Archive for May, 2014

MySite Deleted by MySite Cleanup Job

Wednesday, May 21st, 2014

Version 1.5

Applied To: SharePoint 2010, 2013, 2016, SharePoint Online

Situation:

A lot of users lost their SharePoint MySite. The site got deleted and they were not able to see any data in their MySite. In some situations, users were prompted to create a new MySite. Most of the deleted sites were for inactive users, though.

MySite Cleanup Process Chart:

I created an initial version of the following MySite Cleanup Job Process for overview.

SharePoint User Profile MySite Cleanup Job Process by Softvative Inc

Cause:

SharePoint Server has a ‘My Site Cleanup Job’ as a Timer Job. The job runs every hour. You can view the job at this location:

SharePoint Central Administration website > Monitoring > Under ‘Timer Jobs’ click ‘Review Job Definitions’ > Scroll to the bottom of the page and go to the next page. Look for ‘My Site Cleanup Job’ and click on it.

SharePoint My Site Cleanup Job

The function of My Site Cleanup job is to delete the user profile and My site of users that are queued for deletion.

Conditions that will mark the account for deletion:

The user profile and My site will be marked for deletion if any of the following conditions is met.

a. account is deleted in AD (Active Directory)
b. account is disabled in AD
c. SharePoint Profile Sync connection is modified with additional filters, deleted, or recreated (e.g. a filter like exclude users with Department = Terminated)
d. account is moved to an AD OU that is not part of SharePoint Profile Sync

Test Scenario:

I used six test accounts, with a few of those having managers listed in their AD accounts. The SharePoint Profile Sync added those to the SharePoint profile. Later I logged in as those test users and created their My Sites by clicking on the link below. Alternatively, click the username drop-down on the top right and choose My Site from the drop-down. Then click on the ‘My Content’ link on the top left.

http://mySiteHost.domain.com/_layouts/MySite.aspx

Then I deleted one account, disabled two, and moved one to a different OU. That left two of the six test accounts untouched in AD.

The subsequent user profile sync run marked the accounts, based on those conditions, with bDeleted = 1 in the SQL tables. In layman's terms, the site is queued for deletion.

I got the following email notification for one of the test accounts that was set up as my Direct Report in the AD account properties.

The My Site of Test User 5 is scheduled for deletion in 14 days. As their manager you are now the temporary owner of their site. This temporary ownership gives you access to the site to copy any business-related information you might need. To access the site use this URL: http://mysiteHost.domain.com/personal/testuser5

After the 11th day, I got the same email but with deletion in 3 days.

The SharePoint My Site Cleanup Job then looks at bDeleted = 1 and notifies the user’s manager if one was listed in AD, or the Secondary MySite Owner if no manager was configured. It sends a second notification after 11 days. After 14 days it deletes the site. In a few situations, I’ve seen users who were actively working in SharePoint when their My Site got deleted. That happens after changes made by the AD team or the SharePoint team (see ‘Conditions that will mark the account for deletion’ above); after 14 days the site will be deleted even if the changes were reverted.

 

SQL Query to check SharePoint user profiles / My Sites marked for deletion:

I then used the following SQL queries to find the status. It is not a recommended method, use it at your own risk.

1. Use the following query to check the accounts that are marked for deletion.
-- Check the SharePoint User Profile accounts that are marked for deletion
select * from [Profile DB].[dbo].[UserProfile_Full] with (nolock)
where bDeleted = 1
order by PreferredName

2. SQL Query to check the Email Notification Status sent to Manager or Secondary MySite Owner:
-- Query the MySiteDeletion email notification status in the User Profile DB in SharePoint
select * from [Profile DB].[dbo].[MySiteDeletionStatus] with (nolock)
-- where NotificationStatus = 1 -- Email sent to Manager or Secondary contact that site will be deleted in 14 days
-- where NotificationStatus = 2 -- Email sent to Manager or Secondary contact that site will be deleted in 3 days

3. SQL Query to find the users' My Sites in the MySite Content DB – AllWebs Table
-- SQL query to check the users under the MySite Web App / Content DB
SELECT FullUrl, Title, RequestAccessEmail
FROM [WSS_Content_MySites].[dbo].[AllWebs]
order by FullUrl

4. SQL Query to check the users' info in the MySite content DB – UserInfo Table
-- Another query to check users' info under the MySite Content DB / MySite Web App
select * from [WSS_Content_MySites].[dbo].[UserInfo] with (nolock)
order by tp_Login

Recommendations:

a. Make sure to test your User Profile Synchronization Connections in pre-production first.

SharePoint Central Admin > Application Management > Manage Service Applications > Click on User Profile Synchronization service application > Click ‘Configure Synchronization Connections’ under Synchronization section. Hover mouse over the connection name, click on drop down, and choose Edit to change the selection of Active Directory OU in the sync. Choose ‘Edit Connection Filters’ from the previous connection page to review / update filters.

SharePoint User Profile Service Application – Synchronization Connection

b. Partially Disable the ‘My Site Cleanup Job’ when editing Profile Sync connection. Later make sure to enable the job. My Site Cleanup Job performs some other cleanups as well like Organization Browser list, People Picker etc.

c. Make sure the ‘Secondary MySite Owner’ account listed has an email address that is monitored by the SharePoint Team, or that those emails get forwarded to the SharePoint Team to act on.

d. Make it part of SharePoint Governance & training that Managers should notify the SharePoint Team when they get the email notification for site deletion within 14 days.

e. Monitor / control changes done in Active Directory that will impact SharePoint users, for example moving an AD account to a different OU that is not part of the SharePoint User Profile Sync.
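
For recommendation b, one way to pause the job around a sync-connection change and guarantee it is switched back on afterwards. This is an added example, not code from the original post; it assumes an on-premises farm, the display name shown in Central Administration, and the My Site host URL used as a placeholder on this page.

```powershell
# Added example (on-premises). Run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$jobDisplayName = 'My Site Cleanup Job'            # display name from Central Administration
$mySiteWebApp   = 'http://mySiteHost.domain.com'   # placeholder My Site host; adjust

# Only touch instances that are currently enabled, so that jobs which were
# already disabled for another reason are not switched on at the end.
$jobs = @(Get-SPTimerJob | Where-Object {
    $_.DisplayName -eq $jobDisplayName -and -not $_.IsDisabled
})
if ($jobs.Count -eq 0) { throw "No enabled '$jobDisplayName' timer job was found." }

try {
    $jobs | ForEach-Object { Disable-SPTimerJob -Identity $_ }
    Write-Output "Disabled $($jobs.Count) job instance(s)."
    Write-Output 'Edit the sync connection, run a profile sync, and review the bDeleted results.'
    Read-Host 'Press Enter when the review is finished' | Out-Null
}
finally {
    # Runs even if the session is interrupted with Ctrl+C or an error occurs above.
    $jobs | ForEach-Object { Enable-SPTimerJob -Identity $_ }
}

# Confirm the job state after the change window.
Get-SPTimerJob |
    Where-Object { $_.DisplayName -eq $jobDisplayName } |
    Select-Object DisplayName, IsDisabled, LastRunTime

# Site collections already deleted under the My Site web application,
# oldest first, as input for a restore decision.
Get-SPDeletedSite -WebApplication $mySiteWebApp -Limit All |
    Sort-Object DeletionTime |
    Select-Object Path, DeletionTime, SiteId
```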

SharePoint Online / OneDrive for Business

OneDrive for Business stores documents under user’s mysite (part of User Profile) in SharePoint Online (Office 365). Use the following Microsoft KB article for reference:
 
OneDrive for Business retention and deletion – https://support.microsoft.com/en-us/kb/3042522
 
Use the OrphanedPersonalSitesRetentionPeriod parameter of the Set-SPOTenant PowerShell cmdlet to increase the content retention period from the default value of 30 days to a higher value. Email notifications will still be sent, notifying that the contents will be deleted in 30 days and in 7 days. https://technet.microsoft.com/en-us/library/fp161390.aspx
 
Use the IncludeOnlyPersonalSite and Limit parameters of the Get-SPODeletedSite PowerShell cmdlet to get the list of personal sites (OneDrive for Business contents) that are marked for deletion. https://technet.microsoft.com/library/fp161365.aspx
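
The two cmdlets above combined into one check, as an added example that is not part of the original post. The tenant admin URL, the 365-day target and the 7-day warning threshold are placeholder values; it requires the SharePoint Online Management Shell.

```powershell
# Added example (SharePoint Online). Placeholder values are marked below.
$adminUrl      = 'https://contoso-admin.sharepoint.com'   # placeholder tenant admin URL
$retentionDays = 365                                       # placeholder target retention
$warnDays      = 7                                         # placeholder warning threshold

Connect-SPOService -Url $adminUrl

# Raise the retention period only when the tenant is below the target,
# and record the previous value for the change log.
$current = (Get-SPOTenant).OrphanedPersonalSitesRetentionPeriod
if ($current -lt $retentionDays) {
    Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod $retentionDays
    Write-Output "OrphanedPersonalSitesRetentionPeriod changed from $current to $retentionDays days."
}
else {
    Write-Output "OrphanedPersonalSitesRetentionPeriod is already $current days; no change made."
}

# Personal sites (OneDrive for Business) currently in the deleted-sites list,
# closest to permanent removal first.
$deleted = @(Get-SPODeletedSite -IncludeOnlyPersonalSite -Limit ALL |
    Sort-Object DaysRemaining)

$deleted |
    Select-Object Url, DeletionTime, DaysRemaining, StorageQuota |
    Format-Table -AutoSize

# Flag the sites that need a decision now.
$urgent = @($deleted | Where-Object { $_.DaysRemaining -le $warnDays })
if ($urgent.Count -gt 0) {
    Write-Warning "$($urgent.Count) personal site(s) will be removed within $warnDays days:"
    $urgent | ForEach-Object { Write-Warning "  $($_.Url) ($($_.DaysRemaining) days left)" }
}
```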
 
Use SharePoint Online eDiscovery to put a hold on deletion of Mysite (OneDrive For Business) contents. Create a new site collection using eDiscovery template in your SharePoint Online Tenant if you don’t have eDiscovery site in place.
 

Note:
I’ll cover the process on how to analyse and recover the deleted MySites in situations where bulk of Mysites got deleted. That is to see which sites had data and which ones were just not actively used MySites or deleted MySites without any documents to recover. I’ll try to cover the use of PowerShell commands Get-SPDeletedSite and Restore-SPDeletedSite.

References:
1. http://blogs.msdn.com/b/kaevans/archive/2012/06/25/top-recommendations-for-managing-the-my-site-cleanup-timer-job.aspx
2. http://blogs.technet.com/b/fromthefield/archive/2013/07/25/windows-powershell-script-to-output-site-collection-information.aspx


Symantec Antivirus for SharePoint Doesn’t Allow File Upload

Friday, May 16th, 2014

Scenario:

A user tries to upload a file to a SharePoint document library and gets the following error message:
The installed virus scanner is currently unavailable. If the problem persists, contact your administrator.
Symantec Antivirus for SharePoint causing Upload Error – The installed virus scanner is currently unavailable

Cause:

Symantec Antivirus for SharePoint has two components: the Console and the Protection Engine. If the Symantec Protection Engine is disabled or not running, it can prevent users from uploading files to SharePoint. That behavior is triggered by the default configuration settings of Symantec Antivirus for SharePoint, notably under the ‘Real-Time Scan Settings’ area within the SharePoint Central Administration site.
Symantec Antivirus for SharePoint – Real-Time Scan Settings – Default

Resolution:

Make sure to allow the Bypass configurations in cases where Protection Engine is disabled / offline.
Steps:
1. Go to Central Administration home
2. Click on ‘Real-time Scan Settings’ under ‘Symantec Protection 6.0 for SharePoint Servers’ section.
Symantec Antivirus for SharePoint – On Central Admin Site Home
3. Enable these settings by configuring the check boxes:
   a. Bypass scanning when all Symantec Protection Engines are busy or offline 
   b. Bypass scanning when all Symantec Protection Engines are disabled
   c. Scan all content that was bypassed when all Symantec Protection Engines were offline or busy
The first two settings (a and b) will allow the users to upload files even when the Symantec Protection Engines are busy, offline or disabled. The third setting (c) will scan the files that were bypassed when the Protection Engine was offline or busy.
Symantec Antivirus for SharePoint – Real-Time Scan Settings – Revised
4. Click Save button at the bottom
After saving these configuration changes, the users should be able to upload files.
Symantec Antivirus for SharePoint – Allowed the File Upload after Revised Settings

Security Risk:

There is a security risk, though. While scanning is bypassed, users without antivirus on their own machines can upload infected files to SharePoint. That will be a major risk for internet-facing deployments. In my case it was a non-production SharePoint. Always weigh the pros and cons of productivity loss versus the security issue in these situations.

MS14-022 Critical Vulnerabilities in SharePoint ProjectServer

Tuesday, May 13th, 2014
Microsoft Security Bulletin MS14-022 was recently released with a severity of Critical. It covers the following products:
  • SharePoint Server 2007, 2010, 2013
  • WSS 3.0
  • SharePoint Foundation 2010 / 2013
  • Office Web Apps Server 2010 / 2013
  • SharePoint Designer 2010 / 2013
Risk: High
Discovered: 05/13/2014
The security update addresses the vulnerabilities by correcting how SharePoint Server and Web Applications sanitize specially crafted page content.
Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166)
MS Knowledge Base Article
MS14-022: Vulnerabilities in Microsoft SharePoint Server could allow remote code execution: May 13, 2014
Vulnerabilities Summary:
| # | Vulnerability | CVE | Mitigating Factors |
|---|---|---|---|
| 1 | | | To exploit any of these related vulnerabilities, an attacker must be able to authenticate on the target SharePoint site. Note that this is not a mitigating factor if the SharePoint site is configured to allow anonymous users to access the site. By default, anonymous access is not enabled. |
| 2 | | | Microsoft has not identified any mitigating factors for this vulnerability. |
| 3 | | | To exploit this vulnerability, an attacker must be able to authenticate on the target SharePoint site. Note that this is not a mitigating factor if the SharePoint site is configured to allow anonymous users to access the site. By default, anonymous access is not enabled. |
Security Resources
It is good to review the SANS Internet Storm Center for the criticality of these updates
https://isc.sans.edu/
SANS Internet Storm Center – May 2014 Patch Tuesday
Search on the Security Focus site
Recommendation
Run all software as a less-privileged user with minimal access rights.

Add new Server in Farm with SharePoint, MSPS, OWS and LPs

Tuesday, May 13th, 2014
How to add a new server to the SharePoint Farm when the farm is running:
a. SharePoint 2010
b. MS Project Server 2010
c. Office Web App Server 2010
d. Language Packs

I ran through these steps.

1. Attach Setup files to new server [CD, Virtual Cd image, or setup files]
2. Start SharePoint setup and begin the SharePoint Pre-Req install
3. It failed, listing update KB976462 as the cause of the install error
4. Re-ran the pre-req install and it worked
5. Run the SharePoint 2010 setup
6. Change the drive letter for the Setup Data folder to the D: drive and leave the rest of the folder path the same. Also leave the SharePoint installation directory at its default location on the C: drive
7. At the end of setup uncheck the option to Run Configuration Wizard and click close button.
8. Install Project Server 2010 setup (follow steps 6 & 7 during its setup and don’t run config wizard)
9. Install Office Web App 2010 setup (follow steps 6 & 7 during its setup and don’t run config wizard)
10. Install Language Packs for English, Chinese, Arabic or others. Install language packs for SharePoint 2010 Server version. (follow steps 6 & 7 during each setup and don’t run config wizard)
11. Install Service Pack 2 for SharePoint 2010 Server, Project Server 2010, Office Web Apps 2010, Language Packs SP 2 for each language listed in step 10 above. (follow steps 6 & 7 during its setup and don’t run config wizard)
12. Current Farm patch version was 14.0.7105.5000
13. Download Aug 2013 CU update that matches the version number for this patch.
14. Run SharePoint Config Wizard to join the server to the farm
15. Configure and verify the new server.

Sharepoint Personal MySite Quota Limit Reached

Thursday, May 8th, 2014

Scenario:

The default personal MySite storage limit in SharePoint 2010 is 100 MB, with a warning email sent after 80 MB. A user exceeded the default MySite storage limit of 100 MB. When changing his MySite permissions, the user got the following error:

Error:
Your changes could not be saved because the SharePoint web site has exceeded the storage quota limit.
You must save your work to another location. contact your administrator to change the quota limits for the web site.
Correlation ID:
Date and Time:

SharePoint User’s Personal MySite Storage limit reached Error

Resolution:

I increased the quota limit of personal MySites to 250 MB, with a warning email notification to the user at 200 MB. The new quota template was applied to the user’s MySite.

Resolution that was followed:
1. To update the Quota Template limit, go to the SharePoint Central Administration website
2. Click on Application Management > Specify Quota Template (under Site Collection section)
3. Edit the ‘Personal Site’ Template (that is applied by default to mySites). Enter the limits for maximum storage and warning email under ‘Storage Limit Values’ section
4. Click OK

This only updates the quota template limit and doesn’t actually apply it to the users’ MySites. Now apply the quota template to the MySites that are having the issue, using the following steps:

1. Go to Central Admin > Application Management
2. Click on ‘Configure quotas and locks’ under Site collection section
3. Select the user’s site collection from the drop down by selecting the Mysite web application and user’s Mysite Site Collection.
4. Under ‘Site Quota Information’ section select the ‘Personal Quota’. Make sure it shows the updated limits (grayed out).
5. Click Ok

That single user’s Mysite has the updated quota applied to it. The other Mysites of users will still have the previous 100 MB limit until you apply the quota template on those MySites again.
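
To re-apply the edited template to the remaining MySites in one pass instead of one site at a time, a script along these lines can be used. It is an added example, not part of the original post; it assumes an on-premises farm, the ‘Personal Site’ template name from the steps above, and personal sites under /personal/ on the placeholder My Site host URL.

```powershell
# Added example (on-premises). Run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$mySiteWebApp = 'http://mySiteHost.domain.com'   # placeholder My Site host; adjust
$templateName = 'Personal Site'                  # template edited in Central Administration

# Read the limits now stored in the template (values are in bytes).
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$template = $contentService.QuotaTemplates[$templateName]
if ($null -eq $template) { throw "Quota template '$templateName' was not found." }

$report = foreach ($site in Get-SPSite -WebApplication $mySiteWebApp -Limit All) {
    try {
        # Skip the My Site host itself and anything outside the personal path.
        if ($site.ServerRelativeUrl -notlike '/personal/*') { continue }

        $oldMax  = $site.Quota.StorageMaximumLevel
        $oldWarn = $site.Quota.StorageWarningLevel
        $stale   = ($oldMax  -ne $template.StorageMaximumLevel) -or
                   ($oldWarn -ne $template.StorageWarningLevel)

        # Re-applying the template copies its current limits onto the site.
        if ($stale) { Set-SPSite -Identity $site -QuotaTemplate $templateName }

        [pscustomobject]@{
            Url       = $site.Url
            UsedMB    = [math]::Round($site.Usage.Storage / 1MB, 1)
            OldMaxMB  = $oldMax / 1MB
            NewMaxMB  = $template.StorageMaximumLevel / 1MB
            Updated   = $stale
            OverWarn  = $site.Usage.Storage -ge $template.StorageWarningLevel
        }
    }
    finally {
        $site.Dispose()   # release each SPSite object as soon as it has been processed
    }
}

$report | Sort-Object UsedMB -Descending | Format-Table -AutoSize
```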



Test Your MS Project Server & SharePoint Deployment using Multiple Browsers and Platforms

Wednesday, May 7th, 2014
It’s no wonder that supporting your application across all platforms and browsers is a nightmare. There are a few good resources out there that help to quickly test applications on multiple browsers, platforms and devices. Organizations that don’t have a standard for which browsers should be supported, or that don’t maintain and enforce a list of approved applications, can benefit from these services / solutions.
I recently found modern.ie. That saved me tens of hours of work for a few MS Project Server EPM & SharePoint features.
Modern.ie: Microsoft site that offers compatibility reports, browser screenshots, site scans and even free VMs with IE 6 to IE 11 for testing. You can download the test VMs for Windows, Mac or Linux and for Hyper-V, VMware, VirtualBox and a few other virtualization platforms. After downloading a VM, within 5 minutes I was able to validate the MS Project Server EPM scenario with IE 10.
BrowserStack.com: BrowserStack is a paid service (as low as $35/m for 2 users). It is browser based and doesn’t require VM deployments.

Project Web Access Issue when IE9 Upgraded to IE10

Tuesday, May 6th, 2014

Scenario:

Recently I came across an issue where a user’s Internet Explorer 9 on Win7 x32 was upgraded to Internet Explorer 10. He then started getting an issue where he could not create a new project in Project Web Access (PWA) > Project Center.

Issue Summary:

The user was not able to create any new projects because he was not able to select values for select-value fields that were configured as required fields. For example department or Project Status. User was taking these steps:

1. Go to Project Web Access site
2. Click on Project Center link under Project section on left navigation
3. Click ‘New‘ button from the top ribbon nav
Project Web Access PWA – Create New Project in PWA
4. Select a project Template – Enterprise Project Type
5. Enter project name
6. Click on ‘Select Value’ button (with three dots…) for those fields
7. Normally you should see a list to select from, but in this case you will see a blank box. When you click away, it locks up with a ‘Not Responding’ error
Select Value fields when clicked doesn’t show options. Some of those fields are required

Resolution:

Few things to check:
a. Hit F12 key with PWA site open and check the Browser Mode and Document Mode settings. With IE 10 by default those should be IE 10 Compat View and IE 8 Standard respectively. [PWA site was in IE intranet zone and ‘Display intranet sites in compatibility view’ option was checked]
b. Confirm IE browser is 32 bit and not 64 bit. [Some PWA / SharePoint features don’t work with x64]

What Fixed the issue:
a. Reset IE settings by going to Tools > Internet Options > Advanced > Click ‘Reset’ button under ‘Reset Internet Explorer Settings’.
b. In ‘Reset Internet Explorer Settings’ dialog box, check the box ‘Delete personal settings’ and then click Reset button at the bottom.
c. Follow the prompts. Click OK and close all browsers.
d. Launch IE again and verify PWA Project Center > Create New Project feature.
I was able to select values for ‘select value’ fields.

After IE reset, select value fields when clicked display value to pick from

SharePoint 2010 Kerberos Delegation

Monday, May 5th, 2014
| Kerberos Delegation | Can Cross Domain Boundary | Can Cross Forest Boundary |
|---|---|---|
| Basic | Yes | No |
| Constrained | No | No |

Note:
Have SharePoint and the external data in the same Active Directory domain

| SharePoint Service Application | Kerberos Delegation Type |
|---|---|
| Excel Services | Constrained Delegation |
| Performance Point Services | Constrained Delegation |
| InfoPath Forms Services | Constrained Delegation |
| Visio Services | Constrained Delegation |
| BDC / BCS | Basic or Constrained Delegation |
| Access Services | Basic or Constrained Delegation |
| SQL Reporting Services SSRS | Basic or Constrained Delegation |
| MS Project Server | Basic or Constrained Delegation |

Note:
1. The Kerberos delegation method can only change from basic to constrained as the identity travels from service to service
2. Services require translation of claims-based credentials to Windows credentials. The translation process uses the C2WTS service
3. C2WTS must be constrained
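
A quick way to check which delegation type each service account actually has in Active Directory, as an added example that is not taken from the excerpted guide. The account names are hypothetical, and the script assumes that ‘Basic’ in the tables above corresponds to the AD setting that trusts the account for delegation to any service (the TrustedForDelegation flag).

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Hypothetical service account names; replace with the accounts that run
# C2WTS and the SharePoint service applications in your farm.
$accounts          = 'svc-c2wts', 'svc-excel', 'svc-bcs'
$mustBeConstrained = 'svc-c2wts', 'svc-excel'   # per the table and note 3 above

$report = foreach ($name in $accounts) {
    $u = Get-ADUser -Identity $name -Properties TrustedForDelegation,
             TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    # Services this account may delegate to (empty when nothing is configured).
    $targets = @($u.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    $type = if ($u.TrustedForDelegation) {
                'Basic'                                       # delegation to any service
            } elseif ($targets.Count -gt 0 -and $u.TrustedToAuthForDelegation) {
                'Constrained (any authentication protocol)'
            } elseif ($targets.Count -gt 0) {
                'Constrained (Kerberos only)'
            } else {
                'None'
            }

    [pscustomobject]@{
        Account      = $u.SamAccountName
        Delegation   = $type
        DelegatesTo  = $targets -join '; '
        # Flag accounts that must be constrained but are configured otherwise.
        NeedsReview  = ($mustBeConstrained -contains $name) -and ($type -notlike 'Constrained*')
    }
}

$report | Format-Table -AutoSize -Wrap
```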

Excerpt from:

Configuring Kerberos Authentication for SharePoint 2010 Products