Microsoft SharePoint 2010 Administration: Farm Governance

by Peter Serzo | January 2011

This article by Peter Serzo, author of Microsoft SharePoint 2010 Administration Cookbook, covers different items that relate to managing SharePoint 2010. These recipes will be implemented based on guidance from your organization. The recipes support the rules that govern your organization, such as how to restrict web parts or set up a managed account. Governance is a large topic on its own. There are books dedicated solely to this topic. What is being covered in relation to governance are ten items that, when used, make your life as an administrator a bit easier.

In this article we will cover:

  • Administering SharePoint Designer
  • Configuring a Managed account
  • Creating a new policy for web application
  • Configuring Resource Throttling (large lists)
  • Installing a feature and activating it
  • Restricting web parts access in the farm

 


An administrator's job is akin to being the Marines. They are the first ones to be called when there is an issue with SharePoint. Nothing gets done without their knowledge. Typically, the administrator has to decide who to bring in when an issue needs to be addressed. Additionally, administrators deal with management, end users, developers, and the power users.

The recipes in this article teach and expose useful and common functionality found in SharePoint 2010. The intent of the recipes is to create a SharePoint Farm environment that is efficient and monitored. For example, large lists have always been an issue in SharePoint in the past, with little or no support to address it out of the box. This is directly related to the performance of your SharePoint installation. This article has a recipe on a new functionality, throttling large lists.

PowerShell is a critical tool for the SharePoint Administrator. While the recipes may only show how to use the commands at a granular level, they may be combined to create powerful administrator scripts. As a result, many of the tasks that are performed today can be automated and collected at a macro level. After reading this chapter, think about how these techniques can be combined.

Administering SharePoint Designer

SharePoint Designer 2010 is a powerful tool that helps create rapid solutions using SharePoint. As the tool is free, any user can download and access its functionality. By connecting to a SharePoint site, users can freely make significant changes to the site. This includes the look and feel of the site, workflow, and connecting to external sources.

The issue with this amount of power is the havoc that can be done by creating customizations that inadvertently tax the SharePoint Server(s). The end result may be a degradation of the responsiveness of the SharePoint farm, adversely affecting the performance of the site.

Let's look at the preceding paragraph in terms of a real workflow as an example. Workflows are very popular and can be done out of the box with SharePoint Designer. Zach's trucking company hauls product all over the country. They get their work responding to a Request for Quotation. They can get up to ten RFQs per day.

The requirement is that when an RFQ document gets uploaded, several tasks are created in a separate list for multiple people. Using the task list, they can determine when the document is ready to be sent out.

The workflow can be created in SharePoint Designer (SPD) out of the box. If the person using SharePoint Designer is not well-versed in creating workflows, it is possible that he/she might create long running tasks and infinite loops. Over time, the farm performance will degrade. This is because at the heart of SharePoint, every call made goes back to the SQL database. An infinite loop could cause a list to become quite large.

A different issue has to do with usability and standards. As users with proper permissions can modify look and feel of individual sites, they can deviate from corporate standards. Multiply this capability with the number of users in your organization, and you will realize there is a very real issue with governance of sites in general.

SharePoint 2010 has a solution for these problems that can either limit a user's capability in their site or take it away completely. This recipe shows you how and where to do this within SharePoint.

Getting ready

You must have farm level administrative permissions to the Central Administration site.

How to do it...

  1. Open up the SharePoint 2010 Central Administration website.
  2. Click Application Management. Under the Web Applications section, click Manage Web Applications.
  3. The available web applications will be listed. Click to the right of the web application you wish to manage. The entire line will turn blue and the ribbon will light up. If you have installed SharePoint into the default instance, it may look like the following screenshot:

  4. On the ribbon, there is a button called General Settings. Click on that button and select the SharePoint Designer option from the drop-down list that appears.
  5. The following screenshot appears:

    Fill in the required information:

    • Allow SharePoint Designer to be used in this Web Application: Unchecking this box will disable SPD for the entire web application.
    • Allow Site Collection Administrators to Detach Pages from the Site Template: Once this option is unchecked, Site Administrators will not be able to detach pages and modify them via SPD.
    • Allow Site Collection Administrators to Customize Master Pages and Layout Pages: If it is unchecked, Site Administrators will not be able to customize pages via SPD.
    • Allow Site Collection Administrators to see the URL Structure of their Web Site: If unchecked, it will not allow Site Collection Administrators to manage the URL structure via SPD.

How it works...

SharePoint Designer is a client application that is installed on the user's desktop. This recipe shows how to disable SPD from working at a web application level.

There's more...

The Site Collection Administrator can also modify the way SharePoint Designer works. To accomplish this:

  1. Open up the Site Collection screen and click Site Settings.
  2. In the section under Site Collection Administration, there is an entry called SharePoint Designer Settings; select that.
  3. The following form appears:

    The sections are self-explanatory.

If the Farm Administrator limits SPD access at the Central Administration level (as shown earlier in the recipe), the changes are reflected in red color on the form, with a message as seen in the following screenshot:


Configuring a Managed account

A Managed account in SharePoint is an account that is completely managed by Active Directory. Service accounts are a prime example. These accounts are typically domain-level accounts that are managed in Active Directory (AD). Being an Active Directory account means it is subject to the policies implemented across the organization. For example, a user may have to change their password every six months. The policy may dictate that the password meet certain criteria such as containing upper case and lower case characters.

The problem with this scenario in SharePoint terms occurs when the password needs to be changed. The service stops working when the password expires. If the account is the identity for multiple services, they stop working too, which potentially brings a working SharePoint installation to a stop.

In many organizations, there is a division of responsibilities that can prohibit the SharePoint Farm Administrator from changing the password of an AD account. The Managed account resolves this issue. SharePoint manages this account and, through central administration, you can register these accounts.

In this recipe, we see how to create and manage an account.

Getting ready

You must have farm-level administrative permissions to the Central Administration site. The account that you are configuring must be set up in Active Directory. It must be an existing AD account.

How to do it...

  1. Open up the SharePoint 2010 Central Administration website.
  2. Click Security.
  3. Under the section titled General Security, select the Configure managed accounts option.
  4. Click Register Managed Account. The following form appears:

    Fill in the required information:

    • User name: Supply the AD account. It does not have to be prefaced with the domain.
    • Password: This must match the account password in AD.
    • Enable automatic password change: Checking this will allow you to set the time and notifications by e-mail.

    When finished filling the required data, click OK. The account is now added.

How it works...

When the account is added as shown in the recipe, its credentials are now managed and stored within SharePoint. SharePoint 2010 can leverage the AD policies to automatically reset passwords.

Once the account is in SharePoint, it is encrypted using the farm encryption key that was specified when the farm was created based on the passphrase. A key benefit of using managed accounts is the ability conferred upon the Farm Administrator to join machines to the farm without specifying the credentials.

There's more...

PowerShell can be used to do anything you can do through the Central Administration user interface.

PowerShell: Get a listing of managed accounts

Get-SPManagedAccount

PowerShell: Create a new account

New-SPManagedAccount

PowerShell: Set

Set-SPManagedAccount -Identity <identity>

PowerShell: Delete a managed account

Remove-SPManagedAccount

More info

You cannot use the Central Administration UI to assign local accounts to be managed accounts. This is achievable, but only through PowerShell.
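
The following is an added example, not code from the book: it uses Get-SPManagedAccount to report managed accounts that SharePoint is not rotating automatically or whose password is about to expire, and Set-SPManagedAccount to switch one over to automatic change. The function names, the 14-day review window, and the schedule values are assumptions made for this example.

```powershell
# Added example (not from the original article).
# Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ManagedAccountReport {
    param(
        [int]$WarnDays = 14   # assumption: review window chosen for this example
    )
    $now = Get-Date
    foreach ($account in Get-SPManagedAccount) {
        # Whole days until the AD password expires (negative if already expired)
        $daysLeft = [int][math]::Floor(($account.PasswordExpiration - $now).TotalDays)

        $finding = 'OK'
        if (-not $account.AutomaticChange) {
            if ($daysLeft -le $WarnDays) {
                # The services running under this account stop when it expires
                $finding = 'Expires soon and SharePoint will not change it'
            } else {
                $finding = 'Automatic password change is disabled'
            }
        } elseif (-not $account.EnableEmailBeforePasswordChange) {
            $finding = 'Automatic change without e-mail notification'
        }

        New-Object PSObject -Property @{
            UserName        = $account.Username
            AutomaticChange = $account.AutomaticChange
            ChangeSchedule  = $account.ChangeSchedule
            DaysToExpiry    = $daysLeft
            Finding         = $finding
        } | Select-Object UserName, AutomaticChange, ChangeSchedule, DaysToExpiry, Finding
    }
}

function Enable-ManagedAccountRotation {
    param(
        [Parameter(Mandatory = $true)][string]$Identity   # e.g. DOMAIN\account
    )
    # Let SharePoint generate a new password 5 days before expiry, inside a
    # monthly maintenance window, and send a notification 10 days ahead.
    # The numbers and the window are example values, not recommendations
    # taken from the article.
    Set-SPManagedAccount -Identity $Identity -AutoGeneratePassword:$true `
        -PreExpireDays 5 -EmailNotification 10 `
        -Schedule 'monthly between 7 02:00:00 and 7 03:00:00'
}

# Show only the accounts that need attention
Get-ManagedAccountReport | Where-Object { $_.Finding -ne 'OK' } | Format-Table -AutoSize
```

E-mail notification only works when outgoing e-mail is configured for the farm.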

Creating a new policy for a web application

There are times when it is critical for the Farm Administrator to designate security policies for a web application. An administrator can do this from Central Administration and it overrides security implemented at the site collection and at sub-site level.

The following are some useful scenarios where this may be implemented:

  • Enterprise organizations need to designate at least one person as the Site Administrator. Once assigned, they are now the administrator of the web application. This is not to be confused with the Farm Administrator or a Site Collection Administrator.
  • When bringing sites online, it is advantageous to set up security to deny access to all users. Allow access to only those users who are your beta users. After the site is live, you can remove these restrictions.

In this recipe, we will show how to create a new policy and then add users to it.

Getting ready

You must have farm-level administrative permissions to the Central Administration site. There must be a web application set up.

How to do it...

  1. Open up the SharePoint 2010 Central Administration website.
  2. Click Application Management.
  3. Under the first section named Web Applications, click Manage web applications.
  4. Click the web application and see the ribbon light up. The rightmost button is Permission Policy; click on it. Refer to the next screenshot:

  5. A pop-up form appears, click Add Permission Policy Level.
  6. The following screen appears:

    The list is comprised of five components:

    • Name: Create a name for the permission level with a description.
    • Site Collection Permissions: Selecting the Administrator option automatically grants read and write access to everything. Selecting Auditor for the site collection gives read access to everything.
    • List Permissions: Granular control to deny or grant rights over objects at a list level.
    • Site Permissions: Granular control to deny or grant rights over objects at a site level.
    • Personal Permissions: Gives the users in this policy control over personal views and web parts.

    For the purposes of this recipe, do not select site collection administration or auditor. Check Grant All. Click Save.

    BetaFinanceTesters now appears in the listing of permissions policy. Click OK.

  7. On the web application page, click User Policy on the ribbon.
  8. A screen is displayed, showing users who have a policy for the web application. Click the Add Users link.
  9. A wizard pop-up is presented. Choose the All zones option from the drop-down list. Click Next.
  10. On the ensuing form:
    • Select a user (or group).
    • Under Choose Permissions, check BetaFinanceTesters.
    • Choose System Settings. Do not check the Account operates as System box.
  11. Click Finish.

How it works...

This recipe is broken into two parts:

  • Setting the permissions policy: In steps 4 to 8, we defined a custom policy that was consequently saved in SharePoint. This policy defines the rights of the users that will belong to it. It is associated with the web application chosen.

    In our recipe, we showed how to add a policy. By clicking on an existing policy, it can be edited. There is also an option to delete the policy.

  • Designating users to that policy: In steps 9 to 11, we are selecting users or group accounts and then assigning the custom permission level to them.

    Users can also be deleted or their permissions edited via step 9.

There's more...

You cannot utilize SharePoint groups with Policy for web applications. However, you can use groups from Active Directory.
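
Because a web application policy overrides the security set at site collection and sub-site level, it is worth reviewing who holds one. The following added example (not code from the book) lists the all-zones user policies of every web application and flags entries that operate as System, carry site collection administrator rights, or use a policy level that grants every permission, as the recipe's Grant All level does. The function name and the finding texts are assumptions made for this example.

```powershell
# Added example (not from the original article).
# Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-WebAppPolicyReport {
    # A policy level created with "Grant All" grants the full permission mask
    $fullMask = [Microsoft.SharePoint.SPBasePermissions]::FullMask

    foreach ($wa in Get-SPWebApplication) {
        # $wa.Policies holds the policies that apply to all zones
        foreach ($policy in $wa.Policies) {
            $levels   = @()
            $findings = @()

            if ($policy.IsSystemUser) {
                # The recipe leaves "Account operates as System" unchecked
                $findings += 'Operates as System'
            }
            foreach ($role in $policy.PolicyRoleBindings) {
                $levels += $role.Name
                if ($role.IsSiteAdmin) {
                    $findings += "'$($role.Name)' gives site collection administrator rights"
                }
                if ($role.GrantRightsMask -eq $fullMask) {
                    $findings += "'$($role.Name)' grants every permission"
                }
            }

            New-Object PSObject -Property @{
                WebApplication = $wa.Url
                User           = $policy.UserName
                DisplayName    = $policy.DisplayName
                PolicyLevels   = ($levels -join ', ')
                Findings       = ($findings -join '; ')
            } | Select-Object WebApplication, User, DisplayName, PolicyLevels, Findings
        }
    }
}

# Review every policy entry; entries with an empty Findings column matched none
# of the three checks above.
Get-WebAppPolicyReport | Format-List
```

After a beta period such as the one described in this recipe, rerun the report to confirm that temporary entries have been removed.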


Configuring Resource Throttling (large lists)

At the very heart of SharePoint are lists. Just about everything in SharePoint is a list. It can be stated that SharePoint content is list driven.

One of the shortcomings of the previous version of SharePoint was that performance began to degrade if a list had more than 2000 items. This doesn't mean that the degradation became noticeable as soon as a list had 2001 items. A SharePoint list could have millions of records. Let's break down exactly what happens when a user requests information from a list.

A user clicks on a link to see the items in a list. It invokes a query back to SQL to pull those items and present them. The query looks at how many columns are on that list and does a "select all" operation. The more columns in a list, the more data that is returned, and the longer it takes to select all of that data because it is number of rows multiplied by number of columns.

Resource throttling is a set of configuration items built into the software to address the issue of performance of large lists and resource contention. The goal is to prevent servers from running out of resources. Setting these parameters will offer better fidelity to your SharePoint installation.

In this recipe we will cover the different parameters and how to configure them.

Getting ready

You must have farm-level administrative permissions to the Central Administration site.

How to do it...

  1. Open up the SharePoint 2010 Central Administration website.
  2. Click Application Management.
  3. Under the Web Applications section, click Manage web applications.
  4. Select a web application (the ribbon will light up).
  5. Click the General Settings dropdown on the ribbon:

  6. Click the Resource Throttling option from the drop-down list. The resulting form has the following components to be configured:
    • List View Threshold: Defaults to 5000.
    • Object Model Override – Yes/No radio buttons. The default value is Yes.
    • List View Threshold for Auditors and Administrators: Defaults to 20000.
    • List View Lookup threshold: Defaults to 6.
    • Daily Time Window for Large Queries: Check this option which, when enabled, allows setting of a start time and a maximum duration.
    • List Unique Permissions Threshold: Defaults to 50000.
    • Backward-Compatible Event Handlers: On/Off radio buttons. Defaults to Off.
    • HTTP Request Monitoring and Throttling: On/Off radio buttons. Defaults to On.
    • Change Log: Defaults to 60 days after which log entries are deleted. Can be set to Never.

    After making changes to any component(s), click OK.

How it works...

Resource throttling is performed at the web application level. The configuration applies to all site collections and sites under the web application. Throttling can be completely disabled in Central Administration for a web application, as seen in the parameter HTTP Request Monitoring and Throttling.

By default, resource throttling checking is on, which enables a timer job that runs every five seconds. This job checks the state of server resources against the performance counters. If that check comes back with a failure three times in a row, a throttling state will be enabled. The server will stay in this state until a successful check is performed.

While in a throttled state, users may see a 503 Server is busy screen. Users will need to refresh their screen to see if their request has completed.

The resources that are checked by default are Server CPU, Memory, Request in Queue, and Request Wait Time.

The List View Threshold is the number of items that can be returned to a user. By default, this is 5000 items.

The List View threshold for Auditors and Administrators is the number of items that can be returned to an administrator or power user. The default is 20000 items.

List View Lookup Threshold is the maximum number of fields with the type called Lookup in a list. Lookups are database intensive. The default is 8.

List Unique Permissions Threshold is when inheritance is broken on a list and granular permissions are involved. Item-level permissions have potentially severe consequences on database performance and must be considered and planned carefully.

There's more...

PowerShell can be used to view, set, and enable/disable resource throttling.

PowerShell: View list of Performance Counters

Get-SPWebApplicationHttpThrottlingMonitor -Identity <identity>

PowerShell: Set Performance Counters

Set-SPWebApplicationHttpThrottlingMonitor -Identity <identity> -Category <category> -Counter <counter> -Instance <instance> -MaxThreshold <maxthreshold> -MinThreshold <minthreshold>

PowerShell: Disable Resource Throttling

Disable-SPWebApplicationHttpThrottlingMonitor -Identity <identity>

PowerShell: Enable Resource Throttling

Enable-SPWebApplicationHttpThrottlingMonitor -Identity <identity>

More info

Server CPU, Memory, Request in Queue, and Request Wait Time are monitored by default. A new performance counter has to be added via the object model. The counters that are used can be obtained via the Performance Monitor application on the server.

Here is an example of how to configure the Processor Time:

# Look up the web application by its URL (replace with your own URL)
$uri = New-Object System.Uri("http://yourwebsite")
$webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup($uri)
# Add a monitor for total processor time, then save the change
$httpthrottlesettings = $webApp.HttpThrottleSettings
$httpthrottlesettings.AddPerformanceMonitor("Processor", "% Processor Time", "_Total", 70, 0)
$httpthrottlesettings.Update()

Installing a feature and activating it

One of the tasks that inevitably fall upon a SharePoint Administrator is the process of installing features and solutions. Features are solutions typically written by developers. They perform a business function such as workflow or a web part.

With the advent of the SharePoint 2010 Sandbox, Site Collection Administrators can upload and maintain features. However, there are many situations in which a Farm Administrator needs to install a farm-wide feature.

Deploying a feature can be done through Visual Studio, but when implementing on production servers, this is not the way to install a feature. A feature in production should be installed by an administrator and this implies the use of PowerShell.

This recipe shows how to install a farm-wide feature and activate it.

Getting ready

  1. Click on the Start button on the web front-end.
  2. Under All Programs, navigate to the folder named Microsoft SharePoint 2010 Products.
  3. Right-click on SharePoint 2010 Management Shell and select Run as Administrator. The PowerShell console will appear.
  4. Install the feature by typing the following into the console window:

    Install-SPFeature -path "helloworld"

    Press the Enter key.

  5. Activate the feature by typing in the following command:

    Enable-SPFeature -identity "helloworld" -URL http://sharepoint2010

    Press the Enter key.

How it works...

The feature is installed on a web front-end server in the \14\template\features\<features path> folder. If the file is not there when doing the install, an error message will be displayed.

Features are best wrapped in a solution file. Solution files can be installed across a farm, which is efficient when dealing with a multi-server topology. It also can be installed to the Sandbox. In the recipe that was just presented, the feature was already deployed.

The following is how to install and deploy a solution file called helloworld.wsp:

  1. Install the solution by typing the following command in the console window:

    Add-SPSolution c:\temp\helloworld.wsp

    Press Enter.

  2. Deploy the solution by typing in:

    Install-SPSolution -Identity helloworld.wsp -WebApplication http://sharepoint2010 -GACDeployment

    Press the Enter key. The levels at which features can be scoped are shown in the next screenshot:

    A solution file, .wsp, is a cab file that contains the following components:

    • Manifest.xml: This file defines the features (there can be more than one), site definitions, resource files, web part files, and assemblies.
    • Feature.xml: This file defines the location of the assemblies and defines the scope of the feature(s), and any dependencies.
    • Elements.xml: This file contains information about the components being installed.
    • The Assembly (DLL) being installed.

There's more...

To see all the installed features on your organization's farm, use the PowerShell command, Get-SPFeature, with no scope.

Restricting web part access in the farm

Web parts are the components of an organization's site that provide modularity and flexibility. Web parts are ASP.NET server-side modules that are available to be put into a page via a web part zone. The modules perform all different kinds of functions based on an organization's needs.

SharePoint 2010 Enterprise comes with 60+ web parts. In addition, an organization can create their own web parts based on business requirements.

There are two considerations to think about with regards to governance of web parts in the context of this recipe.

  • What a web part can be allowed to do
  • What web parts are available to be put onto a page

Getting ready

You must have farm-level administrative permissions to the Central Administration site.

How to do it...

  1. Open up SharePoint 2010 Central Administration website.
  2. Click Application Management. Under the section Web Applications, click Manage Web Applications.
  3. The available web applications will be listed. Click to the right of the web application you wish to manage. The entire line will turn blue and the ribbon will light up.
  4. On the ribbon, there is a button called Web Part Security; click that. The following screenshot appears:

    • Web Part Connections: The strength of web part connections is that information from one web part can be passed to another web part.
    • Online Web Part Gallery: This is a web part gallery that is either available from Microsoft or one that has been created.
    • Scriptable Web Parts: This will either allow or prevent contributors from adding scripts in a web part. An example of this is JavaScript in a Content Editor web part. Retain the default value.

    Click OK.

How it works...

This recipe shows web part security at a web application level. Everything shown applies to all site collections under the web application. It works as a blanket policy. It is not web part security at a granular level.
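
The SharePoint Designer, Resource Throttling, and Web Part Security recipes all set values per web application, so they can be checked together instead of opening each dialog in turn. The following added example (not code from the book) compares every web application against a baseline and lists only the deviations. The throttling values are the defaults listed in the Resource Throttling recipe; the SharePoint Designer and web part values are a constructed policy for illustration, and the function name and the mapping of dialog options to SPWebApplication properties in the comments are this example's own.

```powershell
# Added example (not from the original article).
# Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Keys are SPWebApplication property names. Replace the values with the
# settings your organization has agreed on.
$Baseline = @{
    # General Settings > SharePoint Designer (constructed example policy)
    AllowDesigner                          = $true
    AllowRevertFromTemplate                = $false   # detach pages from the site template
    AllowMasterPageEditing                 = $false   # customize master and layout pages
    ShowURLStructure                       = $false   # see the URL structure of the site
    # General Settings > Resource Throttling (defaults listed in the recipe)
    MaxItemsPerThrottledOperation          = 5000     # List View Threshold
    MaxItemsPerThrottledOperationOverride  = 20000    # threshold for auditors and administrators
    MaxUniquePermScopesPerList             = 50000    # List Unique Permissions Threshold
    AllowOMCodeOverrideThrottleSettings    = $true    # Object Model Override
    # Web Part Security (constructed example policy)
    AllowPartToPartCommunication           = $true    # Web Part Connections
    AllowAccessToWebPartCatalog            = $false   # Online Web Part Gallery
    AllowContributorsToEditScriptableParts = $false   # Scriptable Web Parts
}

function Compare-WebAppToBaseline {
    param([hashtable]$Expected = $Baseline)

    foreach ($wa in Get-SPWebApplication) {
        foreach ($name in ($Expected.Keys | Sort-Object)) {
            $actual = $wa.$name
            if ($actual -ne $Expected[$name]) {
                New-Object PSObject -Property @{
                    WebApplication = $wa.Url
                    Setting        = $name
                    Expected       = $Expected[$name]
                    Actual         = $actual
                } | Select-Object WebApplication, Setting, Expected, Actual
            }
        }
        # HTTP Request Monitoring and Throttling lives on a child object
        if (-not $wa.HttpThrottleSettings.PerformThrottle) {
            New-Object PSObject -Property @{
                WebApplication = $wa.Url
                Setting        = 'HttpThrottleSettings.PerformThrottle'
                Expected       = $true
                Actual         = $false
            } | Select-Object WebApplication, Setting, Expected, Actual
        }
    }
}

# No output means every web application matches the baseline
Compare-WebAppToBaseline | Format-Table -AutoSize
```

The script only reads settings; changes are still made through Central Administration as shown in the recipes.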

There's more...

There are times when an organization needs to expose certain web parts to targeted users. Another way of saying this is managing which web parts appear in the Web Part Gallery based on a user's role.

The best way to do this is at a site collection level. You must be a Site Collection Administrator to do this.

  1. Create the necessary SharePoint groups and add the appropriate users. Creating a matrix of groups and web parts will facilitate the actual assigning of permissions.
  2. Select Site Actions | Site Settings.
  3. Under the section named Galleries, select Web Parts.
  4. Choose the web part that you wish to change permissions on by clicking the edit icon.
  5. The form that appears has a ribbon with a button called Manage Permissions.
  6. Adjust the permissions to represent the organization's needs.

Summary

In this article we have covered:

  • Administering SharePoint Designer
  • Configuring a Managed account
  • Creating a new policy for web application
  • Configuring Resource Throttling (large lists)
  • Installing a feature and activating it
  • Restricting web parts access in the farm

About the Author:


Peter Serzo

Peter Serzo is an English major from Kent State who started his technical career with EDS out of college. 20 years later, all as a consultant, he is a national speaker on SharePoint, having worked at organizations of all sizes. His next challenge is to bring SharePoint to children and teach them. He has been working with SharePoint since 2003 in companies such as Microsoft, Ford, ADP, and many others throughout the United States. He is a Senior SharePoint Architect for High Monkey Consulting. The name refers to an old Jamaican proverb that means the higher up you go, the more responsible you must be; High Monkey takes pride in its accountability and excellence of work in regards to its clients' needs.
