SharePoint 2013 and One-Way Forest Trusts

Hello Everyone,

Simple fix for a environment where you have a one way forest trust between an environment that hosts a SharePoint site and several other forests where you would like to use those accounts to login to the site. After establishing required trusts and domain settings the only SharePoint setting that needs to be updated is the people picker. The people picker only looks up naively to the local forest. The steps to get this working are as follows:

1. Create service accounts in each other forest that will be used to
2. Execute the following command, you will need to adjust it for your environment in this sample i’m adding 3 forests.

stsadm -o setproperty -url -pn peoplepicker-searchadforests -pv ",acme\sp_adtrust,password; forest:northwinds.local,northwinds\sp_adtrust,password;,microsoft\sp_adtrust,password"

Note: you always need to add ALL the domains if your updating just one it will override the ones saved. So make sure to include existing ones if your just adding one.

How to Manage Site Permissions – SharePoint 2010

SharePoint default site permissions are controlled by 3 groups that are created when the site is created.

 Site Name Owners Group – This is the “superadmin” “Sysadmin” group, these permissions should only be given out to users that need to make permission or system changes

Site Name Members Group – This group is the read/write user group. This group has the ability to edit, create, delete and view content on the site.

Site Name Visitors Group – The members of this group can only consume content, view and read. They have no access to change or modify files.

Permissions by default can only be edited by members of the owners group. When you are a member of the owners group can select site settings > site permissions from the ribbon.


Once you have selected this you are now on the permissions screen. Click on the group name you would like to add members to.


Now click new, add users to the group.


Enter names separated with semi-colons or click the address book to search from the company directory. Select if you would like SharePoint will send a message letting them know that they have access. You’re Done! The users you enter will now be displayed in the group list!

IE11 and Sharepoint 2010 Problems

Surprise Surprise(remember 9 & 2003), IE11 is released and it won’t work with SharePoint 2010 regardless of the version (December 19, 2013). The cause is due to the changes in IE11 compatibility mode (MSDN details).

Initial thoughts are to hard code the version from 8 to 9, (<meta http-equiv=”X-UA-Compatible” content=”IE=8″/>)

in the master page and this alleviates some problems(Infopath Forms now work(previous error was: Critical Error: Object doesn’t support this property or method addeventlistener)) but it creates more as well(Users can’t be added to sites(System.InvalidOperationException: Namespace prefix ‘xsd’ is not defined.).

Based upton my trial and error today I would recommend until MS released a CU, the farm running is a 2010 Enterprise with all standard features and items in use.

Add this javascript to the master page just above the body close tag.

<script language=”javascript”>
/* IE11 Fix for SP2010 */
if (typeof(UserAgentInfo) != ‘undefined’ && !window.addEventListener) {
UserAgentInfo.strBrowser=1; }


Powershell Script to Create SharePoint Service Accounts

I find myself creating lots of of SharePoint 2010 Farm deployments these days and with that comes the requirement to create the required user accounds. I have created a quick powershell script below that you can use to script this.

Import-Module activedirectory
$password = "PW”
$domain = “Domain.local”
New-ADUser -SamAccountName sp_install -name sp_Install -UserPrincipalName sp_install@$domain -Accountpassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -path ou="Sharepoint Service Accounts,DC=domain,dc=local" -OtherAttributes @{Description="Used to install SharePoint on farm servers."}
New-ADUser -SamAccountName sp_farm -name sp_farm -UserPrincipalName sp_farm@$domain -Accountpassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -path ou="Sharepoint Service Accounts,DC=domain,dc=local" -OtherAttributes @{Description="Farm account"}
New-ADUser -SamAccountName sp_webapp -name sp_webapp -UserPrincipalName sp_webapp@$domain -Accountpassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -path ou="Sharepoint Service Accounts,DC=domain,dc=local" -OtherAttributes @{Description="Farm account"}
New-ADUser -SamAccountName sp_svcapp -name sp_svcapp -UserPrincipalName sp_svcapp@$domain -Accountpassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -path ou="Sharepoint Service Accounts,DC=domain,dc=local" -OtherAttributes @{Description="Used to run IIS application pool for service app web services"}
New-ADUser -SamAccountName sp_search -name sp_search -UserPrincipalName sp_search@$domain -Accountpassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -path ou="Sharepoint Service Accounts,DC=domain,dc=local" -OtherAttributes @{Description="Used to run Enterprise Search service"}
New-ADUser -SamAccountName sp_crawl -name sp_crawl -UserPrincipalName sp_crawl@$domain -Accountpassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -path ou="Sharepoint Service Accounts,DC=domain,dc=local" -OtherAttributes @{Description="Default content access account used by crawler to crawl SharePoint sites."}
New-ADUser -SamAccountName sp_ups -name sp_ups -UserPrincipalName sp_ups@$domain -Accountpassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -path ou="Sharepoint Service Accounts,DC=domain,dc=local" -OtherAttributes @{Description="Used to run User Profile service"}
New-ADUser -SamAccountName sp_ups_import -name sp_ups_import -UserPrincipalName sp_ups_import@$domain -Accountpassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -path ou="Sharepoint Service Accounts,DC=domain,dc=local" -OtherAttributes @{Description="Used to sync profile information with AD"}
New-ADUser -SamAccountName sp_superreader -name sp_superreader -UserPrincipalName sp_superreaderc@$domain -Accountpassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -path ou="Sharepoint Service Accounts,DC=domain,dc=local" -OtherAttributes @{Description="Used to sync profile information with AD"}
New-ADUser -SamAccountName sp_superuser -name sp_superuser -UserPrincipalName sp_superuser@$domain -Accountpassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -PasswordNeverExpires $true -path ou="Sharepoint Service Accounts,DC=domain,dc=local" -OtherAttributes @{Description="Used for IIS caching"}

Add-ADGroupMember "Pre-Windows 2000 Compatible Access" sp_search
Add-ADGroupMember "Pre-Windows 2000 Compatible Access" sp_ups_import