European SharePoint Best Practice Conference 2011


I attended the SharePoint Best Practices Conference 2011 in April and came away with lots of great handy tips. Here is a quick summary of some of what I came across.

IIS caches user AD group membership –

You may have wondered why adding someone to an AD security group does not give someone instant access to a SharePoint site? Although SharePoint’s people picker reads directly from Active Directory, the actual group membership of clients is cached in IIS. So if you have accessed a site before and recently been added to a group in AD, it does not guarantee instant access to the new SharePoint sites. Even if the AD imports are run from Central Admin, it does not guarantee access to the site.

Using PowerShell to search error logs-

I went to a couple of talks by world famous SharePoint expert Gary La Pointe which was based on the use of PowerShell with SharePoint. He did a talk on using PowerShell for administrators and another talk on the use of PowerShell for developers. One of the things that always disappoints me is seeing another correlation ID appearing in a SharePoint error. Now using PowerShell we can write a function to quickly search the log files and return the recent matches to our correlation ID.

Get-SPLogEvent -StartTime (Get-Date).AddMinutes(-10) | ? {$_.Correlation -eq “8db5e7ed-075c-46cc-8d7c-e2cb78f15f7e”}

It was a very eye opening talk by Gary and really made me realise the potential of PowerShell as an administration tool and also a very powerful development tool. Note that you can call these PowerShell commands/functions from c# code making some very interesting application pages.

Updating Display Name in profiles-

When a user logs into a SP2010 site, their display name in displayed in the top right corner of the page (when using v4 master). Sometimes a user may need their display name updating (e.g. marriage, legal, etc…). This is usually changed in AD and expected to replicate through to the SharePoint site.

This doesn’t always happen automatically and the reason for this is that if someone has not contributed to a site collection, then the site collection will not check that the profile information is up to date. One solution to this would be to delete the user from the site collection and get them to access it again. The most obvious solution though would be getting the user to contribute to the site collection in some way (adding announcement, uploading a file, etc…). Once the user has contributed to the site and the sync-profiles job has run, the display name will be updated!

Mysite Provisioning in 2010-

If your profile is not found when the profile sync job is run (your profile has probably been deleted from AD), then your profile is flagged for deletion by SharePoint. It is not deleted automatically in SharePoint 2010. The user will no longer be able to login. Public access is stopped and the manager of the user is now the site collection administrator. The manager is atomically sent an email asking them to backup any data on the site before it is deleted after x days.  The Mysite clean-up job will delete any users flagged for deletion. This will not remove the user from the info table (this is so you can still see who created/modified documents still on the system). There are 14 timer jobs relating to social and profile imports!

If a user is disabled in AD and later re-enabled, you will have to reinsert the profile property (URL) manually into the profile. If a user has been recreated (deleted and made again), the only option is to create a new Mysite and migrate any content across manually. Even with the same username, all the permissioning will be broken as AD uses the GUID rather than the actual username to permission items.

There was far more and much more detail but unfortunately I have run out of time. My train journey is coming to an end so I have to wrap up.

Will try to get more up soon….

Tony Phillips

Leave a Reply

Your email address will not be published. Required fields are marked *