Sharepoint 2013 setup group permissions

In my SharePoint 2013 test SharePoint site, I would like to know how the users should normally have access to the test SharePoint site. Would the user sign in as themselves individually or would they sign on with a group ID? Can you tell me and/or point me to a URL that will show how to set up group permissions and how the users should log in?

There are two suggested ways to assign permissions on SharePoint sites:
  • Using SharePoint groups
  • Using Active Directory groups
Note: A site can be set up either to inherit permissions from the parent site or to allow unique permissions to be set for the site. If the site is set up to inherit permissions from the parent site, you will have to add users or Active Directory groups to pre-existing SharePoint groups in the parent site.

Using SharePoint groups:
  1. Click on “People and Groups”.
  2. Click on “New”; from the drop-down menu, select “New Group”.
  3. Under “Choose the permission level group members get on this site:…”, select “Contribute” and click OK.
  4. Click on “People and Groups”.
  5. Click “New”; from the drop-down menu, select “Add Users”.
  6. Type in the netID(s) you wish to add.
  7. Click on “Check Names” (the netID(s) should now be underlined).
  8. Under “Give permission”, select the group you just created and click OK.
Note: If site owners want their site to show up automatically in users' "My Links" in "My Site", then those users must be part of a SharePoint group and that group must be defined as the "Members of this Site" group.

Using Active Directory groups:
  1. Click on “People and Groups”.
  2. Click on “New”; from the drop-down menu, select “Add Users”.
  3. Type in the name of the Active Directory group you wish to add.
  4. Click on “Check Names” (the group name should now be underlined).
  5. Under “Give Users permissions directly”, select “Contribute” and click OK.
Note: You can specify multiple netID(s) or AD groups by separating the names with a semicolon (;).

Below is the list of permissions you can use for the site.

Permission Level: Description
  • Full Control: This permission level contains all permissions. Assigned to the Site name Owners SharePoint group, by default. This permission level cannot be customized or deleted.
  • Design: Can create lists and document libraries, edit pages and apply themes, borders, and style sheets in the Web site. Not assigned to any SharePoint group, by default.
  • Contribute: Can add, edit, and delete items in existing lists and document libraries. Assigned to the Site name Members SharePoint group, by default.
  • Read: Read-only access to the Web site. Users and SharePoint groups with this permission level can view items and pages, open items, and documents. Assigned to the Site name Visitors SharePoint group, by default.
  • Limited Access: The Limited Access permission level is designed to be combined with fine-grained permissions to give users access to a specific list, document library, item, or document, without giving them access to the entire site. However, to access a list or library, for example, a user must have permission to open the parent Web site and read shared data such as the theme and navigation bars of the Web site. The Limited Access permission level cannot be customized or deleted.
    NOTE: You cannot assign this permission level to users or SharePoint groups. Instead, Windows SharePoint Services 3.0 automatically assigns this permission level to users and SharePoint groups when you grant them access to an object on your site that requires that they have access to a higher level object on which they do not have permissions. For example, if you grant users access to an item in a list and they do not have access to the list itself, Windows SharePoint Services 3.0 automatically grants them Limited Access on the list, and also the site, if needed.
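
The two procedures above can also be scripted from the SharePoint 2013 Management Shell on a farm server. This is an added example, not part of the original answer; the site URL, group name and AD group name are placeholder assumptions, and the group owner is assumed to be the site collection owner.

```powershell
# Added example: scripted equivalent of the "Using SharePoint groups" steps,
# with an AD group added as the member so users still sign in as themselves.
# Placeholders (assumptions, not from the original answer): $SiteUrl, $GroupName, $AdGroup.
param(
    [string]$SiteUrl         = 'http://sharepoint.example.local/sites/test',
    [string]$GroupName       = 'Test Site Contributors',
    [string]$AdGroup         = 'EXAMPLE\SP-Test-Contributors',
    [string]$PermissionLevel = 'Contribute'
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$web = Get-SPWeb -Identity $SiteUrl -ErrorAction Stop
try {
    # The note above: a site that inherits permissions must be managed through
    # the groups of its parent site, so stop rather than change the parent silently.
    if (-not $web.HasUniqueRoleAssignments) {
        Write-Warning "$SiteUrl inherits permissions; add members to the parent site's groups instead."
        return
    }

    # "New Group": create the SharePoint group only if it does not exist yet.
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $GroupName }
    if (-not $group) {
        # Assumption: the site collection owner becomes the group owner.
        $web.SiteGroups.Add($GroupName, $web.Site.Owner, $null, 'Created by script')
        $group = $web.SiteGroups[$GroupName]
    }

    # "Choose the permission level group members get on this site".
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$PermissionLevel])
    $web.RoleAssignments.Add($assignment)

    # "Add Users" + "Check Names": EnsureUser resolves the account or AD group
    # and fails if the name cannot be found.
    $principal = $web.EnsureUser($AdGroup)
    $group.AddUser($principal)

    # Show the resulting membership; IsDomainGroup is True for AD groups.
    $group.Users | Select-Object LoginName, IsDomainGroup
}
finally {
    $web.Dispose()
}
```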

Similar Messages

  • SharePoint 2013 Administrative Account Permissions

    I'm looking for documentation about the permissions needed to administrate SharePoint Server 2013. My administrative account needs to have access to Central Administration, web applications, PowerShell, and local server resources like the file system, event
    logs, services, etc.
    I have found several articles that I had hoped would have the information but do not:
    Plan for administrative and service accounts in SharePoint 2013 literally has the sentence:
    This article does not describe security roles and permissions required to administer in SharePoint 2013.
    This upsets me as I am looking for the documentation that does describe the roles and permissions required to administer in SharePoint 2013 and this line offers no help other than telling me what I need isn't here. For anyone from the documentation
    team that happens to read this I offer the feedback that following that sentence there should be a link to the documentation that I am asking about here (assuming it exists ;)
    Initial deployment administrative and service accounts in SharePoint 2013 details permissions for the setup user account which is like an administrative account except that in my
    case the farm has been set up and I need to have administrative accounts.
    Account permissions and security settings in SharePoint 2013 describes the permissions accounts and groups are granted on individual resources on the server. While this is informative,
    it doesn't describe what rights I need to grant an account so it can administer.
    Use Windows PowerShell to administer SharePoint 2013 describes the permissions needed to run Add-SPShellAdmin to grant others administrative access, but doesn't actually
    describe the permission needed to use PowerShell to administrate.
    Does this information exist publicly?
    Jason Warren
    @jaspnwarren
    jasonwarren.ca
    habaneroconsulting.com/Insights

    Partner Support has confirmed there is no documentation that details specific rights needed for specific administration tasks. Given how the permissions depend on the task and how many tasks there are I don't see this ever appearing in official public documentation.
    I did some testing and I was able to use PowerShell as a non-admin, but I was limited to accessing objects that don't require the admin rights. For example I couldn't get the farm object (I get an exception) or the search service application (Get-SPEnterpriseSearchServiceApplication
    returns null), but I could list site collections and sites. Again, certain tasks require certain rights and this totally makes sense given the ability to delegate permissions built into the SharePoint platform.
    So where does this leave me? For now I suppose it needs to be tested on a case-by-case basis.
    For users who I want to administrate a farm with PowerShell, who have the ability to log into the servers to check local resources, services, logs, etc. practically they need to be local administrators and have SPShellAdmin. For anything else I would be
    looking at creating an account with no rights and gradually add permissions until I get to a level where it can perform the required tasks. If I want an account to manage site collections I may need Remote Desktop User machine group, SPShellAdmin against the
    content database, and site collection administrator (at the moment this is a guess).
    So in the end it seems there is no definitive answer or broad best practice for assigning permissions to administrators beyond testing it out to see what works and hiring administrators who you trust and are accountable for their actions.
    Jason Warren
    @jaspnwarren
    jasonwarren.ca
    habaneroconsulting.com/Insights

  • SharePoint 2013 Default Groups removal

    Hi Everyone
    I would like to know if there is any harm in breaking inheritance and removing SharePoint 2013 default groups.
    Groups like
    1) Approvers
    2) Designers
    3) Translation Managers
    4) Restricted Readers
    Any help will be greatly appreciated.
    Regards
    Prashanth
    SharePoint Administrator

    Hi Prashanth,
    If the default groups have been deleted, then the groups cannot be recovered unless you restore the site from a backup.
    The default groups have specific permission levels, so if you do not need that specific permission, then you can delete them.
    More references:
    http://office.microsoft.com/en-001/sharepoint-server-help/understanding-sharepoint-groups-HA102772363.aspx
    http://office.microsoft.com/en-001/sharepoint-server-help/understanding-permission-levels-HA102772313.aspx?CTT=5&origin=HA102772363
    Best regards.
    Thanks
    Victoria Xia
    TechNet Community Support

  • Sharepoint 2013 setup with multi tenancy

    Hi,
    Does anybody have proper guidance on how to set up SP 2013 with multi-tenancy? Also, it should be in hosting mode, because we are a big hoster.
    We need hosting SP 2013 with multi tenancy.
    Thanks in advance.

    Hi,
    I have set up SharePoint 2013 multi-tenancy.
    I have some issues regarding SharePoint 2013. I have created one SharePoint site collection. I've designated myself as a site administrator. I'm able to log in to the new site collection; however, when I try to add people from my created SharePoint
    site collection, it shows me "No results found".
    But in Central Administration, I can add people as well as give the permissions.
    Any suggestions? How can I troubleshoot?
    Thanks in Advance.
    /Harish R.

  • SharePoint 2013 document library, permissions to upload and view shared document only

    SharePoint 2013 document library I want to give access to client where they can upload and view their uploaded document and can see all documents shared with them.
    I have managed to show all document shared with them only by deactivating a feature but now they can't upload any document, If I create a permission set to allow them to upload documents, they will see all other documents as well which are not shared with them.
    Any suggestions?

    Hi Sharaqat, the best way to handle your situation is to have a separate library or site for the client. You could use item level permissions per Thilosh, but fine-grained permissions become a major headache. You could also use web parts and audience
    targeting, but that's not truly secure.
    cameron rautmann

    I am thinking to have a separate document library for client, where they can upload/view/edit etc, we will upload documents in a "secure" library with a column saying this is a private document or public document, if we mark a document public,
    a workflow will move that document to the client's document library. I don't think there would be a problem to move a document from 1 library to another in a workflow.
    That's the easiest solution I have found so far.

  • Sharepoint 2013 setup for a test site

    In a SharePoint 2013 test site that I am using, I would like to be able to follow the section called 'deploy a workflow solution' that is located at the following URL:
    http://msdn.microsoft.com/en-us/library/jj819316(v=office.15).aspx.
    When I look at the 'upload solution picture', I see the tabs for browse, solutions, and library. However, when I look at my test SharePoint 2013 website, I see the tabs for browse and page. I do not see the 'solutions' and 'library' tabs. Thus can you tell
    me if my test SharePoint website is set up incorrectly or is this a permission issue? Would you tell me what I can do to solve my issue?

    Hi Wendy,
    Do you have administrative rights on the site? Only a site administrator can upload the solution to the solution gallery and activate that solution.
    Best Regards,
    Brij K

  • Accessing certain folders within a SharePoint library by groups

    Hello there!
    Please, guys, give me some clarification. Is it possible at all to allow or prohibit access to a certain folder within a SharePoint 365 library? A folder contains some files that I want a certain group of users to have access to.
    What I have now is to allow access to a certain file in the library, which is quite laborious as I have more than 5000 documents in the library grouped into 50+ folders. Could I make some automation in order to allow access to a folder for
    a certain group of users automatically according to an event in the calendar?

    Hi,
    Based on your description, my understanding is that you want to grant a certain group of users access to a certain folder within a SharePoint 365 library.
    Navigate to the document library with the folders. Click on “…”, then select “Shared With”, next click Advanced.
    There should be an option for Manage Permissions. From there you will have to break the permissions inheritance (there should be a link or option called Edit permissions). Once the inheritance is broken, you can add or remove people as needed.
    Here is a link about set unique permissions for Folders, you can use as a reference:
    http://www.learningsharepoint.com/2012/08/24/sharepoint-2013-set-unique-permissions-for-folders-and-documents/
    Best Regards,
    Lisa Chen
    TechNet Community Support

  • SharePoint 2013 SP1 on Windows 2012 R2

    Hello all,
    Excited as I was to finally get the slip-streamed version of SP 2013 with SP1 so I could install it on Windows 2012 R2 I'm having trouble installing the pre-requisites.
    I've found this article here -
    http://support.microsoft.com/kb/2765260/en-gb - but the resolution won't work. The update (KB2771431) won't install on 2012 R2 and the manual fix fails even though I am connected to the internet.
    Has anyone successfully installed SP 2013 SP1 on 2012 R2 ?
    Thanks

    Hi etala,
    Please install Windows Server AppFabric manually.
    Here are some  links, please take a look at:
    http://blogs.technet.com/b/praveenh/archive/2013/02/22/sharepoint-2013-prerequisites-fails-with-msi-installer-error-code-1603-while-installing-appfabric-1-1.aspx
    http://social.technet.microsoft.com/wiki/contents/articles/14582.sharepoint-2013-install-prerequisites-offline-or-manually-on-windows-server-2012-a-comprehensive-guide.aspx
    http://www.spjeff.com/2012/07/19/fixed-sharepoint-2013-setup-error-appfabric-is-not-correctly-configured/
    I hope this helps.
    Thanks,
    Wendy
    Forum Support
    Wendy Li
    TechNet Community Support

  • "External Data Refresh Failed" in Excel Workbook in SharePoint 2013

      Hi Everyone,
    I hope someone can help me sort this out. I wasn't sure if this should be submitted to SQL Server 2012 or SharePoint 2013 but I think I have ruled out an actual SQL issue here.
    I have a test SharePoint 2013 Farm installed on one server.  On that server we have SQL Server 2012 Standard (Database Engine Only) installed as one instance for SharePoint 2013.  SharePoint 2013 is installed as Enterprise. 
    On another server I have SQL Server 2012 Enterprise installed I have both the Database Engine and Analysis Services installed on that server in one Instance.
    I have created a new Analysis Services Cube and stored it on that server using VS 2012 Data Tools.   I then use Office 2013 Excel and create a new Pivot Table and bring in that data into that workbook.  I save that workbook to my desktop and
    can click on the DATA tab and do a "Refresh All" and the data is refreshed with no problem. 
    I then Save that Workbook to SharePoint 2013 in my Business Center documents library. I then try to do a Data Refresh and get the following error: External Data Refresh Failed. We were unable to refresh one or more data connections in the workbook. The following
    connections failed to refresh: servername ConnectionName.
    Let me tell you a little bit about how I have my SharePoint 2013 setup.
    In Application Management ==> Secure Store Service - I have a Target Application Id setup with an AD account name and password.
    In Application Management ==> Excel Services Application Settings - I am using an Unattended Service Account that is pointing to the Target Application ID that I set up in Secure Store Service.
    Now in SQL Server 2012. I have made the AD account name and password a SYSADMIN account (because nothing seemed to work) and mapped that login to my Database that I created my cube from.
    I have gone into the Properties of my Analysis Server on SQL Server 2012 and put that AD userid in the Security Page as a Server Administrator.
    Now let me tell you the real kicker here. 
    I also have a Sharepoint 2010 farm that we have been testing for about a year.  This is something we wanted to go into production with but now have decided we will deploy our new production site on 2013. 
    This has the same setup only I am using SQL Server 2008 R2 as my database for SharePoint 2010, and am using SQL Server 2008 R2 on another server and instance for Database Engines and Analysis Server. 
    I have already created a cube on the SQL 2008 r2 Analysis Server using BIDS.
    I created a Excel Pivot Table based on that cube and save it to the SharePoint 2013 site.  
    I then put the SSS AD account name on the SQL Server 2008 Analysis Services Security as Administrator.
    I pull up that Excel Workbook and go into Data and do a Refresh All and it works. 
    I then bring up my copy of the Excel workbook I created for my SQL Server 2012 Cube (this does not work on SP 2013) and save it to my Business Center in SP 2010.  This will do a DATA Refresh on that workbook.
    Another thing that I have done, (we have Office Web Apps Server running on the SP 2013 side), is set SPWOPISuppressSetting -view -extension xlsx so that when I bring up the Excel spreadsheet in 2013 it has a url with the xlviewer instead of the WOPI 
    url.
    OK.  I have gone through all of my setup.   I am just wondering if I missed something in my install for this.  HELP.   There can't be that much difference in the installation between 2010 and 2013.
    Thanks in Advance everyone.

    After many hours of research and totally burning down my SQL Server 2012 server because of the many changes I made to it, I finally found the issue that caused this and specifically why SP would not work with SQL Server 2012 Analysis Services.  This
    time I reinstalled SQL Server 2012 from scratch again but only put SP1 on at this time.  I can't be completely sure this fixed the issue since I have not put any of the other CU  on the box.  But, after the reinstall, everything seemed to work
    perfectly from the Excel Services side.
    The issue I then ran into was that I could not get my PerformancePoint Services to work with my Cubes that were created on SQL Server 2012.  I received Error Message " The DataSource Provider for data sources of type 'ADOMD.NET' is not registered" on
    my SharePoint 2013 Server Event Viewer. 
    I finally found this post on the issue: 
    http://yossidahan.wordpress.com/2012/08/14/cant-get-ssas-databases-to-appear-in-performance-point-dashboard-designer-check-you-adomd-net-version/
    Seems that SP 2013 is built to use SQL Server 2008 R2 Analysis Services, so you need to install the ADOMD.net from SQL Server 2008 in order for it to work.   But make sure you install Version 10 since if you install any other it doesn't seem to
    work. 
    I feel like I wasted a whole month tracking these issues down, and I haven't been able to test PowerView, PowerPivot or SSRS yet.  I hope there is not any more. 

  • 14 hive folder in SharePoint 2013 environment?

    Hi, I have two separate standalone SharePoint 2013 setup one is development and one is production.
    My problem is when I go to “C:\Program Files\Common Files\microsoft shared\Web Server Extensions\14” location in development server then I see below folders as per below screenshot:
    But if I go to Production server then having only below folders:
    Even if I go to “14\TEMPLATE\controltemplates” folder in Production then all the ASCX files are not there but in Development all default ASCX files are available.
    Why this mismatch in Production and development?
    How to match my Production and development?

    Hi,
    I would be concerned that you may be missing additional files as well, you should have the 7 top level Folders that you show in your first screen shot on all SharePoint 2013 Servers. You should repair the PRD installation.
    Also, why would you use the Stand Alone installation for production. A better approach would be to download the SQL 2012 SP1 Express Edition with Tools and install SharePoint using the Complete installation. However, this is not the reason you are missing
    the folders...
    -Ivan

  • Windows Updates for SharePoint 2013 Environment

    Hi
    I created a virtual machine for SharePoint 2013 development by following the steps mentioned below.
    --Install Windows Server 2008 R2
    --SQL Server 2008 R2
    --SP2 for SQL Server 2008 R2
    --SP1 for Windows Server 2008 R2
    --SharePoint 2013 Pre-Requisites
    --SharePoint 2013 Setup
    --SharePoint 2013 Designer
    --Installed March and August 2013 Cumulative Updates for SharePoint 2013
    --Installed SP1 for SharePoint 2013
    I want to ask: do I need to install Windows Updates after installing the different updates I mentioned above? Every now and then the Windows Updates message keeps popping up, and I didn't install Windows Updates yet.
    Why is it necessary, or what impact would Windows Updates have on my environment if I need to do it?

    Windows Updates cover security updates as well as stability improvements, and so on. You're simply patching SharePoint and SQL in the above case.
    It should be noted that any SharePoint patches that come down through Windows Update need to be manually handled as you'll need to run the Config Wizard (e.g. MS14-022 and MS14-050 which are SharePoint updates).
    When you're installing SharePoint 2013, you only need to install SP1 if that is your target. There is no requirement to install March 2013 or August 2013.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • SharePoint 2013 Active Directory Groups represented as c:0+.w| SID in UserInformation list instead of c:0+.w|Domain\Groupname

    Hi
    We are running on SharePoint Server 2013. When we add AD groups as permissions, we see that the group name is being displayed properly in the permissions. Whereas when I click on the group name I see the SID with the SharePoint-specific claims characters,
    instead of domain\groupname. I understand that the claims characters are because of claims mode. But I expected domain\groupname instead of the SID. Is this the right behaviour?
    When I call SiteData.GetContent web service, I get the SID of the group name instead of the domain\groupname.
    Can someone please clarify?
    Thanks
    Naga

    Hi,
    Yes, the identity claim for an AD group is based on the SID of the group. The claim encoding for an Active Directory group consists of the following sections:
    c:0+.w|<SID>
      • "c" for a claim other than identity
      • "+" for a group SID
      • "." for a string
      • "w" for a Windows claim
    More information:
    http://www.sharepointfire.com/MyBlog/2013/11/get-ad-group-identity-claim-in-sharepoint-2013/
    Thanks,
    Dennis Guo
    TechNet Community Support
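
To get from the `c:0+.w|<SID>` form described in the answer above back to `Domain\Groupname`, the encoded login can be split into its parts and the SID translated with the .NET `SecurityIdentifier` class. This is an added example, not code from the thread; `ConvertFrom-SPClaimLogin` is a hypothetical helper name, the sample logins are constructed, and the `i` and `#` characters come from the common `i:0#.w|DOMAIN\user` form rather than from this page.

```powershell
# Added example: split a claims-encoded login into the parts listed above and,
# for Windows group-SID claims, resolve the SID to DOMAIN\GroupName.
# ConvertFrom-SPClaimLogin is a hypothetical helper name, not a SharePoint cmdlet.
function ConvertFrom-SPClaimLogin {
    param([Parameter(Mandatory = $true)][string]$EncodedLogin)

    # Layout: <i|c> ':' '0' <claim type> <value type> <issuer> '|' <value>
    $pattern = '^(?<kind>[ic]):0(?<type>.)(?<vtype>.)(?<issuer>[a-z])\|(?<value>.+)$'
    $m = [regex]::Match($EncodedLogin, $pattern)
    if (-not $m.Success) { throw "Not a claims-encoded login: $EncodedLogin" }

    # Only the characters discussed in the thread, plus "i" and "#" from the
    # i:0#.w|DOMAIN\user form; any other character is reported as unknown.
    $kinds   = @{ 'i' = 'identity claim'; 'c' = 'claim other than identity' }
    $types   = @{ '#' = 'user logon name'; '+' = 'group SID' }
    $vtypes  = @{ '.' = 'string' }
    $issuers = @{ 'w' = 'Windows' }
    $lookup  = {
        param($table, $key)
        if ($table.ContainsKey($key)) { $table[$key] } else { "unknown ('$key')" }
    }

    $kind   = $m.Groups['kind'].Value
    $type   = $m.Groups['type'].Value
    $vtype  = $m.Groups['vtype'].Value
    $issuer = $m.Groups['issuer'].Value
    $value  = $m.Groups['value'].Value

    # A Windows group claim carries the group's SID; ask Windows for its name.
    $resolved = $null
    if ($type -eq '+' -and $issuer -eq 'w') {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($value.ToUpperInvariant())
            $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch {
            # Invalid SID text, or a SID this machine cannot map to an account.
            $resolved = '(SID could not be resolved from this machine)'
        }
    }

    [pscustomobject]@{
        Encoded      = $EncodedLogin
        ClaimKind    = (& $lookup $kinds $kind)
        ClaimType    = (& $lookup $types $type)
        ValueType    = (& $lookup $vtypes $vtype)
        Issuer       = (& $lookup $issuers $issuer)
        Value        = $value
        ResolvedName = $resolved
    }
}

# Constructed sample values: S-1-5-32-544 is the well-known BUILTIN\Administrators SID,
# and example\jdoe is a made-up account.
'c:0+.w|s-1-5-32-544', 'i:0#.w|example\jdoe' |
    ForEach-Object { ConvertFrom-SPClaimLogin -EncodedLogin $_ } |
    Format-List
```

Domain group SIDs resolve only when the machine running the function can reach a domain controller for that domain.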

  • SharePoint 2013 permissions for each user

    I am working on my own SharePoint 2013 test site and I need to grant permission to the test accounts. I want to make certain the 3 test accounts can not see the lists, files, and workflows that the other users created.
    Do I need to grant permission at the site level, user level, custom list level, for each workflow, and/or for each custom form? Do I invite each user and/or 'share' with each user? Can you tell me and/or point me to a source that will tell me what level
    of permission I need and how to grant this type of permission?

    Wendy,
    In SharePoint, you can grant permission at any level you want. That permission will carry forward by default until someone breaks it and configures unique permissions.
    In the ideal case, we recommend using a share security group to grant permission and not granting it to individual users. Also try to restrict the 2 default site groups (Owner/member/viewer) as much as possible, but in reality ppl break these rules often and eventually end up
    with maintenance overhead.
    I would recommend that you and everyone go through this nice ppt, which clears up the SharePoint permission idea in our mind.
    Here you go - SharePoint Permissions Worst Practices
    Please 'propose as answer' if it helped you, also 'vote helpful' if you like this reply.
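
To see where a site already departs from the group-based approach recommended in the reply above, the role assignments on the site and on every list with unique permissions can be listed. This is an added example, not code from the thread; the site URL is a placeholder assumption and `Get-DirectUserGrant` is a hypothetical helper name.

```powershell
# Added example: report permissions granted directly to individual accounts
# rather than through SharePoint groups or AD groups.
# Placeholder (assumption): $SiteUrl. Run in the SharePoint 2013 Management Shell.
param([string]$SiteUrl = 'http://sharepoint.example.local/sites/test')

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Hypothetical helper: emits one row per individual account with a real grant.
function Get-DirectUserGrant {
    param($SecurableObject, [string]$Scope)

    foreach ($assignment in $SecurableObject.RoleAssignments) {
        $member = $assignment.Member
        # SPUser covers both people and AD groups; IsDomainGroup tells them apart.
        if ($member -is [Microsoft.SharePoint.SPUser] -and -not $member.IsDomainGroup) {
            # Limited Access (role type Guest) is assigned automatically by
            # SharePoint, so it is not counted as a deliberate grant.
            $levels = @($assignment.RoleDefinitionBindings |
                Where-Object { $_.Type -ne [Microsoft.SharePoint.SPRoleType]::Guest } |
                ForEach-Object { $_.Name })
            if ($levels.Count -gt 0) {
                [pscustomobject]@{
                    Scope   = $Scope
                    Account = $member.LoginName
                    Levels  = ($levels -join ', ')
                }
            }
        }
    }
}

$web = Get-SPWeb -Identity $SiteUrl -ErrorAction Stop
try {
    $findings = @(
        Get-DirectUserGrant -SecurableObject $web -Scope "Site: $($web.Url)"
        foreach ($list in $web.Lists) {
            # Only lists with broken inheritance can differ from the site.
            if ($list.HasUniqueRoleAssignments) {
                Get-DirectUserGrant -SecurableObject $list -Scope "List: $($list.Title)"
            }
        }
    )

    if ($findings.Count -eq 0) {
        Write-Output 'No permissions are granted directly to individual accounts.'
    }
    else {
        $findings | Sort-Object Scope, Account | Format-Table -AutoSize
    }
}
finally {
    $web.Dispose()
}
```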

  • SharePoint 2013 Workflow (SPD 2013) fails for Active Directory Group members

    Hi
    I have a SharePoint 2013 site called "Team Meetings". There are a number of lists and an InfoPath form library.
    The site's SharePoint Group "Team Meeting Members" has two Active Directory groups (All Club Managers and All Club Police) as members. Those two AD groups contain all the people that I want to have  access to the library and list, except for
    a few additional folk who I have made individual members. 
    My PROBLEM:
    I  have created a SharePoint 2013 Workflow using SPD 2013 associated with the  Form Library. Workflow is set to start on new or modified item. The first action is to write to history list, then determine the status (Submitted or Pending) of
    the form and go to different Stages depending on that status.
    The workflow works perfectly for any user who has been added directly to the SharePoint group (Team Meetings Members) BUT FAILS at the very first action for anyone who is a member of one of the AD groups. I know the Workflow is fine because I've tested it
    with numerous people who are direct members of the SharePoint Group, but whenever a person who is a member of the AD group tries it the Workflow just fails.
    Here's a print of the info from the Workflow Status page (I don't have access to server logs):
    RequestorId: 4494760f-92ff-2e8c-90d2-cc7df0e6baa4. Details: System.ApplicationException: HTTP 401 {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"SPRequestGuid":["4494760f-92ff-2e8c-90d2-cc7df0e6baa4"],"request-id":["4494760f-92ff-2e8c-90d2-cc7df0e6baa4"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"MicrosoftSharePointTeamServices":["15.0.0.4420"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1;
    RequireReadOnly"],"Cache-Control":["max-age=0, private"],"Date":["Mon, 10 Mar 2014 01:31:42 GMT"],"Server":["Microsoft-IIS\/8.0"],"WWW-Authenticate":["NTLM"],"X-AspNet-Version":["4.0.30319"],"X-Powered-By":["ASP.NET"]}
    The HTTP response content could not be read. 'Error while copying content to a stream.'. at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance
    instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor 
    Members of the SharePoint Group "Team Meetings Members" have Contribute Access to both the form library and another list that the workflow writes to as well as the Workflow History list (which in SP 2013 uses the credentials of the
    user who started the workflow, unlike 2010 which used System Account).
    All members of the Team Meetings Members group, whether they are individual members or part of one of the AD groups, have no problems opening and saving forms etc. It's just the Workflow that doesn't like them...
    I am stumped. I've spent many hours searching for a reason for this. There are about 200 people in the two AD groups so I really don't want to have to add them all individually - especially when these groups are managed in AD for a whole bunch of other reasons
    and using the AD groups means I'll basically never have to worry about modifying the SharePoint access permissions.
    Does anyone have any ideas why this is happening and what I can try to fix it?
    Mark

    Hi Lars,
    I'm afraid not so far but we are trying a few things today so I will post back with results.
    First thing we are doing is making the AD Group universal because one of our (external provider) gurus remembers seeing something about that. He also sent me a link to a post where they were talking about earlier
    versions but having similar issues and their solution was to make sure the app pool account has sufficient permissions in AD:
    http://social.msdn.microsoft.com/Forums/sharepoint/en-US/27a547da-5cc0-49d7-8056-6eb40b4c3242/failed-to-start-workflow-access-is-denied-exception-from-hresult-0x80070005-eaccessdenied
    This part of that thread looks interesting but we haven't checked it yet as we're trying the universal setting first:
    "If the users participating in the workflows have been added to the SharePoint site via Active Directory groups, SharePoint has to update the user’s security token periodically by connecting to
    the domain controller. By default, the token times out every 24 hours. But if the application pool account did not have the right permissions on the domain controller to update the user’s token, user will keep getting the access denied error. The error was
    intermittent because when the user browsed to any page other than the workflow form, the token was getting updated successfully.
    You can try to fix it through granting the application pool account the appropriate permission by adding the account to the group “Windows Authorization Access Group” in Active Directory."
    I'll update when we try these ideas. If you have any luck please do the same.
    Mark
    (sorry about formatting - using my phone....)
    Mark

  • AD security group issues in SharePoint 2013 Integrated Mode

    Hello,
    Sorry if this is the wrong forum, I'm not sure if this is a SharePoint issue or a Reporting Services configuration issue (or if it should be in a SharePoint forum regardless).
    I have SSRS2012 on SharePoint 2013 in integrated mode. We are doing item level permissions, which means we have an AD security group Reports-All with
    Read to the Reports document library, then each actual report has unique permissions. We have a report with the ProjectManagers AD
    security group on it with Read (plus some other stuff to let them manage subscriptions), and another AD security group ProjectUsers with
    just Read access so they can open the reports. The data source used by this report has the AD security group I mentioned before, Reports-All,
    with Read.
    At a SharePoint level, things appear to work. When a user in ProjectManagers or ProjectUsers browses
    to the library, they see only the 3 reports that those two security groups have permission to see (out of a lot more in the library). That means SharePoint is reading those security group memberships correctly as far as I can tell.
    The issue is when a user in ProjectManagers or ProjectUsers clicks
    on a report, they get a reporting server based error message, and the ULS logs have an error specific to the user trying to run the report.
    Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'MyDomain\MyUser' are insufficient for performing this operation. (Fault Detail is equal to Microsoft.ReportingServices.ServiceContract.RsExceptionInfo)
    If I add that specific user with Read permissions to the report and the data source, they are then able to run the report without errors. It seems like some Report Server component is not liking the fact that I'm using security groups. 
    Has anyone seen this behavior with AD security groups? Any ideas on why my environment does not want to work properly with those even though AD security groups are working fine for other non-Reporting Services files?
    Thanks,
    Aaron

    Hi aaronzott,
    According to your description, you configured SSRS 2012 of SharePoint integrated mode. You added read permission to reports and data source to AD security group Reports-All, then added just read permission to ProjectManagers and ProjectUsers groups. When
    users in ProjectManagers or ProjectUsers groups click report, the error message occurred. After you added Read permissions to the report and the data source to the groups, they can preview the report without errors.
    Report definition permissions are defined through List permissions on the library that contains the report, but we can set permissions on individual reports if we want to restrict access. Set properties on a report including data source connection information,
    processing options, and parameter properties. Edit Items on the library that contains the report or on the individual report. We also need to have view permissions on a shared data source (.rsds) to select it for use with the report.
    For more information about Set Permissions for Report Server Operations in a SharePoint Web Application, please refer to the following document:
    http://msdn.microsoft.com/en-us/library/bb326286(v=sql.110).aspx
    If you have any more questions, please feel free to ask.
    Thanks,
    Wendy Fu
