AD | Bugra Postaci's Blog

Get SID by Powershell for SharePoint

05/02/2014 Leave a comment

You can use following powershell to check SID from AD.

$NTAccount = new-object System.Security.Principal.NTAccount(‘SamAccountName’)
$TranslatedToSidObject = $NTAccount.Translate( [System.Security.Principal.SecurityIdentifier])
$SID = New-Object System.Security.Principal.SecurityIdentifier($TranslatedToSidObject.Value)
$TranslatedToNTAccount = $SID.Translate([System.Security.Principal.NTAccount])
Write-host $TranslatedToSidObject.Value `t`t $TranslatedToNTAccount.Value

You can use following powershell to check SID in SharePoint

$site = get-spsite http://blog.bugrapostaci.com
$web = $site.OpenWeb()
$user = $web.EnsureUser(“BLOG\bugra”)
$user.Sid

Filed under Sharepoint 2010, SharePoint 2013 Tagged with AD, PowerShell, Sharepoint, SID

Using Distribution Groups in SharePoint for securing SharePoint securables is not possible.

01/08/2012 Leave a comment

Using Distribution Groups in SharePoint for securing SharePoint securables is not supported. So if you checked fallowing article on SharePoint side,

http://technet.microsoft.com/en-us/library/cc261972.aspx

“In Active Directory Domain Services (ADDS), the following groups are commonly used to organize users:

Distribution group A group that is used only for e-mail distribution and that is not security-enabled. Distribution groups cannot be listed in discretionary access control lists (DACLs), which are used to define permissions on resources and objects.
Security group A group that can be listed in DACLs. A security group can also be used as an e-mail entity.

You can use security groups to control permissions for your site by adding security groups to SharePoint groups and granting permissions to the SharePoint groups. You cannot add distribution groups to SharePoint groups, but you can expand a distribution group and add the individual members to a SharePoint group. If you use this method, you must manually keep the SharePoint group synchronized with the distribution group. If you use security groups, you do not need to manage the individual users in the SharePoint application. Because you included the security group instead of the individual members of the group, ADDS manages the users for you.”

You can not use any Distribution Group for providing permission on SharePoint securables. Because distribution groups cannot be listed in discretionary access control lists (DACLs), which are used to define permissions on resources and objects.SharePoint is using this ACL objects to make security operations. There is no way or workaround for using Distribution Groups in SharePoint for securing SharePoint objects.

So we have some other options.

1) As mentioned in above article : you can expand a distribution group and add the individual members to a SharePoint group and using this SharePoint groups for securing objects.

2) Changing Distribution Groups as Security Group in AD and use it in SharePoint. (I am suggesting this step because AD Groups will provide more gain on performance issues)

Filed under Sharepoint 2010 Tagged with ACL, AD, DACLS, Distribution, group, Permission, Securable, security, Sharepoint

Sharepoint 2010 How to give “Replicate Directory Changes” permission to User Profile Sync Account

28/03/2012 1 Comment

in Technet sometimes is getting hard to find what you are seeking because of it separated more than one article. So i decided that create and collect in one article for this issue for easy share. As you know the synchronization account for a connection to Active Directory Domain Services (AD DS) must have the following permissions:
Before do apply this permissions you already decided which account is your user profile sync account and needless to say it must be an AD account .

1) It must have Replicate Directory Changes permission on the domain that you will synchronize with.
Important: The Replicate Directory Changes permission allows an account to query for the changes in the directory. This permission does not allow an account to make any changes in the directory

To grant Replicate Directory Changes permission on a domain:

On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.
On the first page of the Delegation of Control Wizard, click Next.
On the Users or Groups page, click Add.
Type the name of the synchronization account, and then click OK.
Click Next.
On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.
On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
On the Permissions page, in the Permissions box, select Replicating Directory Changes (select Replicate Directory Changes on Windows Server 2003), and then click Next.
Click Finish.

2) If the NetBIOS name of the domain differs from the fully qualified domain name, the synchronization account must have Replicate Directory Changes permission on the cn=configuration container

To grant Replicate Directory Changes permission on the cn=configuration container:

On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.
If the Configuration node is not already present, do the following:
1. In the navigation pane, click ADSI Edit.
2. On the Action menu, click Connect to.
3. In the Connection Point area of the Connection Settings dialog box, click Select a well know Naming Context, select Configuration from the drop-down list, and then click OK.
Expand the Configuration node, right-click the CN=Configuration… node, and then click Properties.
In the Properties dialog box, click the Security tab.
In the Group or user names section, click Add.
Type the name of the synchronization account, and then click OK.
In the Group or user names section, select the synchronization account.
In the Permissions section, select the Allow check box next to the Replicating Directory Changes (Replicate Directory Changes on Windows Server 2003) permission, and then click OK.

3) If you will export property values from SharePoint Server to AD DS, the synchronization account must have Create Child Objects (this object and all descendants) and Write All Properties (this object and all descendants) permissions on the organizational unit (OU) that you are synchronizing with.

To grant Create Child Objects and Write permission:

On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.
If the Default naming context node is not already present, do the following:
1. In the navigation pane, click ADSI Edit.
2. On the Action menu, click Connect to.
3. In the Connection Point area of the Connection Settings dialog box, click Select a well know Naming Context, select Default naming context from the drop-down list, and then click OK.
In the navigation pane of the ADSI Edit window, expand the domain, expand the DC=… node, right-click the OU to which you want to grant permission, and then click Properties.
On the Security tab of the Properties dialog box, click Advanced.
In the Advanced Security Settings dialog box, select the row whose value in the Name column is the synchronization account and whose value in the Inherited From column is <not inherited>, and then click Edit. If this row is not present, click Add, click Locations, select Entire Directory, click OK, type the synchronization account, and then click OK. This adds the appropriate row, which you can now select.
Important:Do not select the row for the synchronization account that is inherited from another location. Doing so would only enable you to apply the permissions to the OU and not to the contents of the OU.
In the Permission Entry dialog box, select This object and all descendant objects from the Apply to box, (select This object and all child objects on Windows Server 2003), select the Allow check box in the rows for the Write all properties and Create all child objects properties, and then click OK.
Click OK to close the Advanced Security Settings dialog box.
Click OK to close the Properties dialog box.
Repeat steps 3 through 8 to grant permissions on any additional OUs.

For default configuration, i mean if you just read from Active Directory and not planning to export , you may need to apply just first 2 permission.
If you want to test that 2 permissions are correct you can use fallowing script described fallowing article.
https://blog.bugrapostaci.com/2011/04/27/checking-replication-directory-changes-for-account-by-powershell/

For more information please read:
http://technet.microsoft.com/en-us/library/8451dde9-bbd1-4285-bc24-71bd795fb912
http://technet.microsoft.com/en-us/library/0eeb69e0-c799-4da1-b3ec-c0cc4efd585e

Filed under Sharepoint 2010 Tagged with Account, Active, AD, ADSI, Changes, CN=Configuration, Directory, Grant, Permission, Priviledge, Profile, Replicate, Syncronization, user

MOSS 2007 – Welcome name is not updated problem.

23/01/2012 Leave a comment

This is a very well know problem. Even if you run full profile import on sharepoint 2007 the user’s which is name property has changed in AD , not updated on your site welcome name.
First of all you have to detect that the problem has encounter between Sharepoint and AD connection issues. If you see the updates in Profile Store in SSP correctly but not affecting welcome name this article may help you. If it is not updated correctly in Profile Store , it is another problem that out of scope for this article.

So what you can do :

Here is the command for force the sync operations.

stsadm -o sync -ignoreisactive 1
stsadm -o sync -deleteolddatabases 0
stsadm -o sync -synctiming m:5
stsadm -o sync -sweeptiming m:5
stsadm -o sync

Wait min 5 minutes. and check.

You can get more information about stsadm -o sync operations.
http://technet.microsoft.com/en-us/library/cc263196(office.12).aspx
If this is not solve your problem you can use fallowing tool for a workaround;
https://blog.bugrapostaci.com/2012/01/22/sharepoint-tools-wsscontentdbsync-v1-0-command-line-tool/

Filed under Sharepoint Tagged with AD, deleteolddatabases, ignoreisactive, listalldatabases, stsadm, sweeptiming, Sync, WssContentDBSync

Sharepoint Tools – WssContentDBSync v1.0 (Command Line Tool)

22/01/2012 Leave a comment

Hello Everyone,

You can use this tool when common problem has occured with your users Wellcome name is not updated even if you try the tradational ways.
it’s a command line tool that using Sharepoint Object Model so you can only run this tool on sharepoint installed servers.

The tool has compare your profile store and your content database UserInfo table and find out that not updated (sync) usernames and emails and if you want it equalize these problematic names.

Usage :
WssContentDBSync <Site Collection Url> <Equalize:true:false> [AccountName]

Parameters:
Site Collection Url (Required) : For your site url
Equalize (Required) : if you select true , the tool equalize your users name and email within user profile prefferedname and workemail. if you select false , it will just report mismatch issues not execute any sync operation .
AccountName : to be a domain account name. it only sync or report the given accounts status.

Examples:
WssContentDBSync http://blog.bugrapostaci.com true
WssContentDBSync http://blog.bugrapostaci.com true Blog\bugra

For Download :
http://spstools.codeplex.com/releases/view/80949
WssContentDBSync x86 can be used 32 bit Sharepoint 2007 systems.
WssContentDBSync x64 can be used 64 bit Sharepoint 2007 systems
!!! Not tested for Sharepoint 2010 .

🙂

Filed under Sharepoint Tools Tagged with AD, ContentDB, Sharepoint, Sync, Syncronization, tools, User Profile, Welcome, WssContentDBSync

← Older posts

Bugra Postaci's Blog

Get SID by Powershell for SharePoint

Sharepoint 2010 How to give “Replicate Directory Changes” permission to User Profile Sync Account

MOSS 2007 – Welcome name is not updated problem.

Sharepoint Tools – WssContentDBSync v1.0 (Command Line Tool)

RSS Register

Search

Inside my brain

Categories

Top Posts

My Recents

Archives