SharePoint 2010

Group Policy not applying to security filtered user or group


Came across an issue this week where a newly imaged computer would not apply group policies that were filtered to an Active Directory group. GPResult showed no reference of the group policy, but it did show that the user was in the correct AD group.


After much research, I found that Microsoft released a Security Update for Group Policy on June 14, 2016 ( This security update changes the way a client workstation reads the group policy. Prior to this update being installed, if a GP was a user policy, the policy would have been read by the current user’s credentials. Once the security update is applied to the client’s workstation, all group policies are read by the computer account.


To fix the issue, go to the group policy in which has security filtering and click on the Delegation tab. Click Add and add Authenticated Users with Read permission. Or, you can add Domain Computers with Read permission. Adding the permission under the Delegation tab with either method, only allows the computer accounts to read the policy to apply it based on the security filter. It will not apply to all authenticated users or domain computers.

SharePoint–Profile Pictures no longer show after MySite URL change

I was recently installed SharePoint 2013 and had it staged under a different hostname so that I could just migrate IP’s and create CNAME DNS records for minimal downtime. However I found that once I had everything swapped to the new server the profile photos wouldn’t work anymore and I kept getting error messages when running the User Profile Sync. The errors that showed up in the event log were from SharePoint Foundation and FIMSynchonizationService

Error: 8311 “An operating failed because the following certificate has validation errors. SSL policy error have been encountered. Error code ‘0x2’ ” – I found this issue to be related to the sync using the old URL but the web site in IIS had a different (correct) SSL certificate. Once I realized what was happening I deleted a CNAME DNS record I had “mysite2” and started getting the next error”

Error 6801: “The remote name could not be resolved: ‘’ – This is because I removed the CNAME DNS record.


To Fix

You need to use the trust tool Update-SPProfilePhotoStore and tell it of the change in Uri’s.

Update-SPProfilePhotoStore –MySiteHostLocation “” -OldBaseUri " Photos/Profile Pictures/" -NewBaseUri " Photos/Profile Pictures/"

An error occurred while processing the incoming e-mail The error was: Value cannot be null. Parameter name: stream.


Happen to have a calendar that is email enabled on SharePoint but calendar items aren’t being created from an email?

Check your ULS logs on your SharePoint server that and see if you have something similar to this error below:

An error occurred while processing the incoming e-mail file C:\Inetpub\mailroot\Drop\86d3c93401cab0ba0000002b.eml. The error was: Value cannot be null.  Parameter name: stream.    

This is most likely related to using an Exchange contact that forwards to your SharePoint calendars email address. Change Use MAPI rich text format to Never.



SharePoint 2010 Alerts – Daylight Savings Time (DST)


Are your alerts behind or ahead by an hour? Microsoft has created a PowerShell script to automatically update your alerts for daylight savings time.

You’ll want to make sure you’re running the script as a SharePoint administration from within the SharePoint Management Shell.

  1. Add the PowerShell script to the scope
    • . ./Invoke-AlertFixup.ps1 (make sure there is a period, space, period)
  2. Type Invoke-AlertFixup –site <URL> –oldurl <URL> (if using this script for DST, make sure the site URL and oldurl are the same.

SharePoint 2010: Unable to Display This Web Part. Error while executing web part: System.StackOverflowException: Operation caused a stack overflow.


This was caused by the XsltTransformTimeout when using an Xslt list view. This is corrected by installing the February 2012 Cumulative Update and by making the following change via PowerShell.

Check Current Setting

$farm = Get-SPFarm $farm.XsltTransformTimeOut

The default setting is 1 second. The PowerShell code below changes it to 5 seconds which should be sufficient.

Change Setting to 5 Seconds

$farm = Get-SPFarm $farm.XsltTransformTimeOut = 5 $farm.Update()

Schedule Update-SPProfilePhotoStore


Create a PowerShell script with the following. Make sure your MySite host location is correct.

Add-PSSnapin Microsoft.SharePoint.PowerShell Update-SPProfilePhotoStore -CreateThumbnailsForImportedPhotos 1 -MySiteHostLocation http://mysitehostlocation/MySite/

  1. Save the file as a .ps1 file on your SharePoint 2010 server – C:\Scripts\UpdateSPPhotos.ps1
  2. Create a daily scheduled task on the SharePoint 2010 server that runs at the SharePoint Farm Administrator account.
  3. Configure the action as follows
    • Program/script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    • Arguments: -NonInteractive -NoProfile -File “C:\Scripts\UpdateSPPhotos.ps1”


Find mail enabled lists in SharePoint

Open SQL Query Analyzer and run the following query against your WSS_Content database. This works in SharePoint 2007 and 2010.

SELECT Webs.FullUrl, AllLists.tp_Title, AllLists.tp_EmailAlias
FROM AllLists
Inner join webs on AllLists.tp_WebID = Webs.Id
where AllLists.tp_EmailAlias is not null

SharePoint 2010 Upgrade – Database Attach Method

There are several ways of upgrading to SharePoint 2010. I decided to go with the database attach method to ensure a clean install and make sure all my end users could still "view" the SharePoint 2007 web site.

My scenario was as follows..

SharePoint 2007 (Windows 2008 R2 64bit) was configured as a farm with a SQL 2005 64bit (Windows 2008 64bit) server. As you probably already know the SQL 2005 is not supported for SharePoint 2010. This was just another reason I decided to go with the database attach method.


Server Build

  1. Install Windows 2008 R2 64bit
    • Server Name: SHAREPOINT2010 – This name doesn’t matter as you’ll be using alternate access mapping later.
    • Install SharePoint 2010 Prerequisites via installation media – Must be connected to the internet
    • Add SMTP server via Server Roles – Used for relaying email. I’ll explain why I relay off of the SharePoint server later
    • Create domain account “SharepointProfSync” and give it administrative rights on the SharePoint 2010 server. This will late be removed.
  2. Install Windows 2008 R2 64bit
    • Server Name: SQL
    • Install SQL 2008 R2 64bit
  3. Install SharePoint 2010
    • This is just a default installation. There are many guides on how to do this on the internet.
  4. Install SharePoint 2010 Service Pack 1
    • Run SharePoint Configuration Wizard when finished to upgrade the databases
  5. Install SharePoint 2010 June 2011 Cumulative Update
    • Run SharePoint Configuration Wizard when finished to upgrade the databases
    • Restart SharePoint server
  6. Generate your certificate request from IIS and either send it to your third party certificate provider or generated your own from your certificate authority. This isn’t covered in this article.

Configure User Profiles

  1. System Settings > Manage Services > Server > Start User Profile Sync Service
    • Wait until it says the service is started
    • Once it’s been started, remove SharepointProfSync from the local administrators group.
  2. Central Administrator / Application Management / Manage Service Applications / User Profile Service Application
    • Configure Synchronization Connectors
      • Create New Connection
      • Name: "Company Name AD
      • Forrest: type fully qualified domain name and choose auto discover DC
      • Account Name: Create a domain account to use during replication. This account must have “Replicate Directory Changes” permission on the top level of the domain.
      • Select all or some OU’s
    • If you want to map additional properties you can do that now. I mapped Picture to AD attribute thumbnailphoto to import photos from active directory.
    • Start a Full Sync – This will take some time.

Configure Web Applications

I wanted my web application running on a different port than port 80 so that I could redirect port 80 HTTP traffic to port 443 SSL.

  1. Record content database name by going to Central Administrator > Application Management > Manage Content Databases
    • Make sure the web application in the top right hand corner shows the web application for port 80.
    • This content database name will be used when creating the new web application with the new port.
  2. Central Administrator / Application Management / Manage web applications
    • Click on the web application assigned to port 80 and click delete in the ribbon bar. Do not delete your central admin database.
      • Delete Content Databases – No
      • Delete IIS web sites – Yes
      • Click Delete
    • Delete the web application with port 80. Do not delete your central admin web app.
  3. At Manage web applications click New to create a new web app.
    • Create a new IIS web site – Label this whatever you would like I used SharePoint – 800
    • Port: 800
    • Host Header – Blank since we won’t be running more than one web app on this port
    • Path – Leave as default
    • Security Configuration – Choose your authentication provider. I chose NTLM.
    • Public URL – Leave default
    • Application Pool – Name this accordingly and choose which domain account you want to be running the app pool. This should be a domain account used only for the app pool without any permissions.
    • Database Server – Your SQL Server
    • Database Name – Type the database name that you recorded in step 1. Case Sensitive
    • Service Application Connections – default
    • Click OK
  4. At Manage web applications click on your new web application and click Extend.
    • Create a new IIS web site – Label this whatever you would like I used SharePoint – 443
    • Port: 443
    • Host Header – Blank since we won’t be running more than one web app on this port. – If you are going to have use SAN certificate, put in your FQDN host header here. I’ll explain this later as well.
    • Path – Leave as default
    • Security Configuration – Choose your authentication provider. I chose NTLM. Make sure you use select SSL.
    • Public URL – Make sure type the full qualified domain name here… and Zone: Internet
    • Click OK
  5. You should now be able to access your SharePoint 2010 system from both URL’s.

Configure Email

If you were to relay directly off your Microsoft Exchange server, one you would need to allow anonymous relay, and two you wouldn’t actually see the Active Directory Display Name when the email was received. Instead you would see the email address defined. Relaying the email off the SharePoint 2010 server which will then forward the email to your Exchange Server in an authenticated method providing the Display Name and not needed anonymous relay.

  1. Start > Run > services.msc
    • Set Simple Mail Transfer Protocol to Auto Start, and start the service.
  2. Open Internet Information Services 6.0
    • Right click SMTP Virtual Server and go to Properties
    • Access tab
      • Authentication
        • Check Integrated Windows Authentication
        • Check Anonymous Access
      • Relay Restrictions
        • Either select all except the list below, or add the IP address of the SharePoint 2010 server.
    • Delivery Tab
      • Outbound Security
        • Choose Integrated Windows Authentication
        • Browse and select a domain user for which you will use to send emails from SharePoint. You can use something like “SharePointNotification”
      • Advanced
        • Smart Host: Type the hub transport FQDN server name
        • Uncheck Attempt direct delivery before sending to smart host
    • Click OK
  3. Go back to SharePoint Central Administration > System Settings > Configure Outgoing E-Mail Settings
    • Outbound SMTP server: FQDN of SharePoint 2010 server
    • From address: Email address of domain user used for sending the email in Step 2
    • Reply-to address:Email address of domain user used for sending the email in Step 2
    • Character set: default
    • Click OK

Install Templates

Install any templates that you had installed on SharePoint 2007 on to SharePoint 2010. This isn’t covered in this article, but make sure your stsadm –o pre-upgradecheck is clean.


Content Transfer

Now it’s time to actually transfer the content from 2007 to 2010!

  1. Backup SharePoint 2007 databases.
    • Take a full SQL backup of the WSS_Content databases for your web application.
    • Put your SharePoint 2007 WSS_Content database in read-only mode so that end users can still view SharePoint 2007 but not make any changes during the content transfer.
    • Copy the backup to your new SQL 2008 server.
  2. Remove the existing content database from SharePoint 2010
    • Central Administration > Application Management > Manage Content Databases
      • Select the web application that we just created. (Port 800)
      • Click the WSS_Content database listed
      • Put a checkbox in remove content database and click OK
  3. Restore the backup of SharePoint 2010 on your SQL 2008 server.
    • Restore it as something meaningful: WSS_Content_Company_1
  4. Open SharePoint Management Shell
    • Run the following stsadm command to add the database to the web application
  5. Run an IIS Reset
  6. Your content has now been transfer to SharePoint 2010!

My Sites

Microsoft recommends (and is also good practice) that you host your MySite on a different web application as well as database. Some users just starting out with 2007 had them all together in their WSS_Content database. Here are instructions on how to move them to their own.

  1. Create a CNAME DNS record for your SharePoint 2010 server that uses a mysite name.
  2. Central Administrator / Application Management / Manage web applications
    • Create a new web application called SharePoint – MySite
    • Port: Whatever port you want to use. Use 443 if you are using a SAN certificate that includes the MySite URL.
    • Header: If you are using 443 then put the FQDN that you want to use. Example: If you aren’t using 443 then this can be left blank.
    • Database Name: WSS_Content_MySite_Temp (this is only temporary)
    • The rest of the options choose similar to the “Configure Web Application” of this article.
  3. Define two new managed paths for this web application
    • explicit inclusion – mysite
    • wildcard inclusion – personal
  4. Central Administrator / Application Management / Create site collections
    • Choose your mysite web application
    • Label it My Site Host
    • for the URL make sure it says /mysite leave the field after it blank
    • Select the Enterprise Template My Site Host
    • Visit the site and make sure you can view it. You will need to view it from a computer which is not the server unless you disable loop back check in the registry.
  5. Remove the content database from the mysite web application
  6. Add a new content database to your main SharePoint 2010 web application (port 800)
    • Name it WSS_Content_MySite
  7. Open SharePoint Management Shell
    • Run the following stsadm command to find all the personal sites in the current database
    • Open the MySites.xml file in Notepad and remove any sites that are not a personal site including the /mysite entry. Save the xml file when finished.
    • Move the personal sites to the new database
      • stsadm –o mergecontentdbs –url http://servername:800 –sourcedatabasename WSS_Content_Company_1 –destinationdatabasename WSS_Content_MySite –filename C:\MySites.xml –operation 3
    • When prompted run iisreset –noforce from the command prompt
    • Remove the WSS_Content_MySite content database from the http://servername:800 web application via Central Administration
    • Add the database to the MySite web application
      • stsadm –o addcontentdb –url –databasename WSS_Content_MySite  – Make sure you type your URL correctly. This depends on what you created in step 2.
  8. Duplicate step 4
  9. Create a site collection for the root of mysite web application. (This is for self-service site creation)
    • Choose Team Site
    • Path should just be /
  10. Central Administrator / Application Management / Manage Service Applications / User Profile Service Application > Setup My Sites
  11. Run full sync on user profiles
  12. Now you can update the profile photo store with the thumbnails that were imported from active directory

Keep an eye out for further SharePoint 2010 blogs