SharePoint 2013/SharePoint 2016 – Applying Cumulative Update removes all users with db_owner

Hey All – Recently ran into an issue where a customer had AvePoint installed in the farm (which requires the DocAve account to have db_owner) and after every CU it would remove a user that had been manually granted db_owner. This is actually a security measure: it makes sure there isn’t an errant account left with db_owner permissions on the database. There are times when we want that account to stay (for things like third-party tools or RBS, though they should find a way to use SP_DATA_ACCESS instead!). There is a registry key, BypassDboDropMember, that was added to SP2013 in the October 2016 CU and to SP2016 in the October 2017 CU for bypassing this behavior (note: you will need to be on these CU levels to gain access to this functionality):

Instructions For SP2013 (From support.microsoft.com link above):

Note: For SP2016 just change the registry subkey to 16.0

  1. After you install this update, you can follow these steps to control this behavior:
    Start Registry Editor:

    • In Windows Server 2012, if you’re using a mouse, move it to the upper-right corner, go to Search, enter regedit in the search text box, and then select regedit.exe in the search results.
    • In Windows Server 2008, go to Start, enter regedit in the Search programs and files text box, and then select regedit.exe in the search results.
  2. Locate and then select the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\15.0\WSS\
  3. On the Edit menu, point to New, and then select DWORD Value.
  4. Enter BypassDboDropMember, and then press the Enter key.
  5. In the Details pane, press and hold (or right-click) BypassDboDropMember, and then select Modify.
    In the Value data box, enter 1, and then select OK.
    Note: If you don’t want to bypass the behavior, you can set the value to 0.
  6. Exit Registry Editor.
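The same steps from PowerShell, as an added example that is not part of the original post: one function sets or clears the DWORD for SP2013 (15.0) or SP2016 (16.0) and reads it back, and a second lists who actually holds db_owner on every content database, because once the cleanup is bypassed that list is the only thing telling you what survived the CU. Assumptions: it runs from an elevated SharePoint Management Shell on a farm server, the SqlServer (or SQLPS) module provides Invoke-Sqlcmd, and the account running it can read sys.database_principals in the content databases.

```powershell
# Added example, not from the original post.
# Assumes: elevated SharePoint Management Shell on a farm server; Invoke-Sqlcmd available.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-BypassDboDropMember {
    [CmdletBinding()]
    param(
        [ValidateSet('2013', '2016')] [string]$Version = '2013',
        [ValidateSet(0, 1)]           [int]$Value = 1    # 1 = keep manual db_owner grants, 0 = default cleanup
    )
    $hive = if ($Version -eq '2013') { '15.0' } else { '16.0' }
    $path = "HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\$hive\WSS"
    if (-not (Test-Path $path)) {
        throw "Registry path '$path' not found; is SharePoint $Version installed on this server?"
    }
    # -Force overwrites an existing value of the same name instead of erroring
    New-ItemProperty -Path $path -Name 'BypassDboDropMember' -PropertyType DWord -Value $Value -Force | Out-Null
    # Read it back so the caller sees what is really stored, not what was requested
    (Get-ItemProperty -Path $path -Name 'BypassDboDropMember').BypassDboDropMember
}

function Get-ContentDbOwner {
    # Every member of db_owner in every content database of the local farm
    $query = @"
SELECT m.name AS MemberName, m.type_desc AS MemberType
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner'
"@
    foreach ($db in Get-SPContentDatabase) {
        Invoke-Sqlcmd -ServerInstance $db.NormalizedDataSource -Database $db.Name -Query $query |
            ForEach-Object {
                [pscustomobject]@{ Database = $db.Name; Member = $_.MemberName; Type = $_.MemberType }
            }
    }
}

# Usage: turn the bypass on for SP2016 on this server, then review db_owner membership
Set-BypassDboDropMember -Version '2016' -Value 1
Get-ContentDbOwner | Format-Table -AutoSize
```

Run the audit again after each CU: the bypass keeps every manual db_owner grant, including the ones nobody remembers making.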

Add-SPShellAdmin and SPWebApplication.GrantAccessToProcessIdentity. What’s the difference?

TLDR – The Add-SPShellAdmin and SPWebApplication.GrantAccessToProcessIdentity are very similar in what they do, but there are a few key differences:

  1. Add-SPShellAdmin: Should be used for granting admin accounts access to run PowerShell commands against the farm. This grants the account 2 database roles (SharePoint_Shell_Access and SPDataAccess) to the specified content database.
  2. SPWebApplication.GrantAccessToProcessIdentity: Should be used for granting service accounts access to the content database. This grants Full Control User Policy to the Web Application and adds the account to the SPDataAccess role for the specified content database.

OK, if you’re still reading…here’s the longer version:

  • SharePoint_Shell_Access Role:
    • Members of the SharePoint_SHELL_ACCESS role have the execute permission for all stored procedures for the database. In addition, members of this role have the read and write permissions on all of the database tables.
  • SPDataAccess Role:
    • The SPDataAccess role has the following permissions (SPDataAccess should be used for all object model level access to databases):
      • Grant EXECUTE or SELECT on all SharePoint stored procedures and functions
      • Grant SELECT on all SharePoint tables
      • Grant EXECUTE on User-defined type where schema is dbo
      • Grant INSERT on AllUserDataJunctions table
      • Grant UPDATE on Sites view
      • Grant UPDATE on UserData view
      • Grant UPDATE on AllUserData table
      • Grant INSERT and DELETE on NameValuePair tables
      • Grant create table permission
    • Note: The SP_DATA_ACCESS role replaces the db_owner role in SharePoint 2013. (From https://technet.microsoft.com/EN-US/library/cc678863.aspx#Section4)
  • SPWebApplication.GrantAccessToProcessIdentity (https://msdn.microsoft.com/en-us/library/ee556553.aspx):
    • Used for service accounts requiring elevated access to the content database(s)
    • Most common use: needs to be set for service accounts (if using least privilege) running Excel, PerformancePoint, SSRS, etc.
    • First, this sets a Full Control user policy for the Web Application. [screenshot: web application user policy]
    • Then, this adds the user to the SPDataAccess role for the specified database(s) for the Web Application. [screenshot: SPDataAccess role membership]
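Both grants side by side with a read-back of what each one changed, as an added example that is not part of the original post. The account names and URL are placeholders. Assumptions: SharePoint Management Shell as a farm administrator, the SqlServer module for Invoke-Sqlcmd, and SQL Server 2012 or later for IS_ROLEMEMBER.

```powershell
# Added example, not from the original post. Account names and URL are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$adminAccount   = 'CONTOSO\spadmin'               # placeholder: a person who runs farm PowerShell
$serviceAccount = 'CONTOSO\svc-ssrs'              # placeholder: a service account (SSRS, Excel, ...)
$webAppUrl      = 'http://intranet.contoso.local' # placeholder

$wa        = Get-SPWebApplication $webAppUrl
$contentDb = Get-SPContentDatabase -WebApplication $wa | Select-Object -First 1

# 1. Add-SPShellAdmin: the person gets SharePoint_Shell_Access (and SPDataAccess) on the
#    configuration database and, with -database, on the named content database as well.
Add-SPShellAdmin -UserName $adminAccount -database $contentDb
# Read back: who can run farm PowerShell against that content database
Get-SPShellAdmin -database $contentDb

# 2. GrantAccessToProcessIdentity: the service account gets a Full Control policy on the
#    web application plus SPDataAccess on each of its content databases; no db_owner involved.
$wa.GrantAccessToProcessIdentity($serviceAccount)

# Read back (a): the policy. In a claims web application the user name is claims-encoded
# (e.g. i:0#.w|contoso\svc-ssrs), hence the wildcard match.
$wa.Policies |
    Where-Object { $_.UserName -like "*$serviceAccount" } |
    Select-Object UserName, @{ n = 'Roles'; e = { ($_.PolicyRoleBindings | ForEach-Object Name) -join ',' } }

# Read back (b): database role membership, one question per role.
function Test-SPDatabaseRole {
    param(
        [Parameter(Mandatory)] $Database,            # an SPContentDatabase object
        [Parameter(Mandatory)] [string]$Account,
        [Parameter(Mandatory)] [string]$Role
    )
    # IS_ROLEMEMBER returns NULL when the account is not even a user in the database,
    # which [bool] turns into False alongside the explicit 0
    $q = "SELECT IS_ROLEMEMBER(N'$Role', N'$Account') AS IsMember;"
    $r = Invoke-Sqlcmd -ServerInstance $Database.NormalizedDataSource -Database $Database.Name -Query $q
    [bool]$r.IsMember
}
foreach ($db in Get-SPContentDatabase -WebApplication $wa) {
    [pscustomobject]@{
        Database              = $db.Name
        ServiceInSPDataAccess = Test-SPDatabaseRole -Database $db -Account $serviceAccount -Role 'SPDataAccess'
        ServiceInDbOwner      = Test-SPDatabaseRole -Database $db -Account $serviceAccount -Role 'db_owner'
    }
}
```

The last loop is the least-privilege check: after GrantAccessToProcessIdentity the service account should show True for SPDataAccess and False for db_owner on every content database of the web application.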

-AJB

Long Live SSRS SharePoint Integrated Mode

On 11/17/16 the SQL Server Reporting Services Product Team announced that starting with SQL Server v.Next, there’ll be only one installation mode for Reporting Services: “Native” mode. Check out the blog here – https://blogs.msdn.microsoft.com/sqlrsteamblog/2016/11/17/simplifying-our-sharepoint-integration-story/

I’ve blogged about SSRS a little bit here and there so making sure everyone is aware of this as you look into future deployments of SSRS!

-AJB

SharePoint Patching 101 – Don’t forget to save all those CAB files in the same folder as the EXE!

Hey All – I’ve seen people run into this issue a few times now so I figured it’d be worth a quick post. A lot of the SharePoint 2013 Cumulative Updates include 3 files: 2 CABs and an EXE. These used to be included in the same self-extracting executable file, but now are 3 separate downloads. Make sure to select ALL 3 from the Microsoft Download Center and then make sure they are all in the same folder when you go to run the EXE and patch that beautiful SharePoint farm of yours.

These guys… [screenshot: the CAB files and the EXE in one folder]
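A pre-flight check for the download folder, as an added example that is not part of the original post: it confirms the EXE carries a valid Authenticode signature from Microsoft (so you are not running a tampered or re-hosted copy) and that the CAB files sit beside it before you double-click. The folder path and the expected CAB count are placeholders; check the CU’s KB article for the actual file list.

```powershell
# Added example, not from the original post. $PatchFolder and $ExpectedCabCount are placeholders.
function Test-CuDownloadFolder {
    param(
        [Parameter(Mandatory)] [string]$PatchFolder,
        [int]$ExpectedCabCount = 2     # most SP2013 CUs ship two CABs; adjust per the KB article
    )
    # @() keeps the results as arrays even when a single file (or nothing) is found
    $exe  = @(Get-ChildItem -Path $PatchFolder -Filter *.exe -File)
    $cabs = @(Get-ChildItem -Path $PatchFolder -Filter *.cab -File)
    $problems = @()

    if ($exe.Count -ne 1) { $problems += "expected exactly one .exe, found $($exe.Count)" }
    if ($cabs.Count -lt $ExpectedCabCount) {
        $problems += "expected $ExpectedCabCount .cab files next to the EXE, found $($cabs.Count)"
    }
    if ($exe.Count -eq 1) {
        # Status 'Valid' means the signature chains to a trusted root and the file is unmodified;
        # the subject check rules out a validly signed file from someone other than Microsoft
        $sig = Get-AuthenticodeSignature -FilePath $exe[0].FullName
        if ($sig.Status -ne 'Valid') {
            $problems += "signature status on $($exe[0].Name) is $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
            $problems += "signer is '$($sig.SignerCertificate.Subject)', not Microsoft Corporation"
        }
    }

    [pscustomobject]@{
        Folder   = $PatchFolder
        Exe      = $exe.Name
        Cabs     = $cabs.Name
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage: only start the patch when Ready is True
Test-CuDownloadFolder -PatchFolder 'C:\Patches\SP2013-CU' | Format-List
```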

-AJB

SharePoint SSRS – Orphaned SQL Agent Jobs Causing Subscriptions to Fail

Weird/crazy issue recently. Subscriptions were getting bogged down or failing in an SSRS SharePoint Integrated Mode environment. The issue seemed sporadic: some days subscriptions would fire off at the scheduled times, and sometimes they’d get stuck processing for a few hours before users received them. After some troubleshooting and digging into this we noticed something off. We ran a query in SQL to compare the SSRS subscriptions with the SQL Agent jobs on the server. The numbers did not match: there were around 70 additional SQL Agent jobs on the server that were not attached to a subscription. Opening one of them up showed that it was a SQL Agent job created by SSRS for a subscription, but no subscription was associated with it. Disabling these jobs fixed the issue.

Here’s the SQL script (This renames all SQL Agent Jobs to have a prefix of ZZZZ_ and disables the job):
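The author’s script is not reproduced on this page; what follows is an added example of the same idea, not the original script. It lists SQL Agent jobs in the "Report Server" category whose name is not a ScheduleID in the ReportServer database (SSRS names each subscription job after the ScheduleID GUID in dbo.Schedule), then renames them with a ZZZZ_ prefix and disables them through sp_update_job. Assumptions: Invoke-Sqlcmd from the SqlServer module, the server instance and report server database name (in SharePoint mode usually ReportingService_<guid>) are placeholders, and the caller has rights on msdb.

```powershell
# Added example, not the author's script. -ServerInstance and -ReportServerDb are placeholders.
function Get-OrphanedSsrsAgentJob {
    param(
        [Parameter(Mandatory)] [string]$ServerInstance,
        [string]$ReportServerDb = 'ReportServer'
    )
    # A job is orphaned when SSRS created it (category "Report Server") but no schedule
    # row in the report server database carries its name
    $query = @"
SELECT j.job_id, j.name, j.enabled
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.syscategories AS c ON c.category_id = j.category_id
WHERE c.name = N'Report Server'
  AND NOT EXISTS (SELECT 1 FROM [$ReportServerDb].dbo.Schedule AS s
                  WHERE CONVERT(nvarchar(36), s.ScheduleID) = j.name)
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database 'msdb' -Query $query
}

function Disable-OrphanedSsrsAgentJob {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$ServerInstance,
        [string]$ReportServerDb = 'ReportServer',
        [string]$Prefix = 'ZZZZ_'
    )
    $orphans = @(Get-OrphanedSsrsAgentJob -ServerInstance $ServerInstance -ReportServerDb $ReportServerDb)
    foreach ($job in $orphans) {
        if ($job.name -like "$Prefix*") { continue }   # already handled on a previous run
        $newName = "$Prefix$($job.name)"
        if ($PSCmdlet.ShouldProcess($job.name, "rename to $newName and disable")) {
            # sp_update_job accepts the job_id (a uniqueidentifier) as a string literal;
            # renaming rather than deleting keeps the job around for later review
            $sql = "EXEC msdb.dbo.sp_update_job @job_id = N'$($job.job_id)', @new_name = N'$newName', @enabled = 0;"
            Invoke-Sqlcmd -ServerInstance $ServerInstance -Database 'msdb' -Query $sql
        }
    }
    $orphans.Count
}

# Usage: dry run first (-WhatIf only prints what would change), then run for real
Disable-OrphanedSsrsAgentJob -ServerInstance 'SQL01\SSRS' -ReportServerDb 'ReportServer' -WhatIf
```

Point -ReportServerDb at the right database: with several SSRS service applications on one instance, a job that looks orphaned against one ReportServer database may belong to another.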

SharePoint 2013 InfoPath Form: Object doesn’t support this property or method ‘addEventListener’ in IE 11

During an upgrade project we noticed that one of the pages that displays an InfoPath Form was throwing the error:

Object doesn’t support property or method ‘addEventListener’

[screenshot: InfoPath error]

This error wasn’t appearing anywhere else, so it was isolated to this specific page, and the page also worked in Chrome (the user was on IE 11). This led me to believe it was an IE 11 issue. I found the following post:

https://social.technet.microsoft.com/Forums/sharepoint/en-US/8a6ca7f7-3e4d-4210-a5a6-caa2e1c06cc3/infopath-form-page-object-doesnt-support-this-property-or-method-addeventlistener-in-ie-11

Adding the site to compatibility mode for IE 11 users fixed the issue.

-AJB

SharePoint 2010/2013 Content Query Web Part… Please Open in Office Web Apps… Ugh, I loathe you right now

First off, thank you very much Ben Prins for getting me moving in the right direction on this one – www.benprins.net/2014/05/19/sharepoint-2013-cqwp-office-online-hyperlink

Here’s the scenario: A client was looking into rolling out Office Web Apps as the default open behavior for documents in a recently upgraded SharePoint 2013 farm (started as a 2007 farm and upgraded to 2010 and 2013 throughout the years). Cool right? Follow this document (https://technet.microsoft.com/en-us/library/ee837425.aspx) and turn off OpenInClient and you should be rocking and rolling in the deep with those web apps…

Everything was looking great except throughout the site they were using content query web parts #CQWPFail. Content query web parts have their place, and this client did not want to revamp a ton of pages and replace them with the shiny new SharePoint 2013 search web parts (the CSWP can span site collections like a boss, but the CQWP is pretty simple/easy to configure if you’re just looking at one site collection… unless XSLT is involved. Keep reading…). The content query web parts had no honor: they refused to acknowledge the OpenInClient setting. Not cool CQWP…

Since this was an upgraded SharePoint site, as a troubleshooting step we created a brand new “vanilla” SharePoint 2013 site collection and did a quick test. These CQWPs seemed to have a little more honor: if the query was set to a specific list/library it would open in the web app. If the query was set at the site collection/site level, it would try to open in the client. Unfortunately that was the entire reason the client wanted to use CQWPs back when they set it up in 2010: to cross sites and surface documents using custom content types.

I think you know where this is going… time to brush up on those XSLT skills. After some research I found this page which lists the files used by the CQWP: https://msdn.microsoft.com/en-us/library/office/bb447557(v=office.14).aspx I did a comparison (insert favorite file comparison tool here; I used WinMerge) of these 2 files between the 2010 upgraded site and the vanilla 2013 site:

  • /Style Library/XSL Style Sheets/ContentQueryMain.xsl
  • /Style Library/XSL Style Sheets/ItemStyle.xsl

What do you know? There were differences. We updated the 2010 upgraded site’s ContentQueryMain.xsl and ItemStyle.xsl files and now at least queries directly against lists/libraries started working.

After this I found Ben’s awesome blog post and ran through the steps on there (I did have to make a few changes, so I’ll post my detailed steps here; I also posted comments on his blog):

  1. Crack open that ItemStyle.xsl file (I checked it out first and then opened it with Notepad).
  2. Right underneath this line (since we’re editing the default style; you could create your own, but we wanted to update all existing web parts without too many changes):

<xsl:template name="Default" match="*" mode="itemstyle">

Paste the following lines:

  • Some things to note about this:
    • ?web=1 is what forces the document to open in Office Web Apps. Pretty nifty, instead of using a hard-coded link to WopiFrame.aspx and trying to parse the LinkUrl field, which I tried and failed because the URL passed to WopiFrame.aspx must be in this format: http://webappurl/sites/sitecollectionurl/siteurl/_layouts/WopiFrame.aspx?sourcedoc=/relative path to file
    • Feel free to add additional entries for doc/xsl/ppt
  3. After this I found the <div class="link-item"> and updated it with this code:

Check these guys out:

2010 fails on ALL queries: [screenshot]

2013 is a little better, but falls short when a query is set at the “site level”: [screenshot]

Here’s the site collection with the updated XSLT (check out that sexy hyperlink at the bottom!): [screenshot]

Cool stuff. Also another plug for Ben Prins’ blog; check out this post: http://www.benprins.net/2012/05/20/show-all-fields-and-values-with-xslt/

The XSLT snippet from that post lets you see all fields and values that are available, which was super useful in troubleshooting.

SharePoint 2010/Server 2012 R2: Config Wizard Fails with Error “Value Does Not Fall Within The Expected Range”

Ran into an interesting installation error: SharePoint was failing to create the Configuration Database, or so it appeared. Running New-SPConfigurationDatabase and running the SharePoint Products Configuration Wizard were both failing with the error “Value does not fall within the expected range.” We were able to track down this issue in the ULS logs and noticed all sorts of IIS-related errors:

Creating new application pool ‘SecurityTokenServiceApplicationPool’.
Adding DOMAIN\spfarmacct to local group IIS_WPG.
Adding DOMAIN\spfarmacct to local group WSS_WPG.
Adding DOMAIN\spfarmacct to local group PerformanceMonitorUsers.
Attempting to give SE_ASSIGNPRIMARYTOKEN_NAME privilege to application pool user DOMAIN\spfarmacct
Attempting to give SE_INCREASE_QUOTA_NAME privilege to application pool user DOMAIN\spfarmacct
An exception occurred while committing IIS configuration changes: Value does not fall within the expected range.
Unable to unprovision metabase object IIS://localhost/w3svc/AppPools/SharePoint Central Administration v4: System.Runtime.InteropServices.COMException (0x80070003): The system cannot find the path specified.
    at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
    at System.DirectoryServices.DirectoryEntry.Bind()
    at System.DirectoryServices.DirectoryEntry.get_AdsObject()
    at System.DirectoryServices.DirectoryEntry.DeleteTree()
    at Microsoft.SharePoint.Administration.SPMetabaseObject.Unprovision()

Removing the Web Server (IIS) role service and letting the prerequisite installer configure IIS was the ticket to get “past” the SharePoint Products Configuration Wizard. It looked like something was up with the client’s Windows Server 2012 R2 image which caused IIS to get a little out of whack. Some other items to watch out for in this configuration (SP2010/Server 2012 R2):

[screenshot: other items to watch out for in this configuration]

SSRS Migration – Do not change ReportServer database names

IMPORTANT: Do not rename the ReportServer database. This is unsupported according to Microsoft per:

This is the “official” SSRS migration for SharePoint document (it doesn’t say anything about database renaming; I’m writing this article for the people who probably didn’t see the links above):
https://technet.microsoft.com/en-us/library/hh759331(v=sql.120).aspx

This is why we always recommend “dry runs” for all migrations! 🙂 There are a few reasons why it’s unsupported, but I was able to do some digging and found where the name is hard-coded and how to fix it if needed. In the end your best bet is to revert back to the original database name (ReportServer most likely), but it’s always nice to know and could potentially help someone if they have their heart set on a rename and understand it is unsupported.

  1. The ReportServerTempDB database is referenced in dbo.Schedule > Triggers > Schedule_UpdateExpiration.
  2. There are 83 stored procedures that reference the ReportServerTempDB database: http://sql-articles.com/reporting-services/how-to-rename-your-existing-report-server-database/
    • NOTE: As part of the SharePoint service application creation process (only when you are upgrading the ReportServer database), SharePoint actually goes through and updates all of these stored procedures. This wasn’t needed in this case, but good to know!
  3. Whenever you create a new subscription it creates a SQL Agent job. Most existing SQL Agent jobs (new ones will be fine) have an entry pointing to the original Reporting Services database name. You could use the following script to update them, or just keep the database name and save yourself some work. I’m showing you this in case the damage is already done. Here’s a sweet SQL script to fix this:
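The author’s script is not reproduced on this page; what follows is an added example of the repair for item 3, not the original script. It finds "Report Server" job steps whose database context or command text still names the old ReportServer database and rewrites them with sp_update_jobstep. Assumptions: each SSRS subscription job has a T-SQL step of the form `exec [<db>].dbo.AddEvent ...` running in database <db>; Invoke-Sqlcmd comes from the SqlServer module; the server instance and both database names below are placeholders. The author’s advice stands: reverting the rename is the supported path, and this only patches the job steps.

```powershell
# Added example, not the author's script. Server and database names are placeholders.
function Repair-SsrsJobStepDatabase {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$ServerInstance,
        [Parameter(Mandatory)] [string]$OldDbName,   # e.g. 'ReportServer'
        [Parameter(Mandatory)] [string]$NewDbName    # the name the database was renamed to
    )
    # Only SSRS-created jobs (category "Report Server"); [[] is the T-SQL LIKE escape for a literal [
    $findSteps = @"
SELECT js.job_id, js.step_id, j.name AS job_name, js.database_name, js.command
FROM msdb.dbo.sysjobsteps AS js
JOIN msdb.dbo.sysjobs AS j ON j.job_id = js.job_id
JOIN msdb.dbo.syscategories AS c ON c.category_id = j.category_id
WHERE c.name = N'Report Server'
  AND (js.database_name = N'$OldDbName' OR js.command LIKE N'%[[]$OldDbName]%')
"@
    $steps = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database 'msdb' -Query $findSteps)

    foreach ($s in $steps) {
        # Replace only the bracketed database reference, not any other occurrence of the word
        $newCommand = $s.command -replace [regex]::Escape("[$OldDbName]"), "[$NewDbName]"
        $newDb = if ($s.database_name -eq $OldDbName) { $NewDbName } else { $s.database_name }

        if ($PSCmdlet.ShouldProcess("$($s.job_name) step $($s.step_id)", "point at [$NewDbName]")) {
            # Double the single quotes so the command text survives being embedded in T-SQL
            $cmdLiteral = $newCommand -replace "'", "''"
            $update = "EXEC msdb.dbo.sp_update_jobstep @job_id = N'$($s.job_id)', @step_id = $($s.step_id), " +
                      "@database_name = N'$newDb', @command = N'$cmdLiteral';"
            Invoke-Sqlcmd -ServerInstance $ServerInstance -Database 'msdb' -Query $update
        }
    }
    $steps.Count   # how many steps referenced the old name
}

# Usage: dry run with -WhatIf, review the list, then run without it
Repair-SsrsJobStepDatabase -ServerInstance 'SQL01\SSRS' -OldDbName 'ReportServer' -NewDbName 'ReportServer_Renamed' -WhatIf
```

Running the function a second time should return 0, which is the quickest way to confirm no job step still points at the old name.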