Backward inheritance in SharePoint 2010 and 2013

My users are “challenging”. You guys know what that is code for, right? For some reason they decided that they want the extranet to have over 40 site collections but all the users would have access to are sub-sites of these site collections. Why? Only they know and they aren’t sharing that information with yours truly.

Here’s the problem. They want to store images, etc. at the site collection level and use those images in the sub-sites. Problem is, the users don’t have access to the site collection level so when they bring up a page with the image, you guessed it, they get the BFRX (Big F***ing Red X). Bummer.

So the users are screaming “Fix it, John” (best whinny voices here). Guess what, I said, there is no backward inheritance of permissions. Too bad for you. “Fix it, John” they continue to whine. Crap. So here is the solution: copy all the users from all the sub-sites to the visitors group in the site collection. That way they have read-only rights to the site collection and thus the images. By happy accident this also fixes a bug in the Google Analytics feature I downloaded from Codeplex (more on that later). So it’s off to PowerShell world to take care of business (TCB, baby!).

To pull this off, it’s a pretty simple matter to iterate through all the sub-sites, then iterate through all the users and add them to the visitors group. Not a bad solution but it takes forever. I know because I tried it. You are pulling duplicate users which eats up time (no need to worry about creating duplicate users in the visitors group, though. SharePoint won’t let you). So one of my users said “Why not use the All People list?”. I said they were aggravating, not stupid.

The All People list contains every user from the target site collection and all users from the sub-sites. It’s a pretty handy thing and is really called the User Information List. Below is the PowerShell code I used to pull out all the users and add them to the site collection visitors group.

I add the SharePoint snapin because I’m going to run this from Task Manager. The next blog will be on how to run this in batch. Next we define the site collection URL. Next, we iterate through the “User Information List” (All People) and finally, put them in the site collection Visitors group. Works like a charm!

The downside is that I had to create a separate .ps1 file for each site collection. I suppose if I was smart (and had more time), I could write some code to iterate through the site collections and make life easier. Maybe when I have some spare time…

So there you have it. Backward inheritance! This works in both 2010 and 2013. Next I’ll show you how to run PowerShell from the DOS command prompt. Stay tuned!

Add-PSSnapin ‘Microsoft.SharePoint.PowerShell’
$SiteUrl = “http://yoursitecollectionurl”
$web = Get-SPWeb $SiteUrl
$ListName = “User Information List”
$List = $web.Lists[$ListName]
#$List.Items
foreach ($ListItem in $List.Items)
{
$prefix=”i:05″
if($ListItem.Name.StartsWith($prefix))
{
Write-Host “username=” $ListItem.Name
Set-SPUser -Identity $ListItem.Name -Web http://yoursitecollectionurl -Group ‘group name (visitors in this case)’
}
}

Publishing Sites Without Workflows

Let me start by saying I HATE publishing sites. Sure they are great for branding and such but they are a pain on so many levels.

However, that’s what we use as our baseline site collection. Recently, I created a new site collection as a publishing site and it decided it needed a workflow to run when you decided to publish the site. We didn’t want that since the designers were just modifying the page and it was a laborious process to go through the workflow. So how do you disable this? Pretty easy, actually!

Navigate to the Pages library (View all site content for example). Click on the Library tab then Library Settings. Under General settings, click on Versioning settings. For “Require content approval for submitted items?” select the No radio button. That’s it!

You can go to Workflow settings and delete the workflow if you want but it’s not necessary.

PNG files not showing in SharePoint 2010

One of our users made a discovery that was brought to my attention. Actually, it was two issues, if you could call them that. First, they reported that when they upload a .png file, it gets converted to a .jpg file. Second, the .png files were not showing up and giving the infamous red X.

Let’s start with issue number 1. This is by design in SharePoint 2010.

SharePoint automatically creates two JPG images every time you upload image to a Picture Library: they are the thumbnail image and the web preview image. They’re stored along with the original image in the Picture library.

No in-place conversion happens: the image is converted only once during the initial upload process.

SharePoint needs these extra images to display picture library thumbnail views and item forms correctly, quickly and not causing excessive server load. However, when you add the image to a page or image web part, it actually displays the .png file. So no conversion, no problem.

Now on to issue number 2. You upload a .png file to picture library. The thumbnail looks great, the preview image looks great, you copy the link and open it in a new tab and you get the big, fat, red X.

This is all because of the color profile of the image. If the web designer used PhotoShop or some other similar application, they may have saved the image with a CMYK color profile. Browsers can’t display CMYK images. Thus, the red X. The thumbnail and the preview are .jpg files (see above) so they look fine.

To solve the issue, just open up the image in your choice of editing software and save it as an RGB image. Re-upload the file and everything is fine!

Create a Site Collection in a new Content Database with PowerShell

Creating a SharePoint site collection has always been a pain. Especially if you do it properly so that there is only 1 site collection per content db. In the past, we always used stsadm but with the improvements in PowerShell, it can be done without much user intervention.

My goal was to create a PowerShell application that would only prompt for the bare requirements to build a new site collection. The long term goal is to add an interface so that site managers (essentially power users) can manage all this themselves. Personally, I think this would make a great SharePoint 2013 app which could be easily accomplished with NAPA.

What we did was create a site collection baseline. This is just a site that we will base all our site collections on. It has all the custom templates, list/libraries, branding, and so forth. That being said, let’s step through the code!

The first step is to gather the required information for the new site collection, create a new content db, and create the site collection. We are not adding a template because we will be importing the baseline site collection for that.

$ErrorActionPreference = “Continue”;

#Get input from user
$name = Read-Host “Enter New Site Collection Name”; #Prompts for Site Title (you can change this later)
$site = Read-Host “Enter New Site Collection URL”; #Prompts for your new site collection URL (https://url.webapp.com/sites/newsitecoll for example)
$dbname = Read-Host “Enter Content Database Name”;

#Default values, change to your values
$owner1 = “domain\owner1”;
$owner2 = “domain\owner1”;
$server = “MY_CONTENT_DB_ALIAS”; #This is the alias you setup to your database server. You did do that, right?
$webapp = “https://url.webapp.com”; #This is the root URL to your web app

#Create content db
Write-Host “Creating Content DB”
New-SPContentDatabase -Name $dbname -DatabaseServer $server -WebApplication $webapp
Write-Host “Content DB Created Sucessfully”

#Create the site collection
Write-Host “Creating Site Collection $site”
New-SPSite -URL $site -OwnerAlias $owner1 -SecondaryOwnerAlias $owner2 -ContentDatabase $dbname
Write-Host “Site Collection $site Created Sucessfully”

#Set the content db so it will only contain 1 site collection
Get-SPContentDatabase -Site $site | Set-SPContentDatabase -MaxSiteCount 1 -WarningSiteCount 0
Write-Host “Set Content DB to only contain 1 Site Collection”

At this point we have a new site collection so we are going to export the baseline site collection and import it into the new site collection. I do a fresh export every time in case the users have made changes.

#Export baseline site collection
Write-Host “Exporting New Baseline Site Collection”
export-spweb -identity https://url.webapp.com/sites/extranetbaseline -path d:\backup\baseline\baseline.cmp -force -includeusersecurity
Write-Host “Exported Baseline Site Collection Sucessfully”

#Import the baseline site to the new site collection
Write-Host “Importing Baseline into new Site Collection”
Import-SPWeb -Identity $site -Path d:\backup\baseline\baseline.cmp -includeusersecurity -force
Write-Host “Baseline Imported Sucessfully”

At this point we have a new site collection that is identical to the baseline site collection. My customer wanted to delete some of the default security groups. So the code below will do just that. You can either not use this or change it as needed.

#Delete the unwanted default groups
Write-Host “Deleting Site Groups”
$web = get-SPWeb $site

$objSiteGroup = $web.SiteGroups[“Designers”]
$web.SiteGroups.Remove(“Designers”)
Write-Host “Designers Deleted”

$objSiteGroup = $web.SiteGroups[“Hierarchy Managers”]
$web.SiteGroups.Remove(“Hierarchy Managers”)
Write-Host “Hierarchy Managers Deleted”

$objSiteGroup = $web.SiteGroups[“Approvers”]
$web.SiteGroups.Remove(“Approvers”)
Write-Host “Approvers Deleted”

$objSiteGroup = $web.SiteGroups[“Style Resource Readers”]
$web.SiteGroups.Remove(“Style Resource Readers”)
Write-Host “Style Resource Readers Deleted”

Now comes the fun part. They also wanted to add their group to site collection administrators. As simple as that sounds, the SharePoint team didn’t plan for that. On top of this, we are using claims based authentication which has no groups. Otherwise, I would just put in the AD group and be done with it. Below is a the more long winded approach.

#Add additional users as site collection administrators
$sp_web = Get-SPWeb $site

#Add first user
$Account=”domain\user1″
$Email = “user1@domain.com”
$sp_web.AllUsers.Add($Account, $Email, “”, “”)
$user = Get-SPUSER -identity $Account -web $site
$user.IsSiteAdmin=1
$user.Update()

#Add second user
$Account=”domain\user2″
$Email = “user2@domain.com”
$sp_web.AllUsers.Add($Account, $Email, “”, “”)
$user = Get-SPUSER -identity $Account -web $site
$user.IsSiteAdmin=1
$user.Update()

Write-Host ” “
Write-Host “Site Collection at” $site “has been created in the” $dbname “content database” -ForegroundColor Yellow

That wraps it up. If you need to add anything to this script, just leave me a comment. Next time you see this, it will be 2013 App!

Here’s the whole script for you to copy and paste. Just save it as a .ps1 file and run it as a farm account:

$ErrorActionPreference = “Continue”;
#Get input from user
$name = Read-Host “Enter New Site Collection Name”;
$site = Read-Host “Enter New Site Collection URL”;
$dbname = Read-Host “Enter Content Database Name”;

#Default values
$owner1 = “domain\owner1”;
$owner2 = “domain\owner2”;
$server = “MY_CONTENT_DB_ALIAS”;
$webapp = “http://my.rootwebapp.com”;

#Create content db
Write-Host “Creating Content DB”
New-SPContentDatabase -Name $dbname -DatabaseServer $server -WebApplication $webapp | out-null
Write-Host “Content DB Created Sucessfully”

#Create the site collection
Write-Host “Creating Site Collection $site”
New-SPSite -URL $site -OwnerAlias $owner1 -SecondaryOwnerAlias $owner2 -ContentDatabase $dbname | out-null
Write-Host “Site Collection $site Created Sucessfully”

#Set the content db so it will only contain 1 site collection
Get-SPContentDatabase -Site $site | Set-SPContentDatabase -MaxSiteCount 1 -WarningSiteCount 0
Write-Host “Set Content DB to only contain 1 Site Collection”

#Export baseline site collection
Write-Host “Exporting New Baseline Site Collection”
export-spweb -identity http://my.rootwebapp.com/sites/baseline -path d:\backup\baseline\baseline.cmp -force -includeusersecurity
Write-Host “Exported Baseline Site Collection Sucessfully”

#Import the baseline site
Write-Host “Importing Baseline into new Site Collection”
Import-SPWeb -Identity $site -Path d:\backup\baseline\baseline.cmp -includeusersecurity -force
Write-Host “Baseline Imported Sucessfully”

#Delete the unwanted default groups
Write-Host “Deleting Site Groups”
$web = get-SPWeb $site

$objSiteGroup = $web.SiteGroups[“Designers”]
$web.SiteGroups.Remove(“Designers”)
Write-Host “Designers Deleted”

$objSiteGroup = $web.SiteGroups[“Hierarchy Managers”]
$web.SiteGroups.Remove(“Hierarchy Managers”)
Write-Host “Hierarchy Managers Deleted”

$objSiteGroup = $web.SiteGroups[“Approvers”]
$web.SiteGroups.Remove(“Approvers”)
Write-Host “Approvers Deleted”

$objSiteGroup = $web.SiteGroups[“Style Resource Readers”]
$web.SiteGroups.Remove(“Style Resource Readers”)
Write-Host “Style Resource Readers Deleted”

#Add additional users as site collection administrators
$sp_web = Get-SPWeb $site

#Add first user
$Account=”domain\user1″
$Email = “user1@domain.com”
$sp_web.AllUsers.Add($Account, $Email, “”, “”)
$user = Get-SPUSER -identity $Account -web $site
$user.IsSiteAdmin=1
$user.Update()

#Add second user
$Account=”domain\user2″
$Email = “user2@domain.com”
$sp_web.AllUsers.Add($Account, $Email, “”, “”)
$user = Get-SPUSER -identity $Account -web $site
$user.IsSiteAdmin=1
$user.Update()

Write-Host ” “
Write-Host “Site Collection at” $site “has been created in the” $dbname “content database” -ForegroundColor Yellow

Interesting Article: Great SharePoint Interview Questions – What they should ask, what you should say

http://news.dice.com/2013/05/02/interview-questions-sharepoint-architects

I heard a new term today from one of our SharePoint site managers:

PICNIC – Problem In Chair, Not In Computer

Getting a list of sites that a user has access to in SharePoint

My customer needed a way to show all the sites and site collection where the user had access. This is for an extranet which we decided would be driven off the MySites. The idea is that the user logins in and is directed to their MySite. There they would see a list of all their sites and can navigate from their. You would think somebody would have built a web part by now but if they have, I couldn’t find it!

So I came up with the idea of using the search results web part and contentclass managed property. Since SharePoint security trims everything for you, it was simple to get a list of sites. Well, there was a bit of head banging as usual. But the results are pretty sweet!​

The contentclass managed property is a property that means something to the SharePoint search. You can think of them as search scopes but they can be added directly into the search query box. For example, go to your SharePoint site and enter this into the search: contentclass:”STS_Web” and hit search. The search results will be all the sites in the web app. You might notice that none of the root web site for the site collections are displayed. Just add STS_Site and you get the root sites. You can simply combine the parameters as such:

contentclass:”STS_Site” contentclass:”STS_Web”

Now comes the fun part. We are going to use the Search Results web part to add the list of sites to the page. Simply add a Search Results web part to your page and edit the web part properties. Add the contentclass parameters to the search query.

Because of security trimming, the logged in user will only see their sites.

Now you can go in with SharePoint Designer and modify the XSLT to make things look a little nicer. I’ll go into that in a future post. Until then here are some links to using the contentclass managed properties:

http://blog.slalom.com/2010/04/07/sharepoint-2010-search/

http://www.dotnetmafia.com/blogs/dotnettipoftheday/archive/2010/07/20/some-handy-keywords-you-might-find-useful-in-sharepoint-enterprise-search.aspx

SharePoint 2010 Search Lockup

I just got through building a HUGE extranet for one of my clients. Since it hosts a large number of customers from different companies, the security requirement was to limit them to only the sites they have access granted. We decided to drive the users off the MySites and I created a custom web part to show all of the sites they were members of (I’ll blog on how I did that later). The key was it used the search and security trimming to work.

Now here’s what happened. Everytime I ran a full crawl,​ the search query component locked. This caused my web part to throw one of those lovely correlation error messages. No luck checking through the ULS logs. It just stopped and no amount of turning the service on and off or an IIS reset would work.

As a last ditched effort, I rebooted WFE. No problem since I have 2 and they are load balanced. Low and behold! It worked!

Now both the WFEs are in a DMZ and locked down at the firewall. That just doesn’t seem like it would be the issue though. A Microsoft buddy of mine admitted that it was one of those rare and known bugs.

So there you go. You know what they say: “When in doubt, reboot!”