Master & Cmd-R

OneDrive: Deleted user retention

As part of ongoing user management, this question comes up from time to time:

What happens to a user’s OneDrive library when their account is deleted?

The short answer is that user data is retained for 60 days after their account is deleted, and is irretrievable after that. During that time, the data can be retrieved by the user’s manager, or by a secondary site collection admin. It’s important to note that the OneDrive cleanup process ONLY happens on user account deletion, not on disabling the account or removing their license(s).

Here’s the process:

  1. By default, when a user account is deleted, ownership of their OneDrive library is assigned to their manager. For this to work, however, several things have to be in place beforehand.

     a. The manager field needs to be populated in AD
     b. Access Delegation needs to be enabled in SharePoint Online, as indicated in the following screenshot. Note that this is a global setting that will be applied for all users, and is recommended as a best practice.



     c. A secondary owner or site collection admin can be assigned on this page as well, allowing for further control or access to be provided for a deleted user.
  2. Once a user profile has been deleted, a timer job runs which marks the account for deletion in AD, and flags the OneDrive library for deletion in 30 days. If the Manager field is populated, they will receive a notification at this point that the site will be deleted in 30 days, so they can go and retrieve any data and save it elsewhere. If the Manager field isn’t populated, the notification will go to the Secondary Owner, or Secondary Site Collection Administrator. If none of these 3 fields is filled out, the workflow will continue below, but no email notifications will be sent.
  3. After 23 days, the Manager / Secondary Owner / Secondary Site Collection Admin will receive a final notification that the library will be deleted in 7 days.
  4. 30 days after the user has been deleted from AD, their OneDrive library is deleted, and moved to the Site Collection Recycle Bin.
  5. After another 30 days (60 days from user deletion in AD), the OneDrive library is cleared from the Site Collection Recycle Bin.

More info: https://support.microsoft.com/en-us/kb/3042522

What about if the account is disabled in AD?

 If a user has been disabled in AD (but not deleted), the account status in Office 365 changes to Blocked, and the user’s OneDrive site collection is not accessible until an administrator takes ownership of it.

In the case of my test account, the Manager property wasn’t set, and neither was the secondary site collection owner/administrator – if either of those properties were in place, the library would have been available to those people. Since those attributes weren’t set, it required taking ownership manually as a SharePoint admin, at which point I could access the library.

Bottom line: the user’s OneDrive library deletion cycle starts when the account is deleted, not when it is disabled. This is a fairly large distinction, as I’ve seen many environments where user accounts are disabled, and sometimes left in that state for years without clearing them out. However, you need to be careful with this practice – if you disable the user account and move it into a Disabled Users OU (for instance) that is excluded in the Azure AD Sync, this WILL delete the user account in Azure AD and trigger the start of the deletion process.
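To see where each deleted account sits in the cycle described above, the following added example (not part of the original post) computes the day-23, day-30 and day-60 milestones and the notification recipient from a list of deletion dates. The function name, the DeletedOn and Manager property names, the -SecondaryOwner parameter and the sample users are assumptions constructed for illustration.

```powershell
# Added example: milestones follow the timeline in this post
# (final notice on day 23, recycle bin on day 30, purge on day 60).
function Get-OneDriveRetentionStatus {
    [CmdletBinding()]
    param(
        # Input objects need UserPrincipalName, DeletedOn and (optionally) Manager;
        # these property names are assumptions of this example.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object] $DeletedUser,

        # Tenant-wide secondary owner / site collection admin, if one is configured
        [string] $SecondaryOwner,

        # Reference date, passed in so the result is reproducible
        [datetime] $AsOf = (Get-Date)
    )
    process {
        $deleted = [datetime] $DeletedUser.DeletedOn
        $recycle = $deleted.AddDays(30)
        $purge   = $deleted.AddDays(60)

        if     ($AsOf -ge $purge)               { $stage = 'Purged, not recoverable' }
        elseif ($AsOf -ge $recycle)             { $stage = 'In Site Collection Recycle Bin' }
        elseif ($AsOf -ge $deleted.AddDays(23)) { $stage = 'Final 7-day notice window' }
        else                                    { $stage = 'Flagged for deletion' }

        # Manager first, then the secondary owner; with neither, no email is sent
        $recipient = $DeletedUser.Manager
        if (-not $recipient) { $recipient = $SecondaryOwner }
        if (-not $recipient) { $recipient = 'NONE (no notification is sent)' }

        [pscustomobject]@{
            UserPrincipalName = $DeletedUser.UserPrincipalName
            Stage             = $stage
            RecycleBinOn      = $recycle.ToString('yyyy-MM-dd')
            PurgedOn          = $purge.ToString('yyyy-MM-dd')
            DaysUntilPurge    = [math]::Max(0, [int][math]::Ceiling(($purge - $AsOf).TotalDays))
            NotifiedParty     = $recipient
        }
    }
}

# Constructed sample data (not real accounts)
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; DeletedOn = '2016-02-20'; Manager = 'boss@contoso.com' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';   DeletedOn = '2016-02-05'; Manager = $null }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.com'; DeletedOn = '2016-01-20'; Manager = $null }
)

$sample | Get-OneDriveRetentionStatus -AsOf ([datetime]'2016-03-01') |
    Sort-Object DaysUntilPurge | Format-Table -AutoSize
```

Rows with a NotifiedParty of NONE are the ones to review first, since nobody receives the 30-day or 7-day warning for them.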


Enable OneDrive domain sync restrictions

One of the admin controls that has recently been added to OneDrive for Business is the ability to restrict file sync to only work on domain-joined machines. Here’s how you enable this:

First, you need to get the domain GUID by running the following command in PowerShell:

$domains = (Get-ADForest).Domains; foreach($d in $domains) {Get-ADDomain -Identity $d | Select ObjectGuid}


Next, set the domain GUID as the only accepted domain for OneDrive sync:

Set-SPOTenantSyncClientRestriction -Enable -DomainGuids "xxxxxxx-xxxx-415c-aa3b-9d06b595c714"

That’s really all there is to it – if you need to undo these changes and open sync back up again, simply run the following command:

Remove OneDrive domain sync restrictions:

Remove-SPOTenantSyncClientRestriction

When this feature is enabled the following will occur: (pulled directly from the TechNet article)

  • All OneDrive for Business Sync client requests originating from a domain that is not on the safe recipients list will be blocked.
  • All OneDrive for Business Mac Sync client requests will be blocked.
  • Mobile clients are not blocked when this feature is enabled.
  • Regardless of whether a computer is managed by a device management solution, a sync relationship will not be established unless they are joined to a domain in the Safe Recipient List.
  • Any files that have previously been synced down to your computer will not be deleted.
  • Please be aware of the following upload behavior:
    • New or existing files added to the client will still be uploaded to the server and will not be blocked.
      • Regardless if the computer is joined to a domain which is set in the Safe Recipient List.
      • Regardless if the computer is joined to a domain which is not set in the Safe Recipient List.
      • And for all non-domain joined computers.
  • OneDrive for Business sync client prior to version 15.0.4693.1000 will stop syncing existing libraries.

 

For more information, see the following articles:
How to enumerate a domain GUID in an Active Directory forest: https://technet.microsoft.com/en-us/library/dn938435.aspx
Use Windows PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list: https://technet.microsoft.com/en-us/library/dn917452.aspx

Lessons Learned, SharePoint Online Edition

When you connect to as many different Office 365 tenancies as I do, it’s easy to lose track of which tenant you’re connecting to – especially if you’re working on one project, but logging on to another tenant to test changes.

Sure enough, I was testing OneDrive sync restrictions for a client, and I accidentally ran the cmdlets in their production tenant, and not in my test tenant like I thought. Basically, the purpose of the cmdlet is to only allow domains on a safe list to sync – everything else (including Macs) gets blocked.

Needless to say, I was horrified when users company-wide started reporting that their OneDrive sync had stopped working! Thankfully, I was able to reverse the changes fairly quickly, and my client took my mistake and profuse apologies in good grace.

Now, it’s one thing to call this a Lesson Learned, and say that you should always double check your tenant name before you connect to run PowerShell commands, but a good friend and colleague of mine has a saying about lessons learned that I’ve taken to heart:

“There are only three responses to lessons learned: either we need more research, give feedback to the consultant, or change the process.”

So I took my feedback like a big boy, and decided that I was going to figure out how to change my process to prevent these types of mistakes from happening again – and I re-wrote my connection script to force me to put in the tenant name every time I connected. It can’t completely prevent mistakes, but it at least prevents autodialing the wrong tenant if I’m not paying attention to what I’m doing.

Here’s what the script looks like:

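# Force the tenant name to be supplied on every run, so there is no default tenant to connect to by accident
param (
[Parameter(Mandatory=$true,ValueFromPipeline=$false)]
[String] $TenantName
)

# Build the SharePoint Online admin URL for the named tenant
$spoDomain = "https://" + $TenantName + "-admin.sharepoint.com"
# Prompt once and reuse the same credentials for both services
$objCreds = Get-Credential

Connect-SPOService -Url $spoDomain -Credential $objCreds
Connect-MsolService -Credential $objCreds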

 

And here’s a copy that you can download and use if you’d like: Connect-SharePoint-Online.ps1. Simply run this script with the -TenantName parameter, like so:

.\connect-SharePoint-Online.ps1 -TenantName Contoso

If you only ever connect to a single tenant, all you need to do is change your connection string to look like this:

$objCreds = Get-Credential
$spoDomain = "https://contoso-admin.sharepoint.com"

Connect-SPOService -Url $spoDomain -credential $objCreds
Connect-MSOLService -credential $objCreds 

This connects you to both SharePoint Online, as well as the MSOL Service so you can query / manage AD objects as well.
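One way to take the process change above a step further, shown as an added example that is not part of the original script: check the tenant name against a list of tenants you actually administer and require the name to be retyped before connecting to one marked as production. The function name, the $KnownTenants list and its entries, the -Prompt parameter and the allowed-character pattern are assumptions of this example.

```powershell
# Added example. $KnownTenants is a hypothetical, constructed list.
$KnownTenants = @{
    'contoso'     = 'Production'
    'contosotest' = 'Test'
}

function Resolve-SpoAdminUrl {
    [CmdletBinding()]
    param(
        # Letters, digits and hyphens only (an assumption of this example), so a
        # typo containing "." or "/" cannot change the host the credentials go to
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9-]+$')]
        [string] $TenantName,

        [Parameter(Mandatory = $true)]
        [hashtable] $KnownTenants,

        # How the operator is asked; replaceable so the guard can be exercised offline
        [scriptblock] $Prompt = { param($question) Read-Host $question }
    )

    $key = $TenantName.ToLowerInvariant()
    if (-not $KnownTenants.ContainsKey($key)) {
        throw "Tenant '$TenantName' is not in the known-tenant list; refusing to connect."
    }

    # Production tenants need the name typed a second time
    if ($KnownTenants[$key] -eq 'Production') {
        $answer = & $Prompt "'$key' is PRODUCTION. Retype the tenant name to continue"
        if ($answer -ne $key) {
            throw "Confirmation did not match; not connecting to '$key'."
        }
    }

    [pscustomobject]@{
        Tenant      = $key
        Environment = $KnownTenants[$key]
        AdminUrl    = "https://${key}-admin.sharepoint.com"
    }
}

# Constructed demo: the prompt is stubbed so this runs without a console
$target = Resolve-SpoAdminUrl -TenantName 'Contoso' -KnownTenants $KnownTenants -Prompt { 'contoso' }
$target | Format-List

# With the SharePoint Online module loaded, the result feeds the real connection:
# Connect-SPOService -Url $target.AdminUrl -Credential (Get-Credential)
```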

Hope this helps… as always, scripts or cmdlets are provided without any guarantees on my part – read it over and make sure you know what you’re running before you execute scripts in a production environment!

OneDrive for Business Installer

OneDrive

I haven’t had a chance to install OneDrive for Business since Microsoft rebranded SkyDrive Pro a few weeks ago, but I ran into a gotcha this morning when I tried to set up OneDrive on a client’s system: there is no automatic download available for OneDrive for Business (at least at this point). Instead, you get a popup on Windows 8 asking you how you want to open a grvopen:// link – similar to what happens if you try to install SkyDrive Pro with Office 2010, talked about in this blog post here: http://masterandcmdr.com/skydrive-pro-and-office-2010/

Thankfully, there is a download available here: http://support.microsoft.com/kb/2903984/en-us, and it uses the same Microsoft Click-to-Run technology as Office 2013 does. I’ve been a big fan of Click-to-Run in Office 2013, especially considering how quickly you have access to Office (streaming features in the background), and the fact that it keeps your programs up to date, and streams updates in as they become available. Having this tied in to OneDrive for Business is only going to make things better, as they can slipstream improvements in on the fly. I love OneDrive (in principle), but it can definitely stand to be improved upon – I haven’t been all that impressed with its stability and flexibility with handling different file types and such, but I’m willing to keep using it as part of my cloud strategy.

At any rate, grab the client if you need it, and follow the install procedure listed on the site:

Installing the client

To install the OneDrive for Business (formerly SkyDrive Pro) sync client, follow these steps:

  1. Uninstall any previous versions of OneDrive for Business (formerly SkyDrive Pro).
  2. In the “OneDrive for Business (formerly SkyDrive Pro) sync client installers” section, click the OneDrive for Business (formerly SkyDrive Pro) installer for your language and system edition. If you are already running an x86 or x64 edition of Office, you must select the same edition type for OneDrive for Business (formerly SkyDrive Pro).
  3. Run the downloaded file to start the Setup program.
  4. Follow the on-screen instructions to complete the installation.
  5. If you are asked to provide a license key, enter 3V9N8-W93CC-FQPB8-Y9WVF-TVGJ3.
  6. Open your personal OneDrive for Business (formerly SkyDrive Pro) document library or any SharePoint 2013 or Office 365 website document library. Then, click the Sync button to sync the libraries.

 

From <http://support.microsoft.com/kb/2903984/en-us>

Don’t do like I did and close my laptop halfway through because I had to run out to a meeting, screwing up my Click-to-Run install!

Good luck, have fun 😉

Yammer for all Office 365 Enterprise customers

Yammer for you!

Depending on your own personal level of adoption of the business social network, this announcement by Microsoft may or may not be exciting news for you: All Enterprise Office 365 accounts now have Yammer Enterprise licensing baked right in.

Not sure what Yammer Enterprise brings to the table? Here’s a breakdown of the differences.

Yammer and Office 365 Roadmap

You can read the full article above, but here are some of the things I’m looking forward to (or at least interested to see how they work):

  • Email Interoperability: Because we know enterprise social adoption often takes time, we’ve invested in greater email interoperability so users can collaborate via Yammer and email together without having to leave their preferred communication channel. Email users can now participate in Yammer group discussions via email without having to set up a Yammer account.
  • Document conversation: Social is most effective when it’s woven into the apps people use every day. Now users can start a Yammer conversation for any document that is stored in a SharePoint Online document library or SkyDrive Pro web client. This enhancement makes it easier for users to collaborate, as well as improves the discoverability of the document by others.
  • Messaging: We are making it easier for users to communicate in real-time with an improved messaging experience on Yammer. New enhancements include: typing indicators, real-time likes, the ability to easily add multiple coworkers to a conversation and more.
  • Office 365 Integration: We’ve also been hard at work laying the foundation for deeper integration between Yammer and Office 365. Right now we’re focused on user mapping between Yammer and Office 365 (Office 365 users will be able to seamlessly access Yammer from their Office 365 navigation bar) and deepening connections across documents and conversations. 

The Office 365 integration is the big one for me – right now, if you activate Yammer as your default newsfeed in Office 365, all it does is replace your Newsfeed link at the top of the page with a link that takes you to the Yammer website. Once the feed is integrated more tightly and accounts mapped accordingly, I think Yammer is going to get a lot more exciting in Office 365.

Activating Yammer in Office 365

To activate Yammer as the default newsfeed in Office 365, go to the SharePoint admin center and click on Settings. Choose “Use Yammer.com service” as your default social experience, then scroll down to the bottom of the page and click Save.

Before:

Booyah!

Don’t forget that clicking that link will still just take you to Yammer.com, but don’t worry… at the speed that Microsoft is rolling out these changes, it’ll be woven into your Office 365 experience soon enough – enjoy!


Lync 2013 Test Drive

Found this excellent post by Benoit Hamet – Microsoft has provided a complete Test Drive environment allowing you to set up a Lync 2013 Lab for testing and evaluation purposes:

This download comes as a pre-configured set of VHD’s. This download enables you to fully evaluate the Microsoft Lync 2013, Microsoft Exchange 2013, SharePoint 2013, and UC developer platform APIs including the Microsoft Lync 2013 SDK, the Exchange Web Services Managed API 2.0 as well as the Microsoft Lync Server 2013 SDK and the Microsoft Unified Communications Managed API 4.0. Also, Lync Server

From <http://www.microsoft.com/en-us/download/details.aspx?id=40266>

This is great for testing various environment configurations, including Unified Messaging and different Office 365 Hybrid scenarios. Get ’em while they’re hot!


SkyDrive Pro and Office 2010

No soup for you!!

I recently ran into an issue trying to synchronize a SharePoint Online document library on a client’s computer – if you clicked on the link to synchronize a library, the following error would be displayed:



I’ve highlighted the clue as to what the problem is – this webpage requires a program that you don’t have installed.

Also contributing to our treasure hunt is the address it’s trying to connect to:



The Artist Formerly Known as “Groove”

Grvopen:// was the protocol that opened Groove – which was later changed to SharePoint Workspace, and then changed again to become SkyDrive Pro. So basically, SharePoint is trying to open SkyDrive Pro, but the application isn’t installed.

This causes a bit of a problem, since SkyDrive Pro comes as part of Office 2013 and Microsoft does not provide a download in the software section of Office 365, so you need to download SkyDrive Pro from the Microsoft Download Center (clicking on the image below will take you there).



You need to choose either the 32bit or 64bit version of SkyDrive Pro: this is not based (as I first thought) on your version of Windows, but on your version of Office – so unless you’re using 64bit Office, then choose the 32bit version:



Once you download and install the SkyDrive Pro client, go ahead and click on that link again in SharePoint:



You should now see SkyDrive Pro taking over:




Once it finishes connecting, you’ll be able to access your SkyDrive Pro (all glorious 25GBs of it!), as well as any libraries that you need to be able to synchronize on your computer.

Good luck, have fun!


Sync Multiple SkyDrive Pro Libraries

Right after my last blog post talking about increased SkyDrive Pro storage, I had Colin ask me whether or not it was possible to create a shortcut on your computer for your Office 365 SkyDrive Pro. We both already had SkyDrive Pro installed and syncing with SharePoint 2013 on premise… Well, I’m happy to say that SkyDrive Pro handles multiple sync locations quite elegantly – here’s my answer!

“For sure! Just log in to Office 365, and sync your SkyDrive:



Ready to sync? I was born ready!!



I was curious to see if I’d have multiple SkyDrive Pro clients in my taskbar, or just how it would handle multiple locations – easy… you’ll just end up with multiple SkyDrive Pro folders, like so:



If you’re like me and you can’t stand the name “SkyDrive Pro 1” – you can rename any shortcuts to the folder, but be warned – if you rename the folder it’ll break the synchronization.



Ahh… much better!”

British Airways takes to the cloud with Office 365

Saw this post today… Wow!

http://www.zdnet.com/british-airways-takes-to-the-cloud-with-microsoft-office-365-7000019108/

“Office 365 will allow employees to collaborate and achieve their work tasks regardless of the platform, product or device,” IAG chief information officer Nigel Underwood said in a statement. He added that creating a common IT platform for airlines across the group “will be more efficient and reduce our costs”. IAG said the Microsoft deal will allow the organisation to consolidate systems. “Office 365 and Yammer will enable us to switch off legacy email and related systems, including about 1,000 bespoke applications,” an IAG spokeswoman said.”

58,000 new users using Exchange, SharePoint, Lync and Yammer… allowing users to be more productive, and efficient while reducing costs at the same time? This statement holds true regardless of whether you are a small business owner, a sole proprietor, or a mega airline with 58,000 employees.

The one where I break Word

I was editing a template today and trying to get some Quick Parts in Word 2013 to automatically update and populate data from the document properties – this ensures that certain fields would automatically be filled in when creating a new document based on this template, which works really well for fields that need to be filled in like Author, Date, Client name, and so forth.

At any rate, I was messing around trying to get these fields to update from the document properties on a SharePoint library without having to close and re-open the document, and all of a sudden, my document fields were replaced with curly braces and a bunch of weird code… like this:




I restored a previous version of the document, I rebooted, I even did a repair of Office but nothing would fix it… I broke Word! Thankfully, all was not lost – if you’re reading this and you’re in the same spot as me – here’s the answer:

Hit Alt-F9!

Turns out there is a key combination that shows the code view in a Word document, and I found it… boy, did I find it! Just press Alt-F9 again, and all is right with the world once more.



That will teach me to try random key combinations to see if I can auto refresh a quick part field!