Tony Rockwell – Info

sharepoinTony@info – Cloud Computing adventures

Archive for the ‘Administration’ Category

O365: How to setup Group Licensing

Posted by sharepoinTony on October 22, 2019

Summary: Azure Active Directory (AAD) Security Groups may have Licenses applied to them as long as they are “Static” – they cannot be a Dynamic group (one where members are dynamically included via a query). Static groups are defined as those with a Membership type of Assigned. This cannot be done in the O365 Admin Portal; the group must be created in AAD. All members of the group will have the assigned license applied to them. Using AAD Groups can simplify license management for your organization.


Log in and go to the Azure Active Directory portal. In the <Company> Overview section, select Groups and click New group.

Create the group – critical items are highlighted in this example

Notice that I am naming the Group very literally. As you work through these steps you will see that I actually changed the name of my group to be more easily recognized within AAD. I now use “LIC-” as a prefix to all groups created for licensing. This helps with the management of groups as well as providing a simple way to use the license groups you create. Search for “LIC” and you will find all of your license groups to work with.

I am using the following for the Group description: Members of this group will be assigned the “<insert official license name here>” license. This is not only uniform and descriptive, but it also leaves no room for error when any Global or Account manager is adding members to groups.

You must Select Owners before completing the creation of the group, but you can leave Members empty for now.

Click the Create button at the bottom of the page.

Then from the Groups-All groups page select the created group to open the Group blade. Note the group has been renamed to LIC-POLPremium from the rather long name initially used (Project Online Premium License Holders).

Select Licenses from the Manage menu  

In the Licenses blade, select Assign from the top, then expand the Configure required settings item to open the Products blade.

Then select the license for this group (Products).

Products blade

Click Select to return to the Assign License blade, then select Assignment options and select the desired options. 

NOTE that depending on the license, different Enabled Services may be required.  Attempting to save will generate an error if you don’t have correct items selected.  I discovered, for example, that for the Professional license you must select SharePoint in addition to one (or both) of the Project options.

Click OK in the License options blade.

Then click Assign in the Assign license blade. <don’t skip this step or no license will be assigned>

A small popup will appear in the top right displaying “Assigning licenses” and then will change to “Licenses assigned” briefly, then disappear.

If it errors you will see it in that small popup.  The error typically means the Enabled Services do not match the license requirement…at least that is to the best of my knowledge at this time.

Now you will see that the License is Active and has Enabled Services when you go to Groups and pull up the group you assigned the license to.

Now the AAD Security Group is ready to populate with users.

Click on the Groups-All groups breadcrumb at the top and only this new group should display. That is the behavior I found when I wrote this, but things change so you may need to search for your group.

Optionally, Search for “LIC” to see all license enabled groups.

Select the desired “LIC” group and then select Members.

From the Members blade you can “Add members” 

Spot Check & Verification

If desired you can verify by going to Users in AAD and select one of those that you added as a member to the group, check their Licenses and it should now display the license.  You will see that they have the same licenses assigned “directly” and “inherited” from groups.  This one should display as inherited.

Also note that if you have previously assigned a license directly and then set up a group and add these same people as members, you can ‘fix’ this to avoid duplicate licensing. Simply “Remove License” from the user, selecting the “Direct” license. The inherited license will remain and your user won’t even see a blip.


Active Directory (AD) Security groups can also have licenses assigned in AAD, thus you could create your license groups in your on-premises AD and still use the license assignment steps described above. This may work best for organizations that are continuing to manage their users within AD and may be more easily integrated into an IDM (Identity Management) system.

Also note that my screen shots and descriptions were done in the Government Community Cloud so your view may be different.
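The portal procedure and spot check above can also be scripted. This is an added example, not part of the original post, using the Microsoft Graph PowerShell SDK; the group name `LIC-POLPremium` and the description wording come from the post, while `$SkuPartNumber`, `$OwnerUpn` and `$EnabledPlans` are placeholders you must supply.

```powershell
# Added example (not from the original post): group-based licensing via Microsoft Graph PowerShell.
# Placeholders/assumptions: $SkuPartNumber, $OwnerUpn and $EnabledPlans are values you supply.
$GroupName     = 'LIC-POLPremium'       # "LIC-" prefix convention from the post
$SkuPartNumber = '<SKU-PART-NUMBER>'    # placeholder; list yours with Get-MgSubscribedSku
$OwnerUpn      = 'owner@example.com'    # placeholder; the post requires an owner at creation
$EnabledPlans  = @()                    # ServicePlanName values to enable; empty = all plans

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All', 'Organization.Read.All'

# Resolve the license (product) and fail early if the tenant does not own it.
$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq $SkuPartNumber
if (-not $sku) { throw "SKU '$SkuPartNumber' not found in this tenant." }

# Create the security group only if it does not exist. Omitting groupTypes yields
# Membership type "Assigned" (static), which is what the post calls for.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (@($group).Count -gt 1) { throw "More than one group is named '$GroupName'." }
if (-not $group) {
    $owner = Get-MgUser -UserId $OwnerUpn
    $group = New-MgGroup -BodyParameter @{
        displayName         = $GroupName
        description         = "Members of this group will be assigned the `"$SkuPartNumber`" license."
        mailEnabled         = $false
        mailNickname        = $GroupName
        securityEnabled     = $true
        'owners@odata.bind' = @("https://graph.microsoft.com/v1.0/users/$($owner.Id)")
    }
}

# "Assignment options" in the portal = enabled services. Graph expects the inverse list.
$disabled = @()
if ($EnabledPlans.Count -gt 0) {
    $disabled = @($sku.ServicePlans |
        Where-Object { $_.ServicePlanName -notin $EnabledPlans } |
        ForEach-Object { $_.ServicePlanId })
}
Set-MgGroupLicense -GroupId $group.Id -RemoveLicenses @() `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = $disabled }) | Out-Null

# Confirm the license is recorded on the group before adding members.
$check = Get-MgGroup -GroupId $group.Id -Property id, assignedLicenses
if ($check.AssignedLicenses.SkuId -notcontains $sku.SkuId) { throw 'License not on group.' }

# Spot check: per member, is the license inherited from this group, direct, or both?
Get-MgGroupMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    ForEach-Object {
        $u = Get-MgUser -UserId $_.Id -Property userPrincipalName, licenseAssignmentStates
        $s = @($u.LicenseAssignmentStates | Where-Object SkuId -eq $sku.SkuId)
        [pscustomobject]@{
            User      = $u.UserPrincipalName
            Inherited = [bool]($s | Where-Object AssignedByGroup -eq $group.Id)
            Direct    = [bool]($s | Where-Object { -not $_.AssignedByGroup })
            State     = ($s.State | Select-Object -Unique) -join ','
        }
    }
```

Rows where both `Direct` and `Inherited` are true are the duplicate assignments the post describes; removing the direct assignment leaves the inherited one in place.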



SP Foundation, Search Server Express & iFilters

Posted by sharepoinTony on February 17, 2011

I found conflicting information regarding compatibility between Search Server Express (SSE) and SharePoint Foundation when I started looking online.  Some said SSE couldn’t be installed on a server that already had SharePoint Foundation (SPF) running.  It also was rumored that pdf iFilters couldn’t be installed on SSE or SPF.

I hope this post clarifies some of these misconceptions, rumors, and general confusion.

What I Found

Quick Facts

(I hope I get ’em right, I don’t want to continue spreading confusion)

  • Search Server Express CAN be installed on top of an existing SPF install
  • PDF iFilters CAN be installed on SSE
  • iFilters CANNOT be installed on SPF alone
  • Installing SSE on a clean server DOES include SPF

More Info

You can find steps to Install Search Server 2010 Express which can be followed to install on a SharePoint Foundation 2010 server.  The only critical changes are:

  1. You must select the Server Farm installation (otherwise the SSE will try installing SPF)
  2. Do not select “Create a new server farm” after the SharePoint Products Configuration Wizard completes, and do not use the wizard to setup/configure your farm – Cancel to manually configure the farm.

After you have completed the installation you will have to configure search manually by following the Post-installation steps for Search Server 2010.  That isn’t ideal, but those steps are close enough that you should be able to work your way through successfully.

Final Steps – PDF iFilter

In addition to setting up the iFilters as described in a previous post about SharePoint 2010 PDF iFilters, I had to make the following registry change before I could get Search Server Express to return results that included PDF files.

  1. Start, Run… regedit
  2. Navigate to the following location:
    • \\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\14.0\Search\Setup\ContentIndexCommon\Filters\Extension

  3. Right-click Extension, a menu will appear.
  4. Click New–> Key to create a new key for .pdf (enter “.pdf” and Save, be sure to enter the dot)
  5. Click your new .pdf key, then right-click and Modify the Default (Name (Default) Type REG_SZ)
  6. Add {E8978DA6-047F-4E3D-9C78-CDBE46041603} as the Default Value, click OK
  7. You may also have to restart the SharePoint Server Search 14 service (I did)
  8. Start a Full Crawl to ensure your content is indexed now that the iFilter is configured


Security Advisory for ASP.NET updated for SharePoint 2007

Posted by sharepoinTony on September 28, 2010

The Microsoft SharePoint Team Blog lists WORKAROUND steps that should be taken for SharePoint Web Front Ends (WFE’s) to mitigate the vulnerability related to ASP.NET.
Follow the link above to find the steps for your version of SharePoint and implement this in your environment.  It only takes a few minutes!


Odd Profile Import from AD

Posted by sharepoinTony on September 23, 2010

I am running a clean install of MOSS 2007 SP2 on Windows Server 2008 R2, all patches/updates etc. have been applied (this was not an upgraded SP2003 server).

I have the following User Filter in place for the import from our Active Directory:


This should be filtering such that I import only people with the account type of User, which are not disabled, and do not have a blank value listed in Company.

What I get: SOME disabled accounts are imported into the User Profiles and appear in the User Information list, while others are not.

This is happening AFTER 3 or more Full Imports have run since the time the user accounts were disabled in AD.  All of the accounts are ‘disabled’ the same way in AD, right-click and choose disable. Looking at the menu via right-click on the account displays “enable” and looking at the properties shows that the accounts are disabled.

After searching and trying various things I did find one very interesting thing.  When the import is run using the domain administrator account rather than my SharePoint service account (which has read access to the AD) then all of the disabled accounts filter properly.  When I switch back and do a full import, then the rogue disabled accounts return to Active.  It is always the same accounts that do not filter and the same disabled accounts that do filter regardless of the user who runs the import.

There must be some kind of permission thing going on here, and I am still testing but this seems like an odd behavior that may have as its source Active Directory.  Updates to follow, if I ever find the final answer.


Restricting Site Templates

Posted by sharepoinTony on September 3, 2010

I had a group come to me recently that wanted to set up a subsite to their site and allow a group of users to create sites under that subsite.  Standard issue for SharePoint.  In this case they wanted those sites to all start out the same.  They had specific things such as two document libraries and a few other specific lists as the default when those sites get created.   Also standard issue for SharePoint…by simply creating a site template for the users to select they would get what they wanted.

This request didn’t specifically ask for the restriction of site templates, however since we have had numerous other similar requests we now have a lot of site templates available.  So…

To make everyone’s life a little easier I decided to restrict the subsites so the users could only use the template created for them.  The group manager was very happy; this made it very simple for them to find and thus the creation of their sites was a snap.

The trick to it all is getting to the Page Layout and Site Template Settings page.  This isn’t available to you at the Site level, it is only on the Site Settings menu at the Site Collection level (top-level site).  That doesn’t mean you can’t use it to accomplish this task.

After creating the desired site template, go to the site above (parent to) the site where you want the users restricted to specific templates.  Replace the aspx page portion of the url with


Make your adjustments to the site templates available to subsites in the Page Layout and Site Template Settings screen, then click OK.


SSO Tips

Posted by sharepoinTony on August 24, 2010

There are lots of blogs out there talking about the problems people have setting up SSO (Single Sign On) in SharePoint 2007 implementations.  There are also quite a few that run down the steps to do it and state that it is easy.  What is the disconnect between these two “camps” talking about SSO setup?

Well, one thing (IMHO) is that the ease of the process depends on YOUR environment and YOUR knowledge of what SSO is, how it works, and what you plan to do with it.  So my first (and most important) tip is take the time to learn about SSO and what you want to accomplish by using it before you attempt to configure it.

My other tips are:

Enterprise Application Definitions –

  • If you are planning to use Groups, create an Enterprise Application Definition for each group
  • Configuration steps often talk about creating a group for SSO Administrators and SSO Managers, these groups are NOT the groups you want to use here
  • The Account Type selection of Group is used when you want to connect to the data source using the same account for all users in the designated AD group.
    • For example, if you are going against an HR database and you have an AD group for HR managers who are allowed to see data from that source – SSO Enterprise Application Definitions let you map the group to an account with permissions to access that data, and that account will be used for everyone in the HR AD group
  • Things you cannot change for the Enterprise Application Definition after initial definition:
    • Account Type
    • Authentication
  • Authentication is not clearly described in many places, here are the basics:
    • Select the Windows authentication check box if your clients use Windows authentication when connecting to the external data source (if it is required)
    • Leave the Windows authentication check box unchecked if your data source allows mixed authentication, such as SQL Server does by allowing either SQL or Windows authentication
  • Make sure you log in to Central Admin with the “Enterprise Application Definition Administrator” account when you create your definitions, otherwise you will have problems
  • After you create a definition using the Account Type of Group, don’t forget to update the ‘account information for enterprise application definitions’ – this is where you enter the AD group that you want to map to a specific account for accessing the data source

Configuration –

  • Make your life easier and just create an SSO Administrator account, don’t try to use an existing account.  It can be done, but it also can get confusing
  • If you are in a small environment you should still create the SSO Administrators and Managers AD groups as suggested by Robert Bogue – it allows flexibility for you in the future without reconfiguring SSO
  • Follow Robert’s steps (link above) for the basic setup
  • Reference links:


Mapping Properties in SP2007 for Search

Posted by sharepoinTony on August 9, 2010

Search is really one of the most needed, if not most important, components of a corporate intranet based on SharePoint. Why? Because if you can’t find what you are looking for on the intranet, then the intranet is of little value. Regardless of whether or not you accept this concept as true, the fact is that improving the search capabilities of your SharePoint farm will increase usage and acceptance.

One of the things you can do to improve the search capabilities of your SharePoint farm is to make some (or all) of your site columns searchable in an Advanced Search page. I know, I know, you can already find content based on the data in your site columns when searching now. But how many documents are in your result set? And, can your users search for specific site column content? If you have created Content Types and Site Columns that your users understand, then they will likely want to search for specific content based on them.

Here are the steps to take to enable searching directly on your custom site columns from an Advanced Search. I created a new Advanced Search page, you could modify your Search Center Advanced Search page if so desired. To search by a column in any list or document library, you need to create a managed property and modify an Advanced Search box…and you will need to crawl your content to make it available.

So let’s get to it. My example is using a Site Column named “Product Name”.

Create a Managed Property

  1. Navigate to your SSP and select Search Settings
  2. Click on Metadata Properties under the Queries and Results section in the QuickLaunch
  3. Click on the Crawled Properties link in the tool bar
  4. Find your Site Column by typing it in the search box and clicking on the green & white arrow
  5. Capture the exact property name – in my case it is “ows_Product_x0020_Name”
  6. Go back to the Metadata Properties page
  7. Click on the New Managed Property link in the tool bar
  8. In the new form, please enter a name for the managed property, e.g. “ProductName”
  9. Select the correct data type, e.g. “Text”
  10. Click on the Add Mapping button to open up a “Crawled Property selection” WebPage dialog
  11. Type the name of your column in the “Crawled property name” field and click the “Find” button, e.g. type “Product”
  12. You will see the column name showing in the “Select a crawled property” list
  13. Select the appropriate column, e.g. “ows_Product_x0020_Name”
  14. Select the checkbox for Use in scopes if you plan to add this property to a Scope, otherwise leave it blank
  15. Press OK to complete the form
  16. Start a full crawl. This crawl will map column data to the managed property

We are halfway there, we now have a managed property that can be accessed by the Advanced Search web part.

Modify Advanced Search

To enable users to search for the column from the UI, you have to add the new property to the property drop-down in the Advanced Search web part they use.  Again, this can be any advanced search web part, however this only enables the web part you modify.  If you want users to select this property from any Advanced Search, you will have to modify each of them.

  1. Go to the search page (or your Search Center  & click on “Advanced Search”)
  2. Click on Site Actions and select Edit Page
  3. Click on “edit” and “Modify Shared Web Part” of your Advanced Search box
  4. On the right pane, find the Properties text box under Properties section (XML text box)
    • Advanced Search web part XML Properties

  5. Copy and paste the XML text into Notepad to edit the XML (I just think it is easier this way)
  6. Find the <PropertyDefs> node and add a new entry for your new Managed Property:
    • e.g. <PropertyDef Name="ProductName" DataType="Text" DisplayName="Product Name" />
    • The DisplayName attribute shows in the property drop-down
    • The PropertyDef Name is the Managed Property Name you created in Step 8 of Create a Managed Property, above
  7. Find the <ResultType> nodes and add a new entry:
    • e.g. <PropertyRef Name="ProductName" />
  8. Copy and paste the XML text from notepad back into the XML text box
  9. Click OK
  10. Test your handiwork:
    1. Check that the Properties drop-down menu has the property displayed
    2. Execute a search using the new property

Now your savvy users can search for content with laser accuracy and obtain search results that focus on what they want without having to sift through extraneous results.


Summary of SANSPUG meeting on 8/3

Posted by sharepoinTony on August 5, 2010

The new SANSPUG (San Diego SharePoint Users Group) is growing fast, and it was apparent at the August meeting held this week.  There were only a couple of empty seats and those in attendance engaged in many discussions and gained valuable tips on SharePoint.

The first session presented by Galen Keene on “Being a SharePoint Site Collection Administrator” was well received.  Galen did a great job of running down all of the menu items available to a 2010 SCA by keeping it informative, interactive and NOT a boring lecture just listing the menu items.  Kudos to Galen, especially considering this was his first user group presentation!

Chris Givens followed with an interesting session on “Using SharePoint Content Types Properly”.  His session included some live demos hosted on the SharePoint site.  Having a SharePoint 2010 site available to the user group proved its value tonight.   This informative session sparked discussions that intrigued everyone.  Chris adjusted on the fly and displayed live on the SP 2010 site several things people were asking about and seamlessly went right back on track with his presentation.  Excellent job Chris!

I think everyone learned something at this meeting, and seemed to enjoy both sessions.    We wrapped up with announcements about upcoming events that are in the planning stages, such as a SharePoint Exam Cram, a SharePoint Sprint, and a SharePoint Saturday in San Diego!

The San Diego SharePoint Users Group holds monthly meetings that are FREE to anyone interested in SharePoint.  The group has two levels of membership, a basic member just like any other user group and the other a paid member who desires access to additional (“Premium”) content and activities.  To learn more about upcoming meetings and events check out the site.  Registration on the site is free, which provides access to meeting presentations and more. 
