Add AD security group as Site Collection administrator with PowerShell in SharePoint

In provisioning solutions it can be a good practice to add a security group from Active Directory as an additional site collection owner. Unfortunately a security group is not accepted as either primary or secondary owner. So to set a group as site collection administrator, the easiest approach I could find was to set the “IsSiteAdmin” property on the User object.
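
One way to apply this in a provisioning script, as an added example that is not the original post's code. The site URL and the group name CONTOSO\SP-SiteAdmins are placeholders, and the function name is hypothetical:

```powershell
# Added example: grant site collection administrator rights to an AD security group.
# Run in the SharePoint Management Shell. URL and group name are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-SiteCollectionAdminGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SiteUrl,
        [Parameter(Mandatory = $true)][string]$GroupLogin   # e.g. "CONTOSO\SP-SiteAdmins"
    )

    $site = Get-SPSite $SiteUrl
    try {
        $web = $site.RootWeb

        # EnsureUser resolves the AD group and adds it to the site's user list if missing
        # (this happens even when -WhatIf is used)
        $principal = $web.EnsureUser($GroupLogin)

        # Refuse to elevate anything that is not a domain group (typo, user account)
        if (-not $principal.IsDomainGroup) {
            throw "'$GroupLogin' did not resolve to an AD security group."
        }

        if (-not $principal.IsSiteAdmin -and
            $PSCmdlet.ShouldProcess($SiteUrl, "Grant site collection admin to $GroupLogin")) {
            $principal.IsSiteAdmin = $true
            $principal.Update()
        }

        # Return everyone who holds the right, for review or logging
        $web.SiteAdministrators | Select-Object LoginName, Name, IsDomainGroup
    }
    finally {
        $site.Dispose()   # also releases RootWeb
    }
}

# Preview first; drop -WhatIf to apply the change
Set-SiteCollectionAdminGroup -SiteUrl "http://sp2013/sites/demo" -GroupLogin "CONTOSO\SP-SiteAdmins" -WhatIf
```

Every member of the AD group gets full control of the site collection, so membership changes in Active Directory should be reviewed as carefully as changes to the site itself.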

Remove orphaned tasks from the aggregated task list on MySite in SharePoint 2013

For some reason a deleted task was still visible in the aggregated task list for an end user. The task itself had been deleted from the source site, so when you clicked the task you got an error message telling you it did not exist anymore. The problem was that SharePoint was unable to remove the task from the aggregated view, so now we had to deal with a ghost task!

Solution

The new task aggregation is performed with the help of the service application “Work Management Service” and the user’s MySite. When the service has aggregated your tasks, it stores the data in a list called “WmaAggregatorList_User”. Since it is a traditional list, you might think: “This is easy! Just go to the list and delete the task!” Sorry, but no. This list is only intended as a system list, and nothing we should ever care about, so it actually has no available views.

Step-by-step to remove the task

  1. Start “SharePoint Manager 2013” on one server in the farm (download from CodePlex)
  2. Navigate to the correct web application, and locate the user’s MySite site collection under “/personal” or your preferred managed path.
  3. Expand the structure and locate the list “WmaAggregatorList_User”, and choose to browse the “GridView”. If the user doesn’t have too many tasks, you should now be able to use this to visually inspect the data.
  4. Locate the column named “TxEditUrl” and verify that it matches the URL of the ghost task. In my case I ignored the “&source=” end of the URL. Make a note of the list item ID for the task (the first column).
  5. Fire up good old “SharePoint 2013 Management Shell” to do some PowerShell magic.
  6. Example how to locate the task and remove it:

# Open the user's personal site collection and retrieve the list
$web = Get-SPWeb "http://mysite/personal/adamb"
$list = $web.Lists["WmaAggregatorList_User"]

# Get the task with the ID located with SharePoint Manager
$item = $list.GetItemById(1) # NOTE: Use the correct ID here

# Now delete the task
$item.Delete()

# Release the SPWeb object
$web.Dispose()

Summary

In some very rare cases, you can end up with users having orphaned tasks in their aggregated task list on MySite. I never got an understanding of why this happened, but it was possible to remove this and get things back to normal.

Export-SPWeb fails with “These columns don’t currently have unique values”

During a content database migration from SharePoint 2010 to 2013, we also had a requirement to move a few sites (SPWeb) to new locations. The plan was to first mount the Content Database on the SharePoint 2013 farm, create an evaluation upgrade site collection and then export the content from the upgraded site using “Export-SPWeb”. This operation failed, and after several retries it seems like this is not supported.

PowerShell command to export site:

Export-SPWeb http://sps:8080/ -Path "C:\Backup\sps-8080.bak"

This error was found in the log file:

[13.01.2014 10:26:58] FatalError: These columns don't currently have unique values.
[13.01.2014 10:26:58] Debug:    at System.Data.ConstraintCollection.AddUniqueConstraint(UniqueConstraint constraint)
   at System.Data.ConstraintCollection.Add(Constraint constraint, Boolean addUniqueWhenAddingForeign)
   at System.Data.ConstraintCollection.Add(Constraint constraint, Boolean addUniqueWhenAddingForeign)
   at System.Data.DataRelationCollection.DataSetRelationCollection.AddCore(DataRelation relation)
   at System.Data.DataRelationCollection.Add(DataRelation relation)
   at System.Data.DataRelationCollection.Add(String name, DataColumn parentColumn, DataColumn childColumn)
   at Microsoft.SharePoint.Deployment.ListObjectHelper.GetNextBatch()
   at Microsoft.SharePoint.Deployment.ObjectHelper.RetrieveDataFromDatabase(ExportObject exportObject)
   at Microsoft.SharePoint.Deployment.ListObjectHelper.RetrieveData(ExportObject exportObject)
   at Microsoft.SharePoint.Deployment.ExportObjectManager.GetObjectData(ExportObject exportObject)
   at Microsoft.SharePoint.Deployment.ExportObjectManager.MoveNext()
   at Microsoft.SharePoint.Deployment.ExportObjectManager.ExportObjectEnumerator.MoveNext()
   at Microsoft.SharePoint.Deployment.SPExport.SerializeObjects()
   at Microsoft.SharePoint.Deployment.SPExport.Run()
[13.01.2014 10:26:58] Progress: Export did not complete.

Solution

This problem seems to occur once you have created an evaluation site within the same content database. Deleting the evaluation site does not fix the problem unfortunately.

  • Restore site collection from backup to a new content database
  • Export data with Export-SPWeb from the site, but avoid using an evaluation site.

It is possible to run Export-SPWeb both when the site collection is in 2010-mode and naturally after upgrading it to 2013, as long as you stay away from creating an evaluation site.
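
The two steps above as a script. This is an added example, not the original post's code; the database name, staging URL and file paths are placeholders, and the backup is assumed to have been taken with Backup-SPSite before any evaluation site existed:

```powershell
# Added example: restore a pre-evaluation backup into its own content database, then export.
# All names, URLs and paths below are placeholders.
$webAppUrl  = "http://sps:8080"
$backupFile = "C:\Backup\sitecollection-before-eval.bak"   # from Backup-SPSite, taken before any evaluation site
$restoreUrl = "http://sps:8080/sites/export-staging"
$exportFile = "C:\Backup\export-staging.cmp"

# 1. A fresh content database that has never held an evaluation site
$db = New-SPContentDatabase -Name "WSS_Content_ExportStaging" -WebApplication $webAppUrl

# 2. Restore the site collection into that database under a staging URL
Restore-SPSite -Identity $restoreUrl -Path $backupFile -ContentDatabase $db -Confirm:$false

# 3. Export from the restored copy instead of the original, keeping permissions and versions
Export-SPWeb -Identity $restoreUrl -Path $exportFile -IncludeUserSecurity -IncludeVersions All

# 4. The export log is written next to the package; fail loudly if the export aborted
$log = "$exportFile.export.log"
if (Select-String -Path $log -Pattern "FatalError" -Quiet) {
    throw "Export failed, see $log"
}
```

The backup file and the export package contain the full site content including permissions, so keep them in a folder that only farm administrators can read.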

Summary

If you plan to reorganize the content in the same operation as a content database migration from SharePoint 2010 to 2013, avoid using an evaluation site as it leaves your entire site collection in a state where content cannot be exported. With this experience I now always take an extra site collection backup before creating evaluation sites (which in itself is an excellent feature).

Preparing the user’s MySite after an upgrade from SharePoint 2010 to 2013

A common part of a migration from SharePoint 2010 to 2013 is to include the MySite user profile and personal site collections. Both the User Profile and Managed Metadata service applications must be migrated first. After the web application has been created, and the content database(s) have been reattached, the MySite host must be upgraded to 2013. This can easily be done either from the web page or with PowerShell. All customization to the branding will be lost as the Master Page is reverted to “mysite15.master”, and you will be required to create a new Master Page based on this one to keep a custom branding. In 2013 the user will now be presented with a dialog with 1-2 options the first time they visit their MySite after the upgrade. To avoid unnecessary interruption and confusion, I think it is a good thing to prepare the MySite so these choices are already set for the user according to company policy.

What will it look like to the end users?

Scenario 1: The user only has a user profile, and no personal site collection

This gives the user the option to have some of the social features in their user profile activated. It could be better to set this for all users, and give them a guide on how to change it afterwards instead. Most people won’t care, and will keep the default settings.

Scenario 2: The user had both a user profile and a personal site collection

In the last option, SharePoint has detected that the user has a site collection, and that one or more document libraries exist within it. Keeping this option without being aware of what it does can end in trouble.

For a personal site collection with no customization, this will probably work out fine. But if you have created personal document libraries, or even have custom solutions with their own document libraries, this must be handled differently.

What happens if I choose “Ok” (as ALWAYS)?

If the document library “Shared Documents” exists, it is automatically mapped to the folder “Shared with everyone”. All other document libraries are created as new folders. A few libraries are always ignored: Style Library, SiteAssets and FormServerTemplates.

For testing purposes it is possible to run the initial setup multiple times as long as you clean up the “Documents” library to only contain the “Shared with everyone” folder.

After the files have been moved to SkyDrive, the original library is removed. SkyDrive itself is stored in the “Documents” library with the hard coded URL “/Documents”.

Permissions are not copied, so if you had libraries, folders or files with unique permissions set, these must be reapplied manually after the merge.

It can be a bit tricky to test and get a good understanding of what will happen, but luckily this one-time dialog can be opened and reapplied as many times as you want by using this URL: http://mysite/_layouts/15/InitialSetup.aspx?IsDlg=1&HasMysite=1

To simulate the last option in the dialog box, switch the query attribute “HasMysite” between 0 and 1.

Disabling the default “Let’s get social” dialog

I found a hint on this blog, but for some reason it didn’t work for me: http://www.ilovesharepoint.com/2013/03/get-rid-of-mysite-lets-get-social-dialog.html.

By adding the value to the AllProperties bag of the SPWeb object, instead of the Properties bag as suggested in the article above, the dialog was suppressed.

$web = Get-SPWeb http://mysite/
$web.AllProperties["urn:schemas-microsoft-com:sharepoint:portal:profile:SPS-O15FirstRunExperience"] = "Off";
$web.Update();

Just as a reminder: when you are removing this dialog, you should make sure the default MySite configuration is correct for your organization.

Enable social data for existing users

For all new users, these settings are configured and managed by the service application. For existing users, a policy to enable social data can be applied with PowerShell.

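# Any site collection will do; it is only used to obtain the service context
$site = Get-SPSite -Limit 1
$context = Get-SPServiceContext $site
$profileManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)

# Enable sharing of social data for every existing user profile
$profiles = $profileManager.GetEnumerator()
$profiles | ForEach-Object { $_.ShareAllSocialData($true) }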

Summary

After migrating MySite from SharePoint 2010 to 2013, new features including Social and SkyDrive require end users to take action. This article discusses what these options include, and how you could set the policy up front and suppress the dialog from appearing at all.

Disable site collection upgrades after migrating from SharePoint 2010 to 2013

When migrating SharePoint from 2010 to 2013, how the end result appears to your end users depends on the migration strategy you choose. Two different approaches when migrating to SharePoint 2013 can be:

  1. Migrate the farm, content and solutions from 2010 to 2013
  2. Migrate the farm to 2013, but keep the content and solutions in 2010-mode

Selecting the last approach requires the least effort, and could be preferred for several reasons:

  • Reduce the scope of the migration to only include the farm. Less risk and effort needed.
  • Migrate content and solution in a later stage after the new 2013 farm has been stabilized.
  • Keep solutions that will reach end-of-life in the near future without extra effort to migrate them.
  • Customer has no functional requirements to adopt 2013 functionality at the current time for all or parts of the solutions, and only requires a platform upgrade.

Since site collection administrators can start the upgrade of their site on their own, I will cover how to get control of this process by disabling the site collection upgrades. As a farm administrator you can then later re-enable this feature, or perform the migration on behalf of the owners (maybe preferred).

How will an upgraded site collection in 2010-mode appear?

When visiting a site collection after the platform has been migrated, pretty much nothing has changed (good!) for the end users, except a light pink (not nice!) bar at the top reminding us that this site should be upgraded.

On the site collection upgrade page, an option to “Try a demo upgrade” is available. By default this request is put into a queue, and processed once each night. A copy of the site collection is created, and the site owner will receive an e-mail with the URL. After a fixed time of 30 days, the test site will be deleted.

My best guess as to why this runs at night is that the source site will throw an error while the creation of the eval site runs. So don’t be too tempted to run this timer job manually if the site is in use!

The messages on the top of the screen will only be visible to the site collection administrators, so the regular users (visitors, members or owners) will not see this at all.

Disable the self-service evaluation

In the “SharePoint 2013 Management Shell” run the following PowerShell script.

$siteUrl = "http://sp2013"; # Change this one!
$site = Get-SPSite $siteUrl;
$site.AllowSelfServiceUpgradeEvaluation = $false;

The option to create an evaluation site is no longer available for the site collection. The next step would be to remove the possibility for the site owners to perform the upgrade themselves at all.

Disable the self-service site collection upgrade

In the “SharePoint 2013 Management Shell” run the following PowerShell script.

$siteUrl = "http://sp2013"; # Change this one!
$site = Get-SPSite $siteUrl;
$site.AllowSelfServiceUpgrade = $false;

Now both the options are disabled, and the pink bar at the top of the site is also removed.

What if I want to disable this on all site collections?

If you want to go all-in, this PowerShell script disables both the evaluation site and self-service upgrade for all site collections within a web application:

$webAppUrl = "http://sp2013"; # Change this one!
Get-SPSite -Limit All -CompatibilityLevel 14 -WebApplication $webAppUrl | % { $_.AllowSelfServiceUpgrade = $false; $_.AllowSelfServiceUpgradeEvaluation = $false; }

Summary

In this article we have seen how a site collection appears to the end users after the farm has been migrated from SharePoint 2010 to 2013, and the content databases attached back on. With a few lines of PowerShell the administrator can disable both the ability to evaluate an upgraded site and the ability to perform the self-service upgrade.

Preparing a new server with Windows Server 2012 for development and testing

As a SharePoint developer, I am quite often required to set up new servers for development and testing. Every time I set up a new server, I do a basic configuration before I start installing the specific software I need (SQL Server, SharePoint, Visual Studio etc.). The purpose of doing these preparations is to enable a more desktop-like user experience, and remove unnecessary interruptions in the day-to-day usage.

This guide is based on a Windows Server 2012 Standard GUI installation.

Basic settings in Server Manager

After the initial installation and first time password setup is complete, continue in the Server Manager by setting these basic settings to get started. Select Local Server in the left side menu.

  1. Change computer name (postpone reboot to later)
  2. Enable automatic Windows Update (and start first time check)
  3. Disable IE Enhanced Security (for all users)
  4. Change timezone

Add “Desktop Experience” role

This feature adds some settings and software to make the server feel more like a standard Windows 8 end-user computer.

In the Server Manager select Manage and Add Roles and Features.

In the wizard, select Next until you reach the Feature step. Locate User interfaces and infrastructure and expand it. Check the option for Desktop Experience.

Enable remote desktop connections

Most of my installations are on virtual hosts, so getting Remote Desktop up and running is a much better experience than the built-in console in, for example, Hyper-V.

Under Settings (search for the words), select Allow remote access to your computer.

Then select Allow remote connections to the computer.

Disable password expiry

Disabling these policies is not a good idea in general, but in a development environment, this is necessary to avoid hassle with Windows nagging about setting new passwords from time to time. I always use a general password for these environments, and want to avoid it being changed somewhere.

Open Group Policy Management (just search for it). Right click on Default Domain Policy and select Edit.

Open the path Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.

Set Enforce password history and Maximum password age to 0. Disable the Password must meet complexity requirements.

Disable shutdown event tracker

The shutdown event tracker is fine for a server, but is unnecessary on a development machine.

Open Group Policy Management (just search for it). Right click on Default Domain Policy and select Edit.

Open the path Computer Configuration -> Policies -> Administrative Templates -> System. Select Display Shutdown Event Tracker.

Select Disabled to prevent this dialog from appearing the next time you shut down the server.

Enable execution policy for PowerShell

By default PowerShell scripts are disabled from being executed, and a policy setting must be set.

Open a PowerShell Console (as Administrator) and type Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

Also, just as a reminder, make sure that the scripts you try to execute aren’t blocked. Check this by right clicking the file, select Settings and check if the button Unblock appears in the bottom right of the dialog.

Disable Loopback check with PowerShell

This is mainly for servers that will be used for hosting web applications with IIS. For more details see: http://support.microsoft.com/kb/896861

Open a PowerShell Console (as Administrator) and type New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -Value "1" -PropertyType dword

A reboot will be necessary for this setting to take effect.
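
The KB article linked above also describes a narrower method: keep the loopback check enabled and list only the host names that need it in BackConnectionHostNames. The script below is an added example of that method, not part of the original guide, and the host names are placeholders:

```powershell
# Added example: allow loopback for named hosts only, instead of disabling the check globally.
# Host names are placeholders. Run in an elevated PowerShell console.
$lsaKey    = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$msv1Key   = Join-Path $lsaKey "MSV1_0"
$hostNames = @("intranet.dev.local", "mysite.dev.local")

# Report the current state of the global switch (absent or 0 means the check is active)
$current = Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
"DisableLoopbackCheck = " + $(if ($current) { $current.DisableLoopbackCheck } else { "not set" })

# Merge the new host names with any that are already listed
$existing = (Get-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
[string[]]$merged = @($existing) + $hostNames | Where-Object { $_ } | Sort-Object -Unique

# Write the multi-string value (creates it, or overwrites it with the merged list)
New-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -PropertyType MultiString -Value $merged -Force | Out-Null

# Remove the global switch if it was set earlier, so the check applies to all other names again
if ($current) {
    Remove-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck
}

# Show the resulting list for verification
(Get-ItemProperty -Path $msv1Key -Name BackConnectionHostNames).BackConnectionHostNames
```

Restart the server afterwards so the new setting is picked up.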

Summary

In this article, step-by-step guidance for preparing a Windows Server 2012 for development and testing use was presented. This enables a better user experience when working in a server environment on a day-to-day basis.

Just as a disclaimer, these steps reduce the general security level normally required on a server, and should only be used for development and testing purposes.

Any tips that could be included in this preparation guide, are welcome!