Tag Archives: Active Directory

User License Enforcement In SharePoint 2013

One of the great features of SharePoint 2013 is User License Enforcement.  This enables you to map users, or Active Directory security groups to a SharePoint license level.

User License Enforcement is disabled by default and is dependent on Claims authentication.  However, Claims authentication is the default in SharePoint 2013 http://technet.microsoft.com/en-us/library/cc262350.aspx.

To enable User License Enforcement, open the SharePoint 2013 Management Shell and type Enable-SPUserLicensing.  To confirm User Licensing is enabled type Get-SPUserLicensing.  Enabled, True should be the output if it’s enabled.

To map an Active Directory security group to a SharePoint Enterprise license enter

$a = New-SPUserLicenseMapping -SecurityGroup "yoursecuritygroup" -License Enterprise

Add-SPUserLicenseMapping $a

Replace Enterprise with either “Standard”, “Project”, “DUET”, or “WAC” depending on the license level you wish to enable.  Project is for Office Project Server, DUET is for SAP and WAC is for edit rights in Office Web Apps.

In the screenshot below I’ve mapped two Active Directory security groups to different license levels, one to an Enterprise license and one to a Standard license.


Once you have configured the license mapping, enter Get-SPUserLicenseMapping to view the mappings.


Once the User License Enforcement has been configured users will see a different view dependent on their license level.  Below you can see a user mapped to an Enterprise license can create sites, such as Business Intelligence Center.


The user in the screenshot below is mapped to a Standard license and has a different set of site creation options.


If a user with a Standard license accesses a page containing an Enterprise level web part they may see an error relating to a lack of license.


For a full list of licensing PowerShell cmdlets visit the TechNet site http://technet.microsoft.com/en-us/library/jj219609.aspx


User Context Sensitive Searching In SharePoint 2013 Part 1

The purpose of this two part series is to demonstrate how you can alter SharePoint 2013 search results based upon the current user.  The example I’ll use here is promoting specific search results to the top of the search result list based on the user’s department in Active Directory.  This feature is known as User Segmentation and the method I describe is my take on the information and code available here http://blogs.technet.com/b/speschka/archive/2012/12/02/using-user-context-aka-as-segmentation-in-search-with-sharepoint-2013.aspx and here http://msdn.microsoft.com/en-us/library/jj870831.aspx

In order for this to work you need SharePoint 2013 Enterprise, as the code makes use of the Content Search Web Part (CSWP), which is only available in SharePoint 2013 Enterprise.  You need to have an instance of the User Profile Service Application working with users imported from Active Directory and the department field populated.  You also need to have configured the Managed Metadata Service Service Application as we make use of the people taxonomy.  You’ll also need Visual Studio 2012 with the Office Developer Tools for Visual Studio 2012 (http://aka.ms/OfficeDevToolsForVS2012) to edit the web part.

An overview of the method I’ll cover in the two posts is as follows:

Create a web part which is an extension of the CSWP.  The web part retrieves the current user’s department from the User Profile Service Application within SharePoint.  Next the web part looks up the term ID of the user’s department within the People taxonomy in the Managed Metadata Service.  The department tag ID is added to the User Segment terms.

A query rule is created within the Search Service Application which fires for a specific department in the User Segment terms.  The query rule is used to alter the search result ranking.

The Visual Studio solution is available to download here https://1drv.ms/u/s!AnQuhI0KfyfurTYC0BlSPffu1r_I You can open the solution in Visual Studio and deploy it, or just deploy the wsp file from Search User Segmentation\Search User Segmentation\bin\Debug folder within the zip file using PowerShell, or STSADM.

Extend SharePoint 2013 People Search Using Business Connectivity Services Part 4

In this four part series I will describe the process of extending the SharePoint 2013 user profile from Active Directory with additional data from a SQL Server table.  The additional data will then be displayed in users’ My Sites and SharePoint people search.

Part 1 will show the process to create the SQL Server table.  Part 2 will show the process to make the data in the SQL Server table accessible to SharePoint.  Part 3 will show the process to extend user profiles and My Sites to include the additional user data.  Part 4 will show the process to make the new user profile properties accessible in SharePoint Search.

The SharePoint environment is SharePoint 2013 Standard, with SQL Server 2008 R2 and SharePoint Designer 2013.  The steps are based on an environment where the User Profile Service has already been setup, users have been imported from Active Directory and My Sites have been configured.  It is assumed that SharePoint Search has been configured and a search site using the Enterprise Search Center template has been created.

In this post I’ll describe the process of making the custom user profile properties you populated in the last post visible within SharePoint Search.

Open Central Administration -> Application Management -> Manage service applications and open your Search Service Application.  Click on Content Sources, then click on the drop down for your user profile content source and start an incremental crawl.


Once the crawl has completed click on Search Schema under Queries and Results.


Click on Crawled Properties, then in the managed property box search for one of your custom user profile properties.


Your custom property should be listed as People:XXXX as the property was added as a user property.  Click on the custom property and check the Include in full-text index box is ticked.


Return to the Managed Properties screen and click on New Managed Property.


Enter a property name, e.g. Jurisdiction and select the correct data type.


There are many options to experiment with in this screen, but as a minimum for this example tick Queryable (this appears to be a requirement for the refiner option) and Retrievable, which allows us to display the property in search results, and set Refinable to Yes – active, as I want to be able to refine search results using this custom property.  Finally, map this new managed property to the custom user profile property and click Ok.


Repeat these steps for all the other custom properties you wish to use in search.  Once you’ve created all your managed properties run a full crawl of your content source.


Once the full crawl has completed we need to add the custom properties to the list of refiners and to the search results.  Navigate to your search site and search for a user that will have the custom properties populated.


Edit the search results page, and click on Edit Web Part for the Refinement web part.


In the Properties for Search Refinement screen click on Choose Refiners.


From the screen that loads, select the custom property you wish to add as a refiner and click Add, then click Ok.


Click OK on the Properties for Search Refinement web part.  You should now see your new refiner.


If you’re happy check in and publish the page.


Now I’m going to show you the process to display a custom property under the user’s details.  Edit the Search page and click on the display template link.


On the display template page choose to download a copy of the existing People Item template.


Create a copy of the downloaded template and open it in a text editor like Notepad++.  Update the title field to indicate this is your custom display template.


Add your custom user property name to the ManagedPropertyMapping section.


Create a variable for your custom property.


I’ve copied the department section and replaced the variable etc. with jurisdiction.  I’ve also added Jurisdiction:  in the value DIV as this will add a prefix to the value on the search result screen.


Open SharePoint Designer, connect to your SharePoint site and navigate to Page Layouts -> Display Templates -> Search.  Click on Import Files in the ribbon and upload your custom display template.


Navigate to the display template gallery and publish a major version of your template.


Using the link on the search results page, open the Manage Result Types page.  Use the drop down for the Person result type to create a copy.


Enter a name for the new result type and select your custom display template.


In my environment the updated display template worked straight away.  However, if you need to change the display template, on the people search results page edit the web part properties on the People Search Core Results.


Select your custom display template and save changes.


You should now see the custom property in the search results.


Troubleshooting

If you have problems getting this to work the following tools may help:

Monitor connections to the SQL Server during the user import task using SQL Server Profiler.  This will enable you to see if SharePoint is connecting to the SQL Server and the commands that are being run.

Monitor the user import process using Synchronization Manager Service, which can be found at “C:\Program Files\Microsoft Office Servers\15.0\Synchronization Service\UIShell\miisclient.exe”.

Monitor SharePoint logs using the ULSViewer.  You can create a filter to include results only from Business Data Connectivity Services. http://archive.msdn.microsoft.com/ULSViewer

Extend SharePoint 2013 People Search Using Business Connectivity Services Part 3

In this four part series I will describe the process of extending the SharePoint 2013 user profile from Active Directory with additional data from a SQL Server table.  The additional data will then be displayed in users’ My Sites and SharePoint people search.

Part 1 will show the process to create the SQL Server table.  Part 2 will show the process to make the data in the SQL Server table accessible to SharePoint.  Part 3 will show the process to extend user profiles and My Sites to include the additional user data.  Part 4 will show the process to make the new user profile properties accessible in SharePoint Search.

The SharePoint environment is SharePoint 2013 Standard, with SQL Server 2008 R2 and SharePoint Designer 2013.  The steps are based on an environment where the User Profile Service has already been setup, users have been imported from Active Directory and My Sites have been configured.  It is assumed that SharePoint Search has been configured and a search site using the Enterprise Search Center template has been created.

In this post I’ll describe the process of extending the Active Directory user profiles with information from SQL Server and how to display this data in SharePoint people search and My Sites.

Open Central Administration -> Application Management -> Manage service applications and open your User Profile Service application.  Click on Configure Synchronization Connections.


On the Synchronization Connections page click on Create New Connection.  Enter a name for the connection, change the connection type to Business Data Connectivity.  In the Business Data Connectivity Entity section, select your External Content Type.  Choose to connect using a 1:1 mapping and return items based on the WorkEmail property.  Click Ok.


We now need to map the fields returned by the connection to SQL Server to fields in user profiles.  Return to your User Profile Service application in Central Administration and click on Manage User Properties.


On the Manage User Properties screen click on New Property.  I’m going to show the process to create a property called jurisdiction, which will be mapped to the jurisdiction field in SQL Server.  The process needs to be repeated for all fields you wish to add to the user profile.

Enter a name, display name and change the data type and field length to match the field you’re mapping.


Change the Policy Setting to optional, and the Default Privacy Setting to Everyone.  This allows the field to be displayed in the profile properties section of the user’s profile.  I don’t want users to be able to change the jurisdiction value, so update the Edit Settings as appropriate.  In order to display the value on the user’s profile page tick the box under Display Settings.  Ensure the Indexed box is ticked to make the property searchable.


You now need to map the user profile property to the field in the External Content Type.  Choose the Employees data source and the appropriate field to map to the user property.  Leave the direction as import and click Add, followed by Ok to save the new property.


Repeat this process for any other properties you wish to map to user profile properties.  Once you’ve mapped all the user properties run a full user profile synchronization process from Start Profile Synchronization.


Once the profile synchronization has finished, click on Manage User Profiles, then search for a user that should have been populated with data.


If you scroll through the user profile you should see your custom user profile properties have been populated.


Visit a user’s My Site and click on SHOW MORE under the user’s details to see your custom user profile properties.


In the final part of this series I’ll show you how to make the custom properties visible within SharePoint Search.

User Profile Synchronisation Errors In SharePoint 2013

During testing of SharePoint 2013 I experienced the Application Event Log errors below.  When the errors occurred I was unable to run a User Profile Synchronisation with Active Directory.

Event ID 6398, category Timer

The Execute method of job definition Microsoft.Office.Server.UserProfiles.UserProfileImportJob (ID 0afab701-a201-4df9-bfc7-590838da8809) threw an exception. More information is included below.

Generic Failure

Event ID 1004, category None

Detection of product ‘{90150000-104C-0000-1000-0000000FF1CE}’, feature ‘PeopleILM’, component ‘{1C12B6E6-898C-4D58-9774-AAAFBDFE273C}’ failed. The resource ‘C:\Program Files\Microsoft Office Servers\15.0\Service\Microsoft.ResourceManagement.Service.exe’ does not exist.

Event ID 1001, category None

Detection of product ‘{90150000-104C-0000-1000-0000000FF1CE}’, feature ‘PeopleILM’ failed during request for component ‘{1681AE41-ADA8-4B70-BC11-98A5A4EDD046}’

The resolution is to grant the Network Service account read access to the c:\Program Files\Microsoft Office Servers\15.0 folder.
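One way to apply that permission from an elevated PowerShell prompt, checking first whether Network Service can already read the folder and granting Read only (no write or modify rights). This is an added example, not part of the original post; it assumes the default install path quoted in the event log entries above and that inheritance to subfolders and files is wanted.

```powershell
# Added example: grant NETWORK SERVICE read access only if it is missing.
# Assumption: default SharePoint 2013 install path, as shown in the event log text.
$path = 'C:\Program Files\Microsoft Office Servers\15.0'

# S-1-5-20 is the well-known SID for NETWORK SERVICE; using the SID avoids
# depending on the localized account name.
$sid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'
$read = [int][System.Security.AccessControl.FileSystemRights]::Read

$acl = Get-Acl -Path $path

# Explicit and inherited rules, with identities returned as SIDs for comparison.
$existing = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $read) -eq $read
    }

if ($existing) {
    Write-Output "NETWORK SERVICE already has read access to $path"
} else {
    # Read only, inherited by subfolders and files; nothing broader is granted.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Output "Granted read access to NETWORK SERVICE on $path"
}

# List the resulting entries for the account so the change can be reviewed.
(Get-Acl -Path $path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
    Format-Table FileSystemRights, AccessControlType, IsInherited -AutoSize
```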

SharePoint People Picker, Audiences And Active Directory Trusts

The following post covers issues I came across when configuring SharePoint 2010 to work with an Active Directory (AD) trust.  In this scenario, SharePoint and user accounts are in domain A and a two-way transitive trust has been created with domain B.  Domain B holds new users who need access to SharePoint.

The first issue was the error below, which occurred when setting permissions for AD users and groups from domain B using the People Picker.

No exact match was found. Click the item(s) that did not resolve for more options

As a two-way trust exists between the two domains and the web application is using Windows authentication, SharePoint should have been able to locate users and groups in the trusted domain.  However, this wasn’t the case and I had to run the commands on this page http://technet.microsoft.com/en-us/library/cc263460.aspx.  The stsadm.exe -o setapppassword -password <password> command has to be run on every SharePoint server running the Windows SharePoint Services Web Application service.  The stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv <list of forests or domains> -url <webapp> command is run on one SharePoint server running the Windows SharePoint Services Web Application.

The next issue occurred when using the Audience Picker to set an audience on a web part for a group from domain B.  Unlike the People Picker which queries AD, the Audience Picker queries the user profile database for imported users.  In this case I was able to search for the security group from the trusted domain, the group was listed as containing members, but the audience setting failed to work.  This error was caused by a mismatch between the NETBIOS name of domain B and the FQDN, e.g. the NETBIOS name was DOMAINB-XY and the FQDN was DOMAINB.COM.  In order to fix the problem I followed the steps listed here http://blogs.msdn.com/b/russmax/archive/2010/03/20/sharepoint-2010-provisioning-user-profile-synchronization.aspx.  The basic steps are:

  1. Ensure Grant Replicate Directory Changes has been correctly assigned on domain B http://technet.microsoft.com/en-us/library/hh296982.aspx
  2. Set the NetBiosDomainNamesEnabled property to true for the User Profile Service Application
  3. Delete and recreate the AD connection within SharePoint for the import of users from domain B
  4. Import users from domain B.
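Step 2 can be done from the SharePoint Management Shell. The following is an added example, not code from the original post; it assumes the service application reports the type name User Profile Service Application and that the shell is run by a farm administrator. It reports the current value before changing anything, so it is safe to run as a check.

```powershell
# Added example: report and, if needed, enable NetBIOS domain names on each
# User Profile Service Application in the farm.
$upas = Get-SPServiceApplication |
    Where-Object { $_.TypeName -eq 'User Profile Service Application' }

if (-not $upas) {
    Write-Warning 'No User Profile Service Application found in this farm.'
}

foreach ($upa in $upas) {
    Write-Output ("{0}: NetBIOSDomainNamesEnabled = {1}" -f `
        $upa.DisplayName, $upa.NetBIOSDomainNamesEnabled)

    if (-not $upa.NetBIOSDomainNamesEnabled) {
        $upa.NetBIOSDomainNamesEnabled = $true
        $upa.Update()   # persist the change to the configuration database
        Write-Output ("{0}: property set to True" -f $upa.DisplayName)
    }
}
```

The property only affects connections created after it is set, which is why step 3 deletes and recreates the AD connection before the import in step 4.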