Author: givenscj

Posted on

Latest SharePoint Jokes

Here's my latest attempt to lighten up the SharePoint community.  You can check out my blockbuster first of a kind 2007 jokes.

  • After installing SharePoint 2010 and running the Farm Configuration Wizard, IT found that users were not able to load Excel Workbooks in the browser.  When IT called Microsoft support, they replied:
    • "Ok, this is very good, this won't take a minute…"
  • What did Hostess Bread Company say to the SharePoint product team?
    • We charge extra for Service Application breadcrumbs
  • How many internal developers do you need to deploy a bad SharePoint Solution?
    • None, you only need a Site Collection admin to upload to the "Solutions" Gallery from codeplex
  • A developer had a monthly meeting with his manager and when the manager asked what he had been doing for the past month
    • He replied "Installing SharePoint 2010 on my Windows 7 Machine
  • An Microsoft Certified Trainer (MCT) was delivering a public SharePoint course and one of the students asks "Can you come to my office and train our company"
    • The MCT replies "I don't have 45 open training days in 2011"
  • A customer asked a consultant, "How long does a SharePoint backup take?"
    • The consultant replies, "Do you actually want it to restore successfully?"  
  • An Older SharePoint 2010 Farm was just sitting around responding to HTTP Requests, when all of a sudden the Farm stopped responding.  The Administrator immediately asks, "What's wrong Farm?" , the Farm responds, "I forgot all the managed accounts passwords can you help me sonny?"
  • What did the lazy SQL server say to the SharePoint Farm?
    • I have to host *how* many databases, can't you just put these on DB/2?
  •  An End User was told by his management to tag all content appropriately and to ensure that he ranks all the data.  A week later the manager calls the employee in and the employee sees an HR rep in the room.  The Manager asks "I'm sure you know why you are here?".  The employee says "No, Sir".  The manager says "What is this tag called sh*t with a rank of 1 on your collegues content?". 
    • The employee responds, "You told me to tag everything appropriately"
  • A CTO saw a cool demo of SharePoint 2010 and decided to convert his internal Lotus Notes applications to SharePoint, when he asked the Microsoft Sales rep what product he would need, they replied, "Well….you'll need this, this, this, this and this, one of these and this, but if you upgrade to an EA agreement, then it will only be $40,000 more and I'll throw this picture of Steve Balmer in for free"
  • An End User was filling out a BCS External List new item form and was getting an error when saving. 
    • After calling the helpdesk the helpdesk replied, you are doing it wrong, you can't type "Alaska", you have to type "1"!!
  • What did one child SPPersisted object say to another? 
    • Hey, do you know where my parent went?
  • What did the JavaScript and JScript say to the SharePoint ECMA script? 
    • When did you get a legal name change?
  • What did the SP WCF service say to the client when it errored? 
    • Don't tell me no lies and I won't tell you any details!
  • Police were called to a technology company on Wednesday for a mysterious death. 
    • After interviewing witnesses investigators found out an IT person attempted to configured SharePoint 2010 User Profile services and then proceeded to jump out a 5-story window.
  • What did SharePoint say to the SQL Server? 
    • HELLOCAN-YOUC-REAT-EADA-TABASEFORME?
  • A hacker was asked how much he would charge to steal information from a company.  He replies, "it depends".  The inquirer asks "on what".  The hacker replies, "On the technology".  The inquirer says "it is a SharePoint
    Farm".  The Hacker says in his best Thai-land voice, "Easy, five-dollar"!
  • One day two older SharePoint ghosts were talking to each other about the upcoming upgrade to 2010.
    • Ghost 1: "Hey, did you hear about the new guy?"  Ghost 2: "No, what about him?"  Ghost 1: "I heard he just got de-rezed!"
  • What did SharePoint 2010 say to the 2007 content database? 
    • "I'm putting you on the RBS diet plan"

       

  • What did the Hyper-V team ask the VMWare team? 
    • Can you help us?
  • How many IT guys does it take to install SharePoint?
    • I'd say one, but Spencer Harbars is too good to do any *real* work, so the real answer is 4 SharePoint MVPs, 25 SharePoint Microsoft Consulting Services guys, and half the SharePoint Product Team
  • What did one SharePoint Saturday say to another?
    • I'll trade you this MVP for that MVP… 

 

Posted on

SharePoint 2010 Delegated Administration

Have been wanting to try this for a while now and just now got some time to do it today.  The Central Administration site is just a SharePoint site with libraries and links, so I was curious what would happen if you were added to the site as a simple reader.  Here's the results:

As a reader and contributor, you do not gain access to Central administration and you will get the access denied error message.  The real magic comes in being in a specifically names group, there are two groups in the SCA:

  • Farm Administrators
  • Delegated Administrators

Full Control, Contributor and Read permission levels have no role to play in the links on the SCA.  What does matter is what group you reside in.  Being a Farm Administrator allows you to do anything in the SCA.  Being a Delegated lets you do a subset of actions, one of the items you cannot do is to create new Web Applications, but when it comes to the majority of other things, you can do them!  The thing that I would be more insterested in how one would target the links in Quick Launch to specific people.  IE, something like the following:

  • Web Application manager
  • Service Account Manager
  • Service Application Manager (like a global service app manager role rather than manually apply to each one)
  • Backup Restore Manager
  • Content Deployment Manager

Service applications have a completed different architecture to them.  Each service application can have an "Administrator" assigned to it.  I found a great article that describes this process here:

http://www.sharepointanalysthq.com/2010/10/creating-a-delegated-administrator-for-a-service-application/

However, this also doesn't have much in terms of granular controls.  Its all or nothing for most of them.  These need more granular controls setup for them.  Security seems to be an afterthought in SharePoint, has been, probably always will be.

Chris

Posted on

Records Center and Document Sets

Got this question asked last week for the second time.  What happens when you submit a document set to a record center?  Can you even do it?  Answers please!  Here we go…

Can you submit a document set to a records center? 

  • Yes!  it is not the typical "Send To->" menu in the drop down, but it does say "Send to another location", then you are presented your send to options. The directory is turned into a ZIP file and submitted!  Jury is still out on if this is a good way to go or not.

What happens if the document set is versioned?  Do the versions get submitted? 

  • No, only the latest version is submitted to the records center.  However, when the record is submitted, if it has the same name as another "record" it will get a unique ID appended to the record's file name.  This means that on top of every version that you submit and approve, you will also need to submit the record to the record center to keep track of its progress.  It will not move automatically if you don't do this.

 What will happen if you submit a document set with a document set?

  • You can't put a document set inside another document set.  At least, not with the UI anyway.  NOTE:  A document set is a folder, folders CAN contain folders and with some database magic you can make this occur. 

Therefore, what happens when you have a document set with a folder and/or a zip file in it? 

  • Simiarly, you can't add folders to a document set! You can however add a zip file to the document set, this works simiarly to simply adding a zip to a zip.  NOTE:  The zipping code is calling .NET Packaging and that's why you get the extra items like "_rels" and "resources" in the file.  I do a similar call in my course bulider tool

Can you rate a Document Set?

  • No, just like folders, you cannot rate a document set

Can you rate documents in a Document Set?

  • Yes, a document set is just like a folder and therefore any document inside of it can be rated.

Enjoy!
Chris

 

Posted on

SharePoint Auditing For Black Hats

SharePoint is not a secure application.  But neither are any other applications out there.  Their are some mechanisms in SharePoint that allow overriding the access permissions to SharePoint sites.  These mechanisms can allow access to resources without the content owners knowing about it. There are however ways to learn of these individuals access via Auditing.  The problem with auditing is that you can clear the audit log.  Let's take a look at how this all works:

Basic site permissions:

Open SharePoint 2010 Central Administration
Create a new web application on port 100
Create a new site collection with a team site template
For the site collection owner assign as user, in my example I'm using ContosoSP_Admin

You should now be able to open the site using the browser (http://servername:100) as the SP_Admin user:

 

Create a new document in the "Shared Documents" library
Try to login using a different account (in my example "Dan Jump"), you will get access denied:

Advanced Web Application Permissions:

Switch back to Central Administration
Click "Manage web applications"
Select the port 100 web application
In the ribbon, click "user policy"

Click "Add Users"

Select "all zone", click "next":

Type a user, in my example I use "Dan Jump"
Click the "Full Control" checkbox:

 

Click "Finish"
Switch to the browser, try to access the site using "Dan Jump"
You will be allowed access!:

Click "Site Actions->Site Permission", notice the permissons on the site, it does not show "Dan Jump" having access
 

Notice that Dan can see the document even though no visible permissions are present
Delete the document in the document library and from the recycle bin. 
It lets you do it!  Poor SP_Admin won't know where his document went!

 

This scenerio presents some challenges around accountability.  SharePoint administrators can at will assign permissions to sites, that by default are not tracked!

Site Collection Auditing:

Login to the team site as SP_Admin
In the Team site, click Site Actions->Site Settings
Under Site Collection administration, click "site collection audit settings":

In the documents and items section, check all the checkboxes
In the list, libraries and sites section, check all the checkboxes

Click "Save"
Add a new document to the document library
Login to the team site as "Dan Jump"
Delete the document

Now where to find reports?  In some cases, you have to enable the site collection feature called "SharePoint Server Standard site collection features" first to get this link:

Click "Audit log reports"
Click "Deletion"

Click "Browse"
Select the "Shared Documents" library
Open the library, click "You should see the information that "Dan Jump" did in fact delete the document:

Sweet right!?!  The audit log will record everything that happens on the site (as long as you tell it to anyway), even permission changes. But what if "Dan Jump" is an admin up to no good? "Dan Jump" could simply clear that audit log using a couple of methods.

Clear the Audit log:

You can clear the audit log by using the Object Model, PowerShell, or simply running this command:

SQL:

truncate table auditdata

PowerShell:

$spsite = get-spsite "http://servername:100"
$spsite.audit.deleteentries([System.DateTime]::Now.ToLocalTime().AddDays(1))
$spsite.audit.update()

 Trying to rerun the report will result in an error, which is a bug in SharePoint by the way (a null/empty report is being returned and it can't handle it):

 

If "Dan Jump" wants access to the data without any auditing, he can also do that by accessing the database directly. See this post on how to dump the contents of the content database:

http://bit.ly/3pdf45

And with this guidance, black hat paradise awaits you…this post is designed to bring focus to security and governance.  If you haven't thought about it yet, well….all you should be focused on
is Governance, Governance, Governance BEFORE you deploy SharePoint 2010.

Chris

For other security holes that you may not know about, check out this older blog post:

http://bit.ly/4rhTz

NOTE:  The only way to ensure full compliance of auditing is to turn C2 Auditing on and let the SQL Server storage explosion begin!

Posted on

SharePoint 2010 IIS Application Pool Recycle???

Do you still need to recycle the application pool/ResetIIS in SharePoint 2010?  Yep. This is actually setup for you by default, out of the box when you create a new web application in central administration.  You can see this for yourself by doing the following:

Create a new web application
Be sure to create a new application pool:


Open IIS Manager
Select Application Pools:

 
Select the "SharePoint – 200" application pool
Right-click it, select "Advanced Settings":


In the "recycle" category, notice the "Specific Times" property:

 

Don't want it to recycle?  Just remove the TimeSpan value and it will stay up forever, but be forewarned, out of the box memory leaks will eventually exhaust your SharePoint/web server memory!
Click the Ellipsis, click "Remove" for the timespan values
Click "OK", now your SharePoint Application Pool won't recycle!

You still need those handy warm up scripts running every 30 minutes to keep your environment running tip-top!

Chris

Posted on

The Halloween Bounty!

Ever wonder what the distribution of candy is these days?  Here's the breakdown…

Generic Lolipops – 53 
Snickers – 52
Twizzlers – 50
Milkyway – 47
Butterfinger – 37
3-muskateers – 37
Baby Ruth – 32
Laffy Taffy – 30
Jolly Ranchers – 28
M&M's – 17
Toothbrushes – 17
Swedish Fish – 14
Crunch bars – 14
Lemonheads – 10
Starbursts – 10
Kitkats – 10
Twix – 7
Skittles – 6
Reeses – 5
Gobbstoppers – 5
Sour patch – 4
Almond joy -1
Misc(s) – 1 – everything else we had one of…

This is the stuff marketing people love to know…

Posted on

Missing Features from SharePoint Designer 2010

SharePoint Designer 2010 is missing a pretty important feature.  The ability to rollup data from child sites and rolldown information from Parent sites.

Here's what we use to be able to do in SPD2007:

1) You could open the Data Source library by clicking "Data View->Manage Data Sources" and then you could then add a new data source library by clicking the button at the bottom:

2) This link would allow you to type a url to another site:

3) This would then allow you to see the other data source library's data sources

4)  You could then use the "Linked data source" wizard to select from the current and newly added data source library

 

The ability to do this is missing in SPD2010, you will see no link that allows you to add these external libraries:

In software design, it is a sin to remove features that your users have grown accustom too.  The only work around that
I have found it to try to utilize the REST or SOAP data source to connect to the other libraries:

This of course means that you will need to setup the authentication:

Only problem, every time I have tried to do this, Designer 2010 gives an error, which basically leaves us without this
valuable feature we had in 2007.

Marc has posted a workaround to create the manual code that uses data sources in seperate sites

Posted on

SharePoint Health Analyzer Jobs

SharePoint has the ability to heal itself.  Pretty cool concept invented by the guys at IBM a long time ago and finally being
worked into Microsoft products.  In central administration you will find the 'monitoring' page has some pretty neat things on it:

One of the coolest is the Health Analyzer Rules. By clicking on Review Rule Definitions, we will see several of these:

I have explored several of these jobs and being it is RTM, not all of them are working exactly like they were intended to.  One
example is the 'One or more categories are configured with Verbose trace logging.' rule.  This rule is designed to check
if anyone has set the logging setting to 'verbose'.  If they have, it can automatically fix this condition.

Out of the box, we can see the settings are 'Information' for Event Level and 'Medium' for trace level:

As an unexperieced SharePoint admin, you may end up clicking the "All categories" checkbox and then setting the values to
their highest level 'Verbose":

 

This is bad as it will generate VERY large log files in a production environment.  We are talking
gigabyptes/minute.  This is very bad for a virtualized image as the image file will grow very large.  Then try backing it
up by copying it…not fun copying a several 100's gigabyte VM file around.

Luckily, the health rule will watch for this condition and when it finds it will give us the nice red or yellow bar at the top of the Central
Administration site.  We will also see that the condition has been noted in a rule status list.  Clicking on the item, we will
get a definition of what is misconfigured, note the ability to "Repair Automatically":

Unfortunately, the logging health analyzer job needs an update.  It is suppose to reset the levels back to the default settings.  It does this for the
Trace level setting, but it doesn't touch the event level settings:

These still remain at 'Verbose' after the job runs.  The job should also set these
back to 'Information' as per the out of the box settings.

Posted on

Dead Beat Training Centers – The Disgraceful List

Ok, so I have a potential dead beat training center that I'm going to embarass pretty heavily if they don't pay up.  I will be posting their name here on our "Dead beat Training Centers" list.  If you are an MCT or a training broker and have some outstanding payments, this will be a potential outlet to let the community know about them.  Email me your deadbeat center and what they have or have not done and I will post it here (please note that this will NOT be anonymous).

 MCTs' beware the following training centers:

Chris