Thursday, June 26, 2008
This is one of those small things that could produce a big productivity impact for many people.
Thanks to Mr. Brien Posey for sharing this tip.
Friday, June 20, 2008
Registration Approval Process
Define a list of approvers to review invited and/or anonymous registrations. When a user registers, the account will remain unapproved until reviewed by an approver. One or more approvers will be notified of the pending registration. After reviewing the account, the approver can approve or deny the request. The registering user will then be notified of the approval status.
Pre-Approved Domain Names
A list of pre-approved domain names can be defined. When a user registers for access to the site, his or her account will automatically be approved if the registering domain name exists in the pre-approved domain name list.
When an anonymous user registers for site access, a message will be sent to the user's e-mail address asking the user to verify the account. The user can access the site only after verification.
User Automation Job to Enforce Password Expiration and Account Activity Expiration
ExCM now contains a list of STSADM commands which can be used to create and manage user automation operations such as password expiration and account activity expiration. The job will notify users of pending expirations via e-mail. If a corrective action is not taken, the account will be locked out. The age of the lockout and the notification window are customizable using STSADM. You can also customize the notification messages for each event.
Thursday, June 19, 2008
SharePoint 2007 Web Content Management Development is a must have for any serious SharePoint developer. Seriously, buy this book today.
ISSUE #2 – Your current user account has not been given permission to the SharePoint site, page, or list you are trying to access.
SYMPTOMS: You have already performed the steps listed in ISSUE #1 – Internet Explorer Security Settings, and you continue to receive the login prompt.
It is likely that your current Windows user account has not been given permission to access the site. This issue is most common if you are working from home (or another external computer) where you are logged into your computer with a non-domain account. There’s not much you can do to prevent this one – you’ll just have to login manually when you first browse to the site. After that you should not be asked to login again until you close Internet Explorer.
This scenario is also common when you are accessing a SharePoint site / page / list for the first time or after the Site Owner has reconfigured security. In this case, you will receive the login prompt 3 times, and then a full-color SharePoint error page will appear telling you that you are not authorized. If you experience this variation, either the Site Owner or the SharePoint Admin will have to verify the SharePoint permissions to make sure that the appropriate permissions are applied for you.
ISSUE #3 – You have checked the little ‘remember my password’ box, and then your password has changed since.
SYMPTOM: The login prompt is coming up every time you click a link within the site. When you enter a valid username and password, the page loads. However, it comes up again on every new page you visit. As a side-effect, sometimes your Windows user account will get locked out after a few pages.
This repeating login box is caused by a stored password that is no longer valid, and happens because the user has at some time checked the box to ‘Remember my password’ when they were logging in. It seems like a good idea at the time, but then it comes back to bite you later when your password expires or is otherwise reset. Windows automatically tries to use the stored credentials to login to the site again and again every time you try to open another page on that site, instead of using your current credentials as it normally would.
Removing these stored passwords is possible, but it can be a challenge if your domain security policies hide some of your Control Panel options. Here are a couple of ways to try:
- In Windows Vista, Open the Control Panel, and choose the ‘User Accounts’ applet.
- Click the link on the left side of the window that says ‘Manage your network passwords’.
- Select and Remove any sites that are related to your new password.
In Windows XP, the path is slightly different: CONTROL PANEL > STORED USERNAMES AND PASSWORDS.
If you do not have the option you need in the Control Panel, there is a way to bring up the box via the Run box.
- Go to START > RUN.
- Type the following:
If you are a domain administrator you can make a central setting with Active Directory Group Policy to disable the use of the 'Remember my password' feature, which is a good idea not only for SharePoint login purposes, but also for general network security concerns.
- Logon to a domain controller and go to START > ALL PROGRAMS > ADMINISTRATIVE TOOLS > ACTIVE DIRECTORY USERS AND COMPUTERS.
- Right-click the domain name (or the Organizational Unit that contains the users you wish to control), and choose Properties.
- Go to the 'Group Policy' tab, and edit the policy you created earlier for the IE Security Settings.
- Drill down to: COMPUTER CONFIGURATION > WINDOWS SETTINGS > SECURITY SETTINGS > LOCAL POLICIES > SECURITY OPTIONS.
- Enable the setting called 'Network Access: Do not allow storage of credentials or .Net Passports for network authentication'.
- Close all open windows, and wait for the changes to replicate through your environment.
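To confirm on a client that the policy has arrived and to find saved entries for the site, the following check can be used. It is an added example, not part of the original post; the `$SiteHint` value and the function names are placeholders, and it assumes English-language `cmdkey` output (cmdkey ships with Windows Vista and Windows Server 2003 and later).

```powershell
# Added example (not from the original post). Run on a client after Group Policy has refreshed.
# $SiteHint is a constructed placeholder for part of your SharePoint host name.
$SiteHint = 'portal'

function Test-CredentialStorageDisabled {
    # The Security Options setting is stored as the DWORD DisableDomainCreds (1 = enabled)
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'DisableDomainCreds' -ErrorAction SilentlyContinue
    return [bool]($lsa -and $lsa.DisableDomainCreds -eq 1)
}

function Get-StoredCredentialTarget {
    # cmdkey /list prints one "Target: ..." line per saved credential.
    # Newer Windows versions prefix the name with "<type>:target=", which is stripped here
    # because cmdkey /delete expects the bare target name.
    cmdkey /list |
        Select-String -Pattern '^\s*Target:\s*(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() -replace '^[^:]+:target=', '' }
}

if (Test-CredentialStorageDisabled) {
    'Policy applied: storage of network credentials is disabled on this machine.'
} else {
    'Policy NOT applied: "Remember my password" can still store credentials.'
}

# List saved entries that match the site so outdated ones can be reviewed and removed
$matching = @(Get-StoredCredentialTarget | Where-Object { $_ -like "*$SiteHint*" })
if ($matching.Count -eq 0) {
    "No stored credentials matching '$SiteHint'."
} else {
    foreach ($t in $matching) {
        # Printed for review rather than executed; run the printed command to remove that entry
        "Stored entry: $t   ->   cmdkey /delete:$t"
    }
}
```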
One or more of these issues has been the culprit in every instance of login problems that I’ve ever had to troubleshoot. If you have domain admin level privileges in your network, you can greatly decrease support calls and increase user adoption by implementing the Group Policy changes detailed in Issues 1 and 3. It is well worth the effort.
If your automatic login is working from Internet Explorer but not from your Office programs, take a look at this post.
Wednesday, June 18, 2008
Unfortunately, no one else can see the documents because they have never been checked in. Even the site owner can't see the documents.
Fortunately, there is an easy way to handle this situation. The site owner can go to the Document Library Settings page and click on the link to Manage checked out files.
From here, he can select the documents and click the Take Ownership of Selection link.
Now, the site owner can enter the missing metadata and check the documents in so others can see them.
Tuesday, June 17, 2008
ISSUE #1 – Internet Explorer Security Settings
SYMPTOM: Whenever you browse to your SharePoint site, the little popup dialog box appears asking for your user name and password. If you enter your credentials, it lets you enter the site – it’s just annoying to have to do this again each time you go to your site. If you enter the wrong credentials, leave off the domain name, or type the wrong slash, the box will reappear a total of three times. If you never get it typed correctly, you will receive a generic black and white error message stating that ‘You are not authorized to view this page’ (see example below).
If you are experiencing this combination of symptoms, you probably need to adjust your Internet Explorer Security Settings. Even if you are unsure if your symptoms exactly match – this is a good place to start troubleshooting.
In a nutshell, the SharePoint site(s) must be added to either the Local Intranet zone or to the Trusted Sites zone on the client PC. Most users are familiar with the Trusted Sites zone, and may already use it for some things. However, the default settings in Internet Explorer don’t always allow automatic login in the Trusted Sites zone – especially in IE7. Explorer won’t allow a site to be in both zones, so I recommend a package of settings to make sure that authentication continues to work. The good news is if you have Domain Admin privileges you can control all of these settings centrally by using Active Directory and Group Policy – more on that later.
- Open IE on your computer, go to TOOLS > INTERNET OPTIONS, and then choose the Security tab.
- Click on the ‘Local Intranet’ zone icon, and then the Sites button.
- That will give you a second box, where you must click the Advanced button before entering and adding the site URL(s) – see pictures below.
If you get an error when you click the Add button, you probably need to uncheck the ‘Require server verification (https:) for all sites in this zone’ box. Then try again.
You should add each SharePoint portal / web application to this list, or use a domain wildcard entry (http://*.domain) if that is acceptable and relevant in your environment.
If users are able to type a short NetBIOS style name (without any domain name) for any portal, the short names should also be added.
If SSL encryption is sometimes used for any portal / web application, you should add the name(s) twice – once with the http: prefix and again with the https: prefix.
- Click Close and OK, and you should find yourself back on the Security tab.
(If you are looking for a quick fix, this alone might take care of the problem. Again though, I recommend following the rest of these steps to prevent things from ‘breaking’ again later.)
- We should now adjust the default security settings for each zone to allow for future user changes. The easiest way to do this is to set the ‘Local Intranet’ and the ‘Trusted Sites’ zones to the Low security level without Protected Mode, the ‘Restricted Sites’ to the High security level with Protected Mode, and the ‘Internet’ zone to the Medium-High level with Protected Mode (click each zone icon and then move the slider all the way down for each – see picture below).
If you don’t see the slider at all, click the ‘Default level’ button. That should bring the slider back.
Protected Mode is actually not directly related to the login process, but will simplify the use of some SharePoint integration features. If you uncheck ‘Protected Mode’ for the ‘Local Intranet’ zone, you will likely receive a dire-looking warning box when you click OK. You’ll have to use your own discretion as to whether this setting is appropriate for your end users.
Some administrators or users may not want to apply the entire package of settings incorporated in the Low setting. You can make a more surgical strike by using the ‘Custom level…’ button. The relevant setting in the Custom box is at the very bottom of the list of options. It’s called ‘Automatic logon with current user name and password’ (see picture below).
- Click OK to exit the Internet Options box, and then close all Internet Explorer windows.
- Open a new Explorer window and browse to your SharePoint site. You should be logged in automatically using your Windows credentials.
If you still receive the login prompt, you apparently have one of the other issues listed at the end of this post.
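The zone a site lands in, and the logon setting of that zone, can also be checked from the command line. The script below is an added example, not part of the original post: it reports the zone each URL maps to and the value of the logon setting (stored in the registry as URL action `1A00`), and warns if automatic logon has been enabled on the Internet or Restricted Sites zone. The URLs and the function name are placeholders, and it assumes Windows PowerShell running as the affected user.

```powershell
# Added example (not from the original post). Run in Windows PowerShell as the affected user.
# The URLs are constructed placeholders; replace them with your own portal addresses.
$Urls = 'http://portal.example.local', 'https://portal.example.local', 'http://portal'

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Data values of URL action 1A00 (the Logon setting at the bottom of the Custom level list)
$LogonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

function Get-ZoneLogonSetting {
    param([Parameter(Mandatory = $true)][string[]]$Url)
    foreach ($u in $Url) {
        # Ask the URL security manager that IE uses which zone this URL maps to
        $zone = [int][System.Security.Policy.Zone]::CreateFromUrl($u).SecurityZone

        # Per-user value first, then the machine default.
        # Values forced through Software\Policies are not read here.
        $raw = $null
        foreach ($hive in 'HKCU:', 'HKLM:') {
            $key  = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
            $item = Get-ItemProperty -Path $key -Name '1A00' -ErrorAction SilentlyContinue
            if ($item) { $raw = [int]$item.'1A00'; break }
        }

        # Credentials are sent silently if the zone is set to automatic logon,
        # or to "only in Intranet zone" and the URL is in the Local Intranet zone
        $auto = ($raw -eq 0x00000) -or ($raw -eq 0x20000 -and $zone -eq 1)
        [pscustomobject]@{
            Url       = $u
            Zone      = $ZoneNames[$zone]
            Logon     = if ($null -eq $raw) { 'not set' } else { $LogonModes[$raw] }
            AutoLogon = $auto
        }
    }
}

Get-ZoneLogonSetting -Url $Urls | Format-Table -AutoSize

# Automatic logon belongs only on zones you populate yourself: flag it on Internet and Restricted Sites
foreach ($z in 3, 4) {
    $v = (Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$z" -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    if ($v -eq 0) { Write-Warning "$($ZoneNames[$z]) zone sends Windows credentials automatically" }
}
```

A portal URL that reports the Internet zone has not been picked up by the Local Intranet or Trusted Sites list, which matches the repeated prompt described in the symptoms.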
If you are a Domain Admin, you probably want to apply these settings to all of your users. That way they can quit calling you about it and move on to other problems… This can be done by using Active Directory Group Policies.
- Login to your domain controller using an account that has domain admin privileges, and perform the steps listed above to create the appropriate package of settings. The following steps allow you to import that package of settings into Group Policy.
- Go to CONTROL PANEL > ADD OR REMOVE PROGRAMS > ADD/REMOVE WINDOWS COMPONENTS > INTERNET EXPLORER ENHANCED SECURITY CONFIGURATION.
- Uncheck the Internet Explorer Enhanced Security Configuration option, and click Next until the wizard completes. This option can be re-enabled after step 10??, if you want or if your corporate policy requires it.
- Go to START > ALL PROGRAMS > ADMINISTRATIVE TOOLS > ACTIVE DIRECTORY USERS AND COMPUTERS.
- Right-click your domain name (or whichever Organizational Unit contains the users to which you wish to apply this fix), and choose Properties.
- Click the ‘Group Policy’ tab, and then the New button. Type in a descriptive name for the New Group Policy Object that appears.
- Make sure that your new policy is selected and click the Edit button.
- Drill down to USER CONFIGURATION > WINDOWS COMPONENTS > INTERNET EXPLORER MAINTENANCE > SECURITY > SECURITY ZONES AND CONTENT RATINGS.
- When you click the button labeled ‘Import the current security zones and privacy settings’, you will likely receive a warning about ‘Internet Explorer Enhanced Security Configuration’.
This is why we disabled the enhanced configuration in step 3, so that this policy would apply to normal workstations. Click Continue.
- Close all open windows.
You can now go back to the ‘Add/Remove Windows Components’ box and re-enable the Internet Explorer Enhanced Security Configuration if you wish.
The changes will take time to replicate through your entire network or enterprise, depending on your particular Active Directory replication topology. In a single-site network, you may see the changes take effect within 15 to 90 minutes. In multi-site networks, it may take a day or more.
This package of settings could also be rolled out via Microsoft SMS server instead of Group Policy. However, SMS is certainly not my area of expertise, so I’ll just mention that it’s possible. I have personally used the above Active Directory Group Policy method with very good results. Even after all of your desktop clients receive the settings, you may still have a few users report login problems. If that is the case for you, stay tuned for my next post regarding Issues 2 and 3 that relate to login issues.
Tuesday, June 03, 2008
Companies that I have worked with have had huge success using lunch menus, featured employee biographies, and bulletin boards to attract their users to the site. This type of content engages the user and will keep them coming to the site as you continue to add more business-related content. One quick and easy way to add user-catching content is to use Google Gadgets. Not only can Google Gadgets help you attract users to your site, they can also keep users from navigating away from the intranet into the World Wide Web.
Google has hundreds of gadgets that can be added to any web page. Many of these can be integrated into SharePoint using the Content Editor Web Part or the XML Web Part. Many of the Gadgets can allow users to access information from the web without leaving the comfort of your intranet page.
The example below shows how to use the Content Editor Web Part to add a weather gadget to a page.
- Browse and find a Google Gadget for your page. Enter the settings for the Gadget. Click the Get the Code button. Copy the code in the box.
- Add a Content Editor Web Part to your homepage and modify the web part.
- Click on the Source Editor and paste the code from the Google Gadget into the box.
- Save the Changes to the web part. When you reload the page the weather gadget will appear on your page.
Google Gadgets can be an easy way to add external content to your SharePoint site. Be wary and selective when choosing your Gadgets. Not all Google Gadgets are appropriate for use on company portals and using too many gadgets can clutter and make your site less user friendly. Remember the goal is to add content that the users want or need. Some of the Google Gadgets that I think could be useful in a SharePoint environment are the weather gadget, the Count Down gadget (This could be used to countdown to a company event or deadline.), and Google Mini Web gadget.