Tuesday, 21 June 2011

Modified AD attributes not in sync with SharePoint portal

Changes made in the User attributes of Active Directory are not reflected in SharePoint portal (MOSS2007)

Queries:
i) created a new User Property attribute and mapped it to the MiddleName. now can’t see it in the list when defining the column type as ‘Person or Group’.

ii) unable to pull the AD attributes and fields on intranet site

 


I have made a connection to our Active Directory and the Synchronization of profiles is working like a charm
Solution is:
Access the SharePoint CA (central admin) using the Farm Admin account,  under Shared Services Administration » select the SharedServices » click user profiles and properties »
click custom source »



and then EDIT the existing connection



just maintain the same fields except for the authentication information where you have to reapply the credentials preferably with domain power user rights.

and then click ok. After which you have to start the crawling services so that the AD fields are fetched immediately.. if on production environment please note to avoid such crawling (full or incremental) after business hours as this will utilise higher resource bandwidth.

the above screen-shots were the recommended solutions from microsoft recently on our portal which I have snipped from our prodcution servers to share with the SharePoint professionals.

leave your comments if interesting or need further descriptive solution.
-Rinith




Monday, 20 June 2011

VBScript to get Hostname and Whoami

you may wonder what're whoami, systeminfo, and other simple dos commands, the o/p for which you have to at least click 5-10 clicks using web interface.. unix, dos and shell savvies would love such commands including me which is what being fetched by the web apps codes to populate currently logged-in user, machine name, current logged in email account, so on and so forth.

'---- your code starts here ... KTR
Dim objNet
On Error Resume Next

'In case we fail to create object then display our custom error
Set objNet = CreateObject("WScript.NetWork")
If  Err.Number <> 0 Then                'If error occured then display notice
 MsgBox "Don't be Shy." & vbCRLF &_
               "Do not press ""No"" If your browser warns you."
 Document.Location = "UserInfo.html"  
                                        'Place the Name of the document.
                                 'It will display again
End if

Dim strInfo
strInfo = "User Name is     " & objNet.UserName & vbCRLF & _
          "Computer Name is " & objNet.ComputerName & vbCRLF & _
          "Domain Name is   " & objNet.UserDomain
MsgBox strInfo

Set objNet = Nothing                    'Destroy the Object to free the Memory

'---- your code ends here --- copy and paste with .vbs extenstion if needs testing

VB Script to send email

VBscript to send email without SMTP service running on your local machine:
dont burn up your mind to know how..
just copy and paste the below vbscript in a notepad and save with the name say send.vbs
you can also copy the below code to embed within your custom developed programs (.net/ aspx/..)
I have tested this in the access, .aspx for sharepoint, and customised applications. You wont believe  this can be also embedded within Excel if you are interested in getting an email every time an excel file is updated by someone in your organisation.. what you are waiting for just adapt and transform the below code :)
'------------------------------------ vbscript begins here
Set objMessage = CreateObject("CDO.Message")
objMessage.Subject = "User account unlocked"
objMessage.From = "itsupport@yourdomain.com"
objMessage.To = "abc@yourdomain.com"
objMessage.TextBody = "This is some sample message text."
'==This section provides the configuration information for the remote SMTP server.
'==Normally you will only change the server name or IP.
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
'Name or IP of Remote SMTP Server
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "your smtp server address, can also specify IP address"
'Server port (typically 25 or check with your exchange admin)
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objMessage.Configuration.Fields.Update
'==End remote SMTP server configuration section==
objMessage.Send



'-------------------------------------------------------- vbscript ends here



you can either execute the above script manually, or create a scheduler task to execute the above .vbs so that it can be used as an automated process.



To know more about Ports and how to independently search for it from your machines without an domain admins assistance.. will be posting the infos soon under IT» Scripts and Tips Unleashed .
please comment if you have better suggestion so that I can review, test and share the info.

Single signon issues with Sharepoint (MOSS2007)

for some reason if your sharepoint server or any other application server is creating an authentication issue (especially with credentials pop-up) please consider reading the below article which is already puplished at the microsoft site. re-registering will do no harm with the FQDN. I have highlighted the commands which you need to look at. let me know in case of any doubts which I would be happy to explain.

Kerberos Authentication and Delegation.. one of the areas which needs to be looked at

The Kerberos authentication protocol is a technology for single sign-on to network resources. This enables web parts to access remote resources i.e. it makes it possible for web part to access cube information from Analysis Services running on another machine then your SharePoint machine with logged on/page user identity.


Requirements

  • All accounts (including machine accounts) must belong to the same Windows 2000/2003/2008 based Active Directory domain (or to trusted domains in the same forest).
  • User account (s) must allow delegation (default). The user account (s) you want to be delegated must have the Account Is Sensitive And Cannot Be Delegated option cleared (i.e. not checked). You'll find this property in Active Directory Users, under the Account property tab.
  • If running Analysis Services 2000 you must have SP3 or higher. SP3 or higher version of PTS needs to be installed both on the server and on the client. In this case the client is the SharePoint Server.
  • SPN (Service Principal Names) configuration utility. To configure SPN's you need the tool setspn.exe that can be downloaded from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/setspn-o.asp.
  • For more in detail requirements please read following articles:

- Enabling Kerberos Authentication for Analysis Services 2000 or Analysis Services 2005


Configuration

1.            Enable Kerberos in the IIS Metabase on your SharePoint machine

To configure a virtual server that is extended with Windows SharePoint Services to use Kerberos authentication, you must first enable Kerberos in IIS. To enable Kerberos on the virtual server, first you need to shutdown IIS (iisreset /stop in the command window) and then follow these steps:

a.     On your SharePoint server, start Notepad, and then open the \system32\inetsrv\Metabase.xml file located on the hard disk.

b.     In the <IIsWebServer> section, locate the following line:

NTAuthenticationProviders="NTLM"

Modify the line so that it reads exactly as follows:

NTAuthenticationProviders="Negotiate,NTLM"

c.     Save changes and then quit Notepad.

d.     Start IIS (Run iisreset /start in the command window).

2.            Configure SharePoint machine to be Trusted for Delegation

To configure your SharePoint server to be trusted for delegation, follow these steps:

a.     On the domain controller, start Active Directory Users and Computers.

b.     In the left pane, click Computers.

c.     In the right pane, right-click the name of your SharePoint server, and then click Properties.

d.     Click the Delegation tab (or General for WinSrv2000), click to select the Trust computer for delegation check box.

e.     Quit Active Directory Users and Computers.

3.            Configure the domain account to be trusted for delegation

This is only necessary if the application pool for your SharePoint service is running under a domain account. To configure the domain account to be trusted for delegation, follow these steps:
                  a.     On the domain controller, start Active Directory Users and Computers.

b.     In the left pane, click Users.

c.     In the right pane, right-click the name of the account that runs the SharePoint application pool, and then click Properties.

d.     Click the Delegation tab (or for WinSrv2000 Account tab) click to select the Account is trusted for delegation check box, and then click OK.

e.     Quit Active Directory Users and Computers.

4.            Configure Service Principal Names

You only have to configure SPN's if SharePoint Service and/or Analysis Services is running under a domain account (I.e. you do not have to perform this step if your services is running under a built-in security principal such as NT Authority\Network.

a.     Perform this step if SharePoint Services runs in a application pool under a domain account. Type the following line at the command prompt on your SharePoint machine, and then press Enter, where ServerName is the NETBIOS or DNS name of your SharePoint server machine, Domain is the name of your domain, and UserName is the name of the domain user account running your SharePoint Services application pool:

setspn -A HTTP/ServerName Domain\UserName

b.     Perform this step if Analysis Services runs under a domain account. Type the following line at the command prompt on your Analysis Services machine and then press Enter, where ServerName is the NETBIOS or DNS name of your Analysis Server machine, Domain is the name of your domain, and UserName is the name of the domain user account running your MSSQLServerOLAPService:

Analysis Services 2000: setspn -A MSOLAPSvc/ServerName Domain\UserName

Analysis Services 2000: setspn -A MSOLAPSvc.3/ServerName Domain\UserName

5.    Configure connection string for the data sources

Each data source definition must have the SSPI property set to Kerberos to enable Kerberos Authentication. Add ;SSPI=Kerberos; to the connection string on all defined data sources. See how to configure a data source. Note: To verify that Kerberos Authentication works for your OLAP server you can run the MDX sample application locally on the OLAP server. In the Connect dialog add the string ;SSPI=Kerberos after the server name and try to connect.

Example to register a Server Principal Name

Say your MSOLAPServices runs on a machine called IM-PROD and you've decided to run the service under a domain account named F.Lastname. In this case, you add a SPN (Service Principal Name) on your IM-PROD machine for MSOLAPSvc with F.Lastname as the service account:

setspn -A MSOLAPSvc/IM_PROD.Mydomain.com MyDomain\F.Lastname

setspn -A MSOLAPSvc/IM_PROD MyDomain\F.Lastname

this way you register with the AD

Register NETBIOS or/and DNS name
It can be convenient to use both NETBIOS and DNS name because it allows the client to specify either name, but bear in mind that NETBIOS names might not be unique across the directory and, if a duplicate SPN is found in the directory, authentication will fail. If you're worried about this, use only DNS names when registering SPNs, and make sure your clients always use the fully qualified DNS name when making authenticated connections to a server using Kerberos.

AD permission to unlock user account

How To Delegate the Unlock Account Right to a group or user:
  1. Create the group or user account that you want to have the right to unlock user accounts in Active Directory Users and Computers (for example, Help Desk Admins).
  2. Right-click the domain (yourdomain.com) in Active Directory Users and Computers, and then click Delegate Control from the menu that is displayed.
  3. The Delegation of Control Wizard should be displayed. On the Welcome dialog box, click Next.
  4. On the Users and Groups dialog box, click Add. Select the group in the list that you want to give the right to unlock accounts, and then click OK. On the Users and Groups dialog box, click Next.
  5. On the Tasks to Delegate dialog box, click Create a custom task to delegate, and then click Next.
  6. On the Active Directory Object Type dialog box, click Only the following objects in the folder:. In the list, click User objects (the last entry in the list), and then click Next.
  7. On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the Read lockoutTime check box, click to select the Write lockoutTime check box, and then click Next. (you can also select other relevant permissions like for ex "read accountexpires" which may help the help desk officer to inform the locked out user about the account expiry time and advise them to action it asap)
  8. On the Completing the Delegation of Control Wizard dialog box, click Finish.

Saturday, 18 June 2011

Check out Hindi/ Malayalam Online FM

Check out Malayalam/ Hindi Online FM access from your iPhone/ Blackberry.. cool stuff.

Friday, 17 June 2011

Script Backup

Backup folders/ files to network share using simple DOS command.
(save money by purchasing softwares which can do the below process)
so here we go:
simple xcopy command needs to be created on a bat file so that the .bat can be automated by windows scheduler.
for eg:
xcopy "D:\GP Backup\SQL Svr Bkp\09" \\qdc-gp\Backup /E /R /Y /D /Q
the above command says to copy everything (files and folders) under 09 directory to a network path under folder Backup. make sure you follow the syntax and the path should be specified within "" so that any spaces in between will be taken care of. 
/E stands for .. Copies directories and subdirectories, including empty ones
/R stands for .. Overwrites read-only files
/Y stands for .. Suppresses prompting to confirm you want to overwrite an existing destination file.
/D stands for .. If no date is given, copies only those files whose source time is newer than the destination time. if you want a specify date, provide in /D:m-d-y format.
/Q stands for .. Does not display file names while copying.


Make sure that the destination share folder has write permission to the account with which the batch file will be executed.
you may apply the above command which are legitimate form your perspective.


xcopy /? will give you the syntax and the relavent usage of switches
Interesting part is scheduling the batch file and alerting the concerned staff with an automated email after the backup completes.