Global Administrator role in Office 365

There are several administrator roles available in Office 365, such as the billing administrator, password administrator, service administrator, and user management administrator, but the most important one will probably be the global administrator, because it is the only administrator account that is able to assign administrator roles to other accounts.

The account signing up for a new Office 365 subscription will automatically be assigned the Global Administrator role. After signing up, you are free to have more than one global administrator.

In order to assign the global administrator role to an active user, follow the steps below:

  1. Go to http://portal.office.com and log in as a global administrator.
  2. Go to the Office 365 admin center site.
  3. Click the USERS link in the left navigation and choose Active Users.
  4. In the list of Active Users, locate the user you wish to assign the global administrator role to and check the checkbox next to it.
  5. Click the EDIT link to the right below the avatar for the user.
  6. In the left navigation choose the link Settings.
  7. In the section called Assign role, choose the radio button Yes and select Global administrator in the dropdown menu.
  8. Provide an alternate email address for the user.
  9. Hit the Save button at the bottom of the page.

In order to find all users who have been assigned the global administrator role, you can use the following Windows PowerShell script.

(Please note that you need to install Microsoft Online Service Sign-in Assistant for IT Professionals RTW first and afterwards Azure Active Directory Module for Windows PowerShell (64-bit version) on the system you are running the script from. Otherwise it will not work.)

$credentials = Get-Credential
Import-Module MsOnline
Connect-MsolService -Credential $credentials
$companyAdministratorRole = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $companyAdministratorRole.ObjectId

The tenant name in Office 365

The Office 365 tenant name is an important subject to cover before diving deep into the Office 365 world. I would therefore like to take the opportunity to explain what it is, its limitations, and how it works.

When you sign up for an Office 365 subscription, you are asked to provide a domain name which will be your tenant name and used for .onmicrosoft.com. At this point you will have to consider this choice carefully, since you will be unable to change this at a later time. If you want to change the tenant name, you will need to sign up for a new subscription again with a new tenant name.

If you plan to use your trial tenant for production, be sure to choose a name for the tenant that is different from your planned production tenant name. It’s a common mistake to use a company name for the trial. The name of the tenant appears in Lync invites and SharePoint Online, but Microsoft does not currently have tools to rename a tenant or migrate data from one tenant to another. If you change your mind later, you have to create a new tenant and manually move your data and settings. (https://technet.microsoft.com/en-us/library/hh852435.aspx)

The tenant name will be under onmicrosoft.com, which is a global namespace. This means that if a company in Europe has already signed up for a domain name such as foobar.onmicrosoft.com, where the tenant name is foobar, then a company in Asia will be unable to sign up for the same domain name. This limitation has not always applied. Under the predecessor Business Productivity Online Standard Suite (BPOS), which was the previous name and version of Office 365, the subscriptions were divided into three regions called microsoftonline.com, emea.microsoftonline.com, and apac.microsoftonline.com. But now we only have onmicrosoft.com available in Office 365.

Another important point to consider when choosing the tenant name is that it will be a part of your SharePoint URL, which comes with the Office 365 subscription. For example: http://yourtenantname.sharepoint.com.

If you want to check whether a tenant name is available for a new Office 365 subscription, I recommend using the following website: http://office365check.azurewebsites.net.

Change existing list’s URL using Powershell

Today I was faced with the challenge of changing an existing list’s URL in SharePoint 2010. I found a simple way to do this using SharePoint Designer, but I wanted to be able to do this using Windows Powershell. It turns out this is pretty easy and can be accomplished by using the following script snippet:

$site = Get-SPWeb http://yourwebapplication/yoursite/
$site.Lists["ListName"].RootFolder.MoveTo("NewListName")

The script snippet above will change the URL of the list.

Cannot complete this action as the Secure Store Shared Service is not responding. Please contact your administrator.

After creating a Secure Store Service Application through the Central Administration interface in SharePoint Server 2013 and trying to access the new Service Application, I receive the following error message from the system:
Cannot complete this action as the Secure Store Shared Service is not responding. Please contact your administrator.

In order to solve this, you can use the following Windows Powershell:

$service = Get-SPServiceInstance | Where-Object {$_.TypeName -eq "Secure Store Service"}
$service.Provision()
IISRESET

The Windows Powershell worked for me, and you should now be able to continue configuring the Secure Store Service Application.

Understanding device channels in SharePoint 2013

Public-facing websites today require different rendering on different devices (laptops, smartphones and tablets).

SharePoint 2013 Publishing Sites has introduced a concept called Device Channels, which renders publishing sites in different ways by using different designs. This is controlled by a substring of the User-Agent string that is sent when the user requests a specific site. Based on this particular substring, SharePoint 2013 is able to use the defined device channels and redirect the user to the correct master page view.

Keep in mind that this is a feature only available for SharePoint 2013 Publishing Sites.

You are able to add a new device channel by going to Site Settings and in the Look and Feel section click the link Device Channels. If you enter this device channels page for the first time, you will see a default entry in there already. If you want to add a new device channel, you simply add a new list item to the list.

You are asked to provide the following information:

Field | Mandatory? | Description
Name | True | Specify the name of the device channel.
Alias | True | Alias of the device channel to reference it using code/markup.
Description | False | Specify a description of the device channel.
Device Inclusion Rules | True | This is the most important part of the device channel.
Active | False | Checking this checkbox will activate the channel.

Once the information above has been specified for a new device channel, you will have to associate a master page with the newly created device channel. This can be accomplished by going to Site Settings and, in the Look and Feel section, clicking the link Master page. All the device channels that you have created and specified as active will show up on this Master page settings page, and you are able to choose what master page to use for each device channel.

Preventing anonymous access to built-in web services in SharePoint 2013 publishing sites

After creating a new public-facing website in SharePoint 2013 and having configured anonymous access to the site, the structure in the virtual library _vti_bin is still accessible without you having to log in. Each web application web service is installed in the _vti_bin directory, which maps to the following file system location:
%COMMONPROGRAMFILES%\Microsoft Shared\web server extensions\15\ISAPI

For example, if anonymous users access the page http://publishing/_vti_bin/spdisco.aspx within this particular directory, a list of all available web services is shown. (In my example I am using a web application called http://publishing.)

In order to change this behavior so that anonymous users cannot access the web services, a small modification to the web.config file for the web application on each frontend server has to be made.

Place the following XML above the closing </configuration> tag at the bottom of the web.config file.

<location path="_vti_bin">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>

When the web.config file is saved, the application pool is automatically recycled and anonymous users are now required to log in when trying to access http://publishing/_vti_bin/spdisco.aspx.
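
A way to confirm that the rule is present and effective in a given web.config, as an added example that is not part of the original post. The function name and both sample configurations are constructed; the check relies on ASP.NET URL authorization using the first rule that matches the user, so a deny placed after a matching allow has no effect.

```powershell
# Added example, not from the original post. The function name and both
# sample configurations are constructed for illustration.
function Test-VtiBinAnonymousDenied {
    param([Parameter(Mandatory = $true)][xml]$Config)

    # <location> overrides are direct children of <configuration>.
    $locations = @($Config.SelectNodes('/configuration/location') |
        Where-Object { $_.GetAttribute('path').Trim('/') -ieq '_vti_bin' })

    foreach ($location in $locations) {
        # ASP.NET URL authorization stops at the first rule that matches the
        # user, so an <allow> placed before the <deny> wins. Rules limited by
        # a verbs= attribute are not treated specially here (assumption).
        foreach ($rule in $location.SelectNodes('system.web/authorization/*')) {
            $users = @($rule.GetAttribute('users') -split ',' |
                ForEach-Object { $_.Trim() })
            if (($users -contains '?') -or ($users -contains '*')) {
                return ($rule.LocalName -eq 'deny')
            }
        }
    }
    # No rule for anonymous users under _vti_bin: the site-level setting applies.
    return $false
}

# Constructed sample: the fragment from this post, correctly placed.
$hardened = [xml]@'
<configuration>
  <location path="_vti_bin">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
</configuration>
'@

# Constructed sample: the deny is present but shadowed by an earlier allow.
$shadowed = [xml]@'
<configuration>
  <location path="_vti_bin">
    <system.web><authorization><allow users="*" /><deny users="?" /></authorization></system.web>
  </location>
</configuration>
'@

foreach ($name in 'hardened', 'shadowed') {
    $result = Test-VtiBinAnonymousDenied -Config (Get-Variable $name -ValueOnly)
    '{0}: anonymous access to _vti_bin denied = {1}' -f $name, $result
}
```

On a front-end server, pass the real file with `[xml](Get-Content <path to web.config>)`, and repeat the check on every front-end server, since each one has its own copy of the file.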

How to determine what version of PowerShell is installed

The other day I was using a Windows Powershell script from the TechNet Gallery. The script required Windows Powershell version 3.0 in order to execute so I had to find out what shell version I was using on my virtual machine.
Instead of going through the file system to locate the version (if possible at all?), I found out that this can actually be done using a simple command in the shell window.

In order to determine what version of Windows Powershell is installed, you can enter the following command in a Windows Powershell window:

$PSVersionTable.psversion

[Screenshot: output of $PSVersionTable.psversion]

As you can see from the screenshot above, the output shows Major, Minor, Build, and Revision for the specific version. The information above tells me that I am currently running Windows Powershell 4.0.

SPManagedAccount could not be deleted because other objects depend on it.

After removing a Service Application from SharePoint 2013, I wanted to clean up the corresponding Service Accounts. Normally I would do this using the following Windows Powershell commands. In this example I am trying to delete an account called KJAERULFF\UPAAppPool:

Get-SPManagedAccount | Where-Object {$_.UserName -eq "KJAERULFF\UPAAppPool"} | Remove-SPManagedAccount

But this time I receive the following error:

Remove-SPManagedAccount : An object in the SharePoint administrative framework, “SPManagedAccount Name=managed-account-S-1-5-21-1832481381-4025055587-3373917466-1113”, could not be deleted because other objects depend on it. Update all of these dependants to point to null or different objects and retry this operation. The dependant objects are as follows:
SPIisWebServiceApplicationPool Name=Contoso User Profile Service
SPIisWebServiceApplicationPool Name=SharePoint – UPA
At line:1 char:1
+ Remove-SPManagedAccount -Identity $account
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (Microsoft.Share…eManagedAccount: SPCmdletRemoveManagedAccount) [Remove-SPManagedAccount], InvalidOperationException
+ FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletRemoveManagedAccount

The error occurs because one or more service application pools have a dependency on the account you are trying to delete. In this case the two dependencies are:

  • Contoso User Profile Service
  • SharePoint – UPA

In order to solve this problem we will first need to delete the dependencies using Windows Powershell. This can be done using the following commands in Windows Powershell:

Get-SPServiceApplicationPool | Where-Object {$_.Name -eq "Contoso User Profile Service"} | Remove-SPServiceApplicationPool
Get-SPServiceApplicationPool | Where-Object {$_.Name -eq "SharePoint - UPA"} | Remove-SPServiceApplicationPool

After performing the steps above, you are now able to delete the account using the following command:

Get-SPManagedAccount | Where-Object {$_.UserName -eq "KJAERULFF\UPAAppPool"} | Remove-SPManagedAccount

Defining managed paths in SharePoint 2013

A huge part of structuring a SharePoint web application involves creating site collections with sites and having them in a logical structure that reflects different parts of your organisation. Managed paths can help you with just that. Managed paths are a mechanism that enables the user to create a uniform navigational structure across multiple site collections in a farm.

There are two types of managed paths. Wildcard and explicit:

As you can see from the examples above, managed paths are defined per web application and can be created from the Central Administration interface or from Windows PowerShell. In this blogpost I will show you both methods from a SharePoint 2013 farm. It is important to point out that neither of these methods is preferred over the other. It really depends on the situation.

Using Central Administration

To create a managed path using the Central Administration Interface, do the following.

  1. Open Central Administration and go to Application Management.
  2. In the Web Applications section, click the link Manage web applications.
  3. Select the web application in the list that you want to create a managed path for, and click the button Managed Paths in the ribbon.
  4. This opens up a page where you are able to specify a name for the new managed path and the type.
  5. Click OK to create a new managed path for the web application you selected in step 3.

Using Windows Powershell

To create a managed path using Windows Powershell, you can use the cmdlet called New-SPManagedPath (http://technet.microsoft.com/en-us/library/ff607693.aspx).

  1. Open the SharePoint 2013 Management Shell.
  2. Execute the following: $wa = Get-SPWebApplication -Identity "http://portal"
  3. When the web application has been assigned to the variable, execute the following: New-SPManagedPath "departments" -WebApplication $wa

I hope the information I have described in this blogpost about managed paths helps you understand this important concept in SharePoint.

Access the GAC (Global Assembly Cache) using network drive mapping

Now and then I need access to the physical DLL files located in the GAC (Global Assembly Cache). This can be done by mapping the GAC folder as a network drive. The steps below show how to do this in Windows Server 2012.

Open up the File Explorer and go to Computer.

Choose the Computer tab and click the button Map network drive.

In the dialog that opens, you are able to enter the server name and folder (\\SERVER\FOLDER). In my case it is \\DEMODEV2013\c$\windows\assembly.

After mapping the Network drive using the steps shown above, you should be able to browse all the physical files located in the GAC (Global Assembly Cache).