrators and auditors who need to query just about anything in SharePoint. The class handout is effectively a cheat sheet with over 175 PowerShell scripts plus the general patterns to create your own scripts. These scripts cover:
At Course Completion
After completing this course, students will be able to:
Prerequisites
Before attending this course, students must:
Course Outline
Module 1: SharePoint and PowerShell
This module provides an introduction to the topics covered in the class, introduces SharePoint PowerShell terminology and provides a review of important PowerShell features.
Lessons:
Lab:
After completing this module, students will be able to:
Module 2: Working with SharePoint CMDLETs and Objects
This module introduces the SharePoint object model and some important terminology.
Lessons:
Lab:
After completing this module, students will be able to:
Module 3: Managing Memory and Limiting Performance Impact
This explores limiting impact on server memory usage and performance.
Lessons:
Lab:
After completing this module, students will be able to:
Module 4: Working with Content
This module explores SharePoint using PowerShell from the Farm down to individual list items.
Lessons:
Lab:
After completing this module, students will be able to:
Module 5: Users and Security
This module covers the use of PowerShell to explore and document SharePoint permissions.
Lessons:
Lab:
After completing this module, students will be able to:
Module 6: Managing Sites
This module explorers Site Collection and Web management from PowerShell.
Lessons:
Lab:
After completing this module, students will be able to:
Audience
Something for the SharePoint trivia department…
What do you call this:
I had always thought that calling the App Launcher button in Office 365 and SharePoint 2016 the “waffle button” was a bit of a joke. It does look kind of like a waffle, there is no mouse-over tip to give a hint, and no one would ever guess “App Launcher”. Turns out that the word “waffle” is actually in the HTML! So going forward, I will consider both to be an acceptable name for the button.
Ok, back to work… do something useful…
.
The problem… While we do want site visitors to see the list items, we don’t want them to see or click the list’s attachments.
One approach is to use CSS and a handy SharePoint control. You could also write a JavaScript solution. Here we will look at the CSS option.
Note: This is not security! This is hiding some HTML using CSS. Users can right-click and select View Source to discover the text hidden by the CSS.
General pattern:
The SPSecurityTrimmedControl
The magic here is that the SPSecurityTrimmedControl can selectively display content based on a user’s assigned permission. As an example, users with the Read permission level do not have the EditListItems permission while members and owners do. Note that the control can only be set to a single permission, not a Permission Level or group.
More detailed steps:
SharePoint 2010 (and probably 2007) version:
<style type="text/css">
#idAttachmentsRow { display:none }
</style>
<Sharepoint:SPSecurityTrimmedControl runat="server" PermissionsString="EditListItems">
<style type="text/css">
#idAttachmentsRow { display:inline }
</style>
</Sharepoint:SPSecurityTrimmedControl>
SharePoint 2013 and SharePoint Online / O365 (and probably 2016) version:
<style type="text/css">
#idAttachmentsRow { display:none !important }
</style>
<Sharepoint:SPSecurityTrimmedControl runat="server" PermissionsString="EditListItems">
<style type="text/css">
#idAttachmentsRow { display:table-row !important}
</style>
</Sharepoint:SPSecurityTrimmedControl>
A list of the PermissionsStrings can be found here: https://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions.aspx
More about using SPSecurityTrimmedControl can be found here: http://techtrainingnotes.blogspot.com/2009/07/sharepoint-run-javascript-based-on-user.html
.
Microsoft is “expiring” a long list of exams in September.
You may also want to see:
Azure Exams 70-532, 70-533
and 70-534 Getting an Update!
More certification articles.
These certifications are Impacted. (The tests for them expire 9/16.)
These exams are going away in September:
Links:
.
Working on your Azure certifications? Take a break and go look at the list of announced updates. While they are listed as being updated as of March 16th, 2016, at least some the listed changes have already been applied.
The exams:
The links to the exam changes PDFs:
.