Question: I don't want all my users to create mysites and/or use social features. How can I accomplish this?
Answer: The "Manage User Permissions" link (under "People" category) in the User Profile Service Application's Central Admin page provides ACLs to accomplish this.
Question: How can I delete a tag or note from the system?
Answer: If someone leaves you a note on your profile, you can directly delete it from the profile page itself. For a noteboard on a team site, a user with full control permissions can delete notes directly. A user profile admin can also delete tags and notes from the user profile service application's central admin page, by using the link "Manage Social Tags and Notes" at the bottom of the page.
Question: I'd like to create different profiles, for example for a full time employee vs interns. How can I accomplish this?
Answer: 2010 has a new concept of 'sub-types'. These sub-types can be used to selectively use existing or custom properties for different types of user profiles.
Question: Why is there nothing showing in anyone’s Newsfeed?
Answer: By default, the timer jobs which fill in this information are disabled. You need to enable the Activity Feed Job and the Activity Feed Cleanup Job for data to appear here. Please refer to the planning documentation for complete information about this.
Question: I did what you said earlier, but now there’s no Tags or Notes in the Newsfeed. What’s happening?
Answer: Tags and Notes (as well as a few other things) are Security Trimmed in the Newsfeed. This relies on Search, so if Search has not run recently you will not get the right data. After completing a Search Crawl, people will be able to see Tags and Notes in the Newsfeed.
Question: A user’s name has changed in AD and in their User Profile, but it is still the old one in the Welcome menu on sites. Why?
Answer: You need to run the User Profile to SharePoint Full Synchronization timer job to bring data from a user’s User Profile into the sites that they visit.
Question: My users get “there was an error creating your personal site” and no further details when I try to create a My Site, what happened?
Answer: Check whether there is a root site collection on your Web App. You need this in order for Self Service Site Creation to function properly.
Question: I have two web apps, one legacy and one using Claims, and the My Site Host is on the legacy web app. Can Claims users use My Sites?
Answer: Not in this configuration. If you have multiple auth modes, in order for all users to use the same My Site Host you need to have it on a multi-auth Web App.
Question: How can I customize the My Network page?
Answer: As an end user, you can’t. This page exists on the My Site Host, which is shared with all users, and as a result individual users are unable to edit it. You are the owner of your My Site (under the My Content link) and you have full control over that page.
Question: People’s pictures look weird in the noteboard and other places, what is going on?
Answer: After upgrading you need to run the update-spprofilephotostore cmdlet. This will convert users’ photos to three thumbnails that are the correct size for the various web parts and controls. It is also possible for users of 14 to set their pictures through the OM to pictures that are the wrong size. This situation can be solved with the same cmdlet.
Question: I had a theme on my My Site, but after upgrade it’s gone. What happened?
Answer: Themes do not upgrade from 2007 to 2010. There are many themes available in Site Settings.
Question: I chose to use Visual Upgrade and leave all my sites with their old Look and Feel, but the My Sites changed their Look and Feel anyway. Why?
Answer: Due to deep changes in the My Sites for 2010, My Sites and My Site Hosts will upgrade to the new Look and Feel no matter what.
USER PROFILE SYNCHRONIZATION
Question: Why are replicate-directory-changes permissions needed to synchronize with AD and on what in AD?
Answer: In order to interrogate AD about “what has changed since time xyz”, we need the replicate-directory-changes permissions on partitions being synchronized, for example the domain partition being synchronized. These permissions are needed in particular to be able to read data within the deleted objects container of the partition. Standard users do not have permissions to read the content of this container, and we cannot simply grant rights over that container to the synchronization account.
In RC we also require these permissions on the cn=configuration container, in order to access the netbios information for the domain (we are working to fix this for RTM, so permissions on this container will be required only if your netbios name is different than your domain name).
Question: Do the replicate-directory-change permissions allow the holder to modify AD?
Answer: Holder cannot modify AD using these permissions.
Question: What additional privileges are granted (beyond the ability to read and inquire of delta changes) with replicate-directory-changes permissions?
Answer: Holder can read all AD data for the domain, except passwords. Note that most of the directory information is by default readable by everyone, including data in the configuration partition.
Question: I have very sensitive information in AD, such as pay-levels and now I am worried that these permissions will expose that information
Answer: The replicate-directory-changes permissions will only expose sensitive data if explicitly mapped and imported into SharePoint. SharePoint out-of-the-box mappings do not expose custom AD data. This account cannot use LDAP querying to access information otherwise not available for read; it has to specifically use replication interfaces of the system to trigger sync in order to access the data.
Question: Why do I need the Replicate-directory-changes permissions at all if I am only doing a full sync?
Answer: Replicate-directory-changes permissions can also be used to do a full import as well, to get consistent read, for the respective delta-imports. SharePoint admin must explicitly map a property for export, there is no out-of-the-box mapping to export to AD. Even if the SharePoint admin creates a mapping, there will be no export of the data unless additional AD permissions allow so. Replicate-directory-changes do not allow for creation, modification or deletion of data in AD.
Question: Is there a local box admin requirement for provisioning user profile synchronization service?
Answer: When provisioning sync (hitting start on the user profile sync service in the central admin services on server page), you must be logged in as a farm "account" who is also the local box admin on the box you are provisioning the sync service. This requirement exists because sync process needs to make some changes in the local groups and modify registry entries on the machine. This is typically done at the early install time, but with sync SP2010 follows a two-phased provisioning process which necessitates this for provision time of the sync service. Note that this requirement exists only during provisioning (moving to another machine or starting for the first time). This requirement will remain for SP2010 RTM.
Question: User profile synchronization service on the “Services on Server” page continues to stay in the starting state. How can I reset it to stopped state?
Answer: Fire up PowerShell. Get a handle for the respective user profile service application (UPA), say $UPA. Then use the method $UPA.ResetSynchronizationMachine().
Question: I see obsolete users in the profile store, for example, on the org chart. These users are no longer in AD.
Answer: There can be two reasons for obsolete users in the profile store:
1. MySite clean up timer job is not active. The user profile synchronization job marks users deleted from the directory source to be deleted. When the MySite cleanup job runs, it looks for all users marked for deletion and deletes their profiles. Respective mysites are then assigned ownership to the deleted profile’s manager and an email is sent to the manager.
2. There were users that existed in the profile store and were not brought in by user profile sync. This can occur, for example, if a customer upgraded from a previous version of SharePoint and chose to only synchronize a sub-set of domains with 2010. You can find these users by utilizing the following cmdlet:
$upa = Get-SPServiceApplication -Identity <UPA ID>
a) To view users and groups that’ll be deleted:
Set-SPProfileServiceApplication -Identity $upa -GetNonImportedObjects $true
b) To delete these users and groups (this action can’t be undone):
Set-SPProfileServiceApplication -Identity $upa -PurgeNonImportedObjects $true
To view or delete users only, please select users-only option in the user profile synchronization settings through central admin. Similarly, to view or delete both users and groups, please select users and groups option in the user profile synchronization settings through central admin.
Question: I know my netbios and domain name are different or I am seeing wrong samAccountnames after import. What gives?
Answer: If your NetBIOS name is different from your domain name, at least Replicate Directory Changes permission is also needed on the cn=configuration container and you must enable NetBIOS domain names on the corresponding User Profile service application. For more information about enabling NetBIOS names on a User Profile service application, see Get-SPServiceApplication.
The UPA property NetBIOSDomainNamesEnabled is used to control whether the CNC partition is included in the AD Connection or not. By default it is false (not enabled) and the CNC and associated run steps are not included in the AD Connection configuration. If it is enabled, then the CNC partition and run steps are included.
When editing a connection, the flag is ignored. If the CNC was included in the AD Connection when it was created, then it will continue to be included in the AD Connection. If the CNC was not included when the AD Connection was created then it will never be included in the AD import.
To "enable" NetBIOS domain names once a connection is created requires the connection to be deleted and a new connection created with the flag turned on (set to 1 or true). This will delete all the users which had their SAMAccountNames incorrectly formed due to the NetBIOS domain name being incorrect.
How To: Enable import of NetBIOS Domain Names
Using the 2010 SharePoint Management Shell:
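<lists the Service Applications and their GUIDs>
$UPA = Get-SPServiceApplication -Id <GUID of User Profile Service Application>
# Turn the flag on (set to 1 or true) and persist the change
$UPA.NetBIOSDomainNamesEnabled = $true
$UPA.Update()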
Question: For whatever reason, I’d like to reprovision the sync service from scratch. How can I reset sync and will resetting harm my user profile data?
Answer: User profile sync serves as a staging area for data, and the data in profile store and social databases is the data consumed by the user profile service. So if the right steps are followed, you should be able to reset the sync service and related databases, without harming the user profile data. Here are a set of suggested steps:
1) Login as farm account
2) Backup the User Profile DB and the User Profile Sync DB
3) Stop the SharePoint 2010 Timer service:
PS D:\> net stop sptimerv4
4) Delete the data in the Sync DB using the following PowerShell script:
PS D:\> Get-SPDatabase
5) Copy the GUID associated with the User Profile Sync DB in the command line below
PS D:\> $syncdb=Get-SPDatabase -Id <GUID of User Profile Sync DB>
6) Execute these commands, in exactly the following order. This is not a script. So please cut and paste each of these commands one by one.
PS D:\> $syncdb.Unprovision()
PS D:\> $syncdb.Status='Offline'
PS D:\> Get-SPServiceApplication
#Copy the GUID associated with the User Profile Service and paste it after "Id" in the next command:
PS D:\> $upa=Get-SPServiceApplication -Id <GUID of User Profile Service>
PS D:\> $upa.ResetSynchronizationMachine()
PS D:\> $upa.ResetSynchronizationDatabase()
7) Provision the Sync DB:
PS D:\> $syncdb.Provision()
8) Add the User Profile Synchronization service account (farm account) as the dbowner on the Sync DB (using SQL Server Management Studio).
9) Start the SharePoint 2010 Timer service
PS D:\> net start sptimerv4
10) Start the User Profile Synchronization Service in the Central Administration UI.
11) After the User Profile Synchronization Service is started, reset IIS.
PS D:\> iisreset
12) Create connections to data sources in the Central Administration UI.
13) Run full user profile synchronization.
Thursday, February 25, 2010 5:41 PM
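Added example (not part of the original post or of Microsoft's documentation): a read-only audit of which accounts hold directory replication rights on the domain and cn=configuration partitions discussed in the FAQ above, so you can confirm the synchronization account holds "Replicating Directory Changes" and nothing broader, such as "Replicating Directory Changes All", which also covers secret attributes. It assumes the RSAT ActiveDirectory module is installed; the account name `CONTOSO\sp-upsync` and the function name `Get-ReplicationRightHolder` are hypothetical.

```powershell
# Added example: report who holds directory replication rights on the
# partitions the FAQ mentions (domain and cn=configuration).
# Assumes the RSAT ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\sp-upsync'   # hypothetical account name, replace with yours

# Control access right GUIDs defined in the AD schema.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    # An empty object type on an ExtendedRight ACE (for example Full Control)
    # grants every extended right, replication included.
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

function Get-ReplicationRightHolder {
    param([Parameter(Mandatory = $true)][string]$PartitionDN)
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    (Get-Acl -Path "AD:\$PartitionDN").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $extended) -eq $extended) -and
            $ReplRights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object {
            [pscustomobject]@{
                Partition = $PartitionDN
                Identity  = $_.IdentityReference.Value
                Right     = $ReplRights[$_.ObjectType.ToString()]
                Inherited = $_.IsInherited
            }
        }
}

# Domain partition plus the configuration partition (needed when the
# NetBIOS name differs from the domain name, per the FAQ).
$root = Get-ADRootDSE
$partitions = @($root.defaultNamingContext, $root.configurationNamingContext)
$holders = $partitions | ForEach-Object { Get-ReplicationRightHolder -PartitionDN $_ }
$holders | Sort-Object Partition, Identity | Format-Table -AutoSize

# Warn if the sync account holds more than Replicating Directory Changes.
$holders |
    Where-Object { $_.Identity -eq $SyncAccount -and $_.Right -ne 'Replicating Directory Changes' } |
    ForEach-Object { Write-Warning "$($_.Identity) holds '$($_.Right)' on $($_.Partition)" }
```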
Shouldn't they (answers to frequently asked questions) be put on a web site with an RSS feed?
It's a very easy way for instance to follow newly issued (and updated) articles so why not use the same technique for faqs?
It's not really the function of a forum in the technet/msdn forum space to provide more than threads containing questions from users and possible answers from other users (and MS), there already is a set of forums (the Answers set) for Microsoft to post faqs. Why not use that?
FAQ sites: (SP 2010) http://wssv4faq.mindsharp.com; (v3) http://wssv3faq.mindsharp.com and (WSS 2.0) http://wssv2faq.mindsharp.com
Complete Book Lists (incl. foreign language) on each site.
Friday, February 26, 2010 7:08 AM
I administer a complex set of subsites run by individual teams, each with their own permission settings. Recently, we had a team member leave, and I was asked to remove their permissions from the site. Is there a way, other than laboriously crawling the site to check individual subsite settings, to find out a user's permissions on an entire site?
Thursday, April 08, 2010 4:25 PM
Hello, how are you? Why does your forum have direct access??????????????
Monday, June 14, 2010 2:08 AM
We notice that there are many sub-forums (well-categorized) for SharePoint 2007 forums:
When are we getting such well-categorized sub-forums under SharePoint 2010 forums:
Thanks & Regards,
Kamlesh | Blog | Twitter | Posting is provided "AS IS" with no warranties, and confers no rights.
Monday, June 14, 2010 1:02 PM
Tuesday, August 03, 2010 10:33 AM
Thank you for posting this ... I am concerned about the requirement for the additional permissions in AD for the SharePoint ID. With your post, I am a little less concerned - but still wish that there was more "OFFICIAL" documentation such as your article. -Greg
Friday, August 20, 2010 5:11 PM
I have an opportunity to learn SP in March. I was wondering what is the learning curve compared to open-source CMS's such as Joomla or Drupal? I know that it emphasizes user/team permissions more but other than that I would love to know others' experiences in adapting to it.
Mixing web dev with beer pong|kings. Why not... "There are no pacts between lions and men"-Achilles
Saturday, February 26, 2011 2:08 PM