Archive

Archive for February, 2014

Fixed: SharePoint 2010 Calendars linked in Outlook 2010 Prompting for Credentials.

February 25, 2014

I recently ran into an issue where users were continuously prompted for credentials after linking SharePoint 2010 calendars to Outlook 2010. Every time a user clicked a linked SharePoint 2010 calendar within Outlook they were prompted to authenticate to a specific web front end server of the SharePoint farm. After troubleshooting I learned that SharePoint builds the URL it hands to the Outlook client from the web application's Alternate Access Mappings (AAM), trying the zones in this sequence:

Intranet zone URL
Default zone URL
Extranet zone URL
Internet zone URL
Custom zone URL

So by default a linked SharePoint 2010 calendar uses the URL in the Intranet zone AAM first and tries to authenticate there. If the Intranet zone holds a URL that users cannot reach or authenticate to, they are continuously prompted for credentials whenever they open the linked calendar in Outlook.

In my case the Intranet zone AAM pointed at a specific web front end server (http://servername:port), so Outlook was trying to authenticate to that URL and couldn't.

After removing the Intranet zone AAM and leaving that zone blank, SharePoint checks the Intranet zone, finds it empty, and moves down the list to the Default zone.

Once the Intranet zone AAM was removed, users were no longer prompted for credentials.

If you experience this issue, make sure the URL in your Intranet zone AAM resolves and is reachable, with working authentication, from your users' workstations; otherwise remove the mapping so the Default zone URL is used.
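The check I would run before touching the mappings, written as an added example for this post (it is not code from the original article): list the web application's alternate access mappings in the order SharePoint tries them for Outlook, report which URL Outlook will be handed, and then request that URL with the caller's Windows credentials the way a Windows-authenticating client does. The web application URL http://portal.example.com is an assumed placeholder; the first part needs the SharePoint 2010 Management Shell on a farm server, the second part is meant to be run from an ordinary workstation as one of the affected users.

```powershell
# Added example, not from the original post. Placeholder: http://portal.example.com

# Part 1: run in the SharePoint 2010 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Zone order described above: the first zone that has a mapping is the one Outlook uses.
$zoneOrder = "Intranet", "Default", "Extranet", "Internet", "Custom"

function Get-OutlookAamUrl($webAppUrl)
{
    $aams = Get-SPAlternateURL -WebApplication $webAppUrl
    $chosen = $null
    foreach ($zone in $zoneOrder)
    {
        # A zone can carry several incoming URLs; they all share one public URL.
        $aam = $aams | Where-Object { $_.Zone -eq $zone } | Select-Object -First 1
        if ($aam -eq $null)
        {
            Write-Host ("{0,-9} (no mapping, skipped)" -f $zone)
            continue
        }
        Write-Host ("{0,-9} {1}" -f $zone, $aam.PublicUrl)
        if ($chosen -eq $null) { $chosen = $aam.PublicUrl }
    }
    return $chosen
}

# Part 2: run from a user workstation, as an affected user, against the URL Part 1 reported.
function Test-PortalUrl($url)
{
    $req = [System.Net.WebRequest]::Create($url)
    $req.UseDefaultCredentials = $true   # offer the logged-on user's Windows credentials
    $req.Timeout = 15000
    try
    {
        $resp = $req.GetResponse()
        Write-Host ("{0} -> HTTP {1}" -f $url, [int]$resp.StatusCode)
        $resp.Close()
        return $true
    }
    catch [System.Net.WebException]
    {
        # A 401 after credentials were offered, a name that does not resolve, or a closed
        # port all land here; each of them is what makes Outlook keep prompting.
        Write-Warning ("{0} -> {1}" -f $url, $_.Exception.Message)
        return $false
    }
}

$outlookUrl = Get-OutlookAamUrl "http://portal.example.com"   # assumed placeholder
Write-Host "Outlook will use: $outlookUrl"
Test-PortalUrl $outlookUrl | Out-Null

# Remediation used in the post, once the Intranet mapping is confirmed as the culprit:
# drop it so the Default zone is used. Remove -WhatIf to apply the change.
# Get-SPAlternateURL -WebApplication "http://portal.example.com" -Zone Intranet | Remove-SPAlternateURL -WhatIf
```

Running Test-PortalUrl on the farm server as a farm administrator proves little, because that account can usually reach every front end by name; the prompt only reproduces with a user account from a workstation that cannot resolve or authenticate to the single-server URL.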

PowerShell Script to Send Email Notifications and Automatically Move and Disable SharePoint Users in Active Directory

February 3, 2014

While I'm very aware of Microsoft Forefront Identity Manager's (FIM) ability to handle SharePoint user provisioning, FIM is not yet set up in my environment, so for the time being I needed to create a PowerShell script to identify "stale" accounts in Active Directory for external users who have not authenticated to the portal in a given time. The policy is to notify users who have not authenticated to the portal in 50, 60, 80 and 90 days, and then move the identified users to a "disabled" OU in AD and disable their accounts. Below is the script I used to accomplish this.
The placeholder values are written in capitals (the OU paths, SMTP server, e-mail addresses, registration site URL and help desk contact); replace them with your own.

#---------------------------------------------------------------------------
# CONFIGURATION - replace the placeholder values below with your own.
#---------------------------------------------------------------------------

#AD path to the Portal Users OU in Active Directory
$PortalUsersOU = "LDAP://OU=OU,OU=OU,OU=OU,DC=DC,DC=DC"
#LDAP path to the disabled OU in Active Directory
$DisabledOU = "LDAP://OU=OU,OU=OU,OU=OU,OU=OU,DC=DC,DC=DC"

$emailFrom = "EMAIL FROM ACCOUNT"
$adminEmail = "EMAIL OF ACCOUNT OWNERS"
$smtpServer = "SMTP IP ADDRESS"
$registerUrl = "URL OF REGISTER SITE"
$helpDeskEmail = "HELP DESK EMAIL"

#Logons older than this many days count as inactive. The script assumes it is run once a
#day from a scheduled task: every threshold below is an exact-day match, so a missed run
#means the users who crossed a threshold that day are never notified or disabled.
$daysOld = 1

$today = Get-Date
$oldestValidLogon = $today.AddDays(-$daysOld)
$EmailSentDate = $today.ToString("MM-dd-yyyy")
#Warning date quoted in the day 50 and day 80 reminders: 10 days out from today
$warning = $today.AddDays(10).ToString("MM/dd/yyyy")

#.csv file to hold Portal users in AD
$logFile = "d:\Portal\PortalUsers_" + $EmailSentDate + ".csv"
#txt file of disabled Portal users
$DisabledEmailSent = "d:\Portal\Portal-DisabledUsers_" + $EmailSentDate + ".txt"
#txt file of deleted Portal users
$DeletedEmailSent = "d:\Portal\Portal-DeletedUsers_" + $EmailSentDate + ".txt"
#txt file of users moved to the disabled OU (appended to on every run)
$UsersToMove = "d:\Portal\UsersToMove.txt"

"DisplayName`tSamAccountName`tPhone`tMail`tDays InActive`tLastLogon`tDirectorate`tDN`tDescription" | Out-File $logFile
#Create both report files now so the admin e-mail at the end can always attach them,
#even on a day when no account was disabled or deleted.
New-Item -ItemType File -Path $DisabledEmailSent -Force | Out-Null
New-Item -ItemType File -Path $DeletedEmailSent -Force | Out-Null

#---------------------------------------------------------------------------
# HELPERS
#---------------------------------------------------------------------------

#First value of an attribute from a search result, or $null if the attribute is not set.
function Get-Prop($result, $name)
{
    $values = $result.Properties.Item($name)
    if ($values -eq $null -or $values.Count -eq 0) { return $null }
    return $values[0]
}

#Send one message through the SMTP server; $attachments is an optional list of file paths.
function Send-PortalMail($to, $subject, $body, $attachments = @())
{
    if ([string]::IsNullOrEmpty($to))
    {
        Write-Warning "No e-mail address for message '$subject'; nothing sent."
        return
    }
    $email = New-Object System.Net.Mail.MailMessage
    $email.From = $emailFrom
    $email.To.Add($to)
    $email.Subject = $subject
    $email.Body = $body
    foreach ($file in $attachments)
    {
        $email.Attachments.Add((New-Object System.Net.Mail.Attachment($file)))
    }
    $smtp = New-Object System.Net.Mail.SmtpClient($smtpServer)
    $smtp.Send($email)
    $email.Dispose()
}

#---------------------------------------------------------------------------
# SEARCH ACTIVE DIRECTORY
#---------------------------------------------------------------------------

$ADSearch = New-Object System.DirectoryServices.DirectorySearcher
$ADSearch.PageSize = 1000
$ADSearch.SearchScope = "Subtree"
$ADSearch.SearchRoot = [ADSI]$PortalUsersOU
#objectCategory=person excludes computer objects, whose objectClass also includes "user"
$ADSearch.Filter = "(&(objectCategory=person)(objectClass=user))"
foreach ($p in "distinguishedName", "sAMAccountName", "lastLogonTimeStamp", "displayName", "mail", "telephoneNumber", "description")
{
    [void]$ADSearch.PropertiesToLoad.Add($p)
}

$userObjects = $ADSearch.FindAll()

foreach ($user in $userObjects)
{
    $dn = Get-Prop $user "distinguishedName"
    $displayName = Get-Prop $user "displayName"
    $mail = Get-Prop $user "mail"
    $phone = Get-Prop $user "telephoneNumber"
    $sam = Get-Prop $user "sAMAccountName"
    $logon = Get-Prop $user "lastLogonTimeStamp"
    $description = Get-Prop $user "description"

    #Format $dn to be "readable" in the .csv file
    $Dir = $dn
    if ($dn -like "*OU=CAC_Accounts*") { $Dir = "CAC_Accounts" }
    elseif ($dn -like "*Disabled External Accounts*") { $Dir = "Disabled External Accounts" }
    elseif ($dn -like "*Non_CAC_Accounts*") { $Dir = "Non_CAC_Accounts" }

    #Get last logon time stamp. lastLogonTimeStamp is a FILETIME (100 ns intervals since
    #1601) and is only written back to AD when the stored value is more than 9 to 14 days
    #old (msDS-LogonTimeSyncInterval, default 14 days, minus a random offset), so the
    #inactivity figures below are accurate to roughly two weeks, not to the day.
    if ($logon -eq $null)
    {
        #Never logged on since the attribute existed: record it, send nothing.
        "$displayName`t$sam`t$phone`t$mail`t`tNever`t$Dir`t$dn`t$description" >> $logFile
        continue
    }
    $lastLogon = [DateTime]::FromFileTime([Int64]$logon)

    if ($lastLogon -lt $oldestValidLogon)
    {
        #Days inactive
        $inActive = ($oldestValidLogon - $lastLogon).Days

        switch ($inActive)
        {
            #-------------------------------------------------------------------
            #EMAIL USERS WHO HAVE NOT AUTHENTICATED TO THE PORTAL IN 50 DAYS
            50 {
                $body = "Hello $displayName,`r`n`r`nYou are receiving this email because you have not logged into the Portal in the last 50 days. You must login to the portal in the next 10 days or your account will be disabled on $warning.`r`n`r`nThank You."
                Send-PortalMail $mail "Portal Account Inactivity Reminder - Day 50" $body
            }
            #-------------------------------------------------------------------
            #EMAIL USERS WHO HAVE NOT AUTHENTICATED TO THE PORTAL IN 60 DAYS, MOVE AND DISABLE USER ACCOUNT
            #(day 61: the day after the deadline quoted in the day 50 reminder)
            61 {
                $body = "Hello $displayName,`r`n`r`nYou are receiving this email because you have not logged into the Portal in the last 60 days. Your account has been temporarily disabled.`r`n`r`nPlease go to $registerUrl for instructions on how to recover your CAC or username/password account. You can also contact the help desk via email at $helpDeskEmail if you have questions or need assistance.`r`n`r`nThank You."
                Send-PortalMail $mail "Portal Account Inactivity - Account Disabled" $body

                #MOVE USER TO DISABLED OU IN ACTIVE DIRECTORY AND DISABLE ACCOUNT
                $ADSPath = Get-Prop $user "adspath"
                "UsersToMove: " + $ADSPath >> $UsersToMove

                $AUser = [ADSI]$ADSPath
                #Disable first, then move: if the move fails the account is still disabled.
                $AUser.PSBase.InvokeSet("AccountDisabled", $true)
                $AUser.SetInfo()
                $AUser.PSBase.MoveTo([ADSI]$DisabledOU)

                "DisplayName " + $displayName + " - " + "Directorate " + $Dir >> $DisabledEmailSent
            }
            #-------------------------------------------------------------------
            #EMAIL USERS WHO HAVE NOT AUTHENTICATED TO THE PORTAL IN 80 DAYS
            80 {
                $body = "Hello $displayName,`r`n`r`nYou are receiving this email because you have not logged into the Portal in the last 80 days. You must recover and login with your account in the next 10 days or your account will be deleted on $warning.`r`n`r`nPlease go to $registerUrl for instructions on how to recover your CAC or username/password account. You can also contact the help desk via email at $helpDeskEmail if you have questions or need assistance.`r`n`r`nThank You."
                Send-PortalMail $mail "Portal Account Inactivity Reminder - Day 80" $body
            }
            #-------------------------------------------------------------------
            #EMAIL USERS WHO HAVE NOT AUTHENTICATED TO THE PORTAL IN 90 DAYS
            #(day 91: the day after the deadline quoted in the day 80 reminder)
            91 {
                $body = "Hello $displayName,`r`n`r`nYou are receiving this email because you have not logged into the Portal in the last 90 days. Your account has been deleted.`r`n`r`nIf you still require a portal account please go to $registerUrl to request a CAC or username/password account. You can also contact the help desk via email at $helpDeskEmail if you have questions or need assistance.`r`n`r`nThank You."
                Send-PortalMail $mail "Portal Account Inactivity - Account Deleted" $body

                #The account object itself is not removed by this script; the report entry
                #below is what the account owners act on.
                "DisplayName " + $displayName + " - " + "Directorate " + $Dir >> $DeletedEmailSent
            }
        }

        "$displayName`t$sam`t$phone`t$mail`t$inActive`t$lastLogon`t$Dir`t$dn`t$description" >> $logFile
    }
}
$userObjects.Dispose()

#---------------------------------------------------------------------------
#EMAIL ACCOUNT PROVISIONING ADMINS ON WHO WAS DISABLED OR DELETED, WITH ATTACHMENTS OF USERS AFFECTED.
#---------------------------------------------------------------------------

Send-PortalMail $adminEmail "Portal Accounts Report - Disabled and Deleted Accounts" "The following Portal accounts have been Disabled or Deleted. These users have been notified. Please see the attached files for the accounts affected." @($DisabledEmailSent, $DeletedEmailSent)