Powershell Script to Create SharePoint Service Accounts

I find myself creating lots of SharePoint 2010 farm deployments these days, and with that comes the requirement to create the required user accounts. I have written the quick PowerShell script below that you can use to script this.

# Creates the SharePoint 2010 service accounts in the target OU with one shared password.
Import-Module ActiveDirectory
$password = "PW"   # replace with the real password before running
$domain = "domain.local"
$ou = "OU=SharePoint Service Accounts,DC=domain,DC=local"
New-ADUser -SamAccountName sp_install -Name sp_install -UserPrincipalName "sp_install@$domain" -AccountPassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -Path $ou -OtherAttributes @{Description="Used to install SharePoint on farm servers."}
New-ADUser -SamAccountName sp_farm -Name sp_farm -UserPrincipalName "sp_farm@$domain" -AccountPassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -Path $ou -OtherAttributes @{Description="Farm account"}
New-ADUser -SamAccountName sp_webapp -Name sp_webapp -UserPrincipalName "sp_webapp@$domain" -AccountPassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -Path $ou -OtherAttributes @{Description="Farm account"}
New-ADUser -SamAccountName sp_svcapp -Name sp_svcapp -UserPrincipalName "sp_svcapp@$domain" -AccountPassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -Path $ou -OtherAttributes @{Description="Used to run IIS application pool for service app web services"}
New-ADUser -SamAccountName sp_search -Name sp_search -UserPrincipalName "sp_search@$domain" -AccountPassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -Path $ou -OtherAttributes @{Description="Used to run Enterprise Search service"}
New-ADUser -SamAccountName sp_crawl -Name sp_crawl -UserPrincipalName "sp_crawl@$domain" -AccountPassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -Path $ou -OtherAttributes @{Description="Default content access account used by crawler to crawl SharePoint sites."}
New-ADUser -SamAccountName sp_ups -Name sp_ups -UserPrincipalName "sp_ups@$domain" -AccountPassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -Path $ou -OtherAttributes @{Description="Used to run User Profile service"}
New-ADUser -SamAccountName sp_ups_import -Name sp_ups_import -UserPrincipalName "sp_ups_import@$domain" -AccountPassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -Path $ou -OtherAttributes @{Description="Used to sync profile information with AD"}
New-ADUser -SamAccountName sp_superreader -Name sp_superreader -UserPrincipalName "sp_superreader@$domain" -AccountPassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -Path $ou -OtherAttributes @{Description="Used to sync profile information with AD"}
New-ADUser -SamAccountName sp_superuser -Name sp_superuser -UserPrincipalName "sp_superuser@$domain" -AccountPassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -Path $ou -OtherAttributes @{Description="Used for IIS caching"}

# Only the search and profile import accounts need the legacy read group.
Add-ADGroupMember -Identity "Pre-Windows 2000 Compatible Access" -Members sp_search
Add-ADGroupMember -Identity "Pre-Windows 2000 Compatible Access" -Members sp_ups_import
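The same account set, as an added example that is not the post's own script: created from a table so the script can be re-run safely, with the password prompted rather than stored in the file, and followed by an audit of the accounts whose passwords never expire. It assumes the ActiveDirectory module and the OU and domain names used on the page; the sp_superreader description is an assumption, since the page reuses the sp_ups_import text for it.

```powershell
Import-Module ActiveDirectory

$domain = 'domain.local'
$ou     = 'OU=SharePoint Service Accounts,DC=domain,DC=local'

# Read the password once as a SecureString so it never sits in clear text in the script.
$password = Read-Host -Prompt 'Password for the SharePoint service accounts' -AsSecureString

# Roles taken from the page's script; sp_superreader's description is an assumption.
$accounts = [ordered]@{
    sp_install     = 'Used to install SharePoint on farm servers.'
    sp_farm        = 'Farm account'
    sp_webapp      = 'Farm account'
    sp_svcapp      = 'Used to run IIS application pool for service app web services'
    sp_search      = 'Used to run Enterprise Search service'
    sp_crawl       = 'Default content access account used by crawler to crawl SharePoint sites.'
    sp_ups         = 'Used to run User Profile service'
    sp_ups_import  = 'Used to sync profile information with AD'
    sp_superreader = 'Object cache super reader (assumed role)'
    sp_superuser   = 'Used for IIS caching'
}

foreach ($name in $accounts.Keys) {
    # Skip accounts that already exist so the script is idempotent.
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") {
        Write-Host "$name already exists, skipping"
        continue
    }
    New-ADUser -SamAccountName $name -Name $name -UserPrincipalName "$name@$domain" `
        -AccountPassword $password -Enabled $true -PasswordNeverExpires $true `
        -Path $ou -Description $accounts[$name]
}

# Only the two accounts the page names go into the legacy read group; it grants broad
# read access to directory objects, so keep its membership to what is actually needed.
foreach ($member in 'sp_search', 'sp_ups_import') {
    Add-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access' -Members $member
}

# Audit: list every account in the OU whose password never expires, so the exception
# stays visible and can be reviewed rather than forgotten.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -SearchBase $ou -Properties Description |
    Select-Object SamAccountName, Description
```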

Load Balance SharePoint 2010 Farm with Kemp

In this overview I will give general guidance on load balancing your existing 3- or 4-tier SharePoint 2010 farm with two KEMP LoadMasters. This configuration starts after you have set up the farm and configured the LoadMasters as an HA pair.

1. Create your new VIP with the internal IP address you intend to use for your SharePoint site.

2. Make sure to Force Layer 7 and remove Transparency, or it will fail to allow user authentication.

3. The persistence option is best set to active cookie, with the time-out increased to 1 hour. I use the round robin scheduling method with the most success.

4. Under real servers, check "use HTTP/1.1" and add the host header, which should be the URL of your site. This should match the AAM and IIS bindings.

5. Add your real servers.

6. Sit back and relax: your farm is now load balanced!

Getting Outlook 2013 to Work with Google Apps Sync

UPDATE*** It's now supported: https://tools.google.com/dlpage/gappssync ***


Google does not support Office 2013 yet with Google Apps Sync, but I wanted to find a way to get it working. I found a detailed discussion on Google Groups that provided the answer, and I have been able to get Outlook 2013 working with Google Apps Sync. Credit goes to wcodyanderson of Google Groups for finding the original DLL swap idea. These are the steps I took. I started on Windows 8 64-bit with Office 2013 32-bit.

  1. Removed all Office installations from the PC.
  2. Copied gsync32.dll and unifiedlogin.dll (from C:\Program Files (x86)\Google\Google Apps Sync) to these two locations:
    1. C:\Program Files\Microsoft Office\Office15
    2. C:\Program Files (x86)\Microsoft Office\Office15
  3. Installed Outlook 2010 (32-bit).
  4. Ran Google Apps Sync and set up the profile.
  5. Upgraded to Outlook 2013 (32-bit).
  6. Re-ran Google Apps Sync and set up the profile.
  7. Opened Outlook and it started syncing everything.
Of course this is not supported by Google. Good luck!

Dealing with a seriously stuck message and how to create a new transport queue

Came across an interesting situation earlier this week that I had not seen before. All email messages in this small (<100 users) Exchange 2010 SP2 environment were being delayed at random intervals of between a few minutes and 30 minutes. Checking the event logs, services and Exchange Management Console did not show any real problems. Only one event was logged in the application log. Task Manager did show issues: the transport service was using several GB of memory and more CPU than normal.

The execution time of agent ‘Journal Agent’ exceeded 90000 milliseconds while handling event ‘OnRoutedMessage’ for message with InternetMessageId: ‘Not Available’. This is an unusual amount of time for an agent to process a single event. However, Transport will continue processing this message.

Event ID 1050 Source MSExchange Extensibility

I checked the queue viewer and found that one of the queues for a mailbox database was in a Connecting status. Upon further investigation I found some messages delivering and others being delayed before delivery. One very large message was being delayed the longest. I attempted to suspend the message but received an error. It appears that this message was stuck; it could not be deleted or removed. After many attempts in PowerShell to remove and suspend messages, I had to delete and recreate the queue database. It is a fairly simple process; here are the steps:

Note: Any messages in the queue when you stop and delete the queue database are lost. There are lossless methods to remove the queue database; see the TechNet link at the end of this post.

  1. Stop Exchange Transport Service
  2. Browse to the queue folder in Explorer; if it is the default, it is located at C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\data\Queue
  3. Move the mail.que database file to a new folder inside the queue root.
  4. Start the transport service

This will create a folder called queue.old and place all logs and databases inside of it. It will also create a new queue database and messages should return.
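The four manual steps above as a script, added here as an example and not part of the original post: it refuses to replace the database while messages are still queued unless told to, moves the database together with its transaction logs (an ESE database and its logs form one set and should stay together), and confirms that transport created a fresh mail.que. It assumes it runs in the Exchange Management Shell on the Hub Transport server; $QueuePath defaults to the location the post gives.

```powershell
param(
    [string]$QueuePath = 'C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\data\Queue',
    [switch]$Force   # accept losing whatever is still queued
)

# Messages still in the queue database are lost when it is replaced, so refuse unless told otherwise.
$queued = (Get-Queue -Server $env:COMPUTERNAME | Measure-Object -Property MessageCount -Sum).Sum
if ($queued -gt 0 -and -not $Force) {
    throw "$queued message(s) still queued on $env:COMPUTERNAME; re-run with -Force to discard them."
}

# Step 1: stop the transport service so the ESE database is closed cleanly.
Stop-Service -Name MSExchangeTransport

# Steps 2-3: move the database and its logs into a timestamped folder inside the queue root.
$backup = Join-Path $QueuePath ('queue.old.' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
Get-ChildItem -Path $QueuePath | Where-Object { -not $_.PSIsContainer } | Move-Item -Destination $backup

# Step 4: start transport again; it creates a new, empty mail.que on startup.
Start-Service -Name MSExchangeTransport

# Confirm the new database exists before reporting success, then show the rebuilt queues.
$deadline = (Get-Date).AddMinutes(2)
while (-not (Test-Path (Join-Path $QueuePath 'mail.que')) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 5
}
if (-not (Test-Path (Join-Path $QueuePath 'mail.que'))) {
    throw "Transport started but no new mail.que appeared in $QueuePath; check the Application log."
}
"Old queue database moved to $backup"
Get-Queue -Server $env:COMPUTERNAME
```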

Technet – Managing the Queue Database

Unable to delete Contacts in Business Contact Manager

Recently a problem occurred where a client was unable to delete contacts or accounts in Business Contact Manager. The following error was displayed:

Error Converting Data type int to smallint.

The problem can be corrected with a change to one stored procedure on the SQL server, dbo.UpdatePhoneLogs; the corrected stored procedure is below. Only two small changes are required at the top of the code: on lines 11 & 12, change the variable type from smallint to int. The error is caused by the 32,000 limit of smallint in SQL.

/****** Object:  StoredProcedure [dbo].[UpdatePhoneLogs]    Script Date: 11/27/2012 10:05:00 ******/
-- The SELECT/FROM/WHERE/GROUP BY keywords of the two queries below were lost when the
-- post was extracted and have been restored; the column list of the final INSERT is
-- incomplete on the page and is left as it was.

ALTER proc [dbo].[UpdatePhoneLogs]
	@ContactServiceID int,
	@GrandParentContactServiceID int,
	@multiplier smallint
AS
	DECLARE @Version bigint
	SELECT @Version = ClientDataVersion FROM OrgTable
	DECLARE @UpdatedCampaigns TABLE (ActivityID int NOT NULL PRIMARY KEY, ActivityGUID uniqueidentifier NOT NULL, NPhoneLogs int, IsDeletedLocally bit)

	-- Count, per campaign, the phone logs linked to this contact (or its grandparent)
	INSERT INTO @UpdatedCampaigns (ActivityID, ActivityGUID, IsDeletedLocally, NPhoneLogs)
	SELECT at_campaign.ActivityID, at_campaign.ActivityGUID, at_campaign.IsDeletedLocally, COUNT(*)
	FROM dbo.ActivitiesTable at_campaign
		INNER JOIN dbo.ActivitiesTable at ON at_campaign.ActivityGUID = at.ReferredEntryId
		INNER JOIN dbo.ActivityContacts ac ON at.ActivityID = ac.ActivityID
	WHERE (ac.ContactID = @ContactServiceID OR ac.GrandParentContactServiceID = @ContactServiceID)
		AND at_campaign.ActivityType = 21
		AND at.ActivityType = 15
		AND at.ReferredEntryId IS NOT NULL
	GROUP BY at_campaign.ActivityID, at_campaign.ActivityGUID, at_campaign.IsDeletedLocally

	-- Apply the signed count (@multiplier is +1 or -1) to each campaign's running total
	UPDATE ct SET
		NumberPhoneLogs = ISNULL(NumberPhoneLogs, 0) + @multiplier * uc.NPhoneLogs
	FROM dbo.CampaignTable ct INNER JOIN @UpdatedCampaigns uc
	ON ct.ActivityID = uc.ActivityID

	-- Add campaign to change queue (assumes client data version has already been bumped)
	-- FolderKind.Campaign ItemType.Campaign ChangeType.Modified
	INSERT INTO dbo.ChangeQueue (EntryGUID, EntityID, ViewRowID, FolderType, ItemType, Operation, Version, ChangeUser, ChangeTime)
	(SELECT uc.ActivityGUID,
		-- remaining select-list values missing from the page
		FROM @UpdatedCampaigns uc)

TMG 2010 Site 2 Site IPSEC Tunnel and HTTP Traffic Fails to flow

Have come across this several times now, so I thought it warranted a post. In an environment where a site-to-site IPsec tunnel is established between a TMG and a Cisco ASA, websites on the other side of the tunnel cannot be displayed and give the following:

Technical Information (for support personnel)
Error Code 10060: Connection timeout
Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties. 

The TMG log viewer shows the outgoing connection attempt with the following error:

Failed Connection Attempt
Log type: Web Proxy (Forward)
Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Rule: Allow access between Site A and Site B

The easiest fix was to open the HTTP protocol definition and disable the application filter. See e.g.:

This obviously disables some useful features; the better option is to create a custom HTTP protocol that is not associated with the web proxy filter, then create a rule that applies this HTTP protocol to traffic between the sites.

Exchange 2010 SP2 Update Rollup 1 Fails

An Exchange 2010 server that has User Account Control (UAC) enabled fails to install Update Rollup 1.

Symptoms: The install flies by with no waiting at the steps, especially "generating assemblies".

Cause: The rollup requires .NET assemblies to be rebuilt. This step takes place BEFORE the .msp asks for administrative control through UAC.

Resolution: Run a command prompt as administrator, then execute the .msp from it!

SharePoint 2010 Explorer View

If users are getting a password prompt when trying to open Explorer View in SharePoint 2010, there are a few places to look. First, understand that there are two different protocols, WebDAV and FPRPC. When using FPRPC there will always be a logon box. So how do we force WebDAV? Read the quote below, but first confirm that the Web Client service is enabled and running on the client system.

The Explorer View prefers WebDAV over FPRPC. Because of the underlying design of the Explorer View and the default network provider order, it always tries to use SMB first, then WebDAV. Only when SMB and WebDAV have failed does it actually attempt to use FPRPC. This means that forcing the Explorer View to use WebDAV is more a case of creating an environment that makes sure WebDAV is successful instead of actually forcing the Explorer View to choose it.

The next logical question is what ensures WebDAV's success? Here is a list of things that you should avoid if you want WebDAV to be used as the underlying protocol for the Explorer View:

  • Make sure all computers accessing the Explorer View have the Web Client Service enabled and running. This is the default behavior for Windows XP, but not for Windows Server 2003.
  • Only host content on the default Web port of 80. If you need to host multiple Web sites on a single server, use host headers or multiple IPs to make those Web sites unique.
  • Do not encrypt Explorer View traffic using SSL. SSL uses port 443, and the Microsoft WebDAV implementation does not work on ports other than 80.

This was taken from a Microsoft white paper titled "Understanding and Troubleshooting the SharePoint Explorer View".


EDIT: New information if some cases are not resolved! According to a Microsoft KB article, you also need to add a registry entry on the client machine with the URL of the SharePoint site.
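A client-side check for the conditions listed above, added here as an example that is not part of the original post: it verifies the Web Client service, the port 80 / plain http condition the white paper states, and the registry entry the KB edit refers to. The value name AuthForwardServerList and its location under the WebClient service parameters key come from my own knowledge rather than from the page, and $SiteUrl is a constructed sample; run it elevated on the client.

```powershell
param([string]$SiteUrl = 'http://sharepoint.domain.local')   # constructed sample URL

$uri      = [uri]$SiteUrl
$problems = @()

# 1. The Web Client service must be enabled and running (not the default on Windows Server).
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
if (-not $svc) {
    $problems += 'WebClient service is not installed'
} else {
    if ($svc.StartMode -eq 'Disabled') { $problems += 'WebClient service is disabled' }
    if ($svc.State -ne 'Running')      { $problems += 'WebClient service is not running' }
}

# 2. Port 80 and plain http only, as the white paper requires for the Microsoft WebDAV client.
if ($uri.Scheme -ne 'http') { $problems += "$SiteUrl uses $($uri.Scheme); the paper requires plain http" }
if ($uri.Port -ne 80)       { $problems += "$SiteUrl is on port $($uri.Port); the paper requires port 80" }

# 3. The site must be covered by AuthForwardServerList (REG_MULTI_SZ, wildcards allowed)
#    so the WebDAV redirector forwards the user's Windows credentials instead of prompting.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'
$list = @((Get-ItemProperty -Path $key -Name AuthForwardServerList -ErrorAction SilentlyContinue).AuthForwardServerList)
$site = "$($uri.Scheme)://$($uri.Host)"
if (-not ($list | Where-Object { $_ -and $site -like $_ })) {
    $problems += "$site is not covered by AuthForwardServerList under $key"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    "All Explorer View / WebDAV prerequisites met for $SiteUrl"
}
```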

Microsoft RDWeb Access , TMG 2010 & RSA Keys

A client recently needed to upgrade a Server 2008 R2 RD Web Access deployment to a two-factor authentication solution. We decided to go down the TMG 2010 with RSA SecurID route.

After some googling I found this paper: http://www.scribd.com/doc/15682090/TS-Gateway-2008-RSA. It is a great walkthrough but leaves out some key steps. Also, for 2008 R2, replace TS with RDWeb wherever it appears. But the clients always need to log on twice: once at the TMG, and then they are prompted with the RD Web Access form page. To remove this form page, open the C:\Windows\Web\RDWeb\Pages\web.config file and scroll down until you find this. Wow, great! A few comments here and there and all of a sudden the

To turn on Windows Authentication:
              - uncomment <authentication mode="Windows"/> section
              - and comment out:
              1) <authentication mode="Forms"> section.
              2) <modules> and <security> sections in <system.webServer> section at the end of the file.
              3) Optional: Windows Authentication will work in https.  However, to turn off https, disable 'Require SSL' for both RDWeb and RDWeb/Pages VDIR.
                 Launch IIS Manager UI, click on RDWeb VDIR, double click on SSL Settings in the middle pane, uncheck 'Require SSL' and
                 click Apply in the top right in the right pane.  Repeat the steps for RDWeb/Pages VDIR.

After completing the comment changes, restart IIS and tada! The forms-based logon is gone.