BM-Bloggers

The blogs of Black Marble staff

Find out what went down in Vegas …

… at the SharePoint Conference 2009. 

Black Marble can bring you the latest news on SharePoint 2010 … want to know what SharePoint Foundation Server is? We can tell you … what did Microsoft announce that will affect your business … come along and find out!  Register for our preview of SharePoint 2010 and find out why there is such a buzz around SharePoint 2010.

Plus don’t forget to register here for our preview of Office 2010 and here for Richard Costall’s Silverlight 3 presentation.

Find out what Black Marble is up to on Twitter.

Adding domain users to a local machine group using GPO

To add domain users to a local machine group using Group Policy, we need to use the Restricted Groups feature.  For the example shown below, I’ll be using a Windows Server 2003 domain functional level.

  1. Create a new global/universal security group in Active Directory to contain the users which you wish to add to the local group on the target machines.
  2. Make the domain users you wish to add to the local group on the target machines members of this new group.
  3. Open Group Policy Editor and navigate to the OU where the target machines reside.  For example, if we have a ‘Desktops’ OU which contains the machines to which we wish to add the domain users, that is the location of the group policy we need to edit or create.
  4. If a Group Policy already exists for the OU selected, edit the Group Policy.  If there is no Group Policy for the OU selected, create a new group policy and then edit it.
  5. Within the Group Policy, navigate to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Restricted Groups
  6. Right-click on either Restricted Groups in the left pane of the Group Policy Management Editor, or in the right pane, and select Add Group.
  7. The ‘Add Group’ window appears:
    [Screenshot: Restricted Groups ‘Add Group’ window]
  8. Click the ‘Browse’ button to open the ‘Select Groups’ window and select the group created in step 1, above, then click OK.  Click OK on the Add group window.
  9. The Properties window for the Restricted Group appears:
    [Screenshot: Restricted Groups Properties window]
  10. The Properties window has two membership areas: ‘Members of this group’ and ‘This group is a member of’.  Adding users to the ‘Members of this group’ option would add domain users to the Active Directory group created in step 1, and would remove any members of that group already there. As we already added the required users to that group in step 2, we shouldn’t need to use this option. Adding group names to the ‘This group is a member of’ option adds the security group and its members to the group(s) specified.
  11. Click Add next to the ‘This group is a member of’ option and enter the names of the local groups you wish to have the domain users added to (e.g. Administrators, Users, Performance Monitor Users etc.) and click OK.
  12. To test that the above steps have worked, log onto one of the target machines, run ‘gpupdate’ from a command prompt and check the local groups specified above for the new members.
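
The two membership areas from step 10 can also be audited from the policy's stored security template. The following is an added example, not part of the original post: it assumes the Restricted Groups settings are read from the GPO's GptTmpl.inf (under SYSVOL in `Machine\Microsoft\Windows NT\SecEdit`), uses a constructed sample with made-up SIDs, and the function name `Get-RestrictedGroupEntry` is hypothetical.

```powershell
# Constructed sample of a GPO security template (GptTmpl.inf); the SIDs are made up.
$sample = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544,*S-1-5-32-558
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1190
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Hypothetical helper (not a built-in cmdlet): reads only [Group Membership].
function Get-RestrictedGroupEntry {
    param([string[]]$Line)
    $inSection = $false
    foreach ($l in $Line) {
        $t = $l.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if ($inSection -and $t -match '^(.+?)__(Memberof|Members)\s*=\s*(.*)$') {
            $group = $Matches[1]
            $kind = $Matches[2]
            $values = @($Matches[3] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            # S-1-5-32-544 is the well-known SID of the local Administrators group.
            $admin = '*S-1-5-32-544'
            $grants = ($kind -eq 'Memberof' -and $values -contains $admin) -or
                      ($kind -eq 'Members' -and $group -eq $admin -and $values.Count -gt 0)
            [pscustomobject]@{
                Group            = $group
                # Memberof = 'This group is a member of': adds to the target groups.
                # Members  = 'Members of this group': replaces existing membership.
                Mode             = if ($kind -eq 'Memberof') { 'Additive' } else { 'Replace' }
                Values           = $values -join ', '
                GrantsLocalAdmin = $grants
            }
        }
    }
}

Get-RestrictedGroupEntry -Line ($sample -split "`r?`n") |
    Format-Table Group, Mode, GrantsLocalAdmin, Values -AutoSize
```

To audit a real policy, pass the output of `Get-Content` on that GPO's GptTmpl.inf instead of the sample; any row with GrantsLocalAdmin set is a group that the policy places in local Administrators on every machine in the OU.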

Microsoft SharePoint Conference 2009: Day 4

Today’s highlights from the sessions I attended:

  • One of the new features of SharePoint 2010 is Access Services – we at Black Marble have been doing some work using Access Services (see Richard’s blog post for more details, along with the Access 2010 demo on Channel9), which Robert and I presented during the first session of the day.  The talk was received well, with a number of people wandering over to me during the rest of the day to let me know they liked it.
  • The number of management packs for System Center Operations Manager required to monitor SharePoint 2010 has been reduced to precisely one!

Microsoft SharePoint Conference 2009: Day 3

A few more highlights from the sessions I saw:

  • The new taxonomy services in SharePoint 2010 look superb. The ability to be able to centrally define terms for use by the end users, along with allowing both open (i.e. read-write to the end user) and closed (i.e. read-only to the end user) term stores looks very promising indeed.
  • Some more of the new features of SharePoint Designer 2010 were demonstrated, including the ability to highlight those sections of a masterpage which when edited would cause the page to become unghosted.  The more I see of the new version of SharePoint Designer, the more I like it!
  • The ability to extract data from Excel workbooks using Excel Services, Web Services, JavaScript OM and REST looks very interesting.
  • Some really interesting things can be done within SharePoint 2010 using jQuery – Dustin Miller showed some simple but extremely useful ideas, some of which I’m now longing to have a play with.

All in all, a very useful 3rd day!

SDL lifecycle tools

Microsoft has a link to a set of Microsoft’s Security Development Lifecycle (SDL) tools; get them here. The tool set includes great products such as FxCop. The SDL Threat Modelling Tool allows non-security specialists to enter already known information, including business requirements and application architecture; the tool then produces a threat model. There is also an SDL process template for integrating SDL into VSTS. The tool set also includes an Anti-XSS .NET library.

Other highlights include:

MiniFuzz File Fuzzer

MiniFuzz creates multiple random variations of file content and feeds them to the application to exercise the code, in an attempt to expose unexpected application behaviors and security vulnerabilities.

BinScope Binary Analyzer

The BinScope Binary Analyzer is a tool that analyzes binaries to ensure that they have been built in compliance with requirements and recommendations. BinScope also reports on dangerous constructs that are prohibited or discouraged by the SDL.

Code Analysis Tool .NET

CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attacks such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.

b.

Microsoft SharePoint Conference 2009: Day 2

A few highlights from today’s talks:

  • With SharePoint 2010, we no longer have a Shared Service Provider (SSP); we now have service applications instead. All of the applications benefit from an internal load balancing scheme (fault tolerant round robin load balancing), meaning that as long as you start a service application on more than one server, you’re better protected from failure.  Oh, and yes, that goes for indexing as well!
  • The Service Application framework is extensible; this means you can write your own services to be hosted by SharePoint. These will, in turn, benefit from the internal load balancing scheme mentioned above.  Yes, you can also use a hardware load balancer and from what I gathered, even write your own load balancer!
  • All of your Service Application management can be done from PowerShell – if you don’t know PowerShell, now is going to be a very good time to learn…  If you want to have a look at the available applets, try the following in PowerShell:
    get-SPServiceApplication
    this will return the list of available commandlets.
  • You will be able to add delegated administrators for specific Service Applications. These delegated administrators will have their view of the Central Administration site trimmed to only those items they should see.
  • Claims based auth looks very interesting, and can be extended to allow 3rd party applications to provide additional claims.
  • SharePoint Designer 2010 rocks!

TF53010 error and no TFS Warehouse updates after a SQL migrate

We recently moved our central SQL server to new SAN hardware and at the same time upgraded from SQL2005 to SQL2008. Once this was done we noticed that our TFS Reports were running against old Warehouse data.

Checking the TFS Application Tier event log we saw:

TF53010: The following error has occurred in a Team Foundation component or extension:
Date (UTC): 21/10/2009 10:27:25
Machine: TFSAT
Application Domain: /LM/W3SVC/287244640/Root/Warehouse-2-129005451884971104
Assembly: Microsoft.TeamFoundation.Warehouse, Version=9.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a; v2.0.50727
Process Details:
Process Name: w3wp
Process Id: 2716
Thread Id: 2848
Account name: MYDOMAIN\TFSSERVICE

Detailed Message: Cube processing runtime error: \r\nMicrosoft.TeamFoundation.Warehouse.WarehouseException: The following database is not accessible in the Analysis Server: TfsWarehouse at Microsoft.TeamFoundation.Warehouse.OlapCreator.ProcessOlapNoTransaction(Boolean  schemaUpdated, UpdateStatusStore updateStatus, Server server, SqlTransaction transaction)
   at Microsoft.TeamFoundation.Warehouse.OlapCreator.ProcessOlap(Boolean schemaUpdated, UpdateStatusStore updateStatus)
   at Microsoft.TeamFoundation.Warehouse.AdapterScheduler.RunCubeProcess()

The problem was missing rights on the new 2008 Analysis Service instance. The quick fix was to give the MYDOMAIN\TFSSERVICE account administrator rights on the instance (SQL Management Studio, Connect to Analysis Service Instance, right click on instance, properties, security, add the user). Once this was done I could force a reprocess and all was OK.

Microsoft SharePoint conference 2009: Day 1

I’m attending the Microsoft SharePoint Conference in Las Vegas – it’s been an interesting first day with some notable announcements:

  • A public beta of SharePoint 2010 will be available in November, with RTM in H1 2010.
  • The new version of SharePoint Designer for SharePoint 2010 will be a free download.
  • Microsoft SharePoint Foundation 2010 is the next version of what was called Windows SharePoint Services in version 3.0.
  • SQL Server PowerPivot for SharePoint (with a version for Excel as well) has been announced.  This was called project Gemini in previous demonstrations I’ve seen and allows the manipulation of hundreds of millions of rows of data in real time. No, that number of rows is not a typo.