Jun 03

I was recently asked what apps I’d recommend for a home iPad.  I’ve looked at work apps, and how to use tablets, but what would I recommend for home use?  Well, I thought I’d look at some best of breed solutions for a range of things!  I won’t cover games, as that’s largely down to taste.

DropBox

You need Dropbox (http://www.dropbox) to use an iPad.  It’s the best way to get files to and from your desktop, particularly if you want to send files back to your computers.  Oddly, you don’t necessarily need the Dropbox application itself on the iPad: most applications that you’d use with it have those hooks built in.  It doesn’t hurt to install it though!

Music

Just use iTunes and the built-in player!  You probably don’t need a lot more than that.  If you want access to massive amounts of music, then for £10 a month Napster (http://www.napster.com) gives you access to 15 million tracks, which you can either stream or download for offline playback.  Of course, if you end your subscription, all that music goes.  It depends whether you want to own tracks or get music as a service.  There’s a free seven-day trial to help you decide whether it’s worthwhile.

Video

The built-in video player is superb if you just have MP4 files (or a converter and a lot of time and patience).  In the real world we don’t all have that luxury, so a video player that has hooks to let other apps hand downloads to it, and that accepts files through iTunes, is pretty important.

Of the few available, I’d recommend Azul. (http://itunes.apple.com/us/app/azul-media-player-video-player/id404452499?mt=8)  It handles a very wide range of file types, does a reasonable job, and is reasonably priced.

Comics

The standard for comics (or any collection of graphical pages) has become the CBR and CBZ formats, which are simply RAR or ZIP archives full of images with the extension renamed.  The best viewer for the iPad, by a considerable margin, seems to be ComicZeal (http://www.comiczealapp.com/).  It gives fine control over zooming, and files can be dropped straight in through the iTunes interface.

Magazines

There are a lot of magazines available for the iPad, often through separate applications.  I read SciFiNow using one of these apps, for example, but the best big magazine app has to be Zinio (http://zino.com).  With most of the major magazines available at reasonable subscription prices, it’s extremely practical.

Books

There are two very useful ebook readers for the iPad, and neither of them is iBooks!  If you have a Kindle and buy books from Amazon, their Kindle for iPad (http://www.amazon.com) is brilliant.  If you have a range of ebooks and use calibre for your library, then Stanza (http://www.lexcycle.com/) is invaluable, plugging straight into your library over the local network.

Remote Access to PCs

Although expensive, the king of remote PC access has to be LogMeIn Ignition (http://www.logmein.com).  Remote control of the screen can be very useful, though a touch screen isn’t always the best interface for a long remote session.  More importantly from my perspective, it allows complete remote file access to your desktop, letting you grab that vital PDF without messing around with iTunes!

PDF Reading and Highlighting

I use Highlighter (http://itunes.apple.com/us/app/pdf-highlighter/id400191310?mt=8) almost exclusively for PDF viewing: it’s simple, hooks into Dropbox and other apps, and just works well.  You can annotate a PDF with sketching, highlighting and notes, but it’s also a really effective plain viewer.

Dictation

Nuance’s Dragon Dictation for the iPad (http://itunes.apple.com/us/app/dragon-dictation/id341446764?mt=8) is brilliant: simply speak into the iPad, let the service convert your speech to text in the cloud, and copy and paste the result into anything … such as a blog post like this!  It’s a great app.  Bear in mind that the conversion happens on Nuance’s servers, not on the device, so whatever you dictate leaves the iPad; keep anything confidential for the keyboard.


Mar 12

I recently came across a need to publish a SharePoint site without authentication, effectively using anonymous access to the site.  It’s surprisingly complex to set up correctly, especially if you are working with a secure ISA front end.

SharePoint Configuration

First, you need to enable anonymous access for the web application, for every SharePoint zone.  Open the Central Administration site, select “Application Management”, then select “Authentication Providers”.

When the Authentication Providers page appears, make sure you are looking at the right web application, then click on each zone, enable anonymous authentication, and click OK.  Once all the zones have been configured, the web application will allow anonymous access.

Just because anonymous access is available on the web application, it doesn’t mean it’s available on the sites!  You then have to set up permissions on the individual sites.

In order to set the permissions on your site, you either need to go straight to the address:

http://yoursite/_layouts/setanon.aspx

Or go to Site Settings on the Site Actions menu, select “Advanced Permissions” from the “Users and Permissions” column, and then select Anonymous Access from the “Settings” option list.

Once there, simply tick the box to enable anonymous access!

If SharePoint is directly accessible, then you are done!  If, however, you are using ISA Server to guard SharePoint, there are a couple more things left to do.

ISA Server

If you are using forms-based authentication with ISA, then you need to bypass it for anonymous access!  That’s not particularly surprising, but there are a few quirks when you set up the new rule and web listener.  Remember that this rule is a deliberate hole in your forms-based front end: scope its path set to the anonymous site only, and keep any source address restriction on it, so the rest of the web application still goes through the authenticating listener.

First, the new listener needs to be on a different IP address or port from the existing one, otherwise ISA won’t let you create it.

Second, if you are restricting unauthenticated access to a limited IP address range, DO NOT define that range as a new external network.  Define it as an address range, or the whole configuration will fail.

Finally, if you set up the web listener with the No Authentication option and set the rule to let clients authenticate directly to the published server, you must also ensure that “Allow client authentication over HTTP” is ticked in the Advanced options on the listener’s Authentication tab.  Otherwise every page will return 401 UNAUTHORIZED when accessed without a username and password!

Mar 02

After some of the recent comments on various SharePoint posts, I thought it was worth going through the most important part of using SharePoint … planning!  SharePoint is a very powerful system, but it is really, really difficult to change the architecture once it’s already installed.  You NEED (and my apologies for shouting, but the emphasis is really deserved) to make sure that you install your directory services, security and SharePoint, and prepare your site collections and templates correctly, before you even think of using it.

This isn’t a step by step guide; SharePoint is simply too broad a platform for that sort of approach.  Instead, it lists some of the more common gotchas and concepts to think about.  For more technical installation details, see my earlier posts:

Installing SharePoint 1 – Preinstallation

Installation SharePoint 2 – Installation

Installing SharePoint 3 – Configuration

I’m going to have lots of clients using my SharePoint system, but they can’t know about the others

Security within SharePoint is generally scoped at the site collection level.  If clients shouldn’t be able to see each other on the system, you need to plan for that before you deploy anything.  Every group of external users should be hosted on a separate site collection, or you will hit issues with the People Picker, which by default searches the whole directory and so reveals other clients’ accounts.  If clients never get near the access control features (your own administrators do all the user management), that’s not necessarily a show stopper, but as a general rule, use a site collection as a security scope.  You’ll also need to tell the People Picker to be restrictive, using

stsadm -o setproperty -url http://<server> -pn peoplepicker-onlysearchwithinsitecollection -pv yes

If you find out that you have multiple clients using subsites on a single site collection, it’s too late.  You’ll have to go back to the design phase, or start introducing technical kludges like replacing the People Picker functionality yourself.

My network grew organically, and I currently have a fairly complex domain structure.

OK, stop right there!  If you have a complex domain structure, you need to think long and hard about which domains will access SharePoint, work out trusts and user rights, and manually configure SharePoint to be able to see all of the applicable forests and domains.  You’ll also need to work out any potential security headaches with firewalls, ports and domain authentication from your SharePoint installation.  Don’t install SharePoint and then think about this.  You’ll have all sorts of issues with the People Picker, the search services and user profiles, and with security and authentication too, especially if you hide SharePoint behind a security provider like ISA 2006!

I don’t want to add external users to my live Active Directory

Fair enough!  There are two possible solutions: either set up a new Active Directory domain for external users in the DMZ, and then set up a one-way trust (so internal users can still get in), or simply install another directory service.  ADAM (Active Directory Application Mode) is a lightweight directory service, perfect for this sort of environment.  Either solution needs to be in place before you deploy SharePoint; again, preparation will stand you in great stead.

I’ve been running SharePoint for a while, and my security architecture is out of control.

This will happen unless you have done a really good job of planning ahead.  Wherever possible, try to ensure access rights are maintained as smoothly as possible.  If you set up roles based on directory service groups, and then maintain those groups, your security takes care of itself, particularly for internal users, where your system administrators should maintain AD groups as a matter of course.  The more granular your application of security within SharePoint, the harder you’ll find maintenance.  Stick to groups, and only break out of them where there is a clear business need.

Final thoughts

Like any complex system, the key to Microsoft SharePoint is proper planning.  If you understand:

  1. Your business problem (client restricted extranets are different to open forums, which differ from intranets!)
  2. Your business environment (especially your technical deployment, such as DMZ requirements and domain structure, but a grasp of the basic business factors can be invaluable)
  3. the architecture of Microsoft SharePoint

then you can deploy a system that will achieve your goal efficiently and securely.  If you install SharePoint without planning, because “SharePoint is the way to go”, with no understanding or foresight, then you’ll be problem solving until the project fails.

Mar 01

With the announced release of the iPad, and everyone rushing to say whether or not the product will work for them (even though they generally haven’t tried it), I thought it would be worth taking a step back, and looking at what I’d actually really like from tablet technology in terms of working professionally.  Let’s face it, the iPad is designed for home users first and foremost, as a convenient mechanism for consuming content.  That might be good or bad, depending on what you were hoping for … but what should we be hoping for?

Well, for one thing, I don’t want to replace my laptop.  I’m not looking for something to do everything my computer currently does.  Much like Apple targeted the home user, I want a device that will let me work closely with my office computer to consume corporate content, not (in general) to produce it.

Wouldn’t it be brilliant to have a tablet on the desktop, paired with your computer?  If you want to read a document, just select a “send to tablet” option, and read it in comfort, rather than struggling with a fixed screen, or printing hundreds of pages.  Wouldn’t it be great to make basic corrections, and then send it back to the PC for any in-depth formatting or major revisions?  I don’t think I want to write many, if any, serious documents from scratch on a tablet … it’s easier to type a large amount of text on a fixed computer with a large screen.  I might scribble basic notes in a meeting, so decent handwriting recognition might be nice, but that’s still a way off, I feel.

With the larger screen, and touchscreen, wouldn’t it be great as a input device?  Have it hooked up to the PC, and you’ve potentially got a decent graphics tablet for marketing teams or more complex document editing, in conjunction with the main monitors and keyboards.

One complaint I keep reading about the iPad is the lack of multi-tasking.  Like the iPhone, it only runs a single application at a time.  You don’t have Twitter running in the background, with an IM session running with potential popups jumping onto the screen, and links between applications, like integration between email and a custom DMS, or a word processor and a DMS.  To be honest, the way I see a tablet device functioning most effectively in the office isn’t to do that; that’s the PC or laptop’s job.  If I pick up my tablet to review a document, or view a podcast, I don’t want to be interrupted.  I don’t want the constant alerts, or Skype calls, or email and IM notifications.  My main computer has all of that.

If I’m travelling, and just bringing a tablet device with me, it’s a different equation.  I’ve two conflicting needs at that point.  I need the device to be damn reliable!  I need it to work if I’m around the world in Tokyo without IT support to hand.  I also need to be able to do everything I can do in the office: write full documents, record digital dictations, file my documents and emails into the document management system.  I see the way round these conflicting needs being a simple, dedicated platform for basic corporate tasks like email, combined with a virtual desktop client, giving me the full resources of an office PC without needing the complexity on my tablet.  If I have issues with applications crashing, and I can’t get hold of IT, I can still handle basic tasks like email reliably; I’m never totally out of touch, and unable to work.

Nothing can handle all that at the moment.  Windows Tablet PCs are hugely over complex, trying to be a full desktop replacement.  It’s not needed, and leaves you with a heavy, expensive device that doesn’t get used.  The Apple iPad (I say, speculatively) seems too consumer based and PC independent: it’s great for reading a magazine at home, but I can’t send a Word document to it for annotation easily, and I can’t use it for more monitor space or as a graphics tablet.

What we need is something in the middle, designed as a peripheral on the desktop, rather than a desktop replacement.  Something I can use on the go, with enough connectivity to let me hook into virtual services in the office easily and reliably.  Something without hundreds of irritating consumer applications to distract staff, or at least something locked down at a corporate level.  At the moment, no one wants to fill that gap, and I think it’s where we need to go to start actually reducing paper consumption.

Just my thought for the day!

Feb 09

Someone asked me what actually was cloud computing, and I found it rather difficult to answer concisely and coherently.  Much arm waving was involved, and comments like “you know, like Amazon”, and “you get billed for your usage”.  I thought it was worth looking at a clear, simple definition!

What is cloud computing?

Cloud computing is

“a computing capability that provides an abstraction between the computing resource and its underlying technical architecture (e.g., servers, storage, networks), enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

according to the National Institute of Standards and Technology.  That’s fine, and the more technical among us could probably leave it at that.  How would you try describing cloud computing to your CEO, though?

Cloud computing can be thought of as a way of pooling the resources of a number of computers together, and then pouring those resources into whatever applications you decide to run on the top of them in a very simple way, allowing you to set up new applications very quickly and easily.  Instead of having to build a new server for a new application, you can pour some more resource from the cloud for it.  If the resources in the cloud are running low, just add some more servers to the pool.

In the past, there have been a variety of mechanisms that do parts of this, but haven’t applied it all together. 

Older, similar technologies

Clustering computers has been done for some time.  This allows computers running an application to work together, providing redundancy for the application, and generally some performance improvement.  How does this differ from a cloud?  Well, a cluster was generally quite complex to set up, and only really focused on a single application.  You couldn’t pour resources from all the machines into a new application quickly at all.

Web farms can support many web applications, running over lots of web servers.  How does this differ from a cloud?  Well, web farms again tended to be hard to configure, and it was very difficult to apply specific levels of resources to specific web sites: if one web application used lots of processing power, the others could start to run more slowly.  Administration and maintenance to balance these problems, and to roll out new applications, were often complex.

Virtual server providers are almost like mini clouds, where running virtual machines are provisioned simply and easily across the available hardware.  How do they differ from cloud computing?  Well, cloud computing separates off storage and processing power, allowing you to apply more storage or more processing power as needed to any application running on the infrastructure.  It adds another level of abstraction, which allows much more effective (and quick and easy) application of the necessary storage space and processing power from all the resources pooled in the cloud, rather than limiting it to a single virtual server, which can then be quite complex to change.

All of these technologies really combine to provide a simple infrastructure on top of a pool of servers: you have the performance and resilience of a cluster, without the headaches of setting it up, and without the limitation of focusing on a single application.  You have the distribution of a web farm, allowing multiple applications to share resources, but with much easier tools to support rolling out new applications or providing additional resources to underperforming ones.  You have the benefits of virtual servers, but with better application of storage space and processing power to your actual applications.

Confusing technologies and terms

There are two points that many people don’t quite understand about cloud computing, even if they grasp how it can be applied.  These are:

Does a cloud have to be on the Internet?

No!  A cloud can be run inside a private corporation, or even at home if you have the resources.  Ubuntu provides cloud deployment and management tools as part of its open source enterprise servers.  The reason cloud computing is synonymous with the internet in people’s minds is that the real benefits and cost savings of cloud computing require massive, massive deployments of hardware.  Having said that, even a small cloud might be better for supporting a slew of internal web applications than 15 individual servers.

Because of the costs of a large cloud, only companies like Amazon have successfully deployed them as yet.  They use clouds to sell processing power and storage space to any one who wants to buy them.

Will I be charged by processing use or storage space?

This is actually a separate concept, called utility computing, where you are charged for your system use in the same way you are charged for gas or electricity, hence the name.  This is by no means integral to the concept of cloud computing, though Amazon EC2, the biggest cloud deployment, does use this model to charge for access.  It doesn’t mean everyone has to charge this way, and an internal corporate cloud would just cost electrical consumption, hardware and licensing.

Don’t confuse the two – utility computing is a model of charging for computer use and storage space, while cloud computing is an infrastructure for pooling computer resources to be poured simply into applications on demand.  They may both be used at the same time, but aren’t the same thing.

Feb 08

Just a quick sneaky trick: if you’re used to being able to run terminals as root, or you need to run a lot of commands as root, and are sick of having to type sudo every time, there is a sneaky way of elevating your privileges for the whole terminal session.

Open a terminal, and run:

sudo su

and you have a terminal running as root!  Running su by itself doesn’t work on Ubuntu, because the root account is locked and has no password … but if you sudo the command, it does.  Generally, this isn’t great practice: it’s too easy to make a mistake and damage the system, and sudo only logs the single su invocation rather than each command you then run as root, so use with caution!  If you do want a root shell, sudo -i (a root login shell) or sudo -s does the same job without going through su.

Feb 08

Setting the hostname on an Ubuntu linux installation is pretty easy during the installation.  However, for a standard image to be dropped onto a wide range of machines, it really needs to be unique and set via a script.

We like to use the serial number of the PC in question, though this is more or less practical depending on the brand of PC.  Acer, for example, tend to have VERY long serial numbers; it may be unique, but it’s going to be harder to type than just an IP address.  IBM tend to use reasonable 7-character strings, which is much more usable.  Other brands can be longer or shorter.

Setting the hostname itself seems easy: just run

sudo hostname <newname>

(where sudo is used to run the command as root) in a terminal, and the hostname of the machine will change.  You’d think we were done, but unfortunately not!  This will only change the hostname until the next reboot.  On startup, the contents of the file

/etc/hostname

is used to set the hostname.  To update this, I set the hostname for the current session, then run

hostname > /etc/hostname

(as root) which will overwrite the file with the current hostname.  Note that you need an actual root shell for this one: sudo hostname > /etc/hostname doesn’t work, because the redirection is performed by your unprivileged shell, not by sudo.  If running as part of a script on startup, this will set the hostname now, then update the file for future restarts.  However, we still aren’t done.  We need to update another file

/etc/hosts

with the details of the name for networking purposes.  We need to add the hostname, and any domain name aliases too.  The hosts file will probably look something like:

127.0.0.1                        localhost                 localhost.domain.local

127.0.1.1                        <hostname>

Update the hostname line, and add new aliases for the hostname for any domains that may be relevant.  At this point, the system is renamed!  However, this is all still pretty manual; ideally we need to script the process.

Now, to get the serial number, we can query the BIOS using the dmidecode command, and then process the output using the myriad of Linux text handling commands.

dmidecode | grep "Serial Number" | head -n1 | sed -e 's/\tSerial Number: //g'

(as root, again) should return the serial number from the bios!  We can combine this with the hostname command, as follows:

hostname $(dmidecode | grep "Serial Number" | head -n1 | sed -e 's/\tSerial Number: //g')

(once again, as root.) This will set the hostname to the serial number.

I actually combine all of the commands discussed to form a single script (run as root):

#!/bin/sh
# Set the hostname from the BIOS serial number, then make it persistent.
hostname $(dmidecode | grep "Serial Number" | head -n1 | sed -e 's/\tSerial Number: //g')
hostname > /etc/hostname
echo "127.0.0.1       localhost     localhost.domain.local" > /etc/hosts.new
echo "127.0.1.1     $(hostname)     $(hostname).domain.local" >> /etc/hosts.new
mv /etc/hosts.new /etc/hosts

This sets the hostname, then updates the hostname file.  It then generates a complete hosts file line by line, and moves it over the old version (writing to hosts.new and renaming means an interrupted run never leaves a half-written /etc/hosts).  Bear in mind that a hostname may only contain letters, digits and hyphens, so a serial number with spaces or other punctuation will be rejected by the hostname command; check a sample of your hardware first.  There are probably better ways of updating the text file directly, but this works effectively enough.

Finally, I set this script file (which I named hostname.sh) to run on system startup.  Simply copy the file to

/etc/init.d

make it executable (chmod +x), and run (as root)

update-rc.d hostname.sh defaults

where hostname.sh is the chosen name for your script.  This will add the script to the startup scripts on the machine, where it will automatically be run as root.
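As an added example (not the post’s own script), here is the same job written defensively in Python.  It pulls the serial out of dmidecode output the way the grep | head pipeline does, refuses placeholder strings that vendors ship instead of a real serial (consumer boards often report “To Be Filled By O.E.M.”), reduces whatever is left to a valid hostname label or falls back to a safe name, and renders the complete /etc/hosts so a bad serial can never produce a broken file.  The dmidecode text, the domain and the fallback name below are constructed placeholders; dmidecode -s system-serial-number is the real dmidecode switch for the system serial.

```python
#!/usr/bin/env python3
"""Set the hostname from the BIOS serial number, safely.

Added example for the post above, not the post's own script. SAMPLE_DMIDECODE
is constructed text in the shape dmidecode prints; the domain and fallback
name are placeholders.
"""
import os
import re
import subprocess
import sys

# Strings vendors ship instead of a real serial number (lower-cased).
PLACEHOLDERS = {
    "", "none", "not specified", "not available", "to be filled by o.e.m.",
    "default string", "system serial number", "0", "123456789",
}
# One RFC 1123 hostname label: letters, digits, hyphens; no leading or
# trailing hyphen; at most 63 characters.
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

SAMPLE_DMIDECODE = """\
# dmidecode 2.9
SMBIOS 2.4 present.

Handle 0x0001, DMI type 1, 27 bytes
System Information
\tManufacturer: Example Computer Co.
\tProduct Name: Example 4000
\tSerial Number: LKX1234567
\tUUID: 00000000-0000-0000-0000-000000000000

Handle 0x0002, DMI type 2, 8 bytes
Base Board Information
\tSerial Number: BB-9988
"""


def serial_from_dmidecode(text):
    """First 'Serial Number:' line of full dmidecode output, as grep | head -n1
    picks it (the System Information block precedes baseboard and chassis)."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip() == "Serial Number":
            return value.strip()
    return ""


def hostname_from_serial(serial, fallback):
    """Turn a raw serial into a valid hostname label, or return the fallback."""
    s = serial.strip().lower()
    if s in PLACEHOLDERS:
        return fallback
    s = re.sub(r"[^a-z0-9-]", "-", s).strip("-")  # spaces, slashes, dots -> hyphens
    return s if LABEL.match(s) else fallback


def render_hosts(hostname, domain):
    """Complete /etc/hosts in the two-line layout the post uses."""
    return (
        "127.0.0.1\tlocalhost\tlocalhost.%s\n"
        "127.0.1.1\t%s\t%s.%s\n" % (domain, hostname, hostname, domain)
    )


def main(apply=False, domain="domain.local", fallback="unnamed-host"):
    # Must run as root: dmidecode reads the SMBIOS tables and /etc/hosts is root-owned.
    raw = subprocess.run(["dmidecode", "-s", "system-serial-number"],
                         capture_output=True, text=True, check=False).stdout
    name = hostname_from_serial(raw, fallback)
    if name == fallback:
        print("warning: no usable serial (%r), using %s" % (raw.strip(), name),
              file=sys.stderr)
    if apply:
        subprocess.run(["hostname", name], check=True)
        with open("/etc/hostname", "w") as f:
            f.write(name + "\n")
        with open("/etc/hosts.new", "w") as f:
            f.write(render_hosts(name, domain))
        os.replace("/etc/hosts.new", "/etc/hosts")  # atomic swap, never half-written
    else:
        print(name)
        print(render_hosts(name, domain), end="")
    return name


if __name__ == "__main__":
    main(apply="--apply" in sys.argv[1:])
```

Run it without arguments as root to see what it would set; add --apply to actually rename the machine.  The fallback name is deliberately boring rather than random so that an unnamed machine is easy to spot in the network, and the hosts file is only ever swapped in whole.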

Feb 08

Recently, I’ve been playing with Linux, specifically Ubuntu, in an attempt to set up a simple, maintainable client for virtual desktops.  It’s been a fair while since I’ve used Linux in a serious sense, so I thought I’d post up what I’ve done as I progress (largely for my own reference, but hopefully others might find it of use!)

Key requirements are:

A virtual client!  In this instance, the vmware open client will need to be installed and configured on the desktop.  There are still limitations with the open client that may break the plan – limitations with remote media playback, and usb redirection are two areas in particular that may cause issues.

A working web browser!  Of course, Firefox is an obvious standard, installed with Ubuntu, so that’s not much of a challenge, at least on the surface.  Beyond a working web browser, we may need to extend our server architecture to support browsers beyond Internet Explorer for our key web applications, allowing a level of work to be carried out in the event of virtual desktop failures.  This is where things get a lot harder!

A standard environment across different hardware, locked down for the default user.  This is actually quite tricky.  By default, Linux is designed to be easy to customise and configure, so locking it down to a single user, while still allowing network proxy changes and wireless connections, is actually quite a challenge.  In addition, desktop launchers will need to vary depending on local printer installations for users on laptops with a home printer (vmware-view allows you to redirect a printer, but you need to specify it by name).

An architecture to allow remote reconfiguration, support and updates across a company-wide platform.  This is one of the worst areas: Linux still lags quite badly behind the sort of architecture taken for granted on a Windows network when it comes to administration through global policies.  It’s still fundamentally a server operating system, and admin tools generally focus on supporting machines running in that capacity, not as clients.  This is the hardest area of all, looking forward to a possible roll out of well over a thousand machines world wide, with a technical team with no Linux experience!  Keeping the client simple and cheap, allowing machines to be swapped instead of supported, is a very high priority where possible.

Hopefully the next series of posts on this topic will be useful, although it’s quite a change of tack from SharePoint!  Don’t worry, as new SharePoint issues come up, I’ll still be posting on that topic too.

Oct 26

Tom commented on a post with the following problem, and I thought it merited a post.

“We have a MOSS 2007 FARM AND 3 DOMAINS all have a two way trust.  We have over 78 sites all of which stopped with no known reason from being able to find users that are in one of the domains we can find the users in the view profiles yet we can no longer find users using peoplepicker for any users from the one domain.

We have tried the command you have provided and it comes back with a command line error
stsadm -o setproperty -pn peoplepicker-searchadforests -pv domain:full domain name,-userlogin domain\username password –url http://webapp url”

It sounds like an interesting problem, but it’s difficult to answer without more information.  Incidentally, the comment about being able to view user profiles is rather a red herring.  Profiles are populated by an import process configured separately in the SSP, and have nothing to do with the People Picker displaying users.

Let’s discuss the stsadm command first.  Without knowing the specific error message, I can’t say why the command is failing, but there are two probable causes.  stsadm is not in the default path on a Windows installation, so if the error message is:

‘stsadm’ is not recognized as an internal or external command, operable program or batch file.

the problem is simply that you need to change to the appropriate directory first.  The location is generally:

C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN

so simply change directory to that path and run stsadm again.  It sounds obvious, but I must admit I had a bit of a nightmare trying to find the stsadm path when I first started looking at SharePoint!

The other possibility is that the command has been run, but that the parameters haven’t been entered correctly.  If so, you get the terribly helpful response of:

Command line error.

followed by a complete syntax reference for the command.  From the notes in the question, this sounds much more likely to be the cause.  Unfortunately, it is quite a lot harder to discuss, as unsurprisingly people aren’t going to put the specific command line with all of their configuration details and passwords onto a website, and the generic, censored versions are probably going to be correct, at least as far as they go.

The best help I can give here is to put together a full hypothetical example, rather than just repeating the command syntax yet again.

Essentially, you first need to set the farm’s encryption key for stored credentials, then tell the server which domains to add to the list, and which username and password to use to connect to each domain in order to query it.  Don’t use the domain Administrator account for this!  The password is stored (encrypted) in the configuration database, and the People Picker only needs to read the directory, so use a dedicated low-privilege account.

To set the encryption key, run the following on every front-end web server in the farm, with the same value each time:

stsadm.exe -o setapppassword -password <yourencryptionkey>

To set the actual domain links, use (all on one line, with no spaces anywhere inside the quoted list):

stsadm.exe -o setproperty -url http://domain1.example.com:80 -pn "peoplepicker-searchadforests" -pv "domain:domain1.example.com,domain1\LoginName,P@ssword;domain:domain2.example.com,domain2\LoginName,P@ssword;domain:domain3.example.com,domain3\LoginName,P@ssword"

Of course, with two-way trusts a single username and password could be used for all three domains if that account is granted the appropriate rights.

What normally goes wrong putting this together?  Normally either the encryption key hasn’t been set first, or the construction of the domain list has a syntax issue (or the surrounding quotes have been missed off).

As a rule, though, if you get a command line error when running stsadm, you have got the format wrong.  If the format is right, it won’t necessarily solve the problem (if your username or password is wrong, for example, it still can’t access the other domain’s information), but you’ll see the changes applied.  A good way of checking is to run:

stsadm.exe -o getproperty -url http://domain1.example.com:80 -pn “peoplepicker-searchadforests”

and it will show the details you’ve set (with the passwords asterisked out).
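Because stsadm answers a malformed value with nothing more than “Command line error.”, it helps to check the -pv string before running it.  The following is an added example, not Microsoft’s code: it checks the documented shape of the peoplepicker-searchadforests value (forest: or domain: prefix, a fully qualified DNS name, and optionally a NETBIOS\login and password, entries separated by semicolons), reports every problem it can see, and builds the quoted stsadm line.  Whitespace next to the separators is flagged as an error because nothing documents it as being trimmed; the sample values in the usage are constructed and the passwords are placeholders.

```python
"""Check a peoplepicker-searchadforests value before handing it to stsadm.

Added example for the post above, not Microsoft's code. Documented shape:
    forest:<dns name>[,<NETBIOS\\login>,<password>];domain:<dns name>[,...]
The sample values used in __main__ are constructed; passwords are placeholders.
"""
import re

DNS_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN = re.compile(r"^%s(?:\.%s)+$" % (DNS_LABEL, DNS_LABEL))  # at least two labels
LOGIN = re.compile(r"^[^\\\s,;]+\\[^\\\s,;]+$")                # NETBIOS\user


def parse_searchadforests(value):
    """Return (entries, problems). Each entry records kind, name and login;
    passwords are deliberately not returned so the result is safe to log."""
    entries, problems = [], []
    for n, raw in enumerate(value.split(";"), start=1):
        if not raw.strip():
            problems.append("entry %d: empty (doubled or trailing ';')" % n)
            continue
        parts = raw.split(",")
        # Whitespace is not documented as being trimmed, so treat it as an
        # error rather than assume stsadm will ignore it.
        if any(p != p.strip() for p in parts):
            problems.append("entry %d: whitespace next to ':' ',' or ';' "
                            "would become part of the value" % n)
        kind, _, name = parts[0].strip().partition(":")
        kind, name = kind.strip(), name.strip()
        if kind not in ("domain", "forest") or not name:
            problems.append("entry %d: must start with 'domain:<dns name>' "
                            "or 'forest:<dns name>'" % n)
            continue
        if not FQDN.match(name):
            problems.append("entry %d: '%s' is not a fully qualified DNS name"
                            % (n, name))
        login = None
        if len(parts) == 3:
            login, password = parts[1].strip(), parts[2].strip()
            if not LOGIN.match(login):
                problems.append("entry %d: login '%s' should be NETBIOS\\user"
                                % (n, login))
            if not password:
                problems.append("entry %d: empty password" % n)
        elif len(parts) != 1:
            problems.append("entry %d: expected 'kind:name' or "
                            "'kind:name,login,password', got %d fields"
                            % (n, len(parts)))
        entries.append({"kind": kind, "name": name, "login": login})
    return entries, problems


def build_command(url, value):
    """Full stsadm line. The value contains ';' and '\\', so it is always
    quoted; the URL is quoted as well. Raises if the value is malformed."""
    _, problems = parse_searchadforests(value)
    if problems:
        raise ValueError("; ".join(problems))
    return ('stsadm.exe -o setproperty -url "%s" -pn peoplepicker-searchadforests '
            '-pv "%s"' % (url, value))


if __name__ == "__main__":
    # Constructed sample: the shape from the post, with placeholder passwords.
    good = ("domain:domain1.example.com,domain1\\LoginName,P@ssword;"
            "domain:domain2.example.com,domain2\\LoginName,P@ssword")
    print(build_command("http://domain1.example.com:80", good))
    # The shape from the comment, which stsadm rejects: no FQDN, two fields.
    _, problems = parse_searchadforests(
        "domain:full domain name,-userlogin domain\\username password")
    print("\n".join(problems))
```

The parser never returns the passwords, so its output can be pasted into a ticket or a log when asking for help, which is exactly what the question above could not do with the raw command line.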

What makes the problem Tom is experiencing interesting is that apparently the People Picker has been working, and now isn’t.  This, to me, implies that something has changed with the installation, or the Active Directory configuration.

Key things to check would be:

Does the user context that SharePoint queries with still have access rights to the domain that appears to be no longer accessible?  A two-way trust means that rights can be assigned across the domains … by default they aren’t.

Have the Active Directory servers changed?  If so, you may need to force DNS updates, otherwise resolution against the AD may be looking for defunct servers.

Has the stsadm command been run successfully in the past, and the usernames and passwords have since changed (or expired)?  This will obviously remove the People Picker’s ability to query the domain.

Has a security patch been applied to the domain, or have permissions on Active Directory been changed?  Older systems allowed anyone to do a basic LDAP query against Active Directory by default, but this gets locked down.  If that loophole was previously being relied on instead of granting correct access rights to the web application’s security context, it’ll obviously start causing this issue.

I hope this helps – Tom, if you’ve solved the problem, please let me know the solution :)

Jul 24

Someone asked in the comments on another post how to filter the responses from the People Picker to only show active users.  It’s an unusual question, in that “active users” is so difficult to define.  The People Picker’s default behaviour includes a check to make sure that the account is enabled in Active Directory, so disabled accounts are hidden.  Perhaps it means just users, not groups, or just those users granted access to the site collection.

I actually favor the option in the people picker to only return users which have been granted permissions on the Site collection.  This instantly means users in one site collection don’t know about the existence of others by default, and is easy to implement.  Just run:

stsadm -o setproperty -url http://<server> -pn peoplepicker-onlysearchwithinsitecollection -pv yes

You can add specific users to the site collection by searching for the fully qualified logon name, but the people picker will only return users on the site.

If you need slightly more unusual options though, you’ll need to alter the query itself.  This can also affect the ability to add any users to the site at all, so be very, very careful; I’d really recommend not trying this unless you are pretty confident with LDAP queries.

There are several ways of doing this.  First, you can set the People Picker to use a custom LDAP query, and select exactly what you need from the AD.  Alternatively, you can let the People Picker use its standard queries, and then filter the result set.  You can also restrict queries to a particular OU, which would obviously limit the response.

The first is best if you need to limit the query to a specific OU or search for a custom attribute flagging people as a SharePoint site user, but be warned: performance on a non-indexed attribute will be appalling.  I’d avoid it if possible.  The second is better if you need to hide certain user accounts (like service accounts) from the returned results.  The last option is quite neat, but it’s rare that you structure AD around your SharePoint web applications.  Synergy online covers all these options in detail here.

Incidentally, I believe the LDAP filter for enabled user accounts only is:

(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))

The userAccountControl clause uses the Active Directory bitwise AND matching rule (OID 1.2.840.113556.1.4.803) to test the ACCOUNTDISABLE flag (value 2), and the objectCategory=person clause is what keeps computer accounts out, since computer objects also carry objectClass=user.

So to only return active users, not groups, you could use the following filter:

stsadm -o setproperty -url http://server/sites/vp-site -pn peoplepicker-searchadcustomfilter -pv "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

One final note: the custom AD filter and the option to limit queries to an OU are only available from SharePoint 2007 SP1 onwards, so make sure you’re patched!
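To see what that filter actually does before pointing the People Picker at it, the following added example (not SharePoint or Microsoft code) evaluates it against a handful of constructed directory entries.  It parses the filter, including the bitwise AND extensible match, and applies it to an enabled user, a disabled user, a service account, a group and a computer account, so you can confirm that only enabled users come back and that dropping the objectCategory=person clause lets the computer account through.  The entries are made up; the attribute names and the matching rule OID are the real Active Directory ones.

```python
"""Evaluate the 'enabled users only' People Picker filter against sample entries.

Added example for the post above, not SharePoint or Microsoft code. ENTRIES are
constructed, not real accounts; the attribute names and the bit-AND matching
rule OID 1.2.840.113556.1.4.803 are the real Active Directory ones.
"""

BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
UF_ACCOUNTDISABLE = 0x0002                # userAccountControl flag
ACTIVE_USERS_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(!userAccountControl:1.2.840.113556.1.4.803:=2))"
)

# Constructed directory entries. objectClass carries the full class chain as AD
# returns it; objectCategory is shortened to the class name AD matches it by.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
ENTRIES = [
    {"name": "alice", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": 0x0200},                        # NORMAL_ACCOUNT, enabled
    {"name": "bob", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": 0x0200 | UF_ACCOUNTDISABLE},    # disabled
    {"name": "svc-sharepoint", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": 0x0200 | 0x10000},              # enabled, password never expires
    {"name": "SP-Readers", "objectCategory": "group",
     "objectClass": ["top", "group"]},                     # groups have no userAccountControl
    {"name": "WFE01$", "objectCategory": "computer",
     "objectClass": USER_CLASSES + ["computer"],
     "userAccountControl": 0x1000},                        # WORKSTATION_TRUST_ACCOUNT
]


def parse_filter(text):
    """Parse the RFC 4515 subset used here: &, |, !, attr=value, and the AD
    extensible match attr:<OID>:=value. Returns a nested tuple tree."""
    pos = 0

    def leaf(end):
        attr, _, value = text[pos:end].partition("=")
        if attr.endswith(":"):                        # e.g. userAccountControl:<OID>:
            attr, rule = attr[:-1].split(":", 1)
            if rule != BIT_AND_RULE:
                raise ValueError("unsupported matching rule " + rule)
            return ("bitand", attr, int(value))
        return ("eq", attr, value)

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            if op == "!" and text[pos] != "(":        # AD also accepts (!attr=value)
                end = text.index(")", pos)
                kids.append(leaf(end))
                pos = end
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        result = leaf(end)
        pos = end + 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing text after filter")
    return tree


def matches(node, entry):
    """True if the entry satisfies the parsed filter."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    attr, value = node[1], node[2]
    if attr not in entry:                             # an absent attribute never matches
        return False
    if kind == "bitand":                              # every bit in value must be set
        return int(entry[attr]) & value == value
    actual = entry[attr]
    values = actual if isinstance(actual, list) else [actual]
    return any(str(v).lower() == value.lower() for v in values)


def select(entries, filter_text):
    """Names of the entries the filter would return, in directory order."""
    tree = parse_filter(filter_text)
    return [e["name"] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    print(select(ENTRIES, ACTIVE_USERS_FILTER))
    # Without objectCategory=person the computer account comes back too.
    print(select(ENTRIES, "(&(objectClass=user)(!userAccountControl:%s:=2))" % BIT_AND_RULE))
```

The service account still comes back, which is the case the post’s second approach (filtering the result set) is for: being enabled is not the same as being a person you want in a People Picker, so a custom filter that also excludes a service-account OU or naming convention is usually wanted alongside this one.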
