SharePoint 2013 Check Permissions function not working properly

I have been working on an issue for several weeks now together with Microsoft Support to investigate a case where the Check Permissions function in SharePoint 2013 is not returning correct information for several users.

Let me first describe the exact situation.

We have a site collection with a standard team site template. We have set up the default SharePoint groups for defining access, such as the Visitors, Members and Owners groups. In these groups we are adding Active Directory groups. Pretty straightforward so far. As expected, Active Directory users that are members of the added Active Directory groups have access to the SharePoint team site. No problem there. Those same users can also perform all actions that have been defined by the permissions.

So in normal circumstances, when we want to check the permissions for a user in a specific document library, we would expect something like the image below


Well, in my case the permission level returned was “None” even though the user was a member of the “Team Members” group.

To make a long story short, the issue turned out to be caused by SidHistory. The customer had previously migrated its Active Directory users and groups to a new domain and used SidHistory during the migration. After the migration, these SidHistory attributes were not cleaned up properly by the Active Directory team.

Now, SharePoint does not behave well if you still have groups that have SidHistory attributes specified on them, because SharePoint tries to resolve these SIDs, which may no longer be possible because the domain the original SID belongs to is no longer available. In this case SharePoint gives up on the call. Unfortunately no error message is generated, so no error is returned. Instead SharePoint shows “None” as the permission level, as it did not receive a correct answer to the group membership resolution.

Now, to be sure that you are not experiencing the same issue, you need to check every group that the affected user is a member of and make sure that the SidHistory attribute is cleared. Also check nested group membership.
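The check described above can be scripted. This is an added example, not part of the original post or of the Microsoft Support case; it assumes the ActiveDirectory PowerShell module is available, that the user and the groups live in the same domain, and the function names are hypothetical.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT); performs read-only queries.
Import-Module ActiveDirectory

function Get-TransitiveGroups {
    param([Parameter(Mandatory = $true)] [string] $MemberDn)

    # Escape characters that are special inside an LDAP filter value (RFC 4515),
    # backslash first so the escapes themselves are not escaped again.
    $dn = $MemberDn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: the domain controller
    # walks the member chain, so direct and nested groups come back in one query.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" -Properties SIDHistory
}

function Get-GroupsWithSidHistory {
    param([Parameter(Mandatory = $true)] [string] $SamAccountName)

    $user   = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup
    $groups = @(Get-TransitiveGroups -MemberDn $user.DistinguishedName)

    # The primary group (usually Domain Users) is not recorded in 'member',
    # so add it and the groups it is nested in explicitly.
    $primary = Get-ADGroup -Identity $user.PrimaryGroup -Properties SIDHistory
    $groups += $primary
    $groups += @(Get-TransitiveGroups -MemberDn $primary.DistinguishedName)

    # Keep only the groups that still carry SidHistory values.
    $groups |
        Sort-Object -Property DistinguishedName -Unique |
        Where-Object { $_.SIDHistory.Count -gt 0 } |
        Select-Object Name, DistinguishedName,
            @{ Name = 'SIDHistory'; Expression = { ($_.SIDHistory | ForEach-Object { $_.Value }) -join '; ' } }
}

# Usage ('jdoe' is a constructed account name):
# Get-GroupsWithSidHistory -SamAccountName 'jdoe' | Format-Table -AutoSize
```

An empty result means none of the user's direct or nested groups has SidHistory set; each row returned is a group to hand to the Active Directory team for cleanup.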

Hope this helps anyone.

For my customer’s case the issue was classified as a bug in SharePoint 2013.



My Technet Gallery Scripts

It is not because I am not blogging that I am not busy 🙂

In the last months I have published several scripts to the Microsoft Technet gallery, that I want to summarize in this post:

1. Find Broken Inheritance in a SharePoint 2010 web application

This powershell script allows for enumeration through a SharePoint 2010 web application to identify all sites, document libraries, lists, folders and items for which the permission inheritance has been broken.

This script should be executed using a SharePoint 2010 Management Shell on one of the SharePoint servers in the farm with an account allowed to access all content.

2. Reset Broken inheritance in SharePoint 2010 site collection

This PowerShell script allows for resetting broken inheritance within a site collection. It will run through all subsites, lists, document libraries, folders and individual items, check if permission inheritance is broken and reset the inheritance.

3. Populate PictureUrl with values from CSV file

This PowerShell script allows you to populate the PictureUrl property of the User Profiles in SharePoint 2010 based on a provided CSV file, containing the username and the picture URL.

4. SharePoint document versions report

This script will generate a tab-delimited text file with all the documents present in the given web application in SharePoint 2010. It will list the documents, the size of the document, the number of versions, the size of the versions and the total size. This report will enable you to identify large files throughout an entire web application and identify those files that have many versions and are basically eating up all your storage.

5. Find Connected Web Parts in Web application

This script locates all pages in an entire web application that use connected web parts. The script runs through all the aspx pages in all document libraries of all sites in every site collection and checks if there are web part connections defined. If this is the case it will list the page and the provider and consumer web part title.

The script can easily be adapted to find specific web parts in an entire web application

6. Sync SharePoint 2010 User Profile PictureUrl attribute with AD attribute

This PowerShell script allows you to synchronize an Active Directory custom attribute with the SharePoint 2010 user profile service application PictureUrl property. Useful for companies that store picture URL information in a custom attribute and want to replicate that information into SharePoint 2010. Normally this should be feasible by customizing the ForeFront Identity Manager used by the SharePoint 2010 User Profile Synchronization service, but this is not supported. The script can be easily customized to use a different extension attribute in Active Directory.

Use this script in combination with a scheduled task on one of the SharePoint servers in the farm.

7. Find Web parts in SharePoint farm

The following PowerShell script will allow you to identify site collections where a given web part is used. Very useful during migrations when you have identified the web parts that cannot be upgraded and need to know where they are used. The script allows you to specify a scope of web application or site collection to go through and look into the web part gallery to check if the web part is present.
The prerequisite for this script is having PowerShell 2.0 deployed on the SharePoint 2007 server.

This post describes the implementation of rule-based Active Directory groups (RBAGs), maintained by a custom PowerShell script. The need for such rule-based groups can vary. For example, maintaining an Active Directory group that holds all members of a specific department can be challenging when no identity management system is available in the company. Hence the creation of this PowerShell script. The script allows for updating Active Directory groups based on an LDAP filter configured on specific Active Directory groups.

SharePoint 2013 Login as a different user

Exciting days with the release of SharePoint 2013 beta. The first thing I noticed on a setup on one of my servers is that you no longer see the option to sign in as a different user. Apparently the link is either missing or has willingly been removed from the UI. A little comparison with an SP2010 environment shows that the actual link for signing in as a different user is /_layouts/closeConnection.aspx?loginasanotheruser=true.

Fortunately the link still works in SP2013, which might make me believe that the link has just been forgotten and will probably be back in the RTM release. If not, I guess the very first customization a lot of customers will ask for is to have the button back in the User menu.

Beware of /bin/ in SP2010 URLs

I came across this while troubleshooting an issue with a site collection with the name bin. This site collection had a URL like http://portal/sites/bin, making the default homepage http://portal/sites/bin/default.aspx. For some reason the site did not render and I got an HTTP 404 error. After analysis of the ULS logs, which did not show any trace of the request, and analysis of the IIS logs, I went looking for an answer on the interwebz. I stumbled upon the following article from Russ Michaels:

As it appears, IIS 7 blocks access to URLs where /bin/ is present in the URL.

The solution to this problem is to rename the site collection or remove the exception in the web.config of your web application as suggested by Russ.

I prefer the web.config approach on the web application level by adding the following section:

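<system.webServer><security><requestFiltering>
  <!-- request filtering stops rejecting /bin/ segments for the whole web application -->
  <hiddenSegments><remove segment="bin" /></hiddenSegments>
</requestFiltering></security></system.webServer>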

How to change the language of a site in SP2010

Notice: the information in this post is not supported by Microsoft. The use of the method described below will revoke your support status for your environment. Use at your own risk.

This question came up today and I remembered being able to change this for MOSS by changing the content database so I wondered if it would still work in SP2010.

Well, actually it does ….

The article I used as a source for MOSS can be found at

The only change to the original article is that the table name has changed in SP2010. Here is the updated information:

The language of the site is stored at the SPWeb level, in the AllWebs table of the database. So you need to change the language in the database to whatever language you want. To change the language in the database, run one of the following queries:

For changing the language of all sites in to ‘Dutch’ language:
UPDATE dbo.AllWebs SET Language = 1043

Changing the language of one site collection: (Dutch language)
UPDATE dbo.AllWebs SET Language = 1043 WHERE SiteId = [[SiteCollectionId]]

Changing the language of a single web or subsite: (Dutch language)
UPDATE dbo.AllWebs SET Language = 1043 WHERE Id = [[WebId]]

Before applying the new language, you need to verify that the language pack for the language that you want to apply is installed on your machine.

What Every SharePoint Admin Needs to Know About Host Named Site Collections by Kirk Evans

Been a while, busy busy busy …. what else 🙂

Just wanted to point out a very good article that sums up all you need to know about Host Named site collections in SharePoint 2010.

Find the original article by Kirk Evans at

Cumulative updates packaging changed for SharePoint 2010

While browsing the updates page on TechNet I found:

The packaging of cumulative updates changed as of August 31, 2011. The following packages are provided for cumulative updates:
• SharePoint Foundation 2010
• SharePoint Foundation 2010 + SharePoint Server 2010
• SharePoint Foundation 2010 + SharePoint Server 2010 + Project Server 2010
As a result of the new packaging, it is no longer necessary to install the SharePoint Foundation cumulative update and then install the SharePoint Server cumulative update.


Manage automatic propagation of variation pages

I was asked today to disable the automatic propagation of variation pages for one of our site collections. Immediately I checked the Technet article for this.

According to the Technet article I needed to execute the following Powershell scripts:

$site = Get-SPSite "<VariationURL>"
$folder = $site.RootWeb.Lists["Relationships List"].RootFolder
$folder.Properties.Add("DisableAutomaticPropagation", $true)

Unfortunately it didn’t work. For some reason the $folder variable was null.
The error message was:
You cannot call a method on a null-valued expression.
At line:1 char:23
+ $folder.Properties.Add <<<< ("DisableAutomaticPropagation", $true)
+ CategoryInfo : InvalidOperation: (Add:String) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull

After a little bit of looking around in PowerShell I did come up with a workaround by loading the Relationships list in a separate variable, changing the script as follows:

[sourcecode]
$site = Get-SPSite "<VariationURL>"
$list = $site.RootWeb.GetList("Relationships List")
$folder = $list.RootFolder
$folder.Properties.Add("DisableAutomaticPropagation", $true)
$folder.Update()
$site.Close()
[/sourcecode]

Hope this helps someone out 🙂

Remove HTTP Response Headers for internet facing SharePoint sites

If you are serious about publishing an internet-facing SharePoint site, you have to consider security. One of the first things a possible hacker will inspect are the HTTP response headers. I usually use the Firefox Developer toolbar to check the HTTP response headers of my SharePoint sites. (Information Menu -> View Response Headers)

Without cleaning the response headers you will see something like:

Connection: Keep-Alive
Expires: Mon, 23 May 2011 13:56:12 GMT
Date: Tue, 07 Jun 2011 13:56:13 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Cache-Control: private, max-age=0
Last-Modified: Tue, 07 Jun 2011 13:56:12 GMT
SPRequestGuid: 2ba6c04a-f3ca-40be-a543-7fb2448bd92e
X-SharePointHealthScore: 0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Transfer-Encoding: chunked
Content-Encoding: gzip
Vary: Accept-Encoding

200 OK

Now, what I needed removing was all the SharePoint stuff (SPRequestGuid, X-SharePointHealthScore), the ASP.NET stuff (X-AspNet-Version, X-Powered-By) and the server information (Server). Luckily I was not the first guy out there to do so and I used Stefan Goßner’s post as a lead to achieve what I wanted.

I ended up creating a custom HttpModule for removing the excess information in combination with adding a section to the web.config for the custom Headers added by SharePoint as they were not removed by the HttpModule after my initial testing.

Actions performed:
1. Create a folder named App_Code in the IIS folder of the SharePoint site where the headers need to be removed
2. Create a file with notepad named CustomHttpModule.cs
3. Edit with notepad:

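using System;
using System.Text;
using System.Web;

namespace Custom.ServerModules {
  public class CustomHttpHeaderModule : IHttpModule {
    public void Init(HttpApplication context) {
      context.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }
    public void Dispose() { }
    void OnPreSendRequestHeaders(object sender, EventArgs e) {
      // Assumed body: strip the headers seen in the dump above (needs the IIS 7 integrated pipeline).
      HttpResponse response = HttpContext.Current.Response;
      response.Headers.Remove("Server");
      response.Headers.Remove("X-AspNet-Version");
      response.Headers.Remove("SPRequestGuid");
      response.Headers.Remove("X-SharePointHealthScore");
    }
  }
}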

4. Save the file
5. Edit the web.config file of the SharePoint web application
– Add the custom module to the system.webServer section
– Have the custom headers removed

  <modules runAllManagedModulesForAllRequests="true">
    <add name="CustomHttpModule" type="Custom.ServerModules.CustomHttpHeaderModule" />
  </modules>
  <httpProtocol><customHeaders>
      <remove name="MicrosoftSharePointTeamServices" />
      <remove name="X-Powered-By" />
  </customHeaders></httpProtocol>

One remark though if you implement this. Removing the header MicrosoftSharePointTeamServices may break your search crawling. In my case I usually dedicate a web front end for crawling or have the Web application role activated on the crawler. Evidently this web front end does not get the custom httpmodule.
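To verify the result after deployment without a browser toolbar, the response can be checked from PowerShell. This is an added example, not code from the original post or from Stefan Goßner's article; the function name and the URLs in the usage comment are constructed, and the header list is taken from the dump and the web.config section above.

```powershell
# Added example. Uses only .NET classes, so it also runs on PowerShell 2.0.
function Get-IdentifyingHeaders {
    param(
        [Parameter(Mandatory = $true)] [string] $Url,
        # Header names taken from the response dump and the web.config section above.
        [string[]] $Names = @('Server', 'X-Powered-By', 'X-AspNet-Version', 'SPRequestGuid',
                              'X-SharePointHealthScore', 'MicrosoftSharePointTeamServices')
    )

    $request = [System.Net.WebRequest]::Create($Url)
    $request.AllowAutoRedirect = $false      # inspect the first response, not the redirect target
    $request.UseDefaultCredentials = $true   # only used if the site asks for Windows authentication

    try {
        $response = $request.GetResponse()
    }
    catch {
        # 4xx/5xx responses surface as a WebException (possibly wrapped by PowerShell).
        # They still carry headers and should be checked as well.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if (-not $ex -or -not $ex.Response) { throw }
        $response = $ex.Response
    }

    try {
        # Emit one object per identifying header that is still present.
        foreach ($name in $Names) {
            $value = $response.Headers[$name]
            if ($value -ne $null) {
                New-Object PSObject -Property @{
                    Status = [int]$response.StatusCode; Header = $name; Value = $value
                }
            }
        }
    }
    finally { $response.Close() }
}

# Usage (constructed URLs): check a normal page and a path that returns 404.
# 'http://www.example.com/', 'http://www.example.com/no-such-page.aspx' |
#     ForEach-Object { Get-IdentifyingHeaders -Url $_ }
```

No output means none of the listed headers was returned for that URL; run it against the dedicated crawl front end as well to confirm that MicrosoftSharePointTeamServices is still present there.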

Update All Web Applications with Powershell

Long time no post 🙂

Just a quick post with a simple command. I needed to update the default time zone setting for all the web applications in a SharePoint 2010 farm.

Here’s how to do it in a single command:
Get-SPWebApplication |Foreach-Object { $_.DefaultTimeZone = 3 ; $_.Update() }

The value 3 stands for the time zone (UTC +01:00) Brussels, Copenhagen, Madrid, Paris