Permission | SharePoint Technical Support

SharePoint search resultsresultsundund for Farm account not for normal users

When doing a search, using the farm account, you get search results, but when a “Normal” user does a search, they did not get any results.

It relates to giving the service accounts access to read users TGGAU attributes. (http://support.microsoft.com/kb/331951)

It Seems like Search crawl account needs to be given read permissions in all user accounts and groups.

The MSDN KB article has all Technical reason why

How do you give these permissions to crawl account, as below

The Windows Authorization Access Group (WAA group) has read permissions to the TGGAU attribute of all user accounts and groups.So,if you add the SharePoint Services service accounts to the WAA group,the SharePoint Services service account has read permissions to the TGGAU attribute of the user accounts.

To add the SharePoint Services service account to the WAA group, follow these steps:

On the domain controller, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
In the Active Directory Users and Computers window, expand DomainName, and then click Users or another appropriate organization unit (OU).
Double-click the SharePoint Services service account you want to modify.
In the Properties dialog box, click the Member Of tab.
On the Member Of tab, click Add.
In the Select Groups dialog box, type Windows Authorization Access Group under Enter the object names to select, and then click OK.
Restart the SharePoint Services.

That worked for me, hope it helps someone else out as well.

SharePoint 2010 Search result Not found documents for a specific library in specific SharePoint site

Hi All,

I came across a situation where user is trying to search documents selecting the option “search in same site” instead of “all sites” from search box and getting no result where as can find documents from other library with in same site.

Why such happens ?

The first point comes to mind for search error is content not crawled, indexing not done for this situation.

Yes , its true but we need to think why ?

As per my investigation I found the setting of the library as below

Draft-items-are-not-crawled-in-SharePoint

By default SharePoint only crawls major versions of files and draft items are only viewable by their creators. SharePoint is behaving as expected out of box.Draft items are not crawled in SharePoint

Resolution :

This behavior can be altered in Document Library Settings -> Versioning Settings -> Draft Item Security

Select the option “Any user who can read items”.

This will allow all users to see draft items including the crawling account.

Else you need to select “Create major versions” option or can publish the documents as major versions if want to get those documents in search result as per client wish.

https://support.microsoft.com/en-us/help/2304855/draft-items-are-not-crawled-in-sharepoint

Access Denied Error after migrating to SharePoint 2013

Scenario:

We were working for a client, they had many groups and we had to build a collaboration portal for all the groups. Key thing was few sites of some groups were already present in SharePoint 2010 in different standalone servers. Migration was a key thing here as the existing sites has huge data, and huge user base.

The Requirement was to build a portal /web application which will have migrated sites and new set of sites as per agreed site structure. According to the agreed architecture and design we created a new web application and started building the site hierarchy.

As part of this we followed the regular approach database detach –attach method and migrated the existing SharePoint 2010 site .Migration was successful and we were able to access the site with the system account. Later we tried with couple of site admin accounts, to our surprise we were getting “ACCESS DENIED” with any other user id.

Background:

By default when we create a web application in SharePoint 2013, it gets created with Claims authentication. When we migrate the content DB to 2013, it recognizes the user account only in this format i:0#.w|domainusername . Though it’s an AD account it no more recognizes the DomainUserName format.

SharePoint assumes all users to be claim users and renders them so. Therefore, a normal windows user – “DomainUserName” appears as “i:0#.w|DomainUserName”. Moreover, it uses the username in this same format to check for its permissions but does not find a matching entry for the user as the database has windows users – “DomainUserName”. So, the site will give you an access denied.

Note that the System Account will work since its “DomainUserName” is never used and System Account is a keyword used by SharePoint for the application pool identity. Therefore, it remains unaffected.

Solution:

In brief the share point 2010 site which needs to be migrated should be converted to claims format and then migrate it to 2013. But a word of caution , do not directly change the SP 2010 site to claims format in a production environment as it will not allow existing windows accounts to login and existing SharePoint 2010 site will be no more operational.

Below power shell script converts classic mode site to claims mode:

This script converts user accounts to claims format:

On executing the first script (to enable claims authentication) the SharePoint Content Database is made ready for claims based authentication but the already existing site users were windows users, are not “migrated” to be understood by claims authentication.

We use the second script to “migrate” the users. MigrateUser($true) will convert all user accounts to claims format. After running this script user accounts are converted in the database to claims format, therefore, user names are read correctly by SharePoint therefore, permissions for users are associated correctly by SharePoint hence the site permissions work correctly.

Note:

By any chance if you execute these scripts directly in productions, by executing $webapp.MigrateUsers($false) will not convert user accounts to windows mode, rather it will throw an exception. Make sure you have a temporary environment built where you execute the above scripts. Also note that these scripts are running on Web Applications so they will affect all site collections in that web application

Accounts used to install and configure SharePoint 2013

Account	Purpose	Requirements
SQL Server service account	The SQL Server service account is used to run SQL Server. It is the service account for the following SQL Server services:  MSSQLSERVER  SQLSERVERAGENT If you do not use the default SQL Server instance, in the Windows Services console, these services will be shown as the following:  MSSQL  SQLAgent	Use either a Local System account or a domain user account. If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions to the external resource to the machine account (). The instance name is arbitrary and was created when SQL Server was installed.

Setup user account

The Setup user account is used to run the following:  Setup  SharePoint Products Configuration Wizard

 Domain user account.  Member of the Administrators group on each server on which Setup is run.  SQL Server login on the computer that runs SQL Server.  Member of the following SQL Server roles:  securityadmin fixed server role  dbcreator fixed server role If you run Windows PowerShell cmdlets that affect a database, this account must be a member of the db_ownerfixed database role for the database.

Server farm account or database access account

The server farm account is used to perform the following tasks:  Configure and manage the server farm.  Act as the application pool identity for the SharePoint Central Administration Web site.  Run the Microsoft SharePoint Foundation Workflow Timer Service.

 Domain user account. Additional permissions are automatically granted for the server farm account on Web servers and application servers that are joined to a server farm. The server farm account is automatically added as a SQL Server login on the computer that runs SQL Server. The account is added to the following SQL Server security roles:  dbcreator fixed server role  securityadmin fixed server role  db_owner fixed database role for all SharePoint databases in the server farm

Accounts used by application pools or service identities are in the local machine Administrators group SharePoint

Rule Name: Accounts used by application pools or service identities are in the local machine Administrators group.

Summary: A user account that is used by application pools or services must have permissions of a domain user account and must not be a member of the Farm Administrators group or a member of the Administrators group on the local computer. Using highly privileged accounts for application pools or services poses a security risk to the farm, and could allow malicious code to execute.

Cause: Accounts that are used by application pools or services are members of the Administrators group on the local computer.

Resolution: Change the user account to a predefined account, or to a domain user account that is not a member of the Administrators group.

Verify that the user account that is performing this procedure is a member of the Farm Administrators group.
On the Central Administration home page, in the Security section, click Configure service accounts.
On the Service Accounts page, in the Select the component to update list, click the application pool or service that uses the credentials of a member of the Administrators group on the local computer as its security account.
In the Select an account list, click an appropriate account for this component — for example, the predefined account Network Service — or click Register new managed account, and then on the Register Managed Account page, specify the credentials and the password change settings that you want.
Click OK.

Sorry we could’t follow the document or site sharepoint 2013

Problem

Now what this is really about and the reason why you stopped at this post. SharePoint 2013 gives an error when you hit the ‘Follow‘ button with the next message: Something went wrong.

Sorry we could’t follow the document or site sharepoint 2013

In this example I tried to follow a document in a library.

Cause

This pop-up doesn’t provide a lot of information. except that it’s not working. The next step is to check the good old SharePoint logs at the ‘15 Hive‘ location: C:Program FilesCommon FilesMicrosoft SharedWeb Server Extensions15LOGS

Analyzing the log file shows that there is a problem opening the content database hosting the users
My Sites. Now it starts to get interesting. reading further down the logs shows the name of the user account that has failed to login. (search the term ‘for Cannot open database’)

Sorry we could’t follow the document or site sharepoint 2013

The cause of this problem is that the Application Pool Account has no access to the database. This is most probably caused by the service accounts that are used for the SharePoint default web application and the My Sites web application.

This can easily be checked with a PowerShell script :

Add-WindowsFeature Web-WMI | Format-List
Get-CimInstance -Namespace root/MicrosoftIISv2 -ClassName IIsApplicationPoolSetting -Property Name, WAMUserName, WAMUserPass | select Name, WAMUserName, WAMUserPass

powershell app pool account

Solution:

This is what you’ve all been waiting for! How do I solve this annoying issue.
Well the resolution is pretty easy. You have to go to the database server and give the Application Pool Account access to the needed database.

Open your SQL server and correct instance and select the user that you’ve found in the SharePoint log. In my case this was the user: ‘TESTSP_WebApps‘

Go to the Security – Logins node and right-click on the user that you found earlier in the SP Logs and select properties.

Sorry we could’t follow the document or site sharepoint 2013

Now select the ‘User Mapping‘ node and select the My Sites content database.
Also select the ‘SPDataAccess‘ and hit the OK button.

SQL login properties user maping settings

Close the SQL Server and go back to your SharePoint site.

Your set to go and ready to follow documents, Libraries, Sites, etc.

Site not appear in IIS Manager,error opening in SharePoint Designer

I have created a site collection and then create two team sites on sharepoint server. Sites are working fine from central Admin but they are not appearing in IIS manager. Also when I try to edit a sharepoint site on SharePoint designer 2010 follwing error comes.

Unable to open website following causes:

1) the web server may not have sharepoint installed

2)The web server may be temporarily out of service

3)if you are connecting through a proxy server the proxy settings may be incorrect

4) An error may be occurred in the web server

The IIS manager only showing the follwing sites SharePoint 80 and SharePoint central admin

When I try to create a site on SharePoint designer following error comes:

The web site must be created on a server that is running Microsoft SharePoint foundation server please choose another location.

I have installed SharePoint server 2010, SharePoint foundation server 2010 and SharePoint designer on my pc.

Solution :

In IIS Manager, you’re only going to see the Web apps, the site collections and sites are wont show up (if you have another web app that isn’t showing up, that’s a bigger issue. I’d delete it and try to recreate it).
The SharePoint Designer issue, I’ve had before. For me, the issue was a firewall setting. But basically if you can get to the pages with the browser, make sure you have correct permissions set for your login, etc.

Share this:

Like this:

Resolution :

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Problem

Cause

Solution:

Share this:

Like this:

Solution :

Share this:

Like this: