SharePoint 2013 Check Permissions function not working properly

I have been working on an issue for several weeks now together with Microsoft Support to investigate a case where the Check Permissions function in SharePoint 2013 is not returning correct information for several users.

Let me first describe the exact situation.

We have  a site collection with a standard team site template. We have setup the default SharePoint groups for defining access, such as the Visitors, Members and Owners groups. In these groups we are adding Active Directory groups. Pretty straight forward so far. As is expected, Active Directory users that are members of the added Active Directory groups have access to the SharePoint team site. No problem there. Those same users can do all actions that have been defined by the permissions as well.

So in normal circumstances, when we want to check the permissions for a user in a specific document library, we would expect something like the image below


Well, in my case the permission levels returned was “None” even though the user was a member of the “Team Members” group.

To make a long story short, the issue turned out to be caused by SidHistory. The customer had previously migrated its Active Directory users and groups to a new domain and used SidHistory during the migration. After the migration, these sidhistory attributes were not cleaned up properly by the Active Directory team.

Now, SharePoint does not behave well if you still have groups that have SidHistory attributes specified on them because SharePoint tries to resolve these SID’s which may not be possible anymore because the domain the original SIDD belongs to is no longer available. In this case SharePoint gives up on the call. Unfortunately no error message is returned is generated so no error is returned. Instead SharePoint shows “None” as the permission level as it did not receive a correct answer to the group membership resolution

Now to be sure that you are not experiencing the same issue, you need to verify all groups that the user you are having the same issue with is a member of and make sure that the sidhistory attribute is cleared. Also check nested group membership.

Hope this helps anyone.

For my customer’s case the issue was classified as a bug in SharePoint 2013



My Technet Gallery Scripts

It is not because I am not blogging that I am not busy 🙂

In the last months I have published several scripts to the Microsoft Technet gallery, that I want to summarize in this post:

1. Find Broken Inheritance in a SharePoint 2010 web application

This powershell script allows for enumeration through a SharePoint 2010 web application to identify all sites, document libraries, lists, folders and items for which the permission inheritance has been broken.

This script should be executed using a SharePoint 2010 Management Shell on one of the SharePoint servers in the farm with an account allowed to access all content.

2. Reset Broken inheritance in SharePoint 2010 site collection

this PowerShell script allows for resetting broken inheritance within a site collection. It will run through all subsites, lists, document libraries, folders and individual items, check if permission inheritance is broken and reset the inheritance.

3. Populate PictureUrl with values from CSV file

This PowerShell script allows you to populate the PictureUrl property of the User Profiles in SharePoint 2010 based on a provided CSV file, containing the username and the picture URL.

4. SharePoint document versions report

This script will generate a tab delimited text file with all the documents present is in the given web application in SharePoint 2010. It will list the documents, the size of the document, the number of versions, the sie of the versions and the total size. This report will enable you to identify large files throughout an entire web application and identify those files that have many versions and are basically eating up all your storage.

5. Find Connected Web Parts in Web application

This script locates all pages in an entire web application that uses connected web parts. the script runs through all the aspx pages in all document libraries of all sites in every site collection and checks if there are web part connections defined. If this is the case it will list the page and the provider and consumer web part title.

The script can easily be adapted to find specific web parts in an entire web application

6. Sync SharePoint 2010 User Profile PictureUrl attribute with AD attribute

This Powershell script allows you to synchronize an Active Directory custom attribute with the SharePoint 2010 user profile service application PictureUrl property. Usefull for companies that store picture url information in a custom attribute and want to replicate that information into SharePoint 2010. Normally this should be feasible by customizing the ForeFront Identity Manager used by the SharePoint 2010 User Profile Synchronization service, but this is not supported. The script can be easily customized to use a different extension attribute in Active Directory

Use this script in combination with a scheduled task on one of the SharePoint servers in the farm.

7. Find Web parts in SharePoint farm

he following powershell script will allow you to identify site collections where a given webpart is used. Very usefull during migrations when you have identified the web parts that cannot be upgraded and need to know where they are used. The script allows you to specify a scope of webapp or site collection to go through and look into the web part gallery to check if the web part is present.
Prerequisites for this script is having Powershell 2.0 deployed on the SharePoint 2007 server.
This post describes the implementation of rule based Active Directory groups (RBAG’s), maintained by a custom PowerShell script. The need for such rule based groups can vary. For example maintaining an Active Directory group that holds all members of a specific department can be challenging when no identity management system is available in the company. Hence the creation of this PowerShell script. The script allows for updating Active Directory groups based on a LDAP filter configured on specific Active Directory Groups.

Beware of /bin/ is SP2010 Url’s

Came across troubleshooting an issue with a site collection with the name bin. This site collection had a url like http://portal/sites/bin, making the default homepage http://portal/sites/bin/default.aspx. For some reason the site did not render and I got a HTTP 404 error. After analysis of the ULS logs not showing any trace of the request and the analysis of the IIS logs, I wnet looking for an answer on the interwebz. Stumbled upon the following article from Russ Michaels :

As it appears IIS 7 blocks access to urls where /bin/ is present in the Url.

The solution to this problem is to rename the site collection or remove the exception in the web.config of your web application as suggested by Russ.

I prefer the web.config approach on the web application level by adding the following section:

<?xml version="1.0"?>  
      <remove segment="bin" />  

How to change the language of a site in SP2010

Notice: the information in this post is not supported by Microsoft. The use of the method described below will revoke your support status for your environment. Use at your own risk

This question came up today and I remembered being able to change this for MOSS by changing the content database so I wondered if it would still work in SP2010.

Well, actually it does ….

The article I used as a source for MOSS can be found at

the only change to the original article is that the Table name has changed in SP2010. Here is the updated information:

The language of the site is stored at SP Web level. It is stored in database in the AllWebs table. So you need to change the language in database whatever language you want. To change the language in database you need to fire following Query:

For changing the language of all sites in to ‘Dutch’ language:
UPDATE dbo.AllWebs SET Language = 1043

Changing the language of one site collection: (Dutch language)
UPDATE dbo.AllWebs SET Language = 1043 WHERE SiteId = [[SiteCollectionId]]

Changing the language of a single web or subsite: (Dutch language)
UPDATE dbo.AllWebs SET Language = 1043 WHERE Id = [[WebId]]

Before applying the new language, you need to verify that the language pack for the language that you want to apply is installed on your machine or not.

Manage automatic propagation of variation pages

I was asked today to disable the automatic propagation of variation pages for one of our site collections. Immediately I checked the Technet article for this.

According to the Technet article I needed to execute the following Powershell scripts:

$site = Get-SPSite "<VariationURL>"
$folder = $site.RootWeb.Lists["Relationships List"].RootFolder
$folder.Properties.Add("DisableAutomaticPropagation", $true)

Unfortunately it didn’t work. for some reason the $folder variable was null
error message was:
You cannot call a method on a null-valued expression.
At line:1 char:23
+ $folder.Properties.Add <<<< ("DisableAutomaticPropagation", $true) + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeException + FullyQualifiedErrorId : InvokeMethodOnNull after a little bit of looking around in powershell I did come up with a workaround by loading the Relationships list in a separate variable, changing the script as follows: [sourcecode] $site = Get-SPSite "<VariationURL>" $list = $site.RootWeb.GetList("Relationships List") $folder = $list.RootFolder $folder.Properties.Add("DisableAutomaticPropagation", $true) $folder.Update() $site.Close() [/sourcecode] Hope this helps someone out 🙂

Update All Web Applications with Powershell

long time no post 🙂

just a quick post with a simple command. I needed to update all the Default Time zone settings for all the web applications in a SharePoint 2010 farm.

Here’s how to do it in a single command:
Get-SPWebApplication |Foreach-Object { $_.DefaultTimeZone = 3 ; $_.Update() }

The value 3 stands for the time zone (UTC +01:00) Brussels, Copenhagen, Madrid, Paris

Fix: Unable to activate worker process proxy object within the worker process (by Sven Häfker)

Encountered the same issue as described by Sven Häfker and for sure his fix did the trick

Sven Häfker’s post:
Fix: Unable to activate worker process proxy object within the worker process
We have encountered an issue that the Sandbox Worker Process (SPUCHostService.exe) of SharePoint 2010 wasn’t able to initialize itself on several servers. As a result Sandboxed Solutions couldn’t be used. We’ve found the following entries in the SharePoint ULS:

– Unable to activate worker process proxy object within the worker process: ipc://1787a8e0-45c3-48dc-9b3c-a60e8b4d6199:7000

– Error activating the worker process manager instance within the worker process.- Inner Exception: System.InvalidOperationException: Unable to activate worker processproxy object within the worker process: ipc://1787a8e0-45c3-48dc-9b3c-a60e8b4d6199:7000 at Microsoft.SharePoint.UserCode.SPUserCodeWorkerProcess.CreateWorkerProcessProxies() – Process creation/initialization threw an exception. Stopping this process.
“ipc://aec755bf-3ac8-4c2e-b5a4-9198b1bf027e:7000” – Stopping shim process. Shim process name: “SPUCWorkerProcess” Shim PID: “0x1868”
Shim service url: “ipc://aec755bf-3ac8-4c2e-b5a4-9198b1bf027e:7000” – Stopping proxy process. Proxy process name: “SPUCWorkerProcessProxy” Proxy PID:
“0x0AB0” Proxy service url: “ipc://1787a8e0-45c3-48dc-9b3c-a60e8b4d6199:7000” – Error activating the worker process manager instance within the worker process.

– Starting worker process threw – Inner Exception: System.InvalidOperationException: Unable to activate worker process proxy object within the worker process: ipc://1787a8e0-45c3-48dc-9b3c-a60e8b4d6199:7000 at Microsoft.SharePoint.UserCode.SPUserCodeWorkerProcess.CreateWorkerProcessProxies() – CreateSandBoxedProcessWorker() is called
– Created desktop: Service-0x0-2bea3589$\Microsoft Office Isolated Environment

After trying to fix the issue for several hours, we tried to disable the “Check for publisher’s certificate revocation”-setting for the Service Account of the Sandbox and this solved the issue. You can do this by changing the following key in the registry:

HKEY_USERS\[SID OF THE SERVICE ACCOUNT]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
The value of “State” needs to be set to “0x00023e00”.

You can get the SID of the Service Account with PowerShell:

$(Get-SPManagedAccount -Identity “THE SERVICE ACCOUNT”).Sid.Value

Getting rid of “Missing server side dependencies” MissingWebPart error in Health Analyzer for Central Admin – Update

Now that I am finalizing some of my farm installation I am starting to pay attention to those small issues reported by the Health Analyzer.

One of those errors in there is the following:

Title Missing server side dependencies.
Severity 1 – Error
Category Configuration
Explanation [MissingWebPart] WebPart class [8d6034c4-a416-e535-281a-6b714894e1aa] is referenced [2] times in the database [SP2010_ContentDB_CentralAdmin], but is not installed on the current farm. Please install any feature/solution which contains this web part. One or more web parts are referenced in the database [SP2010_ContentDB_CentralAdmin], but are not installed on the current farm. Please install any feature or solution which contains these web parts.

To get rid of this error you simply need to configure the SharePoint Foundation Search service though the Central Admin – Services on Server page on one of the servers in the farm.

Once this is configured, the error will go away.

UPDATE: on one of my other farms I noticed this error and configured the SharePoint Foundation Search service (which oddly enough once configured, changes its name to SharePoint Foundation Help Search)

a little more research and some Google results later I found an answer to this problem posted on the technet forums by John D Palm stating:
“This error will appear on a cleanly installed system in the Health Analyzer Reports until you visit the following pages:

These are: Central Administration, General Application Settings, Farm Search Administration and then Search Service Application.

Browse to them and the error will no longer appear in the Health Analyzer Report.”

I followed John’s advise and indeed the error went away just after having visited both these pages and hitting the Reanalyze now button on the alert.

So there you go

Change Locale of Site Variation Label in MOSS

Since some time, my customer had a nasty issue for which I did not see a solution at first. My customer is running its Intranet for years now on MOSS and uses a customized Publishing Portal with Site Variations in 3 languages, English, Dutch and French. The only problem with these Site variations is that the source Variation Label was created with the wrong Locale setting. The variation label was created with a name EN, language English (United States) , but with locale Dutch (Belgium) instead of English (United states).

Now when the hierachy was created, the subsite EN was created with the wrong locale. No problem there because you can change the locale of that particular subsite in the Site Settings – Regional Settings.

The problem my customer was facing is that clients targeting the root site collection and thus the Variation root site, where redirected to the wrong subsite if their browser had the locale Dutch (Belgium) defined. These client all ended up on the EN subsite instead of the Variation NL that was created with locale Dutch (Belgium).

The solution for this problem is to change the Locale in the Variation Labels in the root site. Unfortunately you cannot modify this value once the Variation Label is created (the field is greyed out). A possible solution would be to delete the Variation Label and recreate it. Because of the fact that this was the corporate intranet with lots of content on it, I did not feel very comfortable deleting the Variation Label, because this means you would have to delete the subsite as well before being able to recreate the Variation Label after which yould have to restore the subsite’s contents, etc. Furthermore the Variations system in MOSS is already very fragile and this would certainly break some other things.

Now after searching for a while and snooping around in the content database, I found out that these labels are stored in a hidden list in the Root site called, you’ll never guess, … “Variation Labels”. Now my trick for accessing this a hidden list by just typing the URL like Labels/AllItems.aspx did not work.

Powershell to the rescue!

I was able to access the list and change the locale value for the specific Variation Label with the following set of powershell commands:

#First Load SharePoint

#Connect to SPSite object
$site = New-Object Microsoft.SharePoint.SPSite("")

#Connect to root SPWeb
$web = $site.AllWebs |where -FilterScript { $_.Url -eq ""}

#Connect to Variation Labels list
$list = $web.Lists |where -FilterScript { $_.Title -eq "Variation Labels"}

#Get the List item for the Variation Label
$listitem = $list.Items |where -FilterScript { $_.Title -eq "EN"}

#Check the Value

#Modify the value to English (United States)
$listitem["Locale"] = 1033

#Dispose of objects

Now if you ever need to chaneg the locale value, then this script will help you out. The only thing you need to find out is the value for your specific language. What I did to find out the specific value was to create a new Variation Label on my test environment with teh locale I wanted and fetched that value with the exact same commands.

Out goes Community Server, in comes WordPress!

Welcome to WordPress. This is your first post. Edit or delete it, then start blogging! (in my case continue blogging )

This is the first post you get to see once you get WordPress going. I thought I’d leave it up here. I got more than enough of the spam mails getting in through my blog and not finding any way to implement a captcha thingy into the instance of Community Server I was running that I decided to give it a go to another blogging tool. Now for me the most important thing was how would I keep my original posts. Luckily I still found an export module to BlogML for Community Server 2008.5, which did the trick. Armed with that knowledge I gave a go at WordPress.

Hope you can live with it as much as I can 😉

I am still trying to figure out how to implement the exported permalinks, so if you got here through a Google/Bing or whatever search and didn’t find the original post you were looking for, just use the search function on this site and you will probably find that article you were looking for after all

For those of you wondering: I am running WordPress on an Apache webserver. Now how cool is that for a SharePoint consultant!