More Advanced WSS Administration

Now you know the basics of sites and how to control them. In this section, you learn the details about site groups, anonymous access, site templates, and how to activate the search feature in WSS.

SharePoint Groups

Previously, you learned that a user must be associated with a Permission Level role before he can access anything in SharePoint. The default Permission Levels are Read, Contribute, Design, and Full Control. The easiest way to grant a user permissions is to use any of the three SharePoint groups that automatically are created for each new SharePoint site configured to use its own security settings (i.e., each site that does not inherit its permissions from a parent site). The name for these SharePoint groups will start with the name of the site they belongs to, for example, if the site is named "ABC," the SharePoint groups will start with "ABC." Although these groups have been mentioned earlier, they are listed here as well, in this example for a site named "ABC":

• q ABC Visitors: This SharePoint group is associated with the Permission Level Read. Any member of this group can view, copy and print content in list and libraries, including previous versions, if any.

• q ABC Members: This SharePoint group is associated with the Permission Level Contribute. Members of this group can also add, modify, and delete lists and library content.

• q ABC Owners: This SharePoint group is associated with the Permission Level Full Control. Members of this group have full access to this site, and all its content, corresponding to a local site administrator.

Important

Not only are these SharePoint groups convenient for granting users access, but they also have some magic functionality when used in MOSS and its My Site. More about that in Chapter 5.

When necessary you can create new SharePoint groups. For example, if you need a group of users that can read content but also create subsites, none of the three default groups will allow that. But before you start creating this new group, you must first create a new Permission Level role that matches the permission you need, that is, Read plus Create Site, in this example. The following Try It Out demonstrates how you do this.

Try It Out Create New Permission Level Role

1. Log on as a SharePoint administrator and open the top site in this site collection.

2. Click People and Groups in the Quick Launch bar to display the Permission configuration page.

3. Click Site Permissions in the Quick Launch bar.

4. Click Settings Permission Levels. This will display all existing Permission Level roles.

5. You could now click Add a Permission Level and start defining the new permission level role needed. However, a smarter way is to copy the settings for the Read role and modify its detailed permission settings. So, click Read to open that role's detailed permissions. Scroll down to the end of that page, and click Copy Permission Level.

6. Enter a name for this Permission Level role, for example Super Reader. Next, enter a short description to explain the permissions for this role, then check the permission Create Subsites (under the headline Site Permissions). Click Create at the bottom of this page to save and close the form. The new permission level is now listed along the others, as shown in Figure 3-19.

Figure 3-19

Now you have the permission level you need for the new SharePoint group, so the next step is to create the new SharePoint group that will be associated with the Super Reader role, as explained in the following Try It Out.

Try It Out Create New SharePoint Groups

1. Log on as a SharePoint administrator, and open the site where you want to create the new SharePoint groups, for example http://srv1.

2. Click People and Groups in the Quick Launch bar, click next to the New button (but not on it) to open its menu, and then select New Group.

3. On the web form, enter these settings (see Figure 3-20):

   1. Name: Enter the name for this group, for example Team Site Super Readers. Try to use a descriptive name. A good idea is to use the same prefix as the default group's.

   2. About Me: Enter a description of this group.

   3. Group Owner: Define who can change the settings for this group, including its membership. By default, it will be the user who created the group.

   4. Group Settings: This section allows you to define who can view the membership of this group and who can edit its membership.

   5. Membership Requests: This section allows you to define whether users can request to join and leave this group. The default setting is No. If you set this option to Yes, you can also define what e-mail address any request will be sent to. This could also be a mail group, such as Support@filobit.com.

   6. Give Group Permission to this Site: In this section, you will see the newly created permission level Super Reader. Check it, and click Create.

4. This new SharePoint group is now listed along the other groups on the People and Groups page. You can now start adding users and security groups to it. Initially, it will only contain one member - the user that created the group.

5. Optional: If you need to modify the permission level for this particular group, select the group so that its members is displayed, then use the menu Settings Group Settings, and you will see the same configuration form as when you created this group. Make whatever modification is needed, and then click OK. Notice that this page also has a button for deleting this group.

Figure 3-20

In the following tables, you can see all the default permission levels and their exact settings. Knowing this information can be useful if you start changing these site groups and want to restore the default settings. Unfortunately, there is no such thing as a Restore Default button, so be careful if you need to change these settings.

Open table as spreadsheet

Permission Level: Read	Description
View Items	View items in lists, view documents in document libraries, view web discussion comments, and set up e-mail alerts for lists.
Open Items	View the source of documents with server-side file handlers, for example open files and documents in a library.
View Versions	View past versions of a list item or document.
Create Alerts	Create e-mail alerts.
View Application Pages	View forms, views, and application pages. Enumerate lists.
Use Self-Service Site Creation	Create a web site using Self-Service Site Creation.
View Pages	View pages in the current web site.
Browse User Information	View information about users of the web site.
Use Remote Interfaces	Use SOAP, WebDAV, or SharePoint Designer interfaces to access the web site.
Use Client Integration Features	Use features that launch client applications. Without this permission, users will have to work on documents locally and upload their changes.
Open	Allows users to open a web site, list, or folder in order to access items inside that container.
Manage Lists	Create and delete lists, add or remove columns in a list, and add or remove public views of a list.
Override Check Out	Discard or check in a document that is checked out to another user.
Add Items	Add items to lists, documents to document libraries, and web discussion comments.
Edit Items	Edit items in lists, edit documents in document libraries, edit web discussion comments in documents, and customize web part pages in document libraries.
Delete Items	Delete items from a list, documents from a document library, and web discussion comments from documents.
View Items	View items in lists, view documents in document libraries, view web discussion comments, and set up e-mail alerts for lists.
Approve Items	Approve a minor version of a list item or document.
Open Items	View the source of documents with server-side file handlers, for example open files and documents in a library.
View Versions	View past versions of a list item or document.
Delete Versions	Delete past versions of a list item or document.
Create Alerts	Create e-mail alerts.
View Application Pages	View forms, views, and application pages. Enumerate lists.
Add and Customize Pages	Add, change, or delete HTML pages or web part pages, and edit the web site using a Windows SharePoint Services–compatible editor.
Apply Themes and Borders	Apply a theme or borders to the entire web site.
Apply Style Sheets	Apply a style sheet (.CSS file) to the web site.
Browse Directories	Browse directories in a web site, for example document libraries.
View Pages	View pages in a web site.
Browse User Information	View information about users of the web site.
Use Remote Interfaces	Use SOAP, WebDAV, or SharePoint Designer interfaces to access the web site.
Use Client Integration Features	Use features that launch client applications. Without this permission, users will have to work on documents locally and upload their changes.
Open	Allows users to open a web site, list, or folder in order to access items inside that container.
Edit Personal User Information	Allows a user to change his or her own user information, such as adding a picture.
Manage Personal Views	Create, change, and delete personal views of lists.
Add/Remove Personal Web Parts	Add or remove personal web parts on a web part page.
Update Personal Web Parts	Update web parts to display personalized information.

Open table as spreadsheet

Permission Level: Full Control	Description
Manage Lists	Create and delete lists, add or remove columns in a list, and add or remove public views of a list.
Override Check Out	Discard or check in a document that is checked out to another user.
Add Items	Add items to lists, documents to document libraries, and web discussion comments.
Edit Items	Edit items in lists, edit documents in document libraries, edit web discussion comments in documents, and customize web part pages in document libraries.
Delete Items	Delete items from a list, documents from a document library, and web discussion comments from documents.
View Items	View items in lists, view documents in document libraries, view web discussion comments, and set up e-mail alerts for lists.
Approve Items	Approve a minor version of a list item or document.
Open Items	View the source of documents with server-side file handlers, for example open files and documents in a library.
View Versions	View past versions of a list item or document.
Delete Versions	Delete past versions of a list item or document.
Create Alerts	Create e-mail alerts.
View Application Pages	View forms, views, and application pages. Enumerate lists.
Manage Permissions	Create and change permission levels on the web site and assign permissions to users and groups.
View Usage Data	View reports on web site usage.
Create Subsites	Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites.
Manage Web Sites	Grants the ability to perform all administration tasks for the web site as well as manage content.
Add and Customize Pages	Add, change, or delete HTML pages or web part pages, and edit the web site using a Windows SharePoint Services– compatible editor.
Apply Themes and Borders	Apply a theme or borders to the entire web site.
Apply Style Sheets	Apply a style sheet (.CSS file) to the web site.
Create Groups	Create a group of users that can be used anywhere within the site collection.
Browse Directories	Browse directories in a web site, for example document libraries.
View Pages	View pages in a web site.
Enumerate Permissions	Enumerate permissions on the web site, list, folder, document, or list item.
Browse User Information	View information about users of the web site.
Manage Alerts	Manage alerts for all users of the web site.
Use Remote Interfaces	Use SOAP, WebDAV, or SharePoint Designer interfaces to access the web site.
Use Client Integration Features	Use features that launch client applications. Without this permission, users will have to work on documents locally and upload their changes.
Open	Allows users to open a web site, list, or folder in order to access items inside that container.
Edit Personal User Information	Allows a user to change his or her own user information, such as adding a picture.
Manage Personal Views	Create, change, and delete personal views of lists.
Add/Remove Personal Web Parts	Add or remove personal web parts on a web part page.
Update Personal Web Parts	Update web parts to display personalized information.

Taking some time to study the preceding tables will help you understand what permission level a SharePoint group, user, or security group should be associated with. Also notice that only the Full Control permission level is allowed to create new subsites in an existing top site. It is common for organizations to request that users with the permission level Contribute be able to create subsites. This is easy to fix: Simply modify the Contribute permission level and add the right Create Subsite to it.

However, this might not be such a brilliant idea, after all. Imagine that six months after this modification, a new SharePoint administrator joins your team. She notices that several users can create subsites, although they are just granted the Contribute permission level. Because she knows that this level should not have the right to do this, she starts to troubleshoot the WSS environment. You get the idea, right? Changing default and well-known permission level roles is just asking for confusion later. Or worse, imagine some administrator adding the Add Item ability to the Read permission level! This would then give users with Read level the ability to also create new items, such as documents and contacts, although the name Read clearly implies read access only. This could easily confuse administrators later on. Best practice is instead to create a new permission level. Fortunately, there is a way to copy existing permission level settings, as described in the previous Try It Out, "Create New Permission Level Role," so adding a new permission level role is an easy task.

Anonymous Access

In some situations, you need to allow anonymous users access to a web site. You should think hard about this before you open up SharePoint - or anything else, for that matter - to everyone. Or perhaps you want to open WSS to all users in your organization, which is different from opening it up to anonymous users. In the following section, you will find the steps on how to perform both of these configurations.

Opening WSS Sites for Every User in Your Organization

The important thing to understand here is that you can grant access to all users who log on; that is, they all have logged on using user accounts in Active Directory and have been authenticated. This is not the same as opening the SharePoint environment to anonymous access! Windows Server has several special groups; one of these groups is called Everyone, and another is called Authenticated Users. The difference between them is that the Authenticated Users group contains only members who have actually logged on, using an ordinary user account, whereas the group Everyone also contains any type of connected session that does not require explicit log on, also known as a NULL session. In other words, it is safer to grant the group Authenticated Users access to SharePoint, and you should think hard before you give the group Everyone access. To add the Authenticated Users group access, follow the instructions in the Try It Out.

Try It Out Open WSS to All Authenticated Users

1. Log on as the WSS administrator.

2. Open the web site you want to open to all authenticated users. Note that this setting will only affect the current site (and all subsites that inherit permission settings from it). This setting can be used on every web site that has unique permission settings, not just the top site.

3. Choose People and Group. Since you want to allow all authenticated users Read access, you can simply add the security group Authenticated Users as a member of the SharePoint group Visitors. Click on the <Site Name> Visitors group listed in the Quick Launch bar. Remember that all WSS sites automatically have this group created when configured for local permissions, instead of inheriting permissions from its parent site.

4. Click New.

5. On the following web form (see Figure 3-21), click the link Add all authenticated users (to the right), and the security group Authenticated Users will automatically show up in the Users/Groups field. Clear the check box Send welcome e-mail to the new users, since the Authenticated Users group is not mail-enabled.

   
   Figure 3-21

6. Click OK to save and close this page.

Once again, this is a safe method if you want to open a WSS site to everyone in your organization - you can be sure no one outside the organization will be able to access this site.

Opening WSS Sites for Anonymous Access

But if you want to allow everyone access, regardless if they are internal or external users, the previous method will not work. A typical example is when you want to open a WSS site to everyone on the Internet. Most likely, such a WSS environment will not contain sensitive information or anything not meant for public access. There are three typical scenarios when exposing a WSS server to the Internet:

• q Connect the WSS server directly to the Internet: Bad idea! It will not survive for long before someone hacks it. Do not connect any server directly to the Internet!

• q Protect the WSS server behind a firewall: Better idea. Many organizations find this an acceptable solution - if the firewall is properly configured. Typically such a WSS server will be connected to the Demilitarized Zone (DMZ) network segment.

• q Protect the WSS behind an MS ISA server, which in turn may be protected by the ordinary firewall: This is a very good - and safe - solution that will satisfy even high-security requirements. Users on the Internet will never access the WSS directly; they will instead be directed to the MS ISA server, which in turn connects to the WSS server, grabs the information the user requests, and sends it back to the user.

The WSS server in the last scenario is so well protected that you may choose to allow external access to all or parts of the same WSS server you use for internal access. For example, your users could access the WSS site when they are working from home, or your partners may access WSS as a extranet, perhaps placing orders and looking up internal prices. It is up to you whether you want a separate WSS server for this or you accept to run a single server for all WSS information, including Internet access, internal users, and extranet users.

If you need to open all or parts of WSS for anonymous access, follow the steps in the next Try It Out.

Try It Out Open WSS for Anonymous Access

1. Log on as an administrator to the WSS server, and open the SharePoint 3.0 Central Administration tool.

2. Switch to the Application Management page.

3. Click on the Authentication providers in the Application Security section. On the web page, do this:

   1. Make sure the web application is the one used by your WSS site collection; for example http://srv1.

   2. Click Default zone. This will open a new web form.

   3. In the Anonymous Access section, check Enable anonymous access.

   4. Click Save to close and save this form.

   The actions you just took were to open the web application http://srv1 to anonymous access. For this to work, the corresponding virtual IIS web server (e.g., the default web site) must also be configured to allow anonymous access. In previous SharePoint versions, this was a manual step, but in WSS 3.0 it was automatically performed by the Central Administration tool. If you want to check the virtual IIS server, then do this:

4. Open the Internet Information Service (IIS) Manager, then:

   1. Right-click the virtual IIS server used by WSS (for example, Default Web Site), and select Properties.

   2. Switch to the Directory Security tab.

   3. In the Authentication and access control section, click the Edit button.

   4. Note that the setting Enable anonymous access is selected. Observe that the account IUSR_SRV1 (assuming that the server is named SRV1) is listed in the User name box. This account will be used by IIS whenever someone tries to access anything in this virtual IIS web server. If you prefer, you can use your own account instead. The IURS_SRV1 user is a member of the built-in Active Directory group Guest but is not a member of Authenticated Users.

   5. Click OK if you modified any of these settings; otherwise, click Cancel.

   6. Close the IIS Manager. You do not need to reset IIS!

   Important

   If you later uncheck the Enable anonymous access setting as described in step 4, it will also disable anonymous settings in the virtual IIS web site.

5. Open the WSS web site you want to open to anonymous access (for example, http://srv1).

6. Click People and Groups Site Permissions Settings Anonymous Access. You will see a web form like the one in Figure 3-22.

   
   Figure 3-22

7. Select what rights the anonymous users will have on this site. You have the following options:

   • q Entire Web site: Anyone can access every part of this particular WSS site, including all lists and libraries and their contents. Warning: this will also open any subsite that inherit its permissions from this site to anonymous access.

   • q Lists and libraries: Anyone can access any list or library on this WSS site that has explicitly enabled anonymous access. They cannot view the pages in this web site, such as the home page, so users must have a direct link that opens the particular list or library that they are allowed to view.

   • q Nothing: The default choice. Nothing is accessible to anonymous users.

8. Click OK to save and close this web folder. This setting will immediately be active.

If you opened the complete site to anonymous access, then open a new web browser to test how it works, (you may have to log out from Windows first, to clear any cached credentials). Notice that you will be able to view any part of this WSS site now, but you cannot add or change any settings, since you are accessing the site anonymously. Therefore, SharePoint cannot see what permission your user account normally would have. But there is a new link named Sign In in the upper-right corner of the home page for this site (see Figure 3-23). Click on it to log on, and then your normal permission level will become active.

Figure 3-23

To make this discussion about anonymous access complete, you need to know how to open specific lists for anonymous access. The second option in step 7 above, Lists and libraries, allows anonymous users to view, modify, or add information in any list that you open to anonymous access. If you selected that option, then follow the steps in the next Try It Out to open a list or library for anonymous access.

Try It Out Open a List or Library to Anonymous Access

1. Log on as a site owner or SharePoint administrator.

2. Open the web site that is opened for anonymous access, using the Lists and libraries option.

3. Open the list or library to be accessed by anonymous users, for example the Shared Documents library.

4. Click Settings Document Library Settings, then click Permissions for this document library.

5. Click Actions Edit Permissions. You must now first stop the inheritance of the parent's permissions before this list can be opened for anonymous access. Click OK to accept the option to stop the inheritance of permissions.

6. Click Settings Anonymous Access.

7. Set the type of access anonymous users will have in this particular list (or library):

   • q In Lists: Anonymous users can be granted Full Access (that is, they can view, add, modify, and delete items.

   • q In Libraries: Anonymous users can be granted View Items access only.

8. Click OK to save and close this page. These settings will become effective immediately.

Working with Custom Site Templates

By now you have a rather good understanding of the basics in WSS. You know how to create sites and subsites, add users and groups, create custom SharePoint groups and permission level roles, and enable anonymous access. But there is more - a lot more!

Wouldn't it be nice to control exactly what new sites look like right from the beginning? For example, assume that you have been asked to create 10 web sites for an upcoming project and that they all must look the same. You know that the look and feel of each web site can be designed by adding and modifying web parts on the site's home page, and you want happy users, so you start working on the design. After some time, you have created the first web site and it looks good. You check with the future users of these sites, and they are happy, too. Now you only have nine more web sites to create, with the exact same layouts and web parts, and then you are done.

But wait - there is a smarter way of doing this. The work process looks like this:

1. Create the first web site. Make sure that it really looks like the users expect it to!

2. Save the site as a site template.

3. Create the second web site, using this new site template.

That's all there is to it - Now it is very easy to create as many new sites with this template as needed!

Creating Custom Site Templates

You can take any existing web site, including a subsite, and save it as a custom site template. A template can also contain actual data, such as documents and list content. You can create as many site templates as you need. All site templates can be used anywhere in this site collection. If you want to use a site template in another site collection, you can do this by exporting the template from the content database to a file in a file system, and then importing that file back to the database into the other site collection.

However, there are some important limitations:

• q You cannot modify an existing template. You can, however, delete the old template and create a new one with the same name and description.

• q Any site that has been created using a custom template will not be affected if the template is recreated. Make sure that the template is perfect before you create new web sites based on it.

• q Site templates are language-dependent. If you create a site template from a Swedish web site, it cannot be used when creating English web sites. (In fact, it will not even be visible for sites based on languages other than the template's language.)

• q The content included in the site template cannot be larger than 500 MB.

Important

The Canadian company KWizCom offers a free language type converter for SharePoint templates. Using this, you could take an English site template and convert its language type, for example, to German. Note that you still need to change the text labels manually. Download this excellent tool from this address: http://www.kwizcom.com.

Only top site administrators and full SharePoint administrators can create and apply custom templates. If you want to create a template using a subsite, you must be an administrator on both the current subsite and the top site. All custom templates are stored as STP files, which is a SharePoint-specific file format for templates. These STP files are stored in the content database, not in the ordinary file system, but you can export them to the file system. These templates are all collected into something SharePoint calls a site template gallery, where you can view, import, and delete custom sites. There is only one site template gallery per site collection, and it is only available from the top site of this site collection. To create a custom site template, follow the steps in the next Try It Out.

Try It Out Create a Custom Site Template

1. Log on as the owner of the site you want to create a site template from, then open that site.

2. Design the look and feel of this site. Make sure that you have created all the lists, document libraries, and web parts you need for this site template. When you (and especially the future users of these sites) are happy with the look and feel of this site, save it as a site template like this: Click Site Actions Site Settings.

3. In the Look and Feel section, click Save site as template. You will see web form requesting information about this new template (see Figure 3-24).

   
   Figure 3-24

4. Fill in the template information:

   • q File name: Enter the name of the template file. (As mentioned previously, it will not be stored in the file system but in the SQL database!)

   • q Template name: Enter a short description for the template. This will be listed along with all other templates later.

   • q Template description: Enter more information about the template (for example, what it is used for, who should use it, and what it contains). This information will also be visible on the template list.

   • q Include content: Use this check box if you want to store current content in the site template. Note that the maximum size for this content is 500 MB.

   • q Click OK to save and close the web form.

5. The next page shows you whether the template was successfully created or not. If it was successful, you see a link to the site template gallery. If you want to list all site templates now, click that link. If not, you can click OK to close the page.

Important

If you want to return to the site template gallery, open the top site first, then click Site Actions Site Settings Site templates in the Galleries section. If you cannot successfully create the site template, check that you have administrative rights for both the top site in this site collection and the current site!

Now you must test it to make sure it works:

1. Make sure that you are logged on as a user with owner permissions for the current site, enabling you to create a new subsite. Note that this can be anywhere in the site collection tree; it does not have to be under the site you used to create this custom template!

2. Choose Site Actions Create Sites and Workspaces in the Web Pages section.

3. Enter the following on this form:

   1. Title: Enter the title for this new site.

   2. Description: Enter a description for this new site.

   3. URL name: Enter the URL name for this new site.

   4. Select a language: (This option is only available if you have installed WSS language packs.) If you have installed any WSS language packs, then select the correct language. (Remember that site templates are language-dependent!)

   5. Select a template: Select the Custom tab, and it will list all the site templates available for the selected language. Select the newly created site template.

   6. Permissions: Select the type of user permissions you want (either Use same permissions as parent site or Use unique permissions).

   7. Navigation: Select if you want this site to be listed on the Quick Launch bar of the parent site, or not.

   8. Navigation Inheritance: Select if you want to use the same top link menu bar as the parent site.

   9. Finally, click Create to save and close the page. After the site is created, it will automatically open.

4. Inspect the new site. Make sure that everything looks the same as the template: the same lists and libraries, the same color scheme, and the same web parts and layout. The only things that should differ are the title, description, and URL for the site, as well as the permission settings.

Copying Custom Site Templates to Other Site Collections

You now know how to create and use the site templates. Suppose that you show your template to your colleague, who is the owner of a separate site collection, and he is so impressed that he demands a copy of your site template! The question is how do you copy the template to the other site collection? As you may recall from the earlier discussion about site collections, a template can only be used within the site collection in which it was created. But you can export a template; the general steps are:

1. Go to the site template gallery where the template is located.

2. Save the template to a file on the file system.

3. Go to the template gallery for the other site collection.

4. Import that file to that gallery.

The detailed steps are also quite straightforward and easy. To copy your site template, just follow the steps in the next Try It Out.

Try It Out Copy a Site Template to Another Site Collection

1. Log on as an administrator for the first site collection.

2. Open the top site where the site template is currently stored.

3. Choose Site Actions Site Settings.

4. Click Site templates in the Galleries section. You will see a list of all custom site templates for the site collection.

5. Click the name for the site template you want to copy (for example, IT-Projects).

6. Choose to Save this file, and select a folder to save the file in. Keep the filename (IT- Projets.stp) unless you want to change it, and click the Save button. Then click Close to close the dialog box.

7. Open the top site in the other site collection. Make sure that you are logged on as an administrator for the second site collection.

8. Choose Site Actions Site Settings, and click Site templates. You now see all custom site templates for the site collection.

9. Click Upload to import the template from the file system to that site collection. Use the Browse button to select the template file you saved in step 6; click Open and then Save and OK. The template has now been copied to that site collection.

10. Test it by creating a new subsite in that site collection using the copied template. Everything should look exactly as it did in the first site collection.

Adding a Site Template to the Global Site Template Gallery

The templates you have been working with up to this point have all been limited to a given site collection. But what happens when you create a new top site, and thus a new site collection? How do you make your own site templates available when creating a new top site?

Doing this is actually something that requires extra help, because WSS does not allow you to do it with the ordinary web-based administrator tool. Once again, you must call upon the STSADM.EXE tool you used for backups and restore. If you followed the instructions in Chapter 2 on how to add the path to this tool to the system environment path, you will find this to be very easy to do.

Try It Out Add Site Templates Using STSADM

1. Log on to the WSS server as a SharePoint administrator.

2. Start up a command prompt (Start Run, then enter Cmd and press Enter).

3. Use steps 1 to 6 of "Try It Out: Copy a Site Template to Another Site Collection" to save the site template you want to add to the global site template gallery. For this example, you can assume that the file is c:\tmp\it-project.stp.

4. Type the following command, and press Enter:

      STSADM --o addtemplate --filename c:\tmp\it-projekt.stp --title "My Template" ↩   --description "This is a global site template imported using stsadm" 

   Important

   If you get a list of all available options for STSADM now, you have misspelled something. Check your spelling and repeat this step.

5. You must now reset the IIS. While still at the command prompt, type IISRESET, and press Enter.

6. When the command is finished, test by creating a new site collection, using this template for the top site. Go to http://srv1 (or whatever your first top site is called), and use its previously added link to create a new site collection. You should see the new site template My Template on the Custom tab in the Template Selection section in the list of templates.

How Custom Site Templates Really Work

While you still have the command prompt window open, you can try some more things. For example, if you want to see what global site templates are installed, type this command:

     STSADM --O enumtemplates 

It will show all custom site templates that you have added manually. But what about those default site templates, such as the Team Site and the Blank Site? They are listed along with your own templates when creating the new site, but they are not listed here by STSADM. Well, they are a bit special. You will not see them listed here because they are part of the actual site definition. When you created your custom templates, you actually told WSS to save the modifications to the site that differed from its basic site definition - nothing more. In other words, the template file you copied to the file system before is not a complete site definition! For example, if you try importing this file into another WSS installation that for some reason does not have the same basic site definition, it will fail!

In Chapter 6, you learn how to create your own site definitions. Using that technique, you will be able to make modifications to a site definition, and all existing web sites, based on this site definition, will be updated.

Importing Custom Site Templates from External Sources

As you have seen, creating custom site templates and exporting them to other WSS environments is easy. It will work as long as the receiving WSS server has the same basic site definition installed, based on the same WSS language pack. This is something you could use, for example, to make nice templates to distribute to others.

Microsoft has made 40 ready-to-use site templates that it gives away for free. These are known internally at Microsoft as the "Fab40"or the Fabulous Forty. These are really good, and you are free to modify them as you wish. Microsoft does not actually call them custom site templates but Application templates for WSS. The easiest way to find them is by going to http://www.microsoft.com and searching for "Application templates for Windows SharePoint Service 3.0." Or you can try this direct link: http://www.microsoft.com/technet/windowsserver/sharepoint/wssapps/v3templates.mspx.

Here, you will find 40 site templates. Note that some are multi-language, but most of them are for US- English sites only, but these can be converted to any language, using the previously mentioned tool from http://www.kwizcom.com. A few of them are described here to help give you an understanding of what they contain:

• q Absence Request and Vacation Schedule Management: Use this web site to make vacation requests, see when your team members are away, and find links to job sites if you want to help others.

• q Board of Directors: Use this web site to track tasks required by the board, keep member information, manage a calendar of meetings and activities, and store mission and business meeting minutes.

• q Classroom Management: A teacher can use this web site to store all information regarding a single class, such as lesson plans, assignments, tasks, and grading.

• q Helpdesk: Use this web site to assist the help desk or customer support in managing requests from customers and to improve team communication. It contains an issue tracker, a document library for storing scripts, Knowledge Base articles, how-to guides, and more.

• q Project Tracking Workspace: Use this web site as a central place to store all information regarding a project. It will help the project manager and the team to collaborate and keep track of issues, tasks, and deadlines.

• q Compliance Process Support Site: Use this web site to assist in your compliance process, for example for the Sarbanes-Oxley Act, and ISO 9000 certifications.

Using these templates is easy, but remember that they are based on the default site definition, using the English language (language code: 1033). If you want to use these templates, you must create an English web site for several of these Fab40 templates, while others are available in multiple languages.

Removing User Accounts

As you know by now, all users must be members of site groups in order to access any part of SharePoint. In most organizations, these domain user accounts are stored in the Active Directory. This section describes what happens when these user accounts are deleted from the AD. You might assume that SharePoint automatically cleans up when someone is removed from the AD. But if you do, you are wrong!

A related situation occurs when someone moves from one department to another, making it necessary for his or her rights to be updated accordingly. In the following sections are some of the most common scenarios in which a user account would need to be removed and how you should act in each situation.

Removing Single User Accounts

Say that the owner of user account Filobit\Michael has decided to leave the company. He has been a very active user in WSS and has been granted access with different types of permission levels to different parts of the SharePoint environment. For example, he is a member of the Visitor SharePoint group in two site collections; he is also the owner of one site collection and an administrator of five subsites. Now you remove his user account from the Active Directory - what happens next?

Because SharePoint is not directly dependent on the AD or even Windows NT, there is no automatic synchronization between SharePoint and the AD. If you remove a user account in the AD, the only thing that will happen in the AD is that the user account will no longer be able to be used for accessing SharePoint. But the name of this account will still be listed everywhere, which is annoying. But think again. Assume that SharePoint removed an account, as soon as it was deleted from the Active Directory. If it did so, this name would suddenly be removed from all sites and workspaces that this user had been using! In fact, SharePoint cannot just clear a user automatically; it could remove important information. So you have to do it yourself, if you need to remove this name.

One way of clearing a user name is to remove this account in every place it is listed. But unless you have a very small WSS environment, doing this is a very labor-intensive task. To easily remove a user from every location in a given site connection, just follow the steps in the next Try It Out.

Try It Out Remove a User Account from a Site Collection

1. Log on as the site collection administrator.

2. Open the top site for this site collection.

3. Click People and Groups and then All People.

4. Check the user to be removed from this site collection, then click Actions Delete Users from Site Collection. Click OK when asked if you really want to delete this user. This user is now removed from every instance in this site collection, including any SharePoint groups.

Important

If a user account is renamed instead of removed, you must run the STSADM tool to update all existing permissions to use the new user account name instead! Open a command prompt and run stsadm –o migrateuser–oldlogin <name> -newlogin <name> -ignoresidhistory.

Okay, that was easy. But what do you do if there are lots of site collections? Well, you will not like this answer: You must remove the user account from each site collection individually.

Removing a Domain Security Group

This is no different from how you remove a user account. The method previously described to remove a user will also work when removing security groups.

Removing the Owner of a Site Collection

This is a bit tricky because the ownership of site collections does not necessarily show up in the ordinary lists where users and groups are displayed with their site group membership. So, you must first list the actual site collection administrators, replace that owner's name, and then remove the user account from the site collection. You might remember that there can be up to two owners of a site collection. You can see the ownership by following the steps in the next Try It Out.

Try It Out List Owners of a Site Collection

1. Log on as the site collection administrator.

2. Open the SharePoint 3.0 Central Administration tool.

3. Open the Application Management page.

4. In the SharePoint Site Management section: click Site collection administrators.

5. On the following page (see Figure 3-25) make sure that the right web application is displayed; to know that you must know the URL of your site collection. Note the two name fields on this page: Primary Site Collection Administrator and Secondary Site Collection Administrator. Every site collection must at least have a primary site collection administrator.

Figure 3-25

Now that you know the names for this site collection, the next step is to replace the site collection administrator's name with a new user name, and then remove that old administrator account from the site collection.

Try It Out Remove a Site Administrator Account from the Site Collection

1. Start by replacing the old site collection administrator (in the form presented in step 5 above), with the new administrator, then click OK.

2. After removing a site collection administrator, he or she will still be listed as a user in this site collection. The next step, therefore, is to remove that user account from this site collection. Open the top site in that site collection.

3. Click People and Groups, then click All People.

4. Check the user account of the old site collection administrator, and click Actions Delete Users from Site Collection. Then click OK to accept to delete the user.

Important

You cannot remove a site collection administrator from the site collection's user list. You must always first remove the role of site collection administrator first!