Tag Archives: Permission Management

Installing SharePoint 2013 Foundation

Come along with me on a small adventure into the world of free SharePoint. Yes, free! SharePoint Foundation 2013 is technically free (well, included in your existing Windows licenses) and can do a whole lot for you without needing to spend significant amounts of money on Server editions. I am going to walk through a mini-series around SharePoint Foundation: installing (this post), what features it contains (and does not), how it can fulfill some use cases and finally a wrap up discussing if Foundation is a viable solution for companies both large and small.

Downloading SharePoint Foundation

Finding SharePoint Foundation was not as easy as one would expect. Going to www.sharepoint.com, and clicking Try or Buy didn’t render a link. I clicked Try Now under SharePoint Server 2013. Then off to the right under Related Downloads is a link for SharePoint Foundation 2013. Wait, that doesn’t have SP1 which is required for Windows Server 2012 (but SP1 has been retracted, hasn’t it?), so I searched some more and found it. Lucky for you, you can download it from: http://www.microsoft.com/en-us/download/details.aspx?id=42039. If you’re running Windows Server 2008, you can download it without SP1: http://www.microsoft.com/en-us/download/details.aspx?id=35488. Looks like Microsoft doesn’t necessarily want to show off that this free version is readily available.


Requirements for Foundation are similar to the Server versions. Check out the hardware and software requirements here.

My Setup

I am installing it in VMWare, with 8GB RAM and 2 cores. It’ll be slow but that’s okay for now. I already have Windows 2012 R2 Standard installed, and I have SQL Server 2012 Standard with SP1 installed on another VM. SQL has been configured with a named instance SPF2013A for this specific instance of SharePoint.

I need SQL too?

SharePoint runs on Microsoft SQL, period. Sorry, you can’t run on MySql or any other variation out there. If you don’t have access to SQL server, you can either install SharePoint in a single server instance which includes SQL for you, or better yet, download and install SQL Express (free). Note there are limitations, but if you’re doing a quick POC or trying out SharePoint, SQL Express will probably be fine. I recommend installing SQL separately as it’ll allow you to expand on your new SharePoint farm in the future. Even if you don’t have plans to expand this farm, install SQL separately, as your production farm will be using this model. I do not cover installing SQL, as there are many flavors and options.

Service Accounts

SharePoint utilizes Active Directory for permissions and such, starting at installation. You cannot install it on a server without AD. You shouldn’t install it on a server that is the AD domain server; it will probably work, but it’s not supported by Microsoft.

Create the following AD accounts for your SharePoint install. You can go crazy and use a service account for every service in SharePoint, allowing for an incredible amount of security separation (and maintenance) but being realistic, I prefer to use the following. Each account has to be a domain account, not a domain admin, just a domain user.

  • Farm admin account, e.g. spfarm.
    • This account will be the installation account, and SharePoint will set up the permissions for the rest of the accounts.
    • Needs local administrative rights to your SharePoint server, excluding SQL.
    • Account must be set up with the dbcreator and securityadmin roles in SQL.
  • Application service account, e.g. appsvc. This account will be used to run your service applications in SharePoint.
  • Web service account, e.g. websvc. This account will be used to run your web site services and application pools.


Prior to installing SharePoint on your server, you’ll need to set up your server to handle a web site. Add the Application Server and Web Server (IIS) roles. Also include the Application Server role service Web Server (IIS) Support.

Check your SQL Server’s properties, specifically that Max Degree of Parallelism is set to a value of 1. Check out http://www.sharepointpitstop.com/2013/04/max-degree-of-parallelism-error.html for more details, I ran into this issue myself ;).
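A pre-flight check for the service accounts and the SQL settings described above, run on the SharePoint server before setup. This is an added example, not part of the original post: the domain name CONTOSO, the SQL host name SQLSERVER01, the list of privileged groups and the "no sysadmin / no local admin for service accounts" checks are assumptions layered on the post's requirements.

```powershell
# Added example: verify the accounts are plain domain users, that only the farm
# account is a local admin, and that SQL is set up as the post requires.
# Run as a user who can read AD and is an administrator on the SQL instance.
Import-Module ActiveDirectory

$Domain      = 'CONTOSO'                   # hypothetical NetBIOS domain name
$FarmAccount = 'spfarm'                    # account names as used in the post
$SvcAccounts = 'appsvc', 'websvc'
$SqlInstance = 'SQLSERVER01\SPF2013A'      # hypothetical host; instance name from the post

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $Subject, $Ok, $Detail) {
    $findings.Add([pscustomobject]@{
        Check = $Check; Subject = $Subject; Pass = [bool]$Ok; Detail = $Detail })
}

# 1. "Not a domain admin, just a domain user". Direct memberships only;
#    nested group membership is not expanded here.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($acct in @($FarmAccount) + $SvcAccounts) {
    $groups = @(Get-ADPrincipalGroupMembership -Identity $acct |
                Select-Object -ExpandProperty Name)
    $hits   = @($groups | Where-Object { $privileged -contains $_ })
    Add-Finding 'Plain domain user' $acct ($hits.Count -eq 0) ('Groups: ' + ($groups -join ', '))
}

# 2. Local Administrators on this SharePoint server: farm account in, others out.
#    Members are matched by account name only (no domain prefix).
$adminGroup  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$localAdmins = @($adminGroup.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
Add-Finding 'Local admin on SharePoint server' $FarmAccount `
    ($localAdmins -contains $FarmAccount) 'Required for the install account'
foreach ($acct in $SvcAccounts) {
    Add-Finding 'Not a local admin' $acct ($localAdmins -notcontains $acct) `
        'Assumption: service accounts stay unprivileged'
}

# 3. SQL: MAXDOP must be 1; farm account needs dbcreator and securityadmin.
$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlInstance;Database=master;Integrated Security=SSPI")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT CAST(value_in_use AS int) FROM sys.configurations " +
                       "WHERE name = 'max degree of parallelism'"
    $maxdop = $cmd.ExecuteScalar()
    Add-Finding 'Max Degree of Parallelism = 1' $SqlInstance ($maxdop -eq 1) "value_in_use = $maxdop"

    $cmd.CommandText = 'SELECT IS_SRVROLEMEMBER(@role, @login)'
    [void]$cmd.Parameters.Add('@role',  [System.Data.SqlDbType]::NVarChar, 128)
    [void]$cmd.Parameters.Add('@login', [System.Data.SqlDbType]::NVarChar, 128)
    $cmd.Parameters['@login'].Value = "$Domain\$FarmAccount"
    foreach ($role in 'dbcreator', 'securityadmin') {
        $cmd.Parameters['@role'].Value = $role
        $r = $cmd.ExecuteScalar()          # 1 = member, 0 = not, NULL = unknown login
        Add-Finding "SQL role $role" $FarmAccount ($r -eq 1) "IS_SRVROLEMEMBER = $r"
    }
    # Assumption beyond the post: the farm account should not also be sysadmin.
    $cmd.Parameters['@role'].Value = 'sysadmin'
    $r = $cmd.ExecuteScalar()
    Add-Finding 'Not SQL sysadmin' $FarmAccount ($r -ne 1) "IS_SRVROLEMEMBER = $r"
}
finally {
    $conn.Dispose()
}

$findings | Sort-Object Pass | Format-Table -AutoSize -Wrap
```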

Installing SharePoint Foundation

Now that you’ve found and downloaded SharePoint Foundation and got SQL set up, let’s install SharePoint! First, log in with your spfarm account, and then run the install file you downloaded, and you’ll get the lovely blue splash screen.

SharePoint Foundation 2013 Splash Screen

Click Install software prerequisites, under the Install section. This installs all the stuff SharePoint needs to run.

SharePoint Prerequisite Installer

Just accept defaults and walk through this wizard. This wizard will probably require your server to restart. It may need to reboot a couple of times depending on how many updates it has to do.

Log back in and rerun the installer. Back at the blue screen, press Install SharePoint Foundation. Most of the installation will be pretty basic: accept the terms, press continue. For Server Type, select Complete and press Install Now.

server type

When done, you can go ahead and press Close.

install done

So far so good? The SharePoint bits, the binaries and files, are installed! Now onto the fun part and configuring SharePoint!

The SharePoint Products Configuration Wizard will appear next. Click Next then Yes to the warning. On the next page, select Create a new server farm.



On the next screen, enter your details for the SQL server, and use your spfarm account for its credentials. I have the \SPF2013A because I installed SQL with another instance; you can probably leave yours as the server name.


Specify a passphrase. Important! This passphrase will be needed if you want to add another server to your farm in the future. Keep it safe!



On the next screen, you can leave it as default, or specify a port number. If you decide to specify your own port, do not specify any of the standard web ports like 80, 443, 8080, etc. This should be a unique port number, as Central Administration is the core of SharePoint: all configuration, permissions and such occur here.


central administration port

Click Next a couple more times and the configuration will run. It may take a while depending on hardware and what not. Let it run. It will error if there’s a problem, otherwise, no news is good news.


Success! Click Finish and Central Administration will open.

Configuring SharePoint

After a successful installation, Central Administration should open. If for some reason it doesn’t, you can open it from the Programs menu.

When Central Administration opens first, it’ll ask if you want to help make SharePoint better. Do as you wish, it’s your conscience.

So you have an option here to use a wizard to configure SharePoint.


I prefer not to use the wizard; I’m a hands-on kind of guy. The wizard is OK, and if you’re going to do a quick and dirty proof of concept, I guess you could do that. I will, however, carry us through the entire process, so I’m going to press Cancel. That will bring us out to Central Administration:

central administration

Before we make any new sites, we have to continue configuring SharePoint to get ready. Click Security in the left quick launch, and then click Configure managed accounts.

register account


Add your service accounts. In my case, I added the 2. What’s nice is if you fat finger the password, it will prompt you. This is nice since that will not cause issues down the road.


added svc accounts

Once added, click Application Management, then click Manage Service Applications.

service application

If you click New in the top ribbon, you’ll see a few options. We’re going to add each of these. Start with the App Management Service. Fill out the following in the dialog:

  • Name. I go with something clear, like “App Management Service”
  • Database. This should default to your SQL server, and you can leave it as is.
  • Failover Server. If you have one, you can specify it, otherwise continue on.
  • Application Pool. We do want to create a new application pool.
    • Application pool name: specify Application Services.
    • For the security account, select Configurable and select the appsvc account from the picker.
  • Create App Management Service Proxy. Keep the Create option checked.
  • Click OK.

Next up, create a new Secure Store Service.

Why did I skip the Business Data Connectivity Service? Because we don’t need it. This service allows SharePoint to connect to external data systems, like another SQL database. If you want to use it, go for it, but for most POCs, we don’t need it.

Ok, back to the Secure Store Service.

  • Name: Secure Store Service.
  • Database. Again, this should default, let’s move along.
  • Failover Server. Ya, again, move along.
  • Application Pool. This time, let’s select an existing application pool, specifically the one we made before, Application Services.
  • Enable Audit. Keep that checked.
  • Click OK.

Outgoing Email

Couple more small things. Click on System Settings, then Configure outgoing e-mail settings. Specify your outgoing email server. You can simply put your Exchange server here. You’ll have to allow relaying from the SharePoint server IP address. SharePoint does not authenticate with the outgoing email server.

If you want, you can validate the outgoing email by setting up a relay on the SharePoint server. This works well with Exchange or any cloud based email service. Check out my other post on Sending SharePoint emails through the cloud.


Click System Settings then Manage Services on Server.

services on server

Now we have to turn a bunch of stuff on. Turn on the following:

  • App Management Service.
  • Microsoft SharePoint Foundation Subscription Settings Service.
  • Secure Store Service.
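The same managed accounts, service applications and service instances can be provisioned from the SharePoint 2013 Management Shell, which gives you a reviewable record of which identity runs what. This is an added example, not part of the original post; the domain CONTOSO, the proxy names and the database names are assumptions, and it is run as the farm account.

```powershell
# Added example: scripted equivalent of the Central Administration steps above.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

$appSvc = 'CONTOSO\appsvc'        # hypothetical domain; account names from the post
$webSvc = 'CONTOSO\websvc'

# Register both service accounts as managed accounts (prompts for each password).
foreach ($name in $appSvc, $webSvc) {
    $existing = Get-SPManagedAccount | Where-Object { $_.UserName -eq $name }
    if (-not $existing) {
        $cred = Get-Credential -UserName $name -Message "Password for $name"
        New-SPManagedAccount -Credential $cred | Out-Null
    }
}

# One shared application pool for service applications, running as appsvc.
$poolName = 'Application Services'
$pool = Get-SPServiceApplicationPool | Where-Object { $_.Name -eq $poolName }
if (-not $pool) {
    $account = Get-SPManagedAccount | Where-Object { $_.UserName -eq $appSvc }
    $pool = New-SPServiceApplicationPool -Name $poolName -Account $account
}

# App Management Service plus its proxy (database name is an assumption).
$appMgmt = New-SPAppManagementServiceApplication -Name 'App Management Service' `
    -ApplicationPool $pool -DatabaseName 'SPF_AppManagement'
New-SPAppManagementServiceApplicationProxy -Name 'App Management Service Proxy' `
    -ServiceApplication $appMgmt | Out-Null

# Secure Store Service in the same pool, with auditing kept on.
$secureStore = New-SPSecureStoreServiceApplication -Name 'Secure Store Service' `
    -ApplicationPool $pool -DatabaseName 'SPF_SecureStore' -AuditingEnabled:$true
New-SPSecureStoreServiceApplicationProxy -Name 'Secure Store Service Proxy' `
    -ServiceApplication $secureStore | Out-Null

# Start the three service instances listed under Manage Services on Server.
$wanted = 'App Management Service',
          'Microsoft SharePoint Foundation Subscription Settings Service',
          'Secure Store Service'
Get-SPServiceInstance -Server $env:COMPUTERNAME |
    Where-Object { $wanted -contains $_.TypeName -and $_.Status -ne 'Online' } |
    Start-SPServiceInstance | Out-Null

# Review: which identity each service application pool runs as.
Get-SPServiceApplicationPool | Select-Object Name, ProcessAccountName
```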

Create your first site

Now that SharePoint is configured and ready to go, let’s create a site. The site itself will be what your users access. Click Application Management then Manage web applications.

web app

Brief overview of SharePoint’s architecture

The SharePoint farm is what we have now. It’s SharePoint, installed and configured. It can be installed across multiple servers. Note we didn’t have to install SharePoint on SQL. SQL simply stores the databases, however SQL is still considered part of the farm.

Web applications are the top level of data collections. As you’ll see, Central Administration has a web app. A web app is a collection of Site Collections.

Site collections are a collection of sites, and can contain one to many sites.

Sites are the interfaces your users go to to access SharePoint. Sites contain lists, libraries and all the user data.

Create your web application

Click New in the ribbon. Fill out the page as follows:

  • IIS Web Site. SharePoint will create the following IIS web site on your farm. Keep port 80, specify a host header. For quick and dirty, you can specify your server’s name, in my case spf2013a. If you want something more meaningful, specify a valid name which has been setup in your DNS.
  • Security Configuration. You can leave this as is.
  • Claims Authentication Types. Leave it.
  • Sign In Page URL. Move on.
  • Public URL. Ditto.
  • Application Pool. We’re going to create a new one, keeping the default name is fine. Under the security account, select your websvc.
  • Database Name and Authentication. You can leave the database name as is, however I generally append the site name to the database name so I know what database goes to which site.
  • Failover Server. Ya, you know.
  • Service Application Connections. Move along.
  • Customer Experience Improvement Program. Again, up to you.
  • Click OK.

Create your site collection

When the web application finishes, the confirmation window will have a link to create a site collection, click that.

If you were so excited to have set up your web app that you closed that confirmation window, click Application Management, then Create site collections.

In the Create Site Collection dialog, specify the following:

  • Title and Description. The title is the name of the site, what your users will see. This can be changed at any point later. Not as stressful as naming your kid, but close. You can leave description blank.
  • Web Site Address. Keep the / selection.
  • Template Selection. Select a Team Site. This is a basic site, a great starting point.
  • Primary Site Collection Administrator. Select the smartest person you know, yourself! Specify your user name in here so you can easily get into the new site.
  • Secondary Site Collection Administrator. Select the other administrator of the site. You can specify more later on.
  • Quota Template. Leave with No Quota.
  • Click OK.

You’re ready to go!

new site

That’s it! You should be all set to go! We didn’t have to create a site, as a site collection always has a default root site within it.

If you try to hit the site from the server console, you may have an issue, check out this post for an easy fix.

Quick tips:

  • Click the cog, or the gear, or the little circle looking thing in the top right, then go to Site Settings. This is all the behind-the-scenes stuff, including permissions, Look and Feel, search settings and a whole lot more. Familiarize yourself with what’s here.
  • Click the cog, then Add an app. This is how you add new lists and libraries.
  • Click the cog, then Site Contents. This shows all content on the current site. This is also where you can create new sub sites, scroll down and you’ll see a link for new subsite.

Til next time, Happy SharePointing!

Looking for the next part? Sorry I’m a  slacker! Leave comments below and I’ll finish it off. 



My Users Don’t Like SharePoint Because They Can’t Do Anything!

This is Part 3 of my series on ‘My Users Don’t Like SharePoint…’

Again, let’s take the Ford Mustang metaphor from the opening post. I get my 2013 Mustang, and it’s shiny and beautiful.

Credit Ford.com

It’s new, shiny, has the new car smell, spotless. I make the decision that my kids are not allowed in it at all. Period. My wife is only allowed after she has brushed her shoes off. And then once she’s in, no drinks, no food. I don’t even bring coffee in it. Is it still a beautiful car? You better believe it is. Will anyone want to drive with me? Meh, maybe the first time, but it’ll quickly get old (make sure your feet are clean, sorry you have cat hair on you, you can’t ride in my car). No one will want to drive with me since there are so many limitations.

This is also a common scenario for SharePoint: sometimes it is deployed and locked down so tight that everything of significance is filtered through IT. All lists have requests and approval workflows set up. No one is allowed to create new lists or sites. Since it’s all going through the IT help desk, a request takes an annoyingly long time to complete and eventually users decide to not bother with it.

Or following the second post in this series, if you just spent all of this time and effort cleaning, scrubbing, and reorganizing SharePoint, you may lean towards locking it down so much that it can never happen again.

from PhotoBucket

Loosen up!

I know, I’m sending you mixed signals. Last post I said to apply governance and kick people out of doing things, tighten down the reins; now I’m telling you to loosen up.

There’s a balance.

I’ve worked with enough IT departments to know what they think of their end users. I understand most users don’t know how to change their screen resolution or use the Windows key. I honestly had someone think the CD-ROM was a cup holder, and used it as such… I’ve had a VP complain his laptop stopped working after he spilled coffee on it… I’ve had someone report that their new hard drive wasn’t working properly, upon assessment it wasn’t plugged in, it was resting on the computer… I’ve had a tech support rep from a computer company tell me to reboot and give it 24 hours for the settings to sink in… I’ve told users to straighten out their keyboard wires or the letters will appear upside down… ID-10T… and there’s more. I’m sure you have a long list as well. I know the stories and the pain. I do, I’ve been there, done that, got the T-shirt.

Since I know where you’re coming from, let me take a moment to vent… As the IT department, your job is to support and provide services to your users, assisting them in completing their jobs, not telling them how to do their jobs. Too many times the business is run by IT; IT is making business decisions (or forcing the business into choices) based on technology, instead of hearing and understanding what the business needs and then doing everything they can to make it work. Without the business, there’s no need for an IT department. IT departments can take a note from consultants: do everything you can to make the customer happy. Just sayin… now back to SharePoint….

What I also learned is that not all of your end users are mindless lemmings. There are always a select few who should be considered power users. Leverage them! SharePoint is best used when power users are granted permissions to create some customizations on their own. Your governance plan should identify this, clearly.

How do you identify your power users? They’re the ones who do some cool stuff without hassling IT. Or they do something so big that they need IT to help fix it (this is good, they’re venturing on their own). They’re users who customize their Excel worksheets with cool functions and macros, or actually know how to use PowerPoint and maybe embed a video. Get to know them, and adopt them into your team; they don’t have to join IT, but they can be a go-to person for their department. Provide them additional permission to create a list or library. Explain to them the importance of organization and your governance. There can be a healthy balance between the junk drawer effect and the strict IT department.

Train your users.

“Tell me and I forget, teach me and I remember, involve me and I learn” – Benjamin Franklin

This can take time and is costly. If you were deploying a new ERP, CMS or a highly customized solution, you would provide training, manuals, quick reference cards, and more. But nooooo…. SharePoint is Microsoft and should be easy. Well it isn’t.

Start with finding some resources you like (some awesome resources online on sites like www.nothingbutsharepoint.com and sp365.co.uk, videos from www.criticalpathtraining.com, and many books are available as well). Take what you like and paraphrase it, highlight what you think your users need to know, and reference these sources in your own manuals.

Take screen shots or small videos to help explain the steps. Check out a great free screen shot app and 5 min video recorder: Jing by  TechSmith.

Hold small training sessions, I find that SharePoint training can be intimidating to users and they tend to ask loads of questions; small groups make it more manageable for the trainer. Make sure to allow time for question and answers, SharePoint can do a lot, let your users play with it and explore and come back with questions later on. Consider bringing in a trainer or consulting firm that can help train and answer the questions effectively.

Once your larger user base knows what is possible, two things can happen:

1. They appreciate your SharePoint implementation, they understand what it’s for and what it can do for them. This will drive user adoption and improve your users’ point of view.

2. They come back with additional ideas and feature requests: “since it can do ABC, can we have it do XYZ?”. Nothing drives user adoption better than buy-in.

Give them some space.

To play, that is. After you have spent the time to train your users, or provided the ideal manuals and guides, give them their space. Turn on My Sites and let them bang on their own site collection. They are their own masters in their My Site. Set quotas so they can’t run wild on space. If they blow up their site, wipe it out and create them a fresh one. No harm, no foul. Letting them play will help get additional buy-in and improve user adoption.

Allow them to customize their own web part pages. With the Personal Permissions section enabled (enabled on the Contribute rights by default), users can customize their own web part pages. The page has a shared and a personal view, allowing users to add and remove web parts as they want. As an admin, you can lock down web parts so they cannot be removed, which is important to ensure the company message is still present. Also, with this permission set, users can create their own personal views on any lists they have permission to. This enables users to create their own views of the data without bugging admins. Train your users on how to use this and you’ll have a happier user base.

If you get enough [happy | satisfied | content] people behind your SharePoint, and key stakeholders get wind of it, you have a better chance of additional resources for improving SharePoint (increase budgets for training, software, hardware, consultants, etc.).

Til next week, Happy SharePointing!

My Users Don’t Like SharePoint Because it’s a Complete Mess

This is Part 2 of my series on ‘My Users Don’t Like SharePoint…’

Let’s take the Ford Mustang metaphor from the opening post. I get my 2013 Mustang, and it’s shiny and beautiful.

Credit Ford.com

I then welcome my three children into it, and let them have their way. We go to McDonald’s, they get Happy Meals. I assume they know not to make a mess, so I leave them in my new car as I run into the store (no I don’t really, that’s not safe, but for the sake of the example). I come back a little later and much to my surprise, my car is a mess! French fries on the floor, wedged between the leather seats, ketchup smeared on the windows, salty finger prints on my dash and stereo, chocolate milk in the carpet, apple juice splashed on the ceiling… a complete mess.

Credit City-Data.com

I’m too busy to clean it out, I have other projects around the house I need to take care of. A week goes by, things really settle in, a nice odor forms and now no one wants to drive in my new Mustang, even the kids who made the mess! Should I call up Ford and scream at them, tweet hatred and complain about their sucky car?

If this rings a bell for you and your SharePoint implementation, there’s still hope. Depending on how long the milk was soaking in the carpet, you may have some heavy cleaning to do, but it’s possible! This by far is one of the most common issues I’ve come across.

Define a plan.

The first thing you’ll want to do is reorganize things virtually: make a plan. Ignore what SharePoint is doing now and lay out the perfect environment. Using Excel or your app of preference, lay out the ideal topology: sites and sub sites, libraries, folders and files. Include metadata, if you’re using it, and permission and navigation considerations. Define what the perfect world will look like. Who has access to what, where, and how much access should they have?

Here’s a basic example. Starting with something like this can help get the wheels spinning.

Once buckets are defined, people can select where things should go. You’ll see Secure sites in there. These are the private department specific work spaces and the goal there is to farm out what the secure site would look like to that department. Provide them this basic template and have them define what they want to see.


Governance, the art of governing what your users can do, might be a scary word, and is by far the largest challenge with information management (regardless of SharePoint, governance is an issue across the board, more on Joel Oleson’s blog), but it’s critical for a successful SharePoint deployment.

Taking the same document we had above, let’s add a few more columns to include basic governance. Who can access what bucket:

Pretty straight forward. There are many methods of defining governance and taxonomy, I find starting in Excel is fastest and easiest.

Microsoft’s site has a lot more on governance: http://technet.microsoft.com/en-us/sharepoint/ff800826.aspx. Go ahead and search for ‘sharepoint governance‘ and you’ll find some great articles by others.

Still not convinced governance is necessary? Check out my other post on governance.

It’s okay to have a growing document defining your governance. Clearly defining your buckets is a great first step, but applying permissions to each bucket and site will help keep sites clean. Once you have a clear, or clearer, plan on your permissions, execute it!

Clean up, clean up, everybody clean up!


Pull in a few key players to assist. Giving them ownership of their own data will reduce your load as well as give more users buy-in (aka user adoption). Use the plan you defined and slowly begin to move data around, reformatting sites and libraries. SLOWLY.

Don’t spend a weekend and bust it all out. Monday will be chaotic as your users panic, scouring through your nice new layout cursing SharePoint. Go slow, let everyone know what you’re doing. Get your users involved in cleaning up their sites and libraries. Assign owners to reorganizing their sites and libraries.

Consider a 3rd party tool like ControlPoint from Axceler (why?). Their solution makes moving entire lists and libraries a snap. There are other solutions out there, I’ve only used (and subsequently fallen in love with) ControlPoint.

As you clean up, it is now:

Time to govern.

SharePoint is a large application, it can do a whole lot, real easy. As a result, some SharePoint implementations suffer from having too many people mucking around with too many features (remember letting my kids run wild in my Mustang? A complete mess.). I have seen implementations where whenever a user felt like it, a new list was born, a new library created, sub sites abound, pages were rearranged with new web parts and views on a whim. It can become a collective junk drawer. This drove the end users, the consumers of the information, NUTS. Everything is everywhere and is hard to find and manage.

In your document, you began to define groups and their level of permission to sites, libraries and lists. Begin to apply those changes as you’re building it out. For starters, change permissions on the HR site so all users have read only access. That will immediately stop a bulk of your users from messing with your changes as you go. When you create or manage libraries, update permissions accordingly.

Make sure to review the previously mentioned Microsoft site for more on governance. Do it right, the first time, it’s worth every little bit of effort.

You can always have some fun (the only way us IT people know how).

Clean out the site owners group and site collection administrators list, leaving yourself of course. See who screams “I can’t create another list!”. That’ll help you identify who’s making the mess and give you a start to discuss and help guide them in doing it right (per your governance).

If you hit a library that you’re unsure about, I’d bet that has become the junk drawer. See who cares it’s missing by removing all permissions (except your own of course). I’ve done this a few times, and those libraries will sit dormant for 6-9 months until the customer says, “fine, we don’t need it, trash it”.

Til next week, Happy SharePointing!

Read Only users cannot access SharePoint via Web DAV

SharePoint has an alternative method for accessing its files, and that is via a web standard called Web DAV. This connection type has been around a long time, and is supported by the web server. This connection type allows other applications, in my case GoodReader, to connect to SharePoint and access folders and files directly.

A user who only has Read permissions is not allowed to log in to the site over the Web DAV connection. Fortunately, this is an easy fix. You can either create a new permission level, like “Read – Web DAV”, or modify the existing Read permission level to include WebDAV.

To do so:

  • Go to Site Actions > Site Settings.
  • Click Site Permissions.
  • Click Permission Levels in the ribbon.
  • If you want to add a new permission level, click on Read, then press Copy Permission Level at the bottom.
  • If you want to modify the existing Read permission level, click on Read.
  • Scroll down, under Site Permissions is Browse Directories. Check that option.
  • Click Submit.

That should do it. Immediately, Read users, or users in this permission level, can access SharePoint via Web DAV.
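The "new permission level" route, scripted so that the built-in Read level stays untouched and you can see exactly who ends up with Browse Directories. This is an added example, not part of the original post; the site URL and the description text are assumptions, and it runs in the SharePoint Management Shell on a site that defines its own permission levels (normally the root site of the collection).

```powershell
# Added example: copy Read into "Read - Web DAV", add Browse Directories,
# and report which levels and principals carry that right.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

$siteUrl   = 'http://spf2013a'        # assumption: adjust to your site
$levelName = 'Read - Web DAV'
$browse    = [Microsoft.SharePoint.SPBasePermissions]::BrowseDirectories

$web = Get-SPWeb $siteUrl
try {
    if (-not $web.HasUniqueRoleDefinitions) {
        throw "Permission levels are inherited here; run against the parent site."
    }

    # Before: which permission levels already include Browse Directories?
    $web.RoleDefinitions | Select-Object Name,
        @{ n = 'BrowseDirectories'; e = { ($_.BasePermissions -band $browse) -eq $browse } } |
        Format-Table -AutoSize

    $existing = $web.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    if (-not $existing) {
        # Look Read up by type so a renamed or localized level is still found.
        $read = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Reader)

        $new = New-Object Microsoft.SharePoint.SPRoleDefinition
        $new.Name            = $levelName
        $new.Description     = 'Read plus Browse Directories, for Web DAV clients'
        $new.BasePermissions = $read.BasePermissions -bor $browse
        $web.RoleDefinitions.Add($new)
    }

    # After: confirm the new level differs from Read by exactly one right.
    $read    = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Reader)
    $created = $web.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    $extra   = $created.BasePermissions -band (-bnot [long]$read.BasePermissions)
    "Rights in '$levelName' that Read does not have: " +
        [Microsoft.SharePoint.SPBasePermissions]$extra

    # Who holds a level with Browse Directories on this site right now?
    foreach ($ra in $web.RoleAssignments) {
        $levels = @($ra.RoleDefinitionBindings |
                    Where-Object { ($_.BasePermissions -band $browse) -eq $browse } |
                    ForEach-Object { $_.Name })
        if ($levels.Count -gt 0) {
            [pscustomobject]@{ Member = $ra.Member.Name; Levels = $levels -join ', ' }
        }
    }
}
finally {
    $web.Dispose()
}
```

Assign the new level only to the groups that actually need Web DAV access; everyone else keeps plain Read.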

Happy SharePointing!