User permissions and permission levels in SharePoint 2013




https://technet.microsoft.com/en-us/library/cc721640.aspx


 


Use Windows PowerShell to control how external sharing invitations can be accepted



You can use Windows PowerShell to turn external sharing on or off. Using the SharePoint Online Management Shell, administrators can now enforce new controls over how external users accept invitations. When enabled, the RequireAcceptingAccountMatchInvitedAccount parameter requires external users to accept invitations with the email account with which they originally received the invitation.

  • If this parameter is not set or is set to null:   

    When a user shares with an external user, they enter an e-mail like stephen@contoso.com, and an email is sent to Stephen at stephen@contoso.com. When he attempts to accept the invitation (by clicking the link in the email), he can log in with any account he wants to use. For example, he could use stephen@contoso.com, stephen@live.com, or even dwight@contoso.com. The sharing email can be forwarded and accepted by anyone. This system ensures that external users who use email aliases or who do not have a Microsoft account or organization account are able to accept the invitation.

  • If this parameter is set to true:   

    The RequireAcceptingAccountMatchInvitedAccount parameter ensures that the user who receives the invitation is also the user who accepts it. If an invitation is sent to stephen@contoso.com, only a user who can log into stephen@contoso.com is able to accept the invitation. Any other email account displays an error page that directs the user to use the appropriate account.

https://support.office.com/en-us/article/Manage-external-sharing-for-your-SharePoint-Online-environment-c8a462eb-0723-4b0b-8d0a-70feafe4be85

https://technet.microsoft.com/library/fp161390

 

Using the SharePoint Online Management Shell, IT administrators can now require that all external sharing invitations be accepted only by the e-mail address that the content was originally shared with.

To enable this feature, run the Set-SPOTenant cmdlet and set the “RequireAcceptingAccountMatchInvitedAccount” parameter to true.

The parameter accepts two values: True or False.

True: The user must accept this invitation with bob@contoso.com.

False: When a document is shared with an external user, bob@contoso.com, it can be accepted by any user with access to the invitation link in the original e-mail.

Administrators who desire increased control over external collaborators should consider enabling this feature.

First, download and install the SharePoint Online Management Shell.

Then connect using the following command:

Connect-SPOService

When prompted, enter the URL of the Office 365 administration website, for example:

https://Domain-admin.sharepoint.com

You will then be asked for the SharePoint credentials to connect with, for example:

username@domain.com

Then run the following command to enable the setting:

Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true

To set the parameter back to null:

Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $Null

Set-SPOTenant reference: https://technet.microsoft.com/library/fp161390

Provision the Shared with Everyone folder in OneDrive for Business



 

Starting August 1st, 2015, the Shared with Everyone folder will no longer be provisioned for new users to accommodate some of the confusion and unintentional sharing that has resulted from this feature. Only new users will be affected by this change; existing users are not affected and can continue using the folder for organization-wide sharing.

If you want to restore the provisioned Shared with everyone folder when new users are created, perform one of the following procedures.

Recreate the “Shared with everyone” folder after a user is created

If you have only a handful of users and you want to recreate the Shared with Everyone folder, follow these steps.

  1. Instruct your users to navigate to OneDrive for Business.
  2. Create a folder called Shared with Everyone (or a similar name), following the same steps you would do to create a document from OneDrive for Business.
  3. Share the folder with everyone in the organization as explained in Share documents or folders in OneDrive for Business.

Repeat these steps for each new user you create.

Use Windows PowerShell cmdlet to restore “Shared with Everyone” provisioning

If you or your users don’t want to manually create the Shared with Everyone folder each time a new user is created and you want to restore the current functionality in Office 365, you can run the following Windows PowerShell cmdlet in SharePoint Online.

Set-SPOTenant -SharingCapability Disabled -ProvisionSharedWithEveryoneFolder $true


Ref: https://support.office.com/en-us/article/Provision-the-Shared-with-Everyone-folder-in-OneDrive-for-Business-6bb02c91-fd0b-42ba-9457-3921cb6dc5b2?ui=en-US&rs=en-US&ad=US
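The two tenant settings described above (RequireAcceptingAccountMatchInvitedAccount and ProvisionSharedWithEveryoneFolder), applied with a before/after check. This is an added example, not code from the original posts or from Microsoft; the admin URL is the placeholder used above, and $RestoreSharedWithEveryone is a hypothetical switch introduced here.

```powershell
# Added example. Placeholder admin URL: replace with your tenant's.
$AdminUrl = 'https://Domain-admin.sharepoint.com'

# Hypothetical switch: set to $true only if new users should again get
# the Shared with Everyone folder.
$RestoreSharedWithEveryone = $false

# Prompts for the SharePoint Online administrator credentials.
Connect-SPOService -Url $AdminUrl

# Record the current values so the change can be reviewed or reverted.
$props  = 'SharingCapability',
          'RequireAcceptingAccountMatchInvitedAccount',
          'ProvisionSharedWithEveryoneFolder'
$before = Get-SPOTenant | Select-Object $props
$before | Format-List

# Restricting who may accept an invitation only matters while external
# sharing is enabled for the tenant.
$externalSharingOn = $before.SharingCapability -ne 'Disabled'
if ($externalSharingOn -and -not $before.RequireAcceptingAccountMatchInvitedAccount) {
    Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true
}

# -SharingCapability is deliberately left out: passing "Disabled", as in the
# command above, also turns external sharing off for the whole tenant.
if ($RestoreSharedWithEveryone -and -not $before.ProvisionSharedWithEveryoneFolder) {
    Set-SPOTenant -ProvisionSharedWithEveryoneFolder $true
}

# Read the settings back and warn if the tenant is not in the intended state.
$after = Get-SPOTenant | Select-Object $props
if ($externalSharingOn -and -not $after.RequireAcceptingAccountMatchInvitedAccount) {
    Write-Warning 'External invitations can still be accepted with any account.'
}
if ($RestoreSharedWithEveryone -and -not $after.ProvisionSharedWithEveryoneFolder) {
    Write-Warning 'Shared with Everyone provisioning is still off.'
}
$after | Format-List

Disconnect-SPOService
```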


Kerberos authentication ticket


4768: A Kerberos authentication ticket (TGT) was requested

4771: Kerberos pre-authentication failed

Result codes:

| Result code | Kerberos RFC description | Notes on common failure codes |
|---|---|---|
| 0x1 | Client’s entry in database has expired | |
| 0x2 | Server’s entry in database has expired | |
| 0x3 | Requested protocol version # not supported | |
| 0x4 | Client’s key encrypted in old master key | |
| 0x5 | Server’s key encrypted in old master key | |
| 0x6 | Client not found in Kerberos database | Bad user name, or new computer/user account has not replicated to DC yet |
| 0x7 | Server not found in Kerberos database | New computer account has not replicated yet or computer is pre-w2k |
| 0x8 | Multiple principal entries in database | |
| 0x9 | The client or server has a null key | Administrator should reset the password on the account |
| 0xA | Ticket not eligible for postdating | |
| 0xB | Requested start time is later than end time | |
| 0xC | KDC policy rejects request | Workstation restriction |
| 0xD | KDC cannot accommodate requested option | |
| 0xE | KDC has no support for encryption type | |
| 0xF | KDC has no support for checksum type | |
| 0x10 | KDC has no support for padata type | |
| 0x11 | KDC has no support for transited type | |
| 0x12 | Client’s credentials have been revoked | Account disabled, expired, locked out, logon hours |
| 0x13 | Credentials for server have been revoked | |
| 0x14 | TGT has been revoked | |
| 0x15 | Client not yet valid – try again later | |
| 0x16 | Server not yet valid – try again later | |
| 0x17 | Password has expired | The user’s password has expired |
| 0x18 | Pre-authentication information was invalid | Usually means bad password |
| 0x19 | Additional pre-authentication required* | |
| 0x1F | Integrity check on decrypted field failed | |
| 0x20 | Ticket expired | Frequently logged by computer accounts |
| 0x21 | Ticket not yet valid | |
| 0x22 | Request is a replay | |
| 0x23 | The ticket isn’t for us | |
| 0x24 | Ticket and authenticator don’t match | |
| 0x25 | Clock skew too great | Workstation’s clock too far out of sync with the DC’s |
| 0x26 | Incorrect net address | IP address change? |
| 0x27 | Protocol version mismatch | |
| 0x28 | Invalid msg type | |
| 0x29 | Message stream modified | |
| 0x2A | Message out of order | |
| 0x2C | Specified version of key is not available | |
| 0x2D | Service key not available | |
| 0x2E | Mutual authentication failed | May be a memory allocation failure |
| 0x2F | Incorrect message direction | |
| 0x30 | Alternative authentication method required* | |
| 0x31 | Incorrect sequence number in message | |
| 0x32 | Inappropriate type of checksum in message | |
| 0x3C | Generic error (description in e-text) | |
| 0x3D | Field is too long for this implementation | |


Ref: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4768

Ref: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771
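One way to put the result codes to work when triaging 4768/4771 events: summarise failures per source address and mark sources that fail with 0x18 (bad password) or 0x6 (bad user name) for several different accounts. This is an added example, not code from the referenced pages; the sample records are constructed, and the property names, the function name and the threshold are assumptions.

```powershell
# Constructed sample records (not real log data). Assumption: the EventData
# fields of 4768/4771 events have already been projected into these properties.
$SampleEvents = @(
    [pscustomobject]@{ TargetUserName = 'alice'; IpAddress = '192.0.2.10'; Status = '0x18' }
    [pscustomobject]@{ TargetUserName = 'bob';   IpAddress = '192.0.2.10'; Status = '0x18' }
    [pscustomobject]@{ TargetUserName = 'carol'; IpAddress = '192.0.2.10'; Status = '0x6'  }
    [pscustomobject]@{ TargetUserName = 'dave';  IpAddress = '192.0.2.10'; Status = '0x18' }
    [pscustomobject]@{ TargetUserName = 'erin';  IpAddress = '192.0.2.20'; Status = '0x17' }
    [pscustomobject]@{ TargetUserName = 'frank'; IpAddress = '192.0.2.30'; Status = '0x12' }
    [pscustomobject]@{ TargetUserName = 'alice'; IpAddress = '192.0.2.40'; Status = '0x0'  }
)

# Notes taken from the result-code table above, keyed by numeric code.
$CodeNotes = @{
    0x6  = 'Bad user name, or account not replicated yet'
    0x12 = 'Account disabled, expired, locked out, logon hours'
    0x17 = 'Password has expired'
    0x18 = 'Usually means bad password'
}

function Get-KerberosFailureSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $UserThreshold = 3   # distinct accounts per source before review
    )
    # Status 0x0 is a successful request, so it is skipped.
    $Events | Where-Object { [int]$_.Status -ne 0 } | Group-Object IpAddress | ForEach-Object {
        # Failures that point at a wrong password or a wrong user name.
        $guess = @($_.Group | Where-Object { [int]$_.Status -in 0x18, 0x6 })
        $users = @($guess | ForEach-Object { $_.TargetUserName } | Sort-Object -Unique)
        $codes = $_.Group | Group-Object Status | ForEach-Object {
            $note = $CodeNotes[[int]$_.Name]
            if (-not $note) { $note = 'see table' }
            '{0} x{1} ({2})' -f $_.Name, $_.Count, $note
        }
        [pscustomobject]@{
            Source       = $_.Name
            Failures     = $_.Count
            Codes        = $codes -join '; '
            GuessedUsers = $users.Count
            Review       = $users.Count -ge $UserThreshold
        }
    }
}

Get-KerberosFailureSummary -Events $SampleEvents | Format-Table -AutoSize -Wrap
```

On a domain controller the input would come from Get-WinEvent filtered to event IDs 4768 and 4771 in the Security log, with the event data mapped to the three properties used here.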
