April 25, 2014

PowerShell Cheat Sheet

Found a handy reference here for using PowerShell combined with commands for SharePoint.

Original post is:
The authors did a nice job illustrating the commands and use in a straight forward way!

PS sheet image

Happy PowerShelling!

April 16, 2014

User Profile JobTitle Property Returns Null


Using SharePoint Object Model, the JobTitle property will always return NULL value for all users, even when users have valid user profiles with available Job Title property and is accessible from CA.

Example: I highlighted the code where JobTitle returns Null:
bool UserExist = uprofileManager.UserExists(user.LoginName);
if (UserExist)
UserProfile userProfile = uprofileManager.GetUserProfile(user.LoginName);
returnValue = (String)userProfile[PropertyConstants.JobTitle].Value;

While the same user has a Job Title value in his user profile:

Digging for Answers:

- First, I made sure that Job Title property accessibility is set to 'Everyone' in Central Admin
- I elevated the code privileges by using SPSecurity.RunWithElevatedPrivilages code block
- Also while debugging the code, I made sure the user.LoginName variable is in format "Domain\Username"
- Also, found that code to read SPS-JobTitle property would return Null too:
returnValue = (String)userProfile["SPS-JobTitle"].Value; // returns null

- However, all other user profile PropertyConstant properties (like Office, HomePhone,..) are readable correctly for the same users:
PropertyCollection props = uprofileManager.Properties;
UserProfile userProfile = uprofileManager.GetUserProfile(user.LoginName);
foreach (Property prop in props)
    Console.WriteLine(prop.Name.ToString() + "=" + userProfile[prop.Name].Value);

I concluded that its not the code that has issues, so there must be something with 'Title' and 'SPS-JobTitle' properties preventing the code from reading them.

We know that Title and SPS-JobTitle are special properties linked to Metadata keywords when profile import takes place from Active Directory. The Metadata service is running on 2 servers: WFE & APP. From Central Administration, I can access the Metadata service normally, and see all the Enterprise keywords (System -> Keywords) in Metadata Term Store without an issue.

Okay, now let's have a look on ULS logs. I found errors & highlighted the important lines:

1) Error in Topology:
SharePoint Web Services Round Robin Service Load Balancer Event: EndpointFailure Process Name: UserProfileImport Process ID: 10560 AppDomain Name: UserProfileImport.exe AppDomain ID: 1 Service Application Uri: urn:schemas-microsoft-com:sharepoint:service:02cb72f4a15149bd848db2ba8ab1f055#authority=urn:uuid:235674f601ec4ef1ae9cb964c49bf0d6&authority=https://usascsppro03-nt:32844/Topology/topology.svc Active Endpoints: 1 Failed Endpoints:1 Affected Endpoint: http://usascsppro04-nt:32843/02cb72f4a15149bd848db2ba8ab1f055/MetadataWebService.svc

2) Then error in Manages Metadata service:
Failed to get term store for proxy 'Managed Metadata Service'. Exception: System.ServiceModel.ServerTooBusyException: The HTTP service located
 at http://usascsppro04-nt:32843/02cb72f4a15149bd848db2ba8ab1f055/MetadataWebService.svc is too busy.  ---> System.Net.WebException: The remote server returned an error: (503) Server Unavailable.   
 at System.Net.HttpWebRequest.GetResponse()    
 at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)     -
 -- End of inner exception stack trace ---    Server stack trace:    
 at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)   
 at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)   
 at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)   
 at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)   
 at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)   
 at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)   
 at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)   
 at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown
 at [0]:    
 at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)   
 at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)   
 at Microsoft.SharePoint.Taxonomy.IMetadataWebServiceApplication.GetServiceSettings(Guid rawPartitionId)   
 at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<ReadApplicationSettings>b__2e(IMetadataWebServiceApplication serviceApplication)   
 at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2c.<RunOnChannel>b__2b()   
 at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)   
 at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2c.<RunOnChannel>b__2a()   
 at Microsoft.Office.Server.Utilities.MonitoredScopeWrapper.RunWithMonitoredScope(Action code)   
 at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.RunOnChannel(CodeToRun codeToRun, Double operationTimeoutFactor)   
 at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.ReadApplicationSettings(Guid rawPartitionId)   
 at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.GetTermStoreId(Guid rawPartitionId)   
 at Microsoft.SharePoint.Taxonomy.Internal.DataAccessManager.GetTermStoreData(MetadataWebServiceApplicationProxy sharedServiceProxy)

3) Then a warning:
The managed Metadata Service ‘Managed Metadata Service’ is inaccessible.

Interestingly, when browsing the Metadata service in IIS:
- MetadataWebService.svc is not available in WFE server (HTTP Error 503)
- MetadataWebService.svs is available in APP server

Root Cause:

It appeared that this all related to an issue Managed Metadata service leading to the issue in SharePoint topology (load balancer) service officially known as "Application Discovery and Load Balancer Service Application".

The Managed Metadata service was setup to work on both WFE and APP servers. on WFE, the Metadata was not working as we saw the HTTP error 503. But that was not a problem since the other Metadata service works fine on the APP server, hence the perfectly fine keywords & user profile accessibility. However, the topology (load balancer) service was having an issue, because it basically round-robin requests to services if we have more than one server to offer these services. Since the Metdata data service is not working in WFE then it's end-point will not be valid. But topology service still thinks it is a perfectly valid end-point and keep trying to connect to the Metdata service through that faulty endpoint, until a connection time-out occurs and a 'server unavailable' exception is thrown in log.


  1. Stop the faulty Managed Metadata service (in this case on WFE) from CA             
  2. In some cases, you need to stop/start Metadata service on other server too to refresh the endpoints
  3. Stop then restart the application pool of faulty Topology application from IIS (in this case on WFE)
  4. Make sure all application pools are started normally


After applying steps above, the Metadata term store & User profiles work normally. Code able to read the values for JobTitle property for all users.

Useful resources:

April 7, 2014

Quick & Useful Site Permissions Report

In SharePoint 2010/2013, when Site Admin wants to view all site contents of a particular site, then he/she would see all site contents (securable objects) with permission details, to provide quick and easy permission reporting.

Here is how it looks in SharePoint 2010:

When clicking the 'unique lists' link:

And in SharePoint 2013:

Similar Work:
I found a similar idea here. Its nice but it only shows a true/false value for permissions fields, and it missed the '!' (not) sign and will display opposite permissions results! So I decided to build another much more detailed version.

How To:
By adding custom code to the OTB View All Items (_layouts/viewlsts.aspx) page:
- Added a permissions field to show type of site perms in different colors
- The field also displays info about unique items/lists/webs (if available) inside each item
- Unique items and lists are clickable to show the contents in popup window

1. From layouts folder, backup the original Viewlsts.aspx page, then copy and rename it for example: ViewlstsEx.aspx

2. Add couple namespace references to the page:
<%@ Import Namespace="System.Collections.ObjectModel" %>
<%@ Import Namespace="System.Collections.Generic" %>

3. Add new column in SharePoint:UIVersionedContent UIVersion="4" section
<th scope="col" class="ms-vh2-nofilter" style="white-space:nowrap; width:25%;"><SharePoint:EncodedLiteral runat="server" text="Permissions" EncodeMethod='HtmlEncode'/>

4. Add column content in the list's section (table cells after code if (!bShowSites)):
<td class="ms-vb2" width="25%" >
string ListPermOutput = "";
if (!spList.HasUniqueRoleAssignments) 
ListPermOutput = "<span style='color: green'>Inherited</span>";
ListPermOutput = "<span style='color: red'>Unique</span>";
  if (spList.GetItemsWithUniquePermissions().Count > 0)
string str1 = spList.ParentWeb.Url + "/_layouts/uniqperm.aspx?obj=" + spList.ID.ToString("B").ToUpper() + ",List&List=" + spList.ID.ToString("B").ToUpper();
string str2 = SPHttpUtility.EcmaScriptStringLiteralEncode(SPHttpUtility.UrlPathEncode(str1, false));
ListPermOutput += " with " + "<a onclick='" + "javascript:ShowPopupDialog(\"" + str2 + "\");' href='javascript:'>unique items</a>";
SPHttpUtility.NoEncode(ListPermOutput, Response.Output);

5. Add column content in the web's section (table cells after code foreach (SPWeb webToDisplay in webs)):
<td class="ms-vb2" width="25%" >
StringBuilder WebPermOutput = new StringBuilder();
if (!webToDisplay.HasUniqueRoleAssignments) 
WebPermOutput.Append("<span style='color: green'>Inherited</span>");
WebPermOutput.Append("<span style='color: red'>Unique</span>");

Collection<SPWebListInfo> UniqueObjects = webToDisplay.GetWebsAndListsWithUniquePermissions();
if (UniqueObjects.Count > 0)
List<string> UniqueSubWebs = new List<string>();
int UniqueSubWebsCount = 0;
int UniqueSubListsCount = 0;
foreach (SPWebListInfo item in UniqueObjects)
if (item.Type == Microsoft.SharePoint.SPObjectType.Web && item.HasUniqueRoleAssignments)
else if (item.Type == Microsoft.SharePoint.SPObjectType.List  && item.HasUniqueRoleAssignments)

string SubWebsResult = "";
if (UniqueSubWebsCount > 0)
 SubWebsResult = " unique webs" ;

string SubListsResult = "";
if (UniqueSubListsCount > 0)
string str1 = webToDisplay.Url + "/_layouts/uniqperm.aspx";
string str2 = SPHttpUtility.EcmaScriptStringLiteralEncode(SPHttpUtility.UrlPathEncode(str1, false));
SubListsResult += "<a onclick='" + "javascript:ShowPopupDialog(\"" + str2 + "\");' href='javascript:'>unique items</a>";

if (SubListsResult != "" && SubWebsResult == "")
WebPermOutput.Append(" with "); WebPermOutput.Append(SubListsResult);

else if (SubListsResult == "" && SubWebsResult != "")
WebPermOutput.Append(" with "); WebPermOutput.Append(SubWebsResult);

else if (SubListsResult != "" && SubWebsResult != "")
WebPermOutput.Append(" with "); WebPermOutput.Append(SubListsResult);
WebPermOutput.Append(" and "); WebPermOutput.Append(SubWebsResult);

SPHttpUtility.NoEncode(WebPermOutput, Response.Output);

The page is tested for SharePoint 2010, and SharePoint 2013.
Click here to download an example page viewlstsEx.aspx.

Have a nice SharePoint Administration!