- Posted by ploft on July 14, 2011
Separate SharePoint site collections aren’t secure enough: the People Picker gives you and your clients away.
Now let’s change all that.
Scenario:
You and your clients use the extranet site with separate site collections for security reasons, so that people and groups are isolated to those inside the collection rather than the whole web application. This is good, but not good enough.
Creative minds and people with SharePoint insight can use the out-of-the-box People Picker inside a SharePoint site to browse your whole Active Directory (depending on how much the SharePoint profile system scrapes when synchronizing information). That is why the People Picker can give you, your clients or your projects away, if someone stumbles upon user accounts whose names leak a secret and that were only intended for internal use.
If you are working on a project under a non-disclosure agreement, you had better make sure this isn’t possible, because the default SharePoint settings aren’t the secure approach, and you could get into a heap of trouble.
Now to the fix:
It’s actually quite simple.
The SharePoint stsadm tool allows changes to the configuration database that aren’t possible from the normal web administration interface. The property we will be looking at is “peoplepicker-onlysearchwithinsitecollection”.
You can check your current property flag by typing this in a command prompt:
(-o for Operation, -pn for PropertyName and -pv for PropertyValue)
stsadm -o getproperty -pn peoplepicker-onlysearchwithinsitecollection -url http://external.mycompany.com/mysecretproject
The default feedback would be:
Property Exist="Yes" Value="no"
To change this, we execute the following command:
stsadm -o setproperty -url http://external.mycompany.com/mysecretproject -pn peoplepicker-onlysearchwithinsitecollection -pv yes
If successful, run the getproperty operation again and you should now see that the value has changed to “yes”; when you browse the site, the People Picker should only look at the people and groups within the site collection.
If you run several extranet site collections like this, change the setting globally by leaving out the -url parameter, like this:
stsadm -o setproperty -pn peoplepicker-onlysearchwithinsitecollection -pv yes
You have now fixed, what should have been default from the beginning.
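A small audit script for the setting above, added here as an example and not part of the original post: it enumerates every site collection in a web application with stsadm, parses the getproperty output and reports (or, with -Fix, corrects) those where the People Picker still searches the whole directory. The web application URL is an assumption; stsadm.exe is assumed to be on the PATH.

```powershell
# Added audit script (not from the original post). Assumes stsadm.exe is on the PATH
# (run from an elevated prompt on a WSS 3.0 / MOSS 2007 server) and that $WebApp is
# the extranet web application whose site collections should be checked.
param(
    [string]$WebApp = "http://external.mycompany.com",  # assumed URL, change to yours
    [switch]$Fix                                         # set the property where it is not "yes"
)

$prop = "peoplepicker-onlysearchwithinsitecollection"

# enumsites prints XML such as <Sites Count="1"><Site Url="http://..." .../></Sites>
[xml]$siteList = (& stsadm -o enumsites -url $WebApp) -join "`n"
$unsafe = @()

foreach ($site in $siteList.Sites.Site) {
    $url = $site.Url
    # getproperty prints e.g.  Property Exist="Yes" Value="no"  (or Exist="No" if never set)
    $out = (& stsadm -o getproperty -pn $prop -url $url) -join " "
    if ($out -match 'Value="(?<v>[^"]*)"') {
        $value = $Matches['v']
    } else {
        $value = "not set"
    }

    if ($value -eq "yes") {
        Write-Host "$url : People Picker limited to the site collection"
        continue
    }

    $unsafe += $url
    Write-Warning "$url : People Picker searches the whole directory ($prop = $value)"
    if ($Fix) {
        # Same operation as in the post, applied per site collection
        & stsadm -o setproperty -pn $prop -pv yes -url $url | Out-Null
    }
}

Write-Host ("{0} site collection(s) expose the directory" -f $unsafe.Count)
if ($unsafe.Count -gt 0 -and -not $Fix) { exit 1 }   # non-zero exit for scheduled checks
```

Run it without -Fix from a scheduled task to catch site collections created after the global setting was applied, since a non-zero exit code flags the drift.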
- Posted by ploft on September 8, 2010
As the SharePoint configuration go-to guy at Vertica (the company where I work), I had a customer today who ran into trouble with SharePoint Services 3.0 after they expanded their SQL volume to get more space.
I’m not sure how it happened, but for some reason the embedded SQL broke during this transition, and along the way their systems administrator somehow managed to delete the virtual directories for all the SharePoint sites located in the C:\Inetpub\wwwroot\wss folder.
Yikes!...
Well, since the customer had earlier asked to move from the embedded SQL to a somewhat real SQL version (though still the Express edition), I started deploying SQL 2008 R2 Express to their server.
I pulled the database files from their backup and attached them to my new SQL 2008 R2 database instance, but prefixed both the files and the database names with “old_”.
Afterwards, since the SharePoint installation was smashed up, I decided to redo the setup process and order SharePoint to use the new database instance:
Source:
http://technet.microsoft.com/en-us/library/cc263093(office.12).aspx
psconfig.exe -cmd configdb -create -server "sharepoint-srv" -database "sharepoint30" -admincontentdatabase "SharePoint_AdminContent"
This was followed by the “SharePoint Products and Technologies Configuration Wizard”, which sets up the necessary IIS sites; I had deleted those earlier, since they broke when the underlying files were deleted.
Next, I entered the SharePoint Administration site and created a new web application, but didn’t create a site collection, since I just needed to attach the content database from the backup.
I selected “Content databases” in Application Management, selected the web application, and clicked “Add a content database”.
I typed in the server and name of my attached backup content database, in this case “WSS_Content_portal”, and finished off by clicking OK.
I visited the site from my browser, and it was back in all its glory. Yay!
Bonus tip:
Uninstalling the SQL Embedded instance isn't as easy as using Add/Remove Programs, but the following tip makes it possible:
Credit to: http://jemm.wordpress.com/2007/08/06/how-to-uninstall-sql-server-2005-embedded-edition/
To uninstall SSEE:
Start Registry Editor, and then locate the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
In the left pane, click each GUID.
For each GUID that you click, look for a display name in the right pane that matches “Microsoft SQL 2005 Embedded Edition…”.
When you see a display name that matches, copy the value of the key named “UninstallString”.
Open a command window (Start -> Run -> cmd).
Paste the copied string.
Append CALLERID=OCSETUP.EXE
Example: MsiExec.exe /X{BDD79957-5801-4A2D-B09E-852E7FA64D01} CALLERID=OCSETUP.EXE
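The registry walk in the steps above, scripted in PowerShell as an added example that is not part of the original post or the credited article: it searches the Uninstall key (and, as an assumption for 64-bit hosts, the Wow6432Node copy) for the SSEE display name, reads UninstallString and builds the command with CALLERID appended. It only prints the command unless -Run is given.

```powershell
# Added example (not from the original post or the credited article): automates the
# registry search above and builds the uninstall command. Dry run unless -Run is given.
# The display-name prefix is taken from the steps above; adjust it if yours differs.
param([switch]$Run)

$displayPrefix = "Microsoft SQL 2005 Embedded Edition"
$uninstallKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"   # assumed: 64-bit hosts
)

# Walk every GUID subkey and keep the ones whose DisplayName matches
$found = @()
foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
        $p = Get-ItemProperty $sub.PSPath
        if ($p.DisplayName -like "$displayPrefix*" -and $p.UninstallString) {
            $found += $p
        }
    }
}

if ($found.Count -eq 0) {
    Write-Host "No '$displayPrefix' entry found under the Uninstall keys"
    exit 0
}

foreach ($entry in $found) {
    # UninstallString is normally "MsiExec.exe /X{GUID}"; CALLERID=OCSETUP.EXE is the
    # extra argument the steps above say the uninstall needs
    $cmd = "$($entry.UninstallString) CALLERID=OCSETUP.EXE"
    Write-Host "Found   : $($entry.DisplayName)"
    Write-Host "Command : $cmd"
    if ($Run) { cmd.exe /c $cmd }
}
```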
- Posted by ploft on June 23, 2009
If you have a discussion board in SharePoint 2007 and have successfully deployed a workflow that triggers when new items are added or created in the list, and then switch on "E-mail enabled list", you will normally (unfortunately) see that the workflow isn't firing.
To make this work, you have to apply what must be one of the longest operation commands in the stsadm tool:
stsadm -o setproperty -pn declarativeworkflowautostartonemailenabled -pv true
Note that I've only tested this on WSS 3.0 with SP2 installed, and didn't need to install the kb953749 fix.
If you have WSS 3.0 or WSS 3.0 SP1, you might need to install this fix before the above command works.
Battle plan:
Install Windows SharePoint Services 3.0 Infrastructure Update:
http://support.microsoft.com/kb/953749/
Run the very long command as described above and in this Microsoft Knowledge Base article:
http://support.microsoft.com/kb/953289/
Happy e-mail-enabled-discussion-board-workflow'ing, and may you have a lovely summer =)