
PowerShell Script: SharePoint Farm Creation


For a long time I have been meaning to rewrite the PowerShell script that I have been using to do my SharePoint farm creation and just haven’t gotten around to completing the necessary effort to make it all that I want it to be. I have leveraged the work of others, borrowing a piece here and a snippet there, but to be honest I haven’t been satisfied.

What I really wanted was a script that I can use in my consulting practice as a normalized practice of how a farm should be deployed as well as a script that I could use in the highly repetitive process of doing ITPro dev work. I wanted something that was flexible enough to use for client installs, but repeatable enough that I could use it in my dozens of farm builds that I do in my spare time for troubleshooting and fun.

Here are the key points of what I did differently with this script:

  1. uses temporary variables that can be accepted or overridden at the PowerShell command-line when the script is called
  2. validates that the pieces have been implemented correctly and gives information about which piece failed, rather than just throwing the ugly PowerShell errors that we are used to seeing
  3. validates that you are running PowerShell as Administrator to ensure that you won’t fail for that silly reason
  4. pulls the system & domain variables rather than having to set those parameters manually

I am happy to report that I was able to accomplish all of these things in my script and am happy to offer it up for others to use if you see fit. I highly recommend that you consider using the PowerShell profile that I laid out in my previous article “How to: Automatically log your PowerShell session everytime” so that you can, among other things, capture the output of building your farm.

There are very few people who can honestly say that they created their PowerShell scripts completely from scratch, and I am certainly not among them. Credit is due for snippets & reference to Shannon Bray, Gary LaPointe, Brian Lalancette, Todd Klindt, & I’m sure others. Special appreciation to Evan Riser for helping me QA this script. 

One last thing to note about this script… it does just what it says it does. It creates a SharePoint farm.  This is not an all inclusive build your farm & configure every setting script. If you are looking for the all inclusive, über build & configure script please go visit Brian’s codeplex project: AutoSPInstaller. There is no need for anyone to recreate the amazing work that he has done. 

The reason I create scripts like this is that I prefer to break my scripts down into pieces and keep them highly modular. This is partly because I consult on such a wide variety of projects that it makes my life easier to be able to deploy pieces at a time using different scripts. It also could be that I am a neurotic, lunatic control freak who is a bit over obsessed with developing in PowerShell for fun.  Hopefully it’s more the first thing than the second thing… 🙂

I will continue to publish the scripts that I find useful here in the hopes that it helps someone else along the way. You can find my SharePoint Farm Creation PowerShell script here on my SkyDrive.

How to: Create Active Directory Users using PowerShell


Not unlike several posts in recent weeks, tonight’s adventures in PowerShelling started from a conversation at SharePoint Saturday New Hampshire with the Iowan treasure Todd Klindt. The conversation was around the script that he used to create Active Directory users. I had my own bit of jumbled together code for this purpose, but his has some snazzy ifelse-ness to it and the ability to set Managers and add Pictures that made it especially appealing.

At the same time there were things in his script that I felt were a bit lacking and it led to the whole “I can write that code in 2 hours” game, not unlike a name-that-tune style geek-out.

Rather than reiterating all of the goodness that Todd built into his version of the script I will refer you to his post: to read all of his fun comments.

Instead I will regale you with the updates that I have made:

  1. Specify an OU – I am an old school AD guy at heart and I HATE a messy Users directory where I can’t find anything. I always end up moving my SQL & SharePoint Service accounts to their own OU, as well as my dummy test accounts. This tweak to the script asks you what OU you want the accounts created in and then will create the OU if it doesn’t already exist (given you have those rights). If you hit enter it will default to attempting to place the accounts in an OU called “SharePoint Service Accounts”.
  2. Prompt for the CSV input file – I have multiple files that I use in different dev environments for different purposes: a.) SQL service accounts b.) SharePoint service accounts c.) Dummy user accounts d.) Smart user accounts e.) etc, etc, etc. The script now prompts for which CSV file you want to import the users from. Hitting enter when prompted will look for a file called Users.csv in the local running directory.


  3. Change the default password – On Todd’s Netcast tonight he mentioned this little bit of code, however I hadn’t actually written it yet. Nothing like throwing down the gauntlet there, Mr. Klindt! In response I whipped up version 3.1 of the script which now allows you to change the default password as a variable when run. If you choose nothing it will default to the pass@word1 standard.

Here is a copy of the code:

# Script to create Active Directory accounts
# v3.1 11/26/2012
# Updated by Jason Himmelstein
# Based upon the script by Todd Klindt

# Add the Active Directory bits and not complain if they're already there
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

$OU = Read-Host -Prompt "Enter OU name you want. Press Enter for SharePoint Service Accounts"
If ($OU -eq "") {$OU = 'SharePoint Service Accounts'}
$FQDN = (Get-ADDomain).DistinguishedName

# Create the OU if it does not already exist
If ([adsi]::Exists("LDAP://OU=$OU,$FQDN") -eq $True) {
    Write-Host "The OU already exists" -ForegroundColor DarkGreen -BackgroundColor Gray
}
else {
    dsadd ou "ou=$OU,$FQDN"
}

$OU_specified = "ou=$OU,$FQDN"

# specify the file location
$csvfile = 'users.csv'
$userfile = Read-Host -Prompt "
Enter the location of the CSV file containing the users you want to import. Press Enter for $csvfile"
If ($userfile -eq "") {$userfile = $csvfile}

# set default password
# change pass@word1 to whatever you want the account passwords to be
$userpassword = Read-Host -Prompt "Enter default password you wish to set for all of these accounts. Press Enter for pass@word1"
If ($userpassword -eq "") {$userpassword = 'pass@word1'}
$password = (ConvertTo-SecureString $userpassword -AsPlainText -Force)

# Get domain DNS suffix (DNSRoot, e.g. contoso.com, not the distinguished name)
$dnsroot = '@' + (Get-ADDomain).DNSRoot

# Import the file with the users. You can change the filename to reflect your file
$users = Import-Csv $userfile

foreach ($user in $users) {
    if ($user.manager -eq "") { # In case it's a service account or a boss
        try {
            New-ADUser -SamAccountName $user.SamAccountName -path $OU_specified -Name ($user.FirstName + " " + $user.LastName) `
                -DisplayName ($user.FirstName + " " + $user.LastName) -GivenName $user.FirstName -Surname $user.LastName `
                -EmailAddress ($user.SamAccountName + $dnsroot) -UserPrincipalName ($user.SamAccountName + $dnsroot) `
                -Title $user.title -Enabled $true -ChangePasswordAtLogon $false -PasswordNeverExpires $true `
                -AccountPassword $password -PassThru
        }
        catch {
            Write-Output "Could not create user $($user.SamAccountName), $_"
        }
    }
    else { # Same as above, but also sets the manager
        try {
            New-ADUser -SamAccountName $user.SamAccountName -path $OU_specified -Name ($user.FirstName + " " + $user.LastName) `
                -DisplayName ($user.FirstName + " " + $user.LastName) -GivenName $user.FirstName -Surname $user.LastName `
                -EmailAddress ($user.SamAccountName + $dnsroot) -UserPrincipalName ($user.SamAccountName + $dnsroot) `
                -Title $user.title -manager $user.manager `
                -Enabled $true -ChangePasswordAtLogon $false -PasswordNeverExpires $true `
                -AccountPassword $password -PassThru
        }
        catch {
            Write-Output "Could not create user $($user.SamAccountName), $_"
        }
    }

    # Put picture part here.
    $filename = "$($user.SamAccountName).jpg"
    Write-Output $filename

    # If a <SamAccountName>.jpg file exists, store it as the account's thumbnail photo
    if (Test-Path -Path $filename) {
        Write-Output "Found picture for $($user.SamAccountName)"

        $photo = [byte[]](Get-Content $filename -Encoding byte)
        Set-ADUser $($user.SamAccountName) -Replace @{thumbnailPhoto=$photo}
    }
}

If you are looking for the downloadable PowerShell or text file version, please find them linked below. Happy PowerShelling!

powershell notepad
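
The script above reads the password with a plain Read-Host, which echoes it on screen, and falls back to one well-known value for every account. The following pre-flight checks are an added example, not part of the original script or of Todd Klindt's: they read the password masked, refuse an empty value, and validate the CSV before any account is created. The function names and the conservative SamAccountName allow-list are assumptions; the column names are the ones the script above reads.

```powershell
# Added example (not the original script): run these checks before the New-ADUser loop.
# Read-AccountPassword and Test-UserCsv are hypothetical helper names.
Import-Module ActiveDirectory -ErrorAction Stop

function Read-AccountPassword {
    # -AsSecureString masks the input and never creates a plain-text string
    $secure = Read-Host -Prompt "Enter the password to set for these accounts" -AsSecureString
    if ($secure.Length -eq 0) {
        throw "No password entered. Refusing to fall back to a well-known default."
    }
    return $secure
}

function Test-UserCsv {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -Path $Path -PathType Leaf)) { throw "CSV file not found: $Path" }
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "CSV file contains no rows: $Path" }

    # Every column the creation loop reads must be present
    $required = 'SamAccountName', 'FirstName', 'LastName', 'title', 'manager'
    $present  = $rows[0] | Get-Member -MemberType NoteProperty | Select-Object -ExpandProperty Name
    $missing  = $required | Where-Object { $present -notcontains $_ }
    if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

    $problems = @()
    $seen = @{}   # PowerShell hashtables are case-insensitive, like sAMAccountName
    foreach ($row in $rows) {
        $sam = $row.SamAccountName
        # Assumed allow-list, stricter than AD itself; 20 characters is the user sAMAccountName limit
        if ($sam -notmatch '^[A-Za-z0-9._-]{1,20}$') {
            $problems += "Invalid SamAccountName '$sam' (1-20 characters: letters, digits, '.', '_', '-')"
            continue
        }
        if ($seen.ContainsKey($sam)) {
            $problems += "Duplicate SamAccountName in CSV: $sam"
            continue
        }
        $seen[$sam] = $true
        # Safe to embed in the filter: the allow-list above excludes quote characters
        if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
            $problems += "Account already exists in the domain: $sam"
        }
    }
    if ($problems.Count -gt 0) { throw ("CSV validation failed:`n" + ($problems -join "`n")) }
    return $rows
}

$password = Read-AccountPassword            # SecureString, passed straight to -AccountPassword
$users    = Test-UserCsv -Path 'users.csv'  # throws before any account is touched
```

Because nothing is created until both calls succeed, a bad row no longer leaves a half-populated OU behind.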

When in doubt, check ALL the permissions…


Having just completed my last speaking engagement of 2012 it was time to get back into the swing of things and start playing with troubleshooting a bit. 

The dilemma

In a continuing effort to evolve my PowerShell build script for SharePoint I spent a few hours with my team playing with different settings.  One of my team members was driving to get better hands on experience with using PowerShell to configure SharePoint.

We started with the very standard PSConfig script that I have used hundreds of times in the past:
(I left out the variables to save some space)


The following error popped its ugly head up in PowerShell’s angriest color when attempting to run this initial farm configuration:

New-SPConfigurationDatabase : Requested registry access is not allowed.

The troubleshooting

Check permissions

Hackles went up immediately when the error was read out loud.  Prior to running the script we had just walked through several Security Best Practice checks, following Microsoft’s guidance in TechNet, partly to see if anything had changed recently (it hadn’t) and partly as a good refresher:

Account permissions and security settings (SharePoint Server 2010)

Plan administrative tasks in a least-privilege environment (SharePoint Foundation 2010)

Plan for administrative and service accounts (SharePoint Foundation 2010)

We went back and double-checked all of our settings and found that things were configured as prescribed.  The SharePoint install account had local administrator permissions on the SharePoint server and SecurityAdmin and DBCreator rights on the SQL server.

Examine the logs

We visited our Server Event Log and 14 Hive Logs folder but found no evidence that anything was in error.  In fact, no log entries were created at all…

Check the firewall rules

We validated that for this configuration, in a sandbox without external connections to the world, that the Windows Firewalls were turned off.

Check the connection between servers

Using the trusty Data Sources (ODBC) validation method we were able to make connection from the SharePoint server to the SQL server, and browse the available databases.

Get thyself to Google!

Completely perplexed at this point by an error that doesn’t make any sense due to the fact that the SharePoint install account was a local admin we went to our good friend Google and found, well to be honest a bunch of crap that didn’t help us in any way.  Lots of stuff for people who have lost access to Central Admin due to GPO changes, or had a driver go corrupt, or are trying to write to the registry using C# in, & even a forum about people having problems registering their car in Nebraska.

Review of Local Security Policies

One last-ditch effort to check the local security policy, to see if a new GPO had pushed down changes, turned out fruitless; however, one of the AD admins mentioned they had seen an issue similar to this once before they changed the User Account Control Settings (UAC).

The Root Cause

Not even thinking about it, my response to the UAC question was “There is no need to do that, you just right-click and launch as Administrator or use my PowerShell script to run as a different user.”

Upon examination of my team member’s screen it was revealed that PowerShell ISE had in fact been opened without being run as Administrator.  A costly lesson from a time perspective, but a good learning experience for a newbie at PowerShell for SharePoint.

The most troubling of all however was upon reexamination of the PowerShell error message we needed to only go 2 lines above the big red error message that we were troubleshooting on, to the plain black texted TRUE error: (highlighted here in yellow)


Unassuming and unnoticed as we troubleshot the obvious error, the line was thrown by the PSConfig.exe and not a bad PowerShell parameter which explains why PowerShell did not recognize it as an error.

The moral of the story…

Even after following every documented Best Practice out there, we still were able to find a way to cause an error.  While the UI was bad for the error that would have been useful to us, it was at least thrown in our faces.

The easy answer is to always make sure that you open PowerShell or PowerShell ISE as Administrator.  My personal preference is always going to be to log in to servers using a non-SharePoint privileged account and then elevate permissions to run in the context of a SharePoint Farm admin or service account, as demonstrated in my previous post which sets the run as Administrator for you.

Be sure when you are ready to do any SharePoint Admin work that you see the “Administrator:” in front of your PowerShell ISE path, like this:


At the end of a fun troubleshooting session we walked away with a new notch in our troubleshooter tool belt, a fun article to write, and a team member who will never forget to fire the RunAs flag ever again.
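
The elevation check described in this post (and listed as a feature of the farm creation script) can be placed at the top of any farm script so it fails fast with a readable message instead of "Requested registry access is not allowed". This is an added example, not the author's script; the function names and the `-ScriptPath` / `-Relaunch` parameters are hypothetical.

```powershell
# Added example (not the author's script): stop before any farm cmdlet runs in a non-elevated session.
function Test-IsElevated {
    # True only when the current token carries an enabled BUILTIN\Administrators group,
    # which under UAC means the session was started with "Run as administrator"
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Assert-Elevated {
    param(
        [string]$ScriptPath,   # hypothetical parameter: script to relaunch elevated
        [switch]$Relaunch
    )
    if (Test-IsElevated) { return }

    $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($Relaunch -and $ScriptPath) {
        # -Verb RunAs raises the UAC consent prompt and starts a new, elevated process
        Start-Process -FilePath 'powershell.exe' -Verb RunAs `
            -ArgumentList @('-NoExit', '-File', "`"$ScriptPath`"")
        throw "Session for $who was not elevated; relaunched $ScriptPath in an elevated window."
    }
    throw "Session for $who is not elevated. Start PowerShell or PowerShell ISE with 'Run as administrator' before running farm configuration."
}

# First line of work in the farm script: nothing below runs in a filtered (non-elevated) token
Assert-Elevated
```

On PowerShell 4.0 and later, `#Requires -RunAsAdministrator` at the top of a script gives the same fail-fast behaviour without any code.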

Review of the new storage “guidance” for SharePoint 2010 SP1


Rob D’Oria, father of StoragePoint, has written a very comprehensive review of the new storage “guidance” from Microsoft with regard to the limits on ContentDB size when using RBS/EBS.  It is a very long post, but completely worth reading from start to finish.

For a peek at what you can expect, here is a direct excerpt from one of my favorite sections:

Everyone hold on, here’s the super-hard backup/restore process you have to follow in this brave new world:


  1. Backup content database
  2. Backup BLOB store(s) referenced by content database


  1. Restore BLOB store(s) referenced by content database
  2. Restore content database

Did anyone pass out?  Anyone hyper-ventilating?  Anyone soil themselves?  I didn’t think so.  That’s the process in all of its complicated ugliness.  In this scenario the worst thing you end up with is some orphaned BLOBs…you have some extra BLOBs in the BLOB store back-up that are not reflected in the content DB backup because it was taken first.  Upon restoring these datasets the extra BLOBs are orphaned, but they will be garbage-collected if the EBS/RBS solution supports it.

And, oh by the way, this is your worst case scenario.

Please take some time and read Rob’s full post, which can be found here:

Connect with Rob on Twitter at @robdoria or on LinkedIn at

Rob’s opinions in his post of ISVs are his own.  I may or may not agree with everything he says, so be sure to rub a couple of brain cells together and form your own opinions.

The big news: Data Storage Changes for SharePoint 2010


I go on vacation for one week and they try to change the entire strategy on us, eh?  When I first started hearing rumbles about the changes announced by the Microsoft SharePoint Product Group via their blog it sounded like the world was completely changed and that all previously known storage strategies can be thrown out the window in favor of using RBS and storing whatever you want in the Content DB!

Happily that is not at all what was being said.  While the recommended limits have been revised by Microsoft to suggest that significantly more can be stored, the key word in the statement is CAN, not should.

Let’s examine a few telling things from the Product Group’s blog article:

For a SharePoint content database up to 4 TB you need to additionally plan for the following two requirements:

  • Requires disk sub-system performance of 0.25 IOPS per GB, 2 IOPS per GB is recommended for optimal performance.

  • Requires the customer to have plans for high availability, disaster recovery, future capacity, and performance testing.

  • And you need to review additional considerations in the TechNet Boundaries and Limits article.

What this part is suggesting to us is we can use a single mirrored set (RAID1) for a large content database and get what Microsoft is defining as “optimal performance” using a 15k RPM drive scenario (approximately 180 IOPS per drive).  Great if you are looking to get some separation and you are doing sequential I/O, however when you separate the BLOBs out of the ContentDB you aren’t doing sequential I/O anymore.

Office Web Apps Service Pack 1 is here!


It has almost gone overlooked, but Office 2010 and SharePoint 2010 are not the only products to get a Service Pack 1 release today.  I know that the Office Web Apps are a bolt-on to SharePoint 2010 and so they don’t get a whole lot of attention, but from an end user feature enhancement perspective, I am almost more excited about the Office Web Apps SP1 than anything else released today (Office 365 notwithstanding).

Sourced directly from Microsoft’s KB2460073:

Overview of Office Web Apps SP1 improvements

These are the key areas of improvement in SP1.

All Office Web Apps

  • OpenDocument Format (ODF) support:
    Lets you view and edit ODF documents in Office Web Apps.
  • Lets you use Office Web Apps with the Google Chrome browser.
  • Outlook Web App document attachment viewing (for Exchange Online only):
    Lets you view Office document attachments in the browser directly from Outlook Web App.
  • Lets you use Office Web Apps with Internet Explorer 9 in Native mode.

Word Web App

Lets you print Word documents from Edit mode (in addition to View mode).

Excel Web App

  • Added a Close button.
  • Lets you insert charts in Excel Web App.
  • Lets you copy and paste values and formulas by dragging the fill handle.

PowerPoint Web App

  • Lets you print presentations from PowerPoint Web App.
  • Lets you edit text in more shapes, not just placeholder shapes.
  • Lets you insert clip art in PowerPoint Web App. (By default clip art support is disabled. An administrator can decide to enable it.)

 It is important to keep in mind that Microsoft has already released the June 2011 Cumulative Updates that contain security patches important enough to be released simultaneously with these Service Packs, so be sure to install that as well.

Also, Microsoft has already released a list of known issues when installing Service Pack 1.  The Office Web Apps specific item, sourced directly from Microsoft’s KB2532126, is:

  • If Office Web Apps will be used in a mixed version environment, where Office Web Apps has SP1-or-later applied while SharePoint Server 2010 remains on the RTM version, you must install the following two updates before you install SP1 for Office Web Apps:
    • 2510639 Description of the SharePoint Server 2010 update: April 12, 2011

    • 2510648 Description of the Office Web Apps update: April 12, 2011

Here are the download links:

Service Pack 1 for Microsoft Office Web Apps 2010 (KB2460073)

Downloadable list of issues that the service pack fixes

SharePoint Foundation 2010 June 2011 CU (UPDATED)

SharePoint 2010 Service Pack 1 is here!


Today Microsoft released Service Pack 1 for SharePoint 2010, which is a rollup of all previous Cumulative Updates through April 2011, which means that deploying directly on top of RTM bits is supported, as well as a number of stability, performance, and security enhancements based upon customer feedback.  There is a detailed white paper about the Service Pack that can be found at this location.

CAVEAT: Microsoft strongly recommends installing the June 2011 Cumulative Update immediately after the installation of Service Pack 1. The June Cumulative Update includes several important security and bug fixes that are not included in SP1.

Here is the list of the new features in SP1:

· Support for SQL Server Code Name “Denali”

Anyone who has read any of my tweets or articles has probably noticed that I am a fan of Denali, so this is a huge feature for me.

· Shallow copy functionality

This new feature allows sites with externalized blobs to be moved from one contentdb to another without having to reinternalize the blobs using the Move-SPSite PowerShell cmdlet.

The white paper states:

In order to use shallow copy, you must have installed the Microsoft® SQL Server® 2008 R2 Remote Blob Store. The Remote Blob Store is included in the Microsoft® SQL Server® 2008 R2 SP1 Community Technology Preview Feature Pack (

There are a couple of things that jump out at me here that are concerning:

  1. The link doesn’t work
  2. SP1 supports functionality that is only available in SP1 CTP?  RBS is supported in SQL 2008 R2, does it work with that? (I fully intend to test this and post back, but it is a concern that I felt was worthy of raising)

I’m not getting all nervous about this just yet since this all just released today.  It will be interesting to see what comes of this over the next couple of days/weeks, but it is a VERY exciting feature if it works as advertised.

· Site recycle bin

Great feature to allow self recovery of Site Collections and Sites without having to revert to backups or third party tools.

· Improvements to storage management (StorMan.aspx)

Storage Space Allocation is huge when dealing with quota enforced sites.  This page, which was available in versions prior to 2010, allows end users to view their large files and determine what fat to trim to keep within their quotas.

· Cascading filters for Performance Point services

Quoted from the white paper: “New cascading filter support enables you to pass the value of one filter to another.”

· Additional browser support

Better support for Chrome

One more piece of really useful information to come out of the white paper:

Updated Windows PowerShell Commandlets

· NEW: Get-SPDeletedSite (SharePoint Server 2010)

· NEW: Remove-SPDeletedSite (SharePoint Server 2010)

· NEW: Restore-SPDeletedSite (SharePoint Server 2010)

· Move-SPSite (RBSProviderMapping parameter added) (SharePoint Server 2010)

Here are the download links:

Service Pack 1 for SharePoint Foundation 2010 (KB2460058)

Service Pack 1 for Microsoft SharePoint Server 2010 (KB2460045)

Downloadable list of issues that the service pack fixes

SharePoint Foundation 2010 June 2011 CU (UPDATED)

SharePoint Server 2010 June 2011 CU (UPDATED)

Now powered by SharePoint Foundation 2010


Since my world is already mostly SharePoint 2010, I figured it was time to move my blog from Blogger, which has been a great starter experience, to something I am more familiar with, SharePoint Foundation 2010.  I am blessed with many friends who had offered me space on their servers rather than needing to stand up another one at my house to worry about, and I finally took one of them up on the offer.

In the coming days you can expect some new content, but for tonight I am just excited to put the finishing touches on my conversion from Blogger to SharePoint.

SharePoint 2010 & Site Directory revisited: bug fix request rejected by Microsoft


We received the official, and well thought out, answer back from Microsoft regarding the Site Directory bug that I reported on with my post “SharePoint 2010 and the Site Directory” back in December 2010.
Here is the official answer from Microsoft:

Issue Summary
Site collection creation fails with access denied error when the master site directory site collection is located on a web application which is using the new claims aware authentication method.

Cause for Rejection and Technical Explanation
The Microsoft Office team has reevaluated this bug and unfortunately our initial decision still holds.  We realize that this causes a lot of inconvenience but the code change required is extremely large and introducing a change can leave behind a huge and unexpected bug trail.

The site directory feature has been deprecated in SharePoint 2010.

Site Directory provided site collection admins a central location where they can pin bunch of URLs with categories. Users could then browse through categories, view and access all URLs/sites associated with the site collection. In SharePoint 2010, social tagging provided a much richer way to categorize URLs, and we provided tag cloud web part for navigation. To avoid having two similar solutions, site directory was deprecated.

Please know we carefully review all Hotfix request because each code change that we implement must maintain or improve the quality and stability of the product.  We strive for this to ensure the continuing integrity of the code base and to maintain a supportable product. While we recognize the impact that this issue is having on you, we cannot compromise the stability of the product’s code base using the Hotfix process.

Alternative solution

1. Ensure that the master site directory site collection is located on a web application which is using classic windows authentication.

2. Disable master site directory setting and explore the capabilities of the new social tagging feature to categorize sites. Learn more about this new feature at ”Social tagging overview (SharePoint Server 2010)”

SharePoint 2010’s Visio Graphics Services: EventIDs 8061 & 8046 unmasked


Getting EventIDs 8061 & 8046 in your ULS Logs and Event Logs on your application server?  Having trouble figuring out exactly what they are trying to tell you?  Finding inconsistent results between site collections?  Let’s dive in…

Here are the offending errors:




TechNet tells us: quoting directly from the article linked here

Symptoms:   One or more of the following symptoms might appear:

  • A file or files might not load.
  • This event appears in the event log: Event ID: 8061 Description: File not found at this location: <file location>.
  • This event appears in the event log: Event ID: 8051 Description: Unable to parse file at location: <file location>.

Cause:   One or more of the following might be the cause:

  • A user might try to load a page that contains a Web Part that references a file that no longer exists or is invalid.
  • A user might try to view a Visio diagram that is corrupted.
  • A user might try to view an invalid Visio diagram.

Unfortunately this really doesn’t help you identify what the problem is or how to resolve it.

Here is what I discovered:

The common thread is the app pool.  Validate that the app pool that is being reported in the error is the same app pool that is hosting the Visio Graphics Services service. 


Next, using the PowerShell script provided in my previous blog article, How to: Get your Managed Account passwords when they are changed automatically by SharePoint 2010, get the password for the account running your Visio Graphics Services and head over to your Manage Service Applications and manage the Secure Store Service.  Find your Visio SSS entry and reset the credentials.



Once you have set the credentials you need to recycle the Application Pool on the application server.  In a standard OOB install look in SharePoint Web Services for the site that contains VisioGraphicsService.svc and view the basic settings to determine which app pool is being used by the site and recycle it.

After this is complete you should see all of your Visio Graphics Services rendering correctly.

Why the inconsistent behavior mentioned at the beginning of this article?  If you create a site after the SSS credential is invalid and you have a site that is still holding a valid SSS token then you will see one site (the new) be broken and one site (the old) working perfectly.  Just one of the fun anomalies we get to experience in the field.  

Once again, another issue finds its root cause in credentials management.  While SharePoint 2010 has brought us leaps and bounds further than any product previously released, we still must remain vigilant in our credentials management as Admins and Architects.  IMHO, planning for proper credentials management is almost as critical as DR planning, and often far more complex.