Friday, August 11, 2017

Office 365 – You can now manage domain guest access for Groups

Guest Domain Access for O365


An update is being rolled out to let you manage allowed/blocked domains for guest access to Office 365 Groups.
After allowing guest access to Groups, Microsoft now helps securing this access by allowing administrators to define a list of allowed/blocked domains.
This feature is not available (yet?) using the Office 365 administration portal but with PowerShell.
This functionality is using Azure AD policy feature

Important Points

  • When using this functionality, you can not define both options. This means any domains not listed as allowed, will then be blocked and vice versa
  • Only one policy per tenant
  • This is a different list than the one used for SharePoint Online sharing; you will be able to import the existing SPO list but after you will have to manage it separately
  • This does not apply to guests already members of an Office 365 Groups; only new guest will have the policy applied

How to use

Install the prerequisites

The PowerShell command to set the domain allow/block list for Office 365 Groups guest access is using the preview modules of Azure Active Directory PowerShell modules.
  • You must use Azure AD PowerShell Preview – at least version 2.0.0.98 – you can get Azure AD PowerShell Preview using the following procedure
    • Run a PowerShell command prompt using the runadadministrator and check the installed Azure AD PS module installed with the command Get-Module -ListAvailable AzureAD*
image
  • If you get a version different than 2.0.0.98 (or later), you need to uninstall your current version with the command Uninstall-Module AzureAD
image
  • If you have no result or after uninstalling the previous version run the command Install-Module AzureADPreview to install the required preview module; you may be prompted to trust the repository to download the module
image

Configure the domains list

Once you have the required module installed, you can use the script available https://technet.microsoft.com/library/a86bb46f-0e5b-43a3-b6ef-7394f344a8da#bkmk_script to manage the domains list.
Once you have saved the script you can then use it to add/update/remove/import the domains list
  • Create the allow/block domain list Set-GuestAllowBlockDomainPolicy.ps1 -Update –AllowList / –BlockList @("domain1.com", "domain2.com") – this command can be used to overwrite an existing list
  • Import the existing list from SharePoint Online Set-GuestAllowBlockDomainPolicy.ps1 –MigrateFromSharepoint: don’t forget after this import you will have to manage it separately
  • Add a domain to the existing list Set-GuestAllowBlockDomainPolicy.ps1 -Append -AllowList / –BlockList @("domain3.com")
  • Or finally remove the policy with Set-GuestAllowBlockDomainPolicy.ps1 –Remove
Unfortunately there is not (yet?) a way to get the existing list or remove one domain; if you want to remove one domain you need to overwrite the list with the domain(s) you want to remove not included
Reference: Benoit Hamet 

Thursday, July 6, 2017

"Sorry, another account from your organization is already signed in on this computer" - SharePoint Online | Office Apps

OVERVIEW

This issue first popped up in my business' tenant. My office staff were losing their minds and of course not happy with the IT department (okay, me). I have since seen this issue multiple times in my own business as well as my clients.

Inevitably the issue is raised as a SharePoint issue (stupid SharePoint!), something along the lines of:
"I cannot open any SharePoint documents! I get access denied!"
Well..., not so fast. This time, SharePoint is not the issue (yeah, I know, I first, right?) The issue resides with Office 2013(+) apps (whichever version).

In Office 2013(+) apps, you can access Office 365 content in SharePoint Online by providing your Office 365 user ID and password. If you have multiple Office 365 user IDs from different organizations, you can access content from the SharePoint Online deployments of each organization.

However, Office 2013(+) only supports signing in one Office 365 user from each tenant or organization per session.

Office 2013(+) makes a best effort to prevent a user from signing in when another user from the same organization is already signed in. However, there may be cases in which this scenario is not detected, and Office 2013(+) user interface may show that another user is successfully signed in. In this case, the second user cannot access his or her own content. All Office 365 content that he or she tries to open will be performed by using the first user’s credentials.

Be aware that Office 2013(+) respects the permissions of all documents and SharePoint Online libraries. That is, if the first user doesn’t have access to a document that the second user has access to, and the second user (who thinks he or she is signed in) tries to open that document, the document will not open because Office tries to open the document as the first user.

To fix this scenario, the signed-in user can sign out of Office 2013(+), and then restart his or her computer. Doing this makes sure that a clean state is present when the other user tries to sign in again.

PROBLEM

When you try to sign in to an Office 2013(+) app by using your Office 365 user ID and password, you receive the following error message:
"Sorry, another account from your organization is already signed in on this computer."
This behavior is expected. It occurs if you are already signed in to Office 2013(+) by using a different Office 365 user account in the same organization.

WORKAROUND

This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs.

Note: I do not recommend this workaround because some account settings may be lost. Additionally, I have fixed this issue for more than a dozen people without touching the registry (step 3), fwiw.

To work around this behavior, remove the existing user account and all connected services from your Office 2013(+) profile, and clear cached credentials that may be on the computer.

Step 1
  1. Remove the user account from your Office 2013(+) profile
  2. In the upper-right corner of the Office 2013(+) app, click your name, and then click Switch Account.
  3. On the Accounts screen, click Sign out.
  4. Locate the account that you want to remove, and then click Sign out.
Step 2
Remove connected services from your Office 2013(+) profile
  1. Go to File, and then click Account.
  2. Under Connected Services, remove all the services for the existing account.
Step 3 (see warning above)
Clear cached credentials on the computer
  • Edit the registry to remove cached credentials. To do this, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate the following registry subkey: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity\Identities
    3. Select the Office account that you want to delete, and then click Delete.
    4. In the Identity subkey, locate Profiles, right-click the same Office account that you deleted in step A3 of this procedure, and then click Delete.
    5. Exit Registry Editor.
  • Remove the cached credentials in Credentials Manager. To do this, follow these steps:
    1. Open Control Panel, and then click Credentials Manager.
    2. Under Generic Credentials, locate the account that you want to remove, and then click Remove.
    3. Log off, and then log on to the computer.

Wednesday, June 14, 2017

SharePoint Online's User Profile Synchronization Process (One-way only!)

SharePoint Online's AD attribute sync process has changed quite a bit from on premise or SP 2016 Server version (understandable). However, the depth of that change was surprising to me and my collegues. While researching a solution for users at my current client Toyota of North America, to upload a photo of themselves and have that photo sync to O365 and on-premise Exchange/Skype, as well as Workday, I dug deep and have listed the changes that were pertinent to my task. Take a look and let me know your thoughts.

AD DirSync Import syncs a subset of the Azure Active Directory attributes that are synced by Azure AD Connect. The profile properties that are synced by AD Import aren't configurable.

The following are my observations after research:
  • Active Directory information only goes in one direction f rom the on-premises Active Directory server to SharePoint Online
  • Data flow:  AD on Premise -> Azure Active Directory -> SharePoint Online directory store -> SharePoint Online User Profile Service -> SharePoint Online Site Collection (one-way)
  • User Profile Synch Service’s timer job’s run frequency cannot be changed, which occurs during regularly scheduled one-way synchronization—which should occur at least every 24 hours.
  • AD Import syncs a subset of the Azure Active Directory attributes that are synced by Azure AD Connect. The profile properties that are synced by AD Import aren't configurable.
  • AD Import syncs the following 24 Azure Active Directory attributes to the User Profile Application: 
      
     
Azure Active Directory attribute
SPO User Profile property
Notes
UserPrincipalName
DisplayName: User Name
Name: UserName
The value in this property is used to create the path of a user’s OneDrive for Business site collection.
For example:
gherrera@contoso.com and /gherrera_contoso_com/
This property is replicated to the site collection by WSS Sync.
UserPrincipalName
DisplayName: Account name

Name: AccountName
This property stores the claims-encoded User Principal Name for the user.
For example: i:0#.f|membership|gherrera@contoso.com
This property is used to look up the user profile.
UserPrincipalName
DisplayName: Claim User Identifier
Name: SPS-ClaimID
This property stores the user’s claims identifier. The identifier is the User Principal Name.
For example: gherrera@contoso.com
UserPrincipalName
DisplayName: User Principal Name
Name: SPS-UserPrincipalName
This property stores the User Principal Name of the user.
For example: gherrera@contoso.com
GivenName
DisplayName: First name
Name: FirstName
This property is replicated to the site collection by WSS Sync.
For example: Gabriela
sn
DisplayName: Last name
Name: LastName
This property is replicated to the site collection by WSS Sync.
For example: Herrara
Manager
DisplayName: Manager
Name: Manager
The manager property is used to determine colleagues and will be used in the user profile and OneDrive for Business deletion process. 
For more information see: 3042522 How user profiles are deleted in SharePoint Online and OneDrive for Business.
DisplayName
DisplayName: Name
Name: PreferredName
This property is replicated to the site collection by WSS Sync.
For example: Gabriela Herrara
telephoneNumber
DisplayName: Work phone
Name: WorkPhone
This property is replicated to the site collection by WSS Sync.
For example: (123) 456-7890
proxyAddresses
DisplayName: Work email
Name: WorkEmail
Processed in this order when it's added to the profile: 
  • WorkEmail if the value in proxy address is prefixed with SMTP: (Must be in CAPS)
  • WorkEmail if the value in proxy address is prefixed with smtp: (Must be lowercase)
This property is replicated to the site collection by WSS Sync.
For example: gherrera@contoso.com
ProxyAddresses
DisplayName: SIP Address
Name: SPS-SIPAddress
SPS-SIPAddress if the value in proxy address is prefixed with sip:.
This property is replicated to the site collection by WSS Sync.
PhysicalDeliveryOfficeName
DisplayName: Office
Name: Office
This property is replicated to the site collection by WSS Sync.
Title
DisplayName: Title
Name: Title
This property is replicated to the site collection by WSS Sync
Title
DisplayName: Job Title
Name: SPS-JobTitle
SPS-JobTitle contains the same value as Title. SPS-JobTitle is connected to a Term Set.
This property isn't replicated to the site collection.
Department
DisplayName: Department
Name: Department
This property is replicated to the site collection by WSS Sync.
Department
DisplayName: Department
Name: SPS-Department
SPS-Department contains the same value as Department. SPS-Department is connected to a Term Set.
This property isn't replicated to the site collections.
WWWHomePage
DisplayName: Public site redirect
Name: PublicSiteRedirect

PreferredLanguage
DisplayName: Language Preferences
Name: SPS-MUILanguages
SPS-MUILangauges is used by SPO to determine which language a site is displayed in for the user when MUI is enabled. 
msExchHideFromAddressList
DisplayName: SPS-HideFromAddressLists
Name: SPS-HideFromAddressLists

msExchRecipientTypeDetails
DisplayName: SPS-RecipientTypeDetails
Name: SPS-RecipientTypeDetails

ObjectGuid
DisplayName: Active Directory Id
Name: ADGuid
Internal
DistinguishedName
DisplayName: Distinguished Name
Name: SPS-DistinguishedName
Internal
ObjectId
DisplayName: msonline-ObjectId
Name: msOnline-ObjectId
Internal
UserType
DisplayName: SPS-UserType
Name: SPS-UserType
Internal

There are four processes in the user synchronization pipeline in Office 365:

Sync process
Description
Azure AD Connect
Azure AD Connect syncs data from your on-premises Active Directory to Azure Active Directory. For more information, see: Integrating your on-premises identities with Azure Active Directory.
AAD to SPO Sync
Azure Active Directory syncs data from Azure Active Directory to the SPO Directory Store.
AD Import
Active Directory Import syncs data from the SPO Directory Store to the User Profile Application.
WSS Sync
WSS Sync syncs data from the User Profile Application to the SharePoint Online site collection.




Default user profile properties are fed into SharePoint Online from the Office 365 directory service. But a SharePoint Online admin can enhance the SharePoint capabilities by adding user profile properties, defining user policies, and creating audiences.
 SharePoint Online receives profile information from the Office 365 directory service during regularly scheduled one-way synchronization—which should occur at least every 24 hours.
 When your organization signs up and deploys Office 365, user accounts will either be:
·        Manually created and added to the Office 365 directory service, or
·        Synched with an on-premises Active Directory.
 If your organization manually created user accounts in the Office 365 directory service, then users will receive Microsoft Azure Active Directory credentials for signing into Office 365. These credentials are separate from other desktop or corporate credentials. You’ll use the Office 365 admin center to make changes to these user accounts.
 Your organization may choose to use the Office 365 Directory Sync (DirSync) tool to populate user information from an on-premises Active Directory. DirSync supports federated single sign-on. For information about setting up DirSync, see Set up directory synchronization for Office 365.

 The Directory Synchronization Tool (DirSync) allows on-premises Active Directory user profiles to be synchronized with the Office 365 directory service, which is then synched with SharePoint Online user profiles. Active Directory information only goes in one direction—from the on-premises Active Directory server to SharePoint Online. This ensures that user information in SharePoint Online reflects the most current and accurate state of your user data in Active Directory.
 Note:  Automatic profile synchronization with the Office 365 directory service occurs at regular predetermined intervals. Changes may take up to 24 hours before they appear in a user’s profile. Note that with Office 365 for Education, user profiles are not created or synced until a user visits a SharePoint site.
 By default, SharePoint Online user profiles are populated by the Office 365 directory service. Basic profile properties, such as a user’s first and last name, phone number, and job title, are also synchronized. If there are additional properties that you’d like to add to user profiles to enhance search and collaboration features within SharePoint, then the SharePoint Online admin can create those user profile properties. See Add and edit user profile properties for more info.
 Note:  Creating a new user profile property, by using SharePoint Online admin center, will not create that property in the Office 365 directory—this user profile data will be unique to SharePoint Online.
 As shown in the following illustration, a user’s About me page can be composed of properties that are imported from the Office 365 directory service and from custom SharePoint Online profile properties. For example, the directory service will supply default user profile information, such as users’ account names, work telephone numbers, job titles, and work email addresses. Users will not be allowed to edit this information.



Thursday, September 29, 2016

SharePoint Content Database PowerShell Scripts
There are a number of PowerShell database cmdlets provided by SharePoint; in this tip I will cover the ones that deal with content databases.  The following is the outline for this tip:
If you choose to use SharePoint Central Administration to manage content databases, you'll use the Manage content databases option in the screenshot below.  I will cover using Central Administration to manage content databases in a future tip.
SharePoint 2010 Central Administrator

PowerShell 101

There are quite a few tips on using PowerShell to perform various SQL Server tasks; take a look at the PowerShell tips category onMSSQLTips.com for some great content.   For managing SharePoint content databases, you have two options available in Windows Server 2008:
  • SharePoint 2010 Management Shell
  • Windows PowerShell ISE
The SharePoint 2010 Management Shell is installed automatically by SharePoint; you can find it in the Microsoft SharePoint 2010 Products program group.  The user interface is pretty much like the Command Prompt; it is simple and effective.  The Windows PowerShell ISE is what I prefer; it is a GUI tool that's a little more polished than the SharePoint 2010 Management Shell.  A good SQL Server analogy would be SQLCMD versus SQL Server Management Studio.
Windows PowerShell ISE is not installed by default on your Windows 2008 server; follow these steps to install it:
  • Go to Server Manager, Add Features
  • Check Windows PowerShell Integrated Scripting Environment (ISE)
After installing Windows PowerShell ISE, you can launch it from the Accessories / Windows PowerShell program group.  There is one additional step that you need to perform in order to use it with SharePoint; you need to load the Microsoft.SharePoint.PowerShell snap-in.  There are two ways to do this:
The following is an example of the code you can put in the profile to add the snap-in:
if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"
  }
There is one more thing you need and that is proper permission to use PowerShell to update a content database and the farm configuration database; you need to be a member of the SharePoint_Shell_Access database role in the respective databases.  You will need a SharePoint farm admin to add you to this role using the Add-SPShellAdmin cmdlet.
Add a user to the SharePoint_Shell_Access role in the farm configuration database only:
Add-SPShellAdmin-UserName domain\username
Add a user to the SharePoint_Shell_Access role in the farm configuration database and content database specified:
Add-SPShellAdmin -UserName DOMAIN\USERNAME -Database DATABASENAME
Add a user to the SharePoint_Shell_Access role in the farm configuration database and every content database:
Get-SPContentDatabase | Add-SPShellAdmin -UserName DOMAIN\USERNAME

Introduction

Here are a couple of points before we get in to the details:
  • If you are new to SharePoint 2010, take a look at our earlier tip Introduction to SharePoint 2010 for DBAs.  In the sections that follow the concepts presented in the earlier tip are fundamental to your understanding.
  • A content database can either be attached to a web application or detached; where a cmdlet works with a content database that is detached you will see the -Name parameter; when a cmdlet works with a content database that is attached to a web application you will see the Identity parameter; the Identity parameter can be the database name, its Id (GUID or UNIQUEIDENTIFIER as returned by Get-SPContentDatabase), or a SPContentDatabase object in the PowerShell pipeline.
  • Along the same lines you don't specify the DatabaseServer parameter when a content database is attached to a web application; SharePoint knows where it is.
  • In the sample code when I use contentdb I mean the database name
  • I'm running the PowerShell cmdlets on a Windows 2008 server that is connected to a SharePoint farm; I'm not going in to running the cmdlets remotely.

Get-SPContentDatabase

Get-SPContentDatabase returns information about one or more content databases in the SharePoint farm.  The server where you run the command is connected to a particular SharePoint farm so the available databases include only those in the farm. 
To show information about all databases in the farm, run the Get-SPContentDatabase cmdlet without any parameters.  The output is (only one database shown):
Id : 2fb2c72c-e098-4405-9d39-fefd3686fb67
Name : WSS_Content
WebApplication : SPWebApplication Name=SharePoint - 80
Server : DEV-FARM
CurrentSiteCount : 2
Server is the name of the database server; the current site count is the number of site collections in the content database.  To get information about a particular database you can add the -Identity contentdb parameter.

New-SPContentDatabase

To create a new content database run the New-SPContentDatabase cmdlet.  I would contend that this is the most important of the database cmdlets as it allows you to create content databases that you can then use for specific site collections.  A typical command to create a new content database would be:
New-SPContentDatabase -Name contentdb -DatabaseServer dbserver -WebApplication webappname `
  -MaxSiteCount 1 -WarningSiteCount 0
The funny character at the end of the first line above is the one to the left of the number 1 on your keyboard; it is the PowerShell line continuation character (a very poor choice in my opinion).  Note that the content database is associated with or owned by a web application.  You will likely need to get the web application name from your SharePoint administrator.  An example web application name would be http://intranet.yourdomainname.com
You can (and probably should) specify the MaxSiteCount parameter to limit the number of site collections that can be stored in this content database; the default value is 15,000.  I prefer to set the MaxSiteCount to 1 so that someone using SharePoint Central Administration to create a new site collection doesn't inadvertently put in in this content database.  The MaxSiteCount can be changed with the Set-SPContentDatabase cmdlet (described later) or in Central Administration.
Creating a content database is the first step in proactively managing your content databases.  The next step is to specify which site collection(s) are to be stored in the content database.  Your SharePoint administrator should use the New-SPSite cmdlet along with the ContentDatabase parameter when creating a new site collection in order to specify the content database for the site collection.  If you are using Central Administration to create site collections you cannot directly specify the content database for the site collection; you can make sure that only one content database is available by setting the MaxSiteCount or Database Status (described later).

Dismount-SPContentDatabase

Dismount-SPContentDatabase detaches a content database from the web application.  You would do this if you wanted to move the content database to a different web application and/or a different database server.  The operation updates the farm configuration database but otherwise leaves the content database intact in the SQL Server instance.   
A typical command to detach a database would be:
Dismount-SPContentDatabase -Identity contentdb

Mount-SPContentDatabase

Mount-SPContentDatabase is the inverse of Dismount-SPContentDatabase.  In this case you are attaching a content database to a web application.  This would be the case if you ran Dismount-SPContentDatabase and are now ready to attach the content database to a different web application or you moved a detached content database from another database server. 
A typical command to attach a content database would be:
Mount-SPContentDatabase -Name contentdb -DatabaseServer dbserver -WebApplication webappname
Mount-SPContentDatabase can also be used when you upgrade a SharePoint 2007 database to SharePoint 2010; this is referred to on TechNet as the database attach upgrade method  The database will be upgraded to the SharePoint 2010 schema and attached to the web application.  You will get a list of any errors or warnings generated by the upgrade.  Typical errors have to do with customizations referenced in the content database that are not in the web application.  I will not cover those issues here as the DBA isn't usually (hopefully) the person who needs to resolve them.

Remove-SPContentDatabase

Remove-SPContentDatabase detaches a content database from the web application and drops it from the SQL Server instance.  As a general rule I don't use this one.  Even if I do want to drop the database I use Dismount-SPContentDatabase then go to SQL Server Management Studio and drop the database. 
A typical command to detach a content database and drop it would be:
Remove-SPContentDatabase -Identity contentdb

Set-SPContentDatabase

Set-SPContentDatabase is used to set the properties of the content database.  Typical properties to set are:
  • MaxSiteCount - the maximum number of site collections that can be stored in the content database
  • WarningSiteCount - the number of site collections when a warning notification is sent
  • Status - Disabled (no site collections can be added) or OnLine (site collections can be added as long as the MaxSiteCount hasn't been reached)
A typical command to disable new site collections from being added to the content database would be:
Set-SPContentDatabase -Identity contentdb -Status Disabled
A typical command to enable new site collections to be added to the content database would be:
Set-SPContentDatabase -Identity contentdb -Status OnLine
As an aside there is a little bit on inconsistency with the content database Status in Central Administration versus the Set-SPContentDatabase cmdlet.  If you select the Manage content databases option from Central administration, you will see a list of content databases with a Database Status column that has the values Started or Stopped.  When you select a database to view or modify its properties, you will see a Database Status dropdown with the options Ready and Offline.

Test-SPContentDatabase

Test-SPContentDatabase will check a content database against a web application to determine whether all of the customizations referenced in the content database are available in the web application.  This cmdlet can check a content database that is attached to a web application or one that is detached.  In either case the output of the command is a list of errors and warnings which hopefully will be resolved by someone other than the DBA.  This is the same list that Mount-SPContentDatabase generates when you are attaching a SharePoint 2007 content database to SharePoint 2010.
A typical command to test a content database that is attached to a web application would be:
Test-SPContentDatabase -Identity contentdb
A typical command to test a content database that is not attached to a web application would be:
Test-SPContentDatabase -Name contentdb -WebApplication webappname

Wednesday, September 28, 2016

Stop SharePoint Completely/Stopping Farm PowerShell


For Wss 3.0:
Stop the farm by following these steps:
1. in the Services snap-in, stop the following services:
  • Windows SharePoint Services Administration service
  • Windows SharePoint Services Search service
  • Windows SharePoint Services Timer service
  • Windows SharePoint Services Tracing service
  • Windows SharePoint Services VSS Writer service
2.    at the command prompt, type iisreset /stop.
Do it for all SharePoint installed servers in your farm.
http://technet.microsoft.com/en-us/library/cc512723(v=office.12).aspx
For Moss 2007
Stop the farm by following these steps:
1.  in the Services snap-in, stop the following services:
  • Microsoft Single Sign-On service
  • Office Document Conversions Launcher service
  • Office Document Conversions Load Balancer service
  • Office SharePoint Server Search service
  • Windows SharePoint Services Administration service
  • Windows SharePoint Services Search service
  • Windows SharePoint Services Timer service
  • Windows SharePoint Services Tracing service
  • Windows SharePoint Services VSS Writer service
2. On the server that is running the Central Administration Web site, at the command prompt, type iisreset /stop.
Do it for all SharePoint installed servers in your farm.
http://technet.microsoft.com/en-us/library/cc512725(v=office.12).aspx
For SharePoint Foundation 2010
1. in the Services snap-in, stop the following services:
  • SharePoint 2010 Administration
  • SharePoint 2010 Timer
  • SharePoint 2010 Tracing
  • SharePoint 2010 User Code Host
  • SharePoint 2010 VSS Writer
  • SharePoint Foundation Search V4
  • SharePoint Server Search v4
  • World Wide Web Publishing Service
2. at the command prompt, type iisreset /stop.
Do it for all SharePoint installed servers in your farm.
http://technet.microsoft.com/en-us/library/cc512723(v=office.14).aspx
For SharePoint Server 2010
1.  in the Services snap-in, stop the following services:
  • SharePoint 2010 Administration
  • SharePoint 2010 Timer
  • SharePoint 2010 Tracing
  • SharePoint 2010 User Code Host
  • SharePoint 2010 VSS Writer
  • SharePoint Foundation Search V4
  • World Wide Web Publishing Service
  • SharePoint Server Search 14
  • Web Analytics Data Processing Service
  • Web Analytics Web Service
Not:  The final two services are part of the Web Analytics service application. If you are running the Web Analytics service application and choose to rename your server, you must also reconfigure the Web Analytics database locations. For details, see To reconfigure Web Analytics database locations .
2. On the server at the command prompt, type iisreset /stop.
Do it for all SharePoint installed servers in your farm.
http://technet.microsoft.com/en-us/library/cc512725(v=office.14).aspx
For SharePoint 2013
1. in the Services snap-in, stop the following services:
  • SharePoint 2013 Administration
  • SharePoint 2013 Timer
  • SharePoint 2013 Tracing
  • SharePoint 2013 User Code Host
  • SharePoint 2013 VSS Writer
  • World Wide Web Publishing Service
  • SharePoint Server Search
2. On the server that is running the SharePoint Central Administration website, at a command prompt, type iisreset /stop.
Do it for all SharePoint installed servers in your farm
http://technet.microsoft.com/en-us/library/cc512725(v=office.15).aspx