What are the accounts used in SharePoint Foundation 2010 for a least privileged configuration

In Many Organization while Implementing  SharePoint 2010 . the first question which may arise is What are the account we need to create and what are the permission levels it should have . I have tried my best to collate the things together and text it in my Blog .


The setup account: This is the account with which the useris logged that runs the setup. This account must be a local administrator on all systems where SharePoint Foundation 2010 setup is run.

Post-Setup Configuration Run-As user: This is the user that runs the PSC tool.
This user must also be a local administrator
PSC runs a prerequisites check .
In addition to being a local administrator on all computers running Office Server, this account also has the following requirements on a remote server running SQL Server to be used as part of a SharePoint Foundation 2010 Services farm

Must be a SQL login
Must be a member of the SQL Server Database Creators Role
Must be a member of the SQL Server Security Administrators Role
This account need not be a local administrator on the server running SQL Server

Thisis the only account given explicit rights on SQL. It will give the database access account the SQL privileges it needs because it has the rights to do so.

The database access account: This is the account that is specified to the PSC tool when creating or connecting to a Configuration Database.
This account need not be the same as the PSC Run-As user and it need notbe a local administrator on any computer running Office Server.
It should also not be a local administrator on the SQL server, and doesnot require any SQL permissions in advance of creating a configuration database. Many of us refer to this as the “farm admin” account, but thisis misleading. The user that accesses the Central Admin Web pages to perform farm administrative activities is the farm admin account.

Central Admin App Pool ID:This account is “automatically” configured by the PSC tool to be the same account as the database access account that is stipulated to the PSC tool when creating a configuration database. This account and the SPTimer account constitute one exception to separate accounts being usedfor all account types.

The SPTimer account: As with the Central Admin App Pool ID, this account is “automatically” configured by the PSC tool to be the same account as the database accessaccount that is stipulated to the PSC tool when creating a configuration database.

The Farm Admin account: As mentioned earlier, this is the user that accesses the Central Admin Web pages to perform farm administrative functions.
This account can create Web applications, site collections, SSPs, configure Search, IFSS, Profile Imports, assigning permissions, and so on.

The following users do not have email address specified

Problem Description:

Unable to set alert on a List for single or multiple users

Error Message:

The following users do not have email address specified: <Username>

Probable cause:

The user’s profiles are not updated in SharePoint even though everything is setup up correctly in Active Directory and in Exchange.

Troubleshooting done:

1.   Checked if the user is stamped with an email address automatically.

2.   If the user's email address is set manually, need to remove the exchange attributes and reconnect the mailbox after running the cleanup agent in exchange, or create a new mailbox if there was no mailbox for the user in exchange server.

3.   Email address is stamped automatically by recipient update service (RUS) a component of exchange server and hence one should not add the email address manually.

4.   When configuring alert, check if the users email address is listed in the people picker. In this case the email address was not displayed; however the email address was stamped automatically by exchange. ( The affected user's email address was not

5.   displayed, but the user who was receiving alerts success had email address displayed in the people picker)

6.   Tried sending a test email from telnet to the affected user and it got delivered successfully which meant that the exchange was working fine.

Resolution:

1.   Went to Central Admin -> SSP -> User profiles and properties -> Configure profile import: The default access account was not specified.

2.   Hence gave the enterprise administrator and the password as the default access account.

3.   Then Selected Start Full import under SSP -> User profiles and properties.

4.   We were then able to see all the users with their email address in View user profiles.

5.   Then went to the SSP->Search Settings -> Content sources and Crawl schedules.

6.   Performed a Full crawl which completed successfully.

7.   We then selected the people picker and found that the all the users were displayed with their email address along with the affected user.

8.   We were then able to set the alert for that user successfully without getting any errors.

If you have any queries/questions regarding above mentioned information then please let me know, Thank you.

Applies to: SharePoint Server 2007-SP2

Server based Search- Exact match and Prefix match in Lync Server 2010

Server based Search- Exact match and Prefix match in Lync Server 2010

Guys,

We are using Lync Serer 2010 since long however you know how the server based search is work? Here are few scenarios; basically Server-based search usage can be configured by using the in-band provisioning setting, AbsUsage.

This in-band provisioning setting having three possible values:

1.    WebSearchAndFileDownload. IP phones (for example, Polycom CX700 IP desk phone) use server-based search, and Lync 2010 clients use GAL download. This is the default.

The Lync desktop client defaults to GAL download for the following reasons:

·       There may be temporary outages for the Address Book Service depending on the server maintenance schedule. When the Address Book Server is unavailable, all prefix and exact match searches fail.

·       Server-based search does not work in branch office resiliency mode.

2.    WebSearchOnly. Both IP phones and Lync 2010 clients use Server-based search.

3.    FileDownloadOnly. Both IP phones and Lync 2010 clients use GAL download.

Server-based search can be used for both exact and prefix searches. The exact and prefix match searches are different, and the various scenarios when the Lync client would perform an exact match search versus prefix match search.

The Lync client sends a SOAP query through HTTPs to the user’s Front End pool. Search results are returned in an XML format.

Exact Match Search

Exact match search is performed by the Lync client whenever it needs GAL contact data for a specific contact. In an exact match query, the Lync client requests the GAL contact data by using a SIP URL or email address. Passing a SIP URL or email address in the request ensures the GAL contact data returned is unique because the SIP URI and email address are both unique contact identifiers.

Prefix Match Search

Prefix search is invoked when a user initiates a search from the following:

·       The main UI search box.

·       The People picker dialog box (that can be opened, for instance, from the Conversation Window, the call forwarding dialog box, or call transfer).

When a prefix search is performed, the client sends a SOAP query with the search term and number of search results to be returned by the Address Book Service. Lync client shows the top 50 results whereas IP phones and Lync mobile clients show the top 20 results.

Thank you.

SharePoint 2010 - Download and Install Prerequisites for Offline Setup

1. Microsoft SQL Server 2008 Native Client – sqlncli.msi – 7.69MB
2. Hotfix for Microsoft Windows (KB976462) – Windows6.1-KB976462-v2-x64.msu – 4.13MB
3. Windows Identity Foundation (KB974405) – Windows6.1-KB974405-x64.msu – 1.47MB
4. Microsoft Sync Framework Runtime v1.0 (x64) – Synchronization.msi – 2.59MB
5. Microsoft Chart Controls for Microsoft .NET Framework 3.5 – MSChart.exe – 1.76MB
6. Microsoft SQL Server 2008 Analysis Services ADOMD.NET – SQLSERVER2008_ASADOMD10.msi = 6.76MB
7. Microsoft Server Speech Platform Runtime (x64) – SpeechPlatformRuntime.msi – 2.81MB
8. Microsoft Server Speech Recognition Language – TELE(en-US) – MSSpeech_SR_en-US_TELE.msi – 23.4MB
9. SQL 2008 R2 Reporting Services SharePoint 2010 Add-in – rsSharePoint.msi – 36.9MB

Enabling and Using Developer Dashboard - Sharepoint 2010

Today I was working with one Client who was having some issues with performance . In Sharepoint 2010 . I found a Out of box Feature which helps in monitoring the performance of the site Developer Dashboard.

The Developer Dashboard is an instrumentation framework introduced in Microsoft SharePoint Foundation 2010. Similar in concept to ASP.NET page tracing, it provides diagnostic information that can help a developer or system administrator troubleshoot problems with page components that would otherwise be very difficult to isolate.

For example, a developer can easily introduce extra SPSite or SPWeb objects into his or her code unknowingly or add extraneous SQL Server queries.

In the past, the only way to debug performance problems caused by the extra overhead of these instances in code would be to attach a debugger to the code and monitor SQL Server Profiler traces. With the Developer Dashboard, a developer can identify this type of problem, either programmatically by using the object model or visually by looking at page output.

Although performance issues and resource usage information is available in the Unified Logging Service (ULS) logs, interpreting the raw data can be very time consuming. With the Developer Dashboard, all the related information is correlated, which makes identifying these types of issues much easier.

How to enable Developer Dashboard and how to use this?

Enable / Disable over stsadm:

stsadm -o getproperty -pn developer-dashboard

stsadm –o setproperty –pn developer-dashboard –pv “On”

Enable / Disable over powershell

Turn On: for onDemain Mode
$service = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$addsetting =$service.DeveloperDashboardSettings
$addsetting.DisplayLevel = [Microsoft.SharePoint.Administration.SPDeveloperDashboardLevel]::OnDemand
$addsetting.Update()

Turn On
$service = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$addsetting =$service.DeveloperDashboardSettings
$addsetting.DisplayLevel = [Microsoft.SharePoint.Administration.SPDeveloperDashboardLevel]::On
$addsetting.Update()

Turn Off
$service = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$addsetting =$service.DeveloperDashboardSettings
$addsetting.DisplayLevel = [Microsoft.SharePoint.Administration.SPDeveloperDashboardLevel]::Off
$addsetting.Update() 

On – Displays the output all the time at the end of the page content
Off – Switch off Developer Dashboard and nothing is rendered
OnDemand – Displays a DeveloperDashboard icon to make dashboard output visible if needed.

In ON Demand - you will see a icon on the top right hand side corner of the site . as Shown below .

also you will see the following details when you click on the icon .

How to use the Developer Dashboard?
Developer dashboard is designed to find performance bottleneck during the page load.
To get an overview about the whole page load performance take a look in the upper right side  on category “web server”. On my test environment the total time of page rendering  is 3801.71 milli seconds.

At the left side you will see the ASP.NET rendering process of all involved controls with their time to render. Here is makes sense to focus only on long running controls.

In this case the longest operation is GetWebPartPageContent (1815.92 ms)

Because sharepoint controls will request data from database, the developer dashboard lists also corresponding sql requests with their execution time.

If you click on the sql command than a popup windows display more details. The long running sql request on my test environment is “Declare @…”

During this request i see the complete SQL query and the corresponding call stack to identify the correct control. Additionally at the end we see the IO Stats in case of a slow running SQL server based on too many IO-operations. 

One additional category exist for webparts to identify the slow running ones. In this case the ListView-Webaprt of the “Shared Document Library” is the slowest one.


Hope This Post helps administrators on resolving Performance issues .



Reference sites- http://msdn.microsoft.com/en-us/library/ff512745(v=office.14).aspx

http://blogs.technet.com/b/patrick_heyde/archive/2009/11/16/sharepoint-2010-enable-using-developer-dashboard.aspx

Psconfig Steps with their Operations performed at each task

Today Lets check out What happens when we run the Post Setup configuration Wizard . After setup is run the post setup configuration wizard must be run to complete the process of either creating a new farm or joining a server to an existing farm.

Psconfig Steps with their Operations performed at each task. 

Task 1 -      Initialize SharePoint products and technologies configuration 

Note - It Initializes the configuration and has very less chances of failing on this step.

Task 2 -    Create Configuration database. 

Note - It creates a new configuration Database in the sql . You need to have proper rights to create a database. 

Refer - http://technet.microsoft.com/en-us/library/cc678863%28v=office.14%29.aspx

Setup user account - The Setup user account is used to run the following:

• Setup

• SharePoint Products Configuration Wizard
• Domain user account.
• Member of the Administrators group on each server on which Setup is run.
• SQL Server login on the computer that runs SQL Server.
• Member of the following SQL Server roles:
• securityadmin fixed server role
• dbcreator fixed server role

If you run Windows PowerShell cmdlets that affect a database, this account must be a member of the db_owner fixed database role for the database.

If you find an issue Connecting Sharepoint to the Sql server. Create a UDL file and check for the connectivity. For further information on UDL check the link below

http://blogs.msdn.com/b/farukcelik/archive/2007/12/31/basics-first-udl-test.aspx

Task 3 -      Install help collections

Task 4 -       Secure SharePoint resources

Task 5 -            Register SharePoint Services

 Successfully provisioned service: Windows SharePoint Services  Usage.

Successfully installed service instance: Windows SharePoint Services Usage

Successfully provisioned service instance: Windows SharePoint Services Usage

Successfully installed service: Microsoft.SharePoint.BusinessData.SharedS

BdcService.

Successfully provisioned service: Microsoft.SharePoint.BusinessData.Share

e.BdcService.

 Task 6 -        Register SharePoint features

Successfully installed feature C:\Program Files\Common Files\Microsoft Sh…

Server Extensions\14\Template\Features\SPSearchFeature\Feature.xml.

Successfully installed feature C:\Program Files\Common Files\Microsoft Sh

b Server Extensions\14\Template\Features\TenantAdmin\feature.xml.

Task 7 -           Provision Central Administration Web application and site if   

                        Standalone install.

Task 8 -          Register SharePointHealth Analysis rules 

Task 9 -            Create sample data and provision default Web application 

Task 10 -         Install application content files

Installing the application content files...

Installing the SharePoint Central Administration Web Application content.

Installing the SharePoint Web Application content files...

Task 11 -Finalize SharePoint product and technologies configuration

One new feature of SharePoint Foundation 2010 is that it will automatically set up inbound Windows firewall rules when provisioning a Web application or Web services. During PSConfig, steps above firewall rules will be created for newly created Web applications and services.

Business Data Connectivity connectors are currently enabled in a partitioned environment: SharePoint 2013.

Problem: You could see in SharePoint Health Analyzer rule "Business Data Connectivity connectors are currently enabled in a partitioned environment."

Background:  Business Data Connectivity (BDC) Models containing External Content Types with database, WCF, Web service or custom connectors can be used by tenants to elevate their user permissions. In a partitioned environment, we recommend you disable the Business Data Connectivity connectors.

Reason for error: Business Data Connectivity connectors are currently enabled in a partitioned environment.

Resolution: Disable unwanted connectors by using Windows PowerShell.

To disable unwanted connectors, follow these steps:

1.      Click Start, click All Programs.

2.      Click Microsoft SharePoint 2010 Products.

3.      Click SharePoint 2010 Management Shell.

4.      At the Windows PowerShell command prompt, type the following command, and then press ENTER:

Get-SPServiceApplicationProxy

5.      Note the Business Data Connectivity proxy instance.

6.      You must set the EnableSystemType property to false for each unwanted connector. To do this, at the Windows PowerShell prompt, type the following command, and then press ENTER:

$proxy.EnableSystemType("Connector_type",$false)

Reference: http://support.microsoft.com/kb/983546

Applies to:

·        SharePoint Server 2013 

·        SharePoint Foundation 2013 

How to change service accounts and service account passwords in SharePoint Server 2007/2010

There might be a Need in the org to change the password of the service account as some administrator has Left or for some other reason to avoid any integrity issue .

Just as I was walking through the process of Changing Service account passwords in 2010 which i found the simplest .

I also wanted to share the old way of changing service accounts and service account passwords in SharePoint Server 2007 .

Please refer to the below link

http://support.microsoft.com/kb/934838

The steps in the KB article would walk you through the individual STSADM commands that were necessary to update the password for the following accounts on every server in the SharePoint Farm:

•Farm account
•Application pool account(s)
•Windows SharePoint Services Help Search Service
•Content access account (used by the Windows SharePoint Services Help Search Service)
•Shared Services Provider (SSP) account(s)
•Office SharePoint Server Search service

However in Sharepoint 2010 we have Managed Accounts

Launch SharePoint 2010 Central Administration (logon as Setup Farm Account)
Navigate to ‘Application Management’
In ‘Security’ Section Click‘Configure Manage Accounts
Click Register Managed Account

Add the New Account
User Name (NEW USER)
Password (NEW PASSWORD)

Update Security Groups on Each SharePoint Server.
Start – Administrative Tools – Computer Management
Expand System Tools -> Local Users and Groups – Groups
Set the permissions as below:

ADMINISTRATORS – add the new farm account confirm it exists
WSS_WPG – add the new farm accountconfirm it exists
WSS_ADMIN_WPG – add the new farm accountconfirm it exists

Launch Central Administration
Select Security
Select Configure Service Accounts
Update the following Accounts:
• Farm Account
• Windows Service – Microsoft SharePoint Foundation Sandboxed Code Service
• Windows Service – User Profile Synchronization Service
• Windows Service – Web Analytics Data Processing Service
• Service Application Pool – SecurityTokenServiceApplicationPool
• Service Application Pool – SharePoint Web Services System

You can also change only the password of the Service account

Launch SharePoint 2010 Central Administration (logon as Setup Farm Account)
Navigate to ‘Application Management’
In ‘Security’ Section Click
‘Configure Manage Accounts
Click on Edit besides the service account and then fill in the details
The Managed account should be already selected
Check the Change password now box
Set account password to new value
Confirm Password
Click ok

Hope This helps some Administrators .

You can also refer - http://blogs.technet.com/b/seanearp/archive/2011/01/25/updating-passwords-on-sharepoint-2010.aspx

Recover data from an unattached content database - Sharepoint 2010

Wow One more amazing feature .

Now you can Recover data from an unattached content database . you dont have to add the content database to a web application

As a Sharepoint administrator there might be a need to restore only some but not all content within a content database. How would you do that in SharePoint 2010 .

In earlier versions of SharePoint, to restore or recover content from a backup file, we had to restore the backed up file to a database server and had to attach that restored database to a another SharePoint farm. Then we needed to export the required content from this new temporary farm and then migrate it to the original farm where we wanted to recover it. This whole process required a huge time investment and rigorous planning.

To recover content from an unattached content database by using Central Administration

* Verify that the user account that is performing this procedure is a member of the Farm Administrators group and is a member of the db_owner fixed database role.

* In Central Administration, on the Home page, click Backup and Restore.

* On the Backup and Restore page, in the Granular Backup section, click Recover data from an unattached content database.

* On the Unattached Content Database Data Recovery page, type the database server name in the       
    Database Server text box and type the database name in the Database Name text box.

* Select the database authentication method that you want to use.

* Select the Browse content option, and then click Next.

* Click Start Restore.

* On the Browse content page, select the site collection, site, and or list that you want to restore, select the
   Backup site collection or Export site or list option, and then click Next.

Complete the process to restore the content.

To recover content from an unattached content database by using Windows PowerShell

Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

On the Start menu, click All Programs.
Click Microsoft SharePoint 2010 Products.
Click SharePoint 2010 Management Shell.
At the Windows PowerShell command prompt, type the following command

Get-SPContentDatabase -ConnectAsUnattachedDatabase  -DatabaseName <DatabaseName> -DatabaseServer <DatabaseServer>

Where:
<DatabaseName> is the name of the unattached database from which you want to recover content.
<DatabaseServer> is the name of the database server that hosts the unattached database from which you want to recover content

For reference - http://technet.microsoft.com/en-us/library/hh269601(v=office.14).aspx

Recently published content for SharePoint 2013

Published the week of January 21, 2013

Business Data Connectivity connectors are currently enabled in a partitioned environment (SharePoint 2013)   Describes how to resolve the SharePoint Health Analyzer rule.

Cached objects have been evicted (SharePoint 2013)   Describes how to resolve the SharePoint Health Analyzer rule.

Distributed cache service is not enabled in this deployment   Describes how to resolve the SharePoint Health Analyzer rule.

More Cache hosts are running in this deployment than are registered with SharePoint (SharePoint 2013)   Describes how to resolve the SharePoint Health Analyzer rule.

SPHA rule: This Distributed Cache host may cause cache reliability problems   Describes how to resolve the SharePoint Health Analyzer rule.

The number of Distributed Cache hosts in the farm exceeds the recommended value    Describes how to resolve the SharePoint Health Analyzer rule.

Use UPRE to replicate user profiles across multiple farms in SharePoint Server 2013   Learn how to use the User Profile Replication Engine to replicate user profiles across multiple SharePoint 2013 farms
.
Timer job reference (SharePoint 2013)   Describes the ways you can filter and view timer jobs and lists the default timer jobs that are in SharePoint 2013.

Upgrade from Office SharePoint Server 2007 or Windows SharePoint Services 3.0 to SharePoint Server 2013 or SharePoint Foundation 2013   Learn how to use the database-attach method to upgrade from Windows SharePoint Services 3.0 or Office SharePoint Server 2007 to SharePoint 2013.

Upgrade from other versions or other products to SharePoint 2013   Learn how to upgrade to SharePoint 2013 from other versions, such as Office SharePoint Server 2007 or Windows SharePoint Services 3.0.