SharePoint 2007 enhanced by SQL 2008

A quick update about SQL 2008 and how it can enhance SharePoint 2007. The key word is compression of data in different scenarios. Backups from SQL Server can now be compressed, which saves the space needed for backups, which has been a big problem for us as IT admins. The replication traffic between SQL nodes in the SQL cluster is also compressed, which makes mirroring easier and more effective if the infrastructure isn’t a high-bandwidth one. I have just installed my first SQL 2008 machine in production and will be updating with more info as soon as I have something fun to tell you about it! =)

More detailed information can be found at TechNet.

About security groups and SharePoint.

Almost every week I welcome a new class at the CPLS where I work. Every week I have to teach people – who thought they knew SharePoint security – some fundamental knowledge about security. This is an article to try and explain some of the main points.

SharePoint security can be divided into three basic areas: Groups & Users, Permissions and Securable objects. Groups and users are thought to be straightforward. Users are present in a database and can be divided into groups. Groups do not have any permissions. Permissions are then set in the access list of each securable object. A securable object is basically a list item, list, library, site or site collection.

  • Groups are “global” (site collection)
    Microsoft has made it easy for us to reach People and Groups from every site’s administration section. This is a bit confusing since it’s easy to believe that the groups are defined for each site; however, when a group is created it is always created in the site collection. A group name is therefore also global: “Owner” is not a good name, since it does not describe what that person owns and where – “Global Finances Site Owner” would be a better name. If you are used to WSS 2.0, there was something called Site Groups, which were groups on the site level – this feature is NOT available in WSS 3.0.
  • Group membership does not change on site level
    If you are a member of the Approvers group, you are a member of the Approvers group everywhere in the site collection. The actual site permissions may vary, but you are always a member of the Approvers group. I think the above-mentioned link adds to this confusion. I think that if you were a member of the Approver group you would have Approver rights in the whole portal; so even if a group is named “Global Finances Invoice Approver” and is used mainly on the Global Finances site, it’s still global.
  • Groups are not the same as permissions
    When you are a member of a group, no permissions are actually assigned by the group membership. Most standard groups have a default permission set. Permissions are set at the securable object level. I think this is made worse by the default groups in SharePoint such as Approver: this falsely gives you the impression that if you are a member of that group you will get a specific permission. I will admit that in the standard configuration this is true, but it is not practical. What is that person to approve? Perhaps you would create a “Global Finances News Approver” group which would be assigned the Approve permission level on the Global Finances site – but not a right to globally approve everything.
  • Access lists and inheritance
    By default, access lists are inherited by subordinate securable objects (except when a web application policy overrides). Groups are global, so they are not “inherited”. When inheritance is broken, a copy of the access list is created; it cannot be partly inherited – inheritance is either broken or not! Permission levels are also inherited, and are still inherited even if we break the access list inheritance. To break the permission level inheritance, that must also be broken separately – almost never needed. You are always free to restore inheritance – when you do: ALL subordinate permissions and access lists are also reset to inherit!
  • Some accounts are special
    There are some accounts that get access even though they are not in the access lists. This is true for the Primary and Secondary site collection administration accounts. This is set up elsewhere. Members of the built-in Administrators group also have access, for instance.
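
The rules in the list above, as an added example that is not part of the original post: a simplified Python model (the class and function names are hypothetical, not SharePoint's object model) showing that group membership grants nothing without an access list entry, that breaking inheritance copies the list, and that restoring inheritance on a site discards a lockdown made on a library beneath it. Web application policies, permission level inheritance and the special accounts are left out, and the sample groups and users are constructed.

```python
# Simplified model of the behaviour described above, not SharePoint's own API.
class Securable:
    """Site collection, site, list, library or item. acl: group -> level."""

    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, []
        self.acl = None if parent else {}   # None means "inherit from parent"
        if parent:
            parent.children.append(self)

    def effective_acl(self):
        # Walk up to the first object that holds its own access list.
        node = self
        while node.acl is None:
            node = node.parent
        return node.acl

    def break_inheritance(self):
        # Breaking inheritance copies the current list; nothing stays linked.
        self.acl = dict(self.effective_acl())

    def restore_inheritance(self):
        # Restoring resets this object AND every subordinate object.
        if self.parent is not None:
            self.acl = None
        for child in self.children:
            child.restore_inheritance()

def levels_for(user, obj, groups):
    """Permission levels user holds on obj; membership alone grants nothing."""
    return {level for group, level in obj.effective_acl().items()
            if user in groups.get(group, ())}

def demo():
    # Constructed sample data; groups are defined once, at site collection level.
    groups = {"Global Finances News Approver": {"anna"}}
    root = Securable("site collection")
    finance = Securable("Global Finances", root)
    invoices = Securable("Invoices library", finance)
    root.acl["Global Finances Site Owner"] = "Full Control"
    before = levels_for("anna", invoices, groups)   # in a group, no ACL entry
    root.acl["Global Finances News Approver"] = "Approve"
    finance.break_inheritance()
    invoices.break_inheritance()
    del invoices.acl["Global Finances News Approver"]  # lock the library down
    locked = levels_for("anna", invoices, groups)
    finance.restore_inheritance()   # cascades: the library lockdown is lost
    after = levels_for("anna", invoices, groups)
    return before, locked, after
```

`demo()` returns the user's permission levels on the library at three points: before the group has any access list entry, after the library is locked down, and after inheritance is restored on the parent site.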

I hope this clears up some aspects of SharePoint security administration.
More detailed information can be found at Office Online.

Essential iFilter links for MOSS

Just finished an installation for a customer. After thinking a bit I decided that, in addition to the out-of-the-box iFilters, the following are quite useful and should really cover about 90% of files. Remember that all this indexing also adds to the load of the indexer…

A great surprise in the Office 2007 pack is the support for zip files – I have seen some really expensive iFilters for that..
Office 2007  (.docx, .docm, .pptx, .pptm, .xlsx, .xlsm, .xlsb, .zip, .one, .vdx, .vsd, .vss, .vst, .vdx, .vsx, and .vtx): http://www.microsoft.com/downloads/details.aspx?FamilyId=60C92A37-719C-4077-B5C6-CAC34F4227CC&displaylang=en

XPS hasn’t really had its breakthrough yet, but the iFilter will be increasingly sought after..
Microsoft XPS (.xps): http://www.microsoft.com/downloads/details.aspx?familyid=b8dcffdd-e3a5-44cc-8021-7649fd37ffee&displaylang=en&tm

Adobe has now released an x64 filter for PDF, which finally lets us remove the Foxit PDF iFilter if you use x64, which you should..
Adobe PDF x64 (.pdf): http://labs.adobe.com/wiki/index.php/PDF_iFilter_8_-_64-bit_Support

Missing file for ShareCheck

Got a mail this weekend from Russell Davies asking me where to download the actual file for ShareCheck, a program you can find described here. And the answer was simply: nowhere! I had forgotten to upload the file! Stupid mistake; anyway, the file can now be found here. Don’t forget to run with the -whatif switch when you are testing it out!

Wildcard searches as a drop-in solution

One of the most commonly requested features is wildcard search. There are lots of solutions that provide this function, in at least as many different ways. One simple and easy method I have been trying for a while in my lab is WildcardSearch from Corey Roth, published at CodePlex. The solution works as a drop-in replacement for the CoreResultsWebPart and is compatible with almost all aspects of the normal search functions in SharePoint (which most others are not!). The solution just came out in a version 2, which now supports Search Scopes. You will find the download here: http://www.codeplex.com/WildcardSearch

There are a couple of caveats and sacrifices you should know about: http://www.dotnetmafia.com/blogs/dotnettipoftheday/archive/2008/09/18/what-you-give-up-with-full-text-sql-queries-using-wildcard-search.aspx

Name ActiveX Control and public facing sites

Once again today I stumbled on a website built on MOSS where the designer of the site hasn’t thought of the Name ActiveX Control. The control loads on the visitor’s computer to access information from the installed IM about current online status. In Internet Explorer the site must be on the trusted sites list, otherwise the famous golden bar appears. For most public sites this IM status information isn’t needed anyway. And I cannot seem to get over the fact that so many ignore this.

So this is my “save-the-world-from-name-activex” blog post =)

The reason that so many sites forget to remove this is that the author probably doesn’t know it loads. This component loads silently when you’re on the intranet, because Internet Explorer looks at the URL and determines that it’s a trusted site, i.e. it executes the ActiveX control without further questions. However when accessing the site via internet, and the site is not a trusted site..

Well, the solution is known and has been around almost as long as IE. The solution is documented here: http://support.microsoft.com/default.aspx?scid=kb;en-us;931509. The recommended solution is number 3, if you don’t like flying around to all IE owners in the world =). What this solution does is essentially comment out ProcessImn(), so the actual call to the DLL never occurs and.. no golden bar!

Search Server Express enhancing WSS

If you are used to MOSS, configuring a WSS search will feel like being run over by a truck. WSS is very limited in the searching department, for obvious reasons, and there really aren’t that many options. Today I had a bit of time left over to set up a Search Server Express next to my development WSS server, and I spent the day tweaking away to prepare a seminar this coming Thursday.

Search Server Express adds to WSS by adding a Shared Services Provider (a limited one) with just the ability to configure search. You are able to set up Content Sources, Crawl Rules, File Types, Metadata and Federated Locations (which aren’t available in MOSS without the infrastructure update). You will also find options on the site collection level.

So if you want to get good search right out-of-the-box without spending the money for MOSS, this is the way to go. As usual there is already detailed information on TechNet about this. Follow this link: http://technet.microsoft.com/en-us/library/cc297193.aspx

Old news: SharePoint End User Training

For the sysadmins, and site owners, out there who have not yet seen the SharePoint Training Kit: this is an absolute must-have to educate the hordes (your users). Unfortunately the materials are only available in English, but if your user base understands English it’s perfect. Best of all? It’s based in SharePoint. As the title says, this is old news, but I think it’s underestimated and not deployed enough, and I haven’t written about it yet.. =)

SharePoint End User Training http://www.microsoft.com/downloads/details.aspx?FamilyID=673dc932-626a-4e59-9dca-16d685600a51&displaylang=en