Thursday, December 18, 2014

Configure SharePoint 2013 Object Cache Super User, Super Reader Accounts

SharePoint 2013 object cache stores metadata about SharePoint Server objects like SPSite, SPWeb, SPList, etc. on the Web Front Ends. SharePoint features such as publishing, content query web part, navigation, search query box , metadata navigation, etc fetches data from object cache, instead of hitting SQL Server when data needs to be retrieved from SharePoint objects to optimize page rendering.

For the object caching to work properly in SharePoint, We need to perform below tasks:
  • Create user accounts for "Portal Super Reader" and "Portal Super User" in your active directory
  • Grant web application policy on these user accounts on web applications.
  • Associate super user and super reader user accounts to web applications
These accounts simulates a reader and high-privileged users. If these accounts are not configured, you’ll see entries in the Windows event log with ids: 7362, 7363:
Object Cache: The super user account utilized by the cache is not configured. This can increase the number of cache misses, which causes the page requests to consume unnecessary system resources.

Event ID: 7362: The super user account utilized by the cache is not configured

Step 1: Create user accounts for "Portal Super Reader" and "Portal Super User" in your active directory
Go to your active directory, create two user accounts. In my case, I've created these accounts in my domain: "Crescent" as:
  • SPS_SuperUser
  • SPS_SuperReader
I've used the below PowerShell script to create these accounts in  Active directory:
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
 
#Set configurations
$AccountPassword = "Password1"
#Convert to Secure string
$Password = ConvertTo-SecureString -AsPlainText $AccountPassword -Force
 
$Domain = "YourDomain.com"
#Specify the OU
$AccountPath= "ou=SharePoint,DC=YourDomain,DC=com"
 
#Create Super Reader Account
$Account="SPS_SuperReader"
New-ADUser -SamAccountName $Account -name $Account -UserPrincipalName $Account@$domain -Accountpassword $Password -Enabled $true -PasswordNeverExpires $true -path $AccountPath -OtherAttributes @{Description="SharePoint 2013 Super Reader Account for object cache."}

#Create Super User Account 
$Account="SPS_SuperUser"
New-ADUser -SamAccountName $Account -name $Account -UserPrincipalName $Account@$domain -Accountpassword $Password -Enabled $true -PasswordNeverExpires $true -path $AccountPath -OtherAttributes @{Description="SharePoint 2013 Super User Account for object cache."} 

Step 2: Grant web application policy on Super User, Super Reader accounts on all web applications
After account are created, we have to grant permissions at web application level. Navigate to
  1. SharePoint Central administration >> Application Management >> Manage web applications.
  2. Select your web application >> From the ribbon, click on User Policy button.
  3. Click on "Add" button from the User policies page.
  4. From the zones list, select "All zones" and click on next.
  5. In the Add users page, Enter the Super Reader user name. Under Permissions, Select "Full Read" option and Click on Finish button.
Repeat these steps for Super user account as well. In the 5th step, Enter the Super User account and choose "Full Control" permission. We got to repeat this procedure for all of our web applications. So, lets automate with PowerShell.

PowerShell script to grant web application user policy on all web applications:
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

Function Grant-UserPolicy($UserID, $WebAppURL, $Role)
{
    #Get the Web Application
    $WebApp = Get-SPWebApplication $WebAppURL
 
    #Convert UserID to Claims - If Web App is claims based! Domain\SPS_SuperReader to i:0#.w|Domain\SPS_SuperReader
    if($WebApp.UseClaimsAuthentication)
    {
        $UserID = (New-SPClaimsPrincipal -identity $UserID -identitytype 1).ToEncodedString()
    }
 
    #Crate FULL Access Web Application User Policy
    $ZonePolicies = $WebApp.ZonePolicies("Default")
    #Add sharepoint 2013 web application user policy with powershell
    $Policy = $ZonePolicies.Add($UserID,$UserID)
    #Policy Role such as "FullControl", "FullRead"
    $PolicyRole =$WebApp.PolicyRoles.GetSpecialRole($Role)
    $Policy.PolicyRoleBindings.Add($PolicyRole)
    $WebApp.Update()
 
    Write-Host "Web Application Policy for $($UserID) has been Granted!"
}

#Get all Web Applications
$WebAppsColl = Get-SPWebApplication
foreach($webApp in $WebAppsColl)
{
    #Call function to grant web application user policy
    Grant-UserPolicy "Crescent\SPS_SuperReader" $webapp.URL "FullRead"
    Grant-UserPolicy "Crescent\SPS_SuperUser" $webapp.URL "FullControl"
}

This adds "Full Control" user policy to all of your web applications for the Super User account and "Full Read" user policy to Super Reader account. You can go back to Web application user policies page to verify that these accounts are added to web applications.

Step 3: Associate super user and super reader accounts to web applications
Once web application policies are created, We've to associate Super User and Super Reader accounts with Web applications either with classic STSADM or using PowerShell commands.

stsadm -o setproperty -propertyname portalsuperuseraccount -propertyvalue Crescent\sps_superuser -url "Web-app-url"

Same can be done with PowerShell as,
$WebApp = Get-SPWebApplication "http://web-app-url/"

$webApp.Properties["portalsuperuseraccount"] = "i:0#.w|Crescent\SPS_superuser"
$webApp.Properties["portalsuperreaderaccount"] = "i:0#.w|Crescent\SPS_superreader"

$WebApp.Update()
Lets use PowerShell to Add object cache accounts with all web applications:
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Get all Web Applications
$WebAppsColl = Get-SPWebApplication

foreach($webApp in $WebAppsColl)
{
    #Update with your SuperUser and Super Reader Ids
    $SuperReader = "Crescent\SPS_SuperReader" 
    #Convert to Claims ID
    $SuperReaderID = (New-SPClaimsPrincipal -identity $SuperReader -identitytype 1).ToEncodedString() 

    $SuperUser = "Crescent\SPS_SuperUser" 
    $SuperUserID = (New-SPClaimsPrincipal -identity $SuperUser -identitytype 1).ToEncodedString()

    #Set Super User and Super Reader accounts 
    $webApp.Properties["portalsuperreaderaccount"] = $SuperReaderID 
    $webApp.Properties["portalsuperuseraccount"] = $SuperUserID 

    $webApp.Update() 
    Write-host Object cache accounts updated for $WebApp.URL
}
On Publishing sites, object cache is turned ON automatically. Once its enabled at web application level, you can adjust object caching settings from "Site collection object cache " link under site collection administration settings .
Technet reference: Configure object cache user accounts in SharePoint Server 2013

You might also like:
SharePoint Usage Reports
Usage reports, collaboration and audit for SharePoint.
Five Challenges in SharePoint Security
...And How to Solve Them. Free White Paper
*Sponsored


Tuesday, December 16, 2014

Migrate SharePoint Users from One Domain To Another

Requirement:
During a acquisition, Our company decided to merge with an acquired company's AD by re-creating their user Ids in our AD. Also, the acquired company had a bunch SharePoint sites and we wanted to migrate them to our SharePoint environment.

That brought an another challenge of re-mapping user Ids with permission between domains. How do we migrate SharePoint users from one domain to another domain?

Solution: 
Well, In SharePoint 2007 days, I used STSADM to migrate users between domains:
Stsadm -o migrateuser -oldlogin domain\OldUserID -newlogin domain\NewUserID -ignoresidhistory 

Now with SharePoint 2013, Its replaced with the PowerShell cmdlet: Move-SPUser. So, rather moving users one by one, we prepared a CSV file, mapping users from one domain to new domain and used PowerShell script to migrate users in bulk.

Here is my CSV file structure:
sharepoint migrate users between domains

The csv file just maps old SAMAccountName with the new one.

PowerShell script to Migrate Users from one domain to another:
Add-PSSnapin Microsoft.SharePoint.PowerShell

#Import data from CSV file
$UserData = Import-CSV -path "C:\Accounts.csv"

#Iterate through each Row in the CSV
foreach ($Row in $UserData)
 {
    write-host "Processing user:" $row.Email

    #Site collection URL
    $siteURL ="https://intranet.crescent.com"
    $site = Get-SPSite $siteURL

    foreach($web in $site.AllWebs)
     {
        #Get All Users
        $UserColl = Get-SPUser -web $web.Url

        foreach ($User in $UserColl)
        {
            #Get values from CSV File
            $OldUserID= $Row.OldUserID.Trim()
            $NewUserID =$Row.NewUserID.Trim()
            $Email = $Row.Email.Trim()

            #Search for Old User Accounts
            if($User.UserLogin.Contains($OldUserID))
             {
                #Update the User E-mail
                Set-SPUser -Identity $User.UserLogin -Email $Email -Web $web.URL

                $NewUser = $User.UserLogin.replace($OldUserID, $NewUserID)

                #Migrate user from Old account to new account - migrate users to new domain
                Move-SPUser -Identity $User -NewAlias $NewUser -IgnoreSID -confirm:$false
                write-host "User Migrated: $($User.userlogin) at site $($web.Url)"
             }        
        
        } 
    }
}
This PowerShell script migrates users to new domain programmatically. You have to use the same method when users leaves the company and rejoin - if their AD accounts are deleted and re-created.

You might also like:
SharePoint Usage Reports
Usage reports, collaboration and audit for SharePoint.
Five Challenges in SharePoint Security
...And How to Solve Them. Free White Paper
*Sponsored


Thursday, December 11, 2014

Get All Users of SharePoint Farm-Web Application-Site Collection-Site using PowerShell

Requirement: Get all users of SharePoint environment.

PowerShell script to get all SharePoint users at Farm-Web Application-Site Collection-Web levels:
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Output Report File
$currentLocation = (Get-Location).Path
$outputReport = $currentLocation + "\" + "SharePointUsers.csv" 
#Write CSV File Header

#Array to hold user data
$UserDataCollection = @() 

#Get All Web Applications and iterate through
$WebAppsColl = Get-SPWebApplication 
#To Get all Users from specific web application, Use: $WeAppsColl = Get-SPWebApplication "web-app-url"
#and remove line #12
 
foreach($WebApp in $WebAppsColl)
{
    Write-host "Scanning Web Application:"$WebApp.Name
    #Get All site collections and iterate through
    $SitesColl = $WebApp.Sites
    #To Get all Users from site collection, Use: $SitesColl = Get-SPSite "site-collection-url"
    #and remove lines between #11 to #20 and Line #55 "}"
    #get all users from site collection PowerShell
    foreach ($Site in $SitesColl) 
    {
        Write-host "Scanning Site Collection:"$Site.URL
        #Get All Webs and iterate through
        $WebsColl = $Site.AllWebs
        #To Get all Users from aq site, Use: $WebsColl = Get-SPWeb "web-url"
         #and remove lines between #11 to #28 and Lines #53, #54, #55 "}"

            foreach ($web in $WebsColl) 
            {
                Write-host "Scanning Web:"$Web.URL
                #Get All Users of the Web
                $UsersColl = $web.AllUsers  #get all users programmatically 
                    #list all users 
                    foreach ($user in $UsersColl) 
                    {
                           if($User.IsDomainGroup -eq $false) 
                            {
                                $UserData = New-Object PSObject
              
                                $UserData | Add-Member -type NoteProperty -name "UserLogin" -value $user.UserLogin.ToString()
                                $UserData | Add-Member -type NoteProperty -name "DisplayName" -value $user.displayName.ToString()
                                $UserData | Add-Member -type NoteProperty -name "E-mailID" -value $user.Email.ToString()

                                $UserDataCollection += $UserData
                            }
                    }
            $Web.dispose()
            }
         $site.dispose()
        }
    }    
    #Remove duplicates
    $UserDataCollection = $UserDataCollection | sort-object -Property  {$_.UserLogin } -Unique 

    #Remove duplicates and export all users to excel
    $UserDataCollection | Export-Csv -LiteralPath $OutputReport -NoTypeInformation
         
    Write-host "Total Number of Unique Users found:"$UserDataCollection.Length

This script can be used to get all users in site collection and export all users to excel.

You might also like:
SharePoint Usage Reports
Usage reports, collaboration and audit for SharePoint.
Five Challenges in SharePoint Security
...And How to Solve Them. Free White Paper
*Sponsored


Monday, December 8, 2014

The installation of this package failed - Error in SharePoint 2013 Hotfix Installation

During a planned quarterly maintenance window, wanted to patch SharePoint 2013 servers with available hot fixes and cumulative updates (CU). As the first step, From Microsoft site http://technet.microsoft.com/library/dn789211%28v=office.14%29, requested hot fixes, Received an E-mail with hot fix links, downloaded those hot fixes and extracted to individual folders as in the below screen.
sharepoint cu the installation of this package failed

When trying to patch SharePoint 2013 servers with those hot fixes, installation failed suddenly with an error "The installation of this package failed".
sharepoint 2013 cu the installation of this package failed
Troubleshooting: 
Navigated to "%Tmp%" location and tried catching the root cause of the failure from the log file generated "opatchinstall.txt". Found these lines while scanning through the log file: "Getting the data from file <path location> UBERSRV_2.cab"
the installation of this package failed sharepoint foundation 2013
So, the catch here is, Hot fix installer is looking for "ubersrv_2.cab" file which we extracted into a different folder, and fails since it couldn't locate that file on the same folder it exists.

Solution:
Solution is simple! Just place all three extracted files together in the same folder and re-run the hot fix installation. It went through well after moving cab files in to the same folder where the hot fix installer ubersrv.exe was placed.
sharepoint 2013 service pack the installation of this package failed



You might also like:
SharePoint Usage Reports
Usage reports, collaboration and audit for SharePoint.
Five Challenges in SharePoint Security
...And How to Solve Them. Free White Paper
*Sponsored


Sunday, December 7, 2014

Disable UAC in Windows Server 2012 - SharePoint Best Practice

In SharePoint 2013 farms on Windows Server 2012, its annoying that we've to choose "Run as Administrator" every time when opening Central Administration, Command Prompt, SharePoint Management Shell, Windows PowerShell,etc. and failing so would introduce some weird issues such as: buttons and links missing in SharePoint Central Admin ribbon, Getting Access denied for Farm administrators, etc.
PowerShell too! When launching SharePoint Management shell, it scolds with "The local farm is not accessible. Cmdlets with featuredependencyId are not registered." On running any SharePoint cmdlets, "Cannot access the local farm. Verify that the local farm is properly configured, currently available, and that you have the appropriate permissions to access the database before trying again."
Although I'm a Domain Administrator and Local Server administrator, I've to pick "Run as Administrator" to get rid of these issues. I hate to do Right Click and choose "Run as Administrator" every time on these programs. So, Lets disable UAC in Windows Server 2012 in two steps. Here is how:
  • Go to Server Manager >> Choose "System Configuration" from Tools menu. (Shortcut: MSCONFIG)
  • Under Tools tab, Select "Change UAC Settings" and click on "Launch" button

  • Drag the slider down to "Never Notify" and click "OK".

But wait! We are not yet done. Make this registry change!
Unlike Windows Server 2008 R2, Sliding down UAC button to "Never notify" will NOT disable UAC in Windows Server 2012. You got to do one more fix in windows registry:
  • Open Windows Registry Editor (shortcut: regedit)
  • Navigate to the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
  • In the Right Pane, locate the "EnableLUA" DWORD value. Double click and set its Value "0" (zero)
  • Exit Registry Editor and then restart your Server.
You can achieve the registry fix with PowerShell. Just run these commands in Windows PowerShell.
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA" -Value "0"
Shutdown -r -t 0 
This script disables UAC and restarts your Server automatically!

You might also like:
SharePoint Usage Reports
Usage reports, collaboration and audit for SharePoint.
Five Challenges in SharePoint Security
...And How to Solve Them. Free White Paper
*Sponsored


You might also like:

Related Posts Plugin for WordPress, Blogger...