When it comes to looking for SharePoint information, my first stop is Sharee’s Blog. Sharee is a SharePoint guru whose blog is loaded with real-world scenarios. Unlike some of the TechNet articles and Microsoft blogs, which post filtered information based on how the product is “supposed” to work rather than how it actually works in the real world, Sharee blogs about some really cool SharePoint stuff that’s based on her own experiences.
Today she posted this information about SharePoint Service Accounts. There is so much scattered information on this topic all over the Web. It is great to see this information in one place. If you work with SharePoint, you will appreciate this blog post.
Here’s a portion of her article.
“SharePoint uses service accounts to run specific services behind the scenes. SharePoint does not function under the practice of “running everything as administrator”. There are several documents regarding all of the different service accounts that are recommended for SharePoint, but for some organizations the sheer number of accounts is simply not manageable. So I’ve put together a list of what I would consider the minimum accounts (and rights) for a typical SharePoint installation. The account you use to run setup on any server where MOSS needs to be installed must belong to the local administrators group. In addition, this account must be a Domain User and be a member of the following SQL server security roles: Logins, Securityadmin & Dbcreator. This account is responsible for creating new databases and creating new IIS sites so it is important to make sure the right permissions are set.
Typically, an account such as the domain administrator is used to run the installation; however it is strongly recommended that you use a dedicated account to log in and install Windows SharePoint Services and Office SharePoint 2007 servers. This account can also be used as the identity of the Central Administration site application pool, or it can be unique. You should always use the service account that you create to run all the WSS 3.0 services instead of a regular user account.”
Check out the entire article for more details: Necessary SharePoint Service Accounts.
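The SQL Server side of the setup account described in the quote, as an added example (not from Sharee’s article or this blog): it creates the login, adds the two server roles the quote names, and then lists any other server roles the account holds. The account name CONTOSO\sp_setup is a placeholder assumption.

```sql
-- Added example; CONTOSO\sp_setup is a placeholder account name (assumption).
-- Run on the SQL Server instance that will host the SharePoint databases.
DECLARE @account sysname, @sql nvarchar(400);
SET @account = N'CONTOSO\sp_setup';

-- 1. Create the Windows login if it is missing. CREATE LOGIN does not accept
--    a variable, so the name is escaped with QUOTENAME and run as dynamic SQL.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @account)
BEGIN
    SET @sql = N'CREATE LOGIN ' + QUOTENAME(@account) + N' FROM WINDOWS;';
    EXEC sp_executesql @sql;
END;

-- 2. Add only the two server roles named in the quote, skipping any the
--    account already holds (IS_SRVROLEMEMBER returns NULL for unknown logins).
IF ISNULL(IS_SRVROLEMEMBER(N'securityadmin', @account), 0) = 0
    EXEC sp_addsrvrolemember @loginame = @account, @rolename = N'securityadmin';
IF ISNULL(IS_SRVROLEMEMBER(N'dbcreator', @account), 0) = 0
    EXEC sp_addsrvrolemember @loginame = @account, @rolename = N'dbcreator';

-- 3. Audit: list every server role the account is a direct member of and
--    flag anything beyond the two roles above (for example sysadmin).
SELECT r.name AS server_role,
       CASE WHEN r.name IN (N'securityadmin', N'dbcreator')
            THEN 'expected'
            ELSE 'REVIEW: beyond the minimum listed above'
       END AS assessment
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @account;
```

The audit query only sees direct role membership, so roles inherited through a Windows group login need a separate check. Because securityadmin can manage logins and grant server-level permissions, the setup account should be handled as a highly privileged credential.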
Interested in becoming a Microsoft Certified Master? Well, spend $20K and you will be able to use the MCM logo on your business card. According to Microsoft “Master certification enables senior-level IT professionals to demonstrate and validate their technical expertise on Microsoft server products and authoritatively differentiate themselves to prospective employers and customers. Master certification is a prerequisite for all Microsoft Certified Architect (MCA) certifications.”
Nonrefundable program application fee: US$125
Program fee: US$18,500
Non-lab exam retakes: US$250
Lab exam retakes: US$1,500
Note: The program fee includes the price of first attempts at passing all required tests, including the final lab exam.
Click here for more information.
The Access Checker Web Part is a Windows SharePoint Services Web part from Codeplex, for use within Windows SharePoint Services v3 and Microsoft Office SharePoint Server 2007. The Web Part displays a tree view showing permissions on objects for a user scoped to a Site hierarchy. There is a second mode that is useful to see the permission inheritance of objects in a Site hierarchy.
You can download the Web part from Codeplex and extract the zip file to a folder. Run setup.exe under a farm administrator account. When I ran the setup.exe file I got the following Timer job error:
The Windows SharePoint Services Timer service is NOT started!
Check out my blog post Error: The Windows SharePoint Services Timer service is NOT started! for more details and a possible solution.
Once you’ve installed the Access Checker Web Part on your server, you can enable it in the following locations.
1. To use the Site Settings feature, go to the SharePoint Central Administration site and navigate to Application Management, Manage Web Application Features. There you can activate the Access Checker Feature to enable the Site Settings Pages.
2. To use the Web part, simply navigate to the Site Settings page of a Site Collection and activate the Access Checker Web Part feature under Site Collection Features.
At this point you should be able to go to a Web part page and add this new Web part. The Web part is located in the Site Administration area.
Once you’ve added the Web part to your site, you can view a user’s permission on each List and Site. It will also show you the permission inheritance hierarchy so you know how your permissions are set up. Here’s how you can check a user’s access.
1. Type a user’s login name either by using the People Picker or the Browse functionality.
2. From the Access drop-down button, select the type of permissions you would like to view. The options are:
3. Select a filter option to either show all items, show items where the user does not have access, or show items where the user has access. These options are great for troubleshooting access issues.
4. Click on the Check Access button to see the results. The results are color coded. Green means the user has Read or greater access. Red means the user does not have Read or greater access.
There are two new menu items that are available under Site Actions, Site Settings after you install the Web part.
The Check User Access page contains the Access Checker Web part that is pre-configured for user access mode, while the View Permission Inheritance page contains the Access Checker Web part that is pre-configured for Permission Inheritance Mode. The color coded report makes it very easy to glance at the results and get a good idea of how the inheritance is configured, as shown in the graphic below.
The green items show you which items are inheriting permissions from the parent, while the red items are items that have unique permissions.
According to Codeplex there are a couple of limitations even with this latest version 1.3.0 of Access Checker Web Part. You cannot display list items in the report and the Web part currently does not work with Forms-Based Authentication. I am hoping that the next version will allow the administrators to view the permissions at the item level.
In the current version, SharePoint groups are not supported. You can only use Active Directory users (not Active Directory groups). However, even with these limitations it is great to have the ability to check access on all the sites as well as all the sites and lists within the sites. You really see the beauty of this Web part when you are working with hundreds of sites. I am currently working on a very large SharePoint site collection and this Web part is exactly what I needed to view permissions.
I was trying to install the Web part from Codeplex called SharePoint Access Checker Web Part on my Windows Server 2008 running MOSS 2007. I kept getting the following error when I would run setup.exe:
The Windows SharePoint Services Timer service is NOT started!
The service had actually started and was running just fine… thank you very much. I tried various solutions but nothing worked. The account that I was logged in with was a domain account and was a member of the Site Collection Administrators. In addition, this domain account was also a member of the farm administrators group and local administrators group. It was also the account under which the Timer service was running.
Just to test, I changed the account used by the Timer service to the local Administrator account but that didn’t help so I switched it back to the domain account. Finally, I decided to run the setup.exe file as administrator (right-click, Run as administrator) and it did the trick.
TechRepublic recently posted this list of top 10 IT certifications. Microsoft’s MCITP, MCTS, and MCPD are among the top 4, while MCSE/MCSA is #8 on the list. Here’s the complete list.
You can find all the details here.
Copyright © 2013 Zubair Alexander. All rights reserved.