It seems the search crawl account needs read permission on all user accounts and groups.
The MSDN KB article gives the full technical reason why.
Here is how to grant those permissions to the crawl account:
The Windows Authorization Access Group (WAA group) has read permission on the TGGAU attribute (tokenGroupsGlobalAndUniversal) of all user accounts and groups. So, if you add the SharePoint Services service account to the WAA group, that account gains read permission on the TGGAU attribute of the user accounts.
To add the SharePoint Services service account to the WAA group, follow these steps:
On the domain controller, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
In the Active Directory Users and Computers window, expand DomainName, and then click Users or another appropriate organization unit (OU).
Double-click the SharePoint Services service account you want to modify.
In the Properties dialog box, click the Member Of tab.
On the Member Of tab, click Add.
In the Select Groups dialog box, type Windows Authorization Access Group under Enter the object names to select, and then click OK.
Restart the SharePoint Services.
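The same change made from a domain-joined admin workstation with the ActiveDirectory RSAT module, as an added example that is not part of the original post. The account name is a placeholder; the script is idempotent, so re-running it does not error on an existing membership, and it verifies the result before you restart the SharePoint services.

```powershell
# Added example (not from the original post): add a SharePoint service account to the
# Windows Authorization Access Group and verify the membership.
# Assumes the ActiveDirectory RSAT module; the account name below is a placeholder.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-spsearch'   # placeholder: your SharePoint / search service account
$GroupName      = 'Windows Authorization Access Group'

# Resolve the account by SAM account name (strip a DOMAIN\ prefix if one was supplied).
$sam  = $ServiceAccount.Split('\')[-1]
$user = Get-ADUser -Identity $sam -ErrorAction Stop

# Add only if not already a member, so the script is safe to re-run.
$members = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
if ($members -contains $user.SamAccountName) {
    Write-Output "$($user.SamAccountName) is already a member of '$GroupName'."
} else {
    Add-ADGroupMember -Identity $GroupName -Members $user
    Write-Output "Added $($user.SamAccountName) to '$GroupName'."
}

# Verify the membership was written before restarting services.
$now = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
if ($now -contains $user.SamAccountName) {
    Write-Output "Membership confirmed. Restart the SharePoint services so the account's new token is picked up."
} else {
    Write-Error "Membership of '$GroupName' could not be confirmed for $($user.SamAccountName)."
}
```

Group membership only appears in a logon token created after the change, which is why the restart in the last step above is still required; the script only confirms the directory side of it.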
That worked for me, hope it helps someone else out as well.
This issue usually occurs when a request from an authenticated user without local admin rights results in a failed read of the /BIN directory by the impersonating w3wp.exe process (the IIS worker process for ASP.NET).
This behavior is typically associated with a lack of permissions on the temporary folder and the /BIN folder where ASP.NET assemblies are Just In Time (JIT) compiled.
The solution is to ensure that the Authenticated Users or \Users group (which usually contains the DOMAIN\Users group) has Read & Execute, List Folder Contents and Read permissions on the /BIN folder.
Follow the steps below to grant the required permissions:
a. Open Windows Explorer and navigate to the /bin directory of your web application.
b. Right-click on the folder and click on Properties.
c. Go to the Security tab and click on Edit.
d. Click on Add and add the local server group Authenticated Users or \Users (this usually contains the DOMAIN\Users group).
e. Select the Read & Execute, List Folder Contents and Read permissions (if you are planning to add Everyone to the /bin folder, grant Read permissions only).
f. Click OK to apply the new settings.
g. Refresh the page and you should be able to browse to the site.
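The same ACL change scripted with Get-Acl/Set-Acl, as an added example that is not part of the original post. The bin path is a placeholder. It grants Authenticated Users (not Everyone) Read & Execute, which in NTFS already implies List Folder Contents and Read, and then lists the resulting ACE so you can confirm the permission before refreshing the page.

```powershell
# Added example (not from the original post): grant Authenticated Users
# Read & Execute / List Folder Contents / Read on a web application's bin folder,
# then confirm the ACE is present. The path below is a placeholder.
$BinPath   = 'C:\inetpub\wwwroot\MyWebApp\bin'      # placeholder: your web application's /bin directory
$Principal = 'NT AUTHORITY\Authenticated Users'     # narrower than Everyone; matches step d above

if (-not (Test-Path -Path $BinPath -PathType Container)) {
    throw "bin folder not found: $BinPath"
}

# ReadAndExecute covers Read and ListDirectory (List Folder Contents) for a folder.
$rights      = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$type        = [System.Security.AccessControl.AccessControlType]::Allow

$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList @($Principal, $rights, $inheritance, $propagation, $type)

$acl = Get-Acl -Path $BinPath
$acl.AddAccessRule($rule)
Set-Acl -Path $BinPath -AclObject $acl

# Verify: show the explicit and inherited ACEs that apply to the principal.
Get-Acl -Path $BinPath |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

If you do decide to add Everyone instead, as the step above notes, change `$rights` to `[System.Security.AccessControl.FileSystemRights]::Read` so that group gets Read only.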
If an administrator accesses the site or feature that caused the error, subsequent requests from non-administrators succeed. This behavior is typically associated with a lack of permissions on the temporary folder where ASP.NET assemblies are Just In Time compiled.
The FREB (Failed Request Tracing) trace shows a 403.0 for ManagedPipelineHandler.
The request goes through quite a few ASP.NET events, but the failure happens during ASPNetPageRender: it reaches ASPNetPageRender Enter, then ASPNetHttpHandler Leave, and only then returns a 403.0, which is not an official RFC status code. The first sub-status for 403 is 403.0.
Application pool in Classic or Integrated mode
Application pool in Classic mode: in this case, we can configure a wildcard mapping for ASPNET_ISAPI.dll at the website level. That mapping propagates to child virtual directories, so no further changes should be needed at the virtual directory level.
Application pool in Integrated mode: in this case, all relevant virtual directories need individual modifications, because each must be set for the specific handler.
The SQL Server service account is used to run SQL Server. It is the service account for the following SQL Server services:
MSSQLSERVER
SQLSERVERAGENT
If you do not use the default SQL Server instance, these services appear in the Windows Services console as:
MSSQL
SQLAgent
Use either a Local System account or a domain user account. If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions to the external resource to the machine account (). The instance name is arbitrary and was created when SQL Server was installed.
Setup user account
The Setup user account is used to run the following:
Setup
SharePoint Products Configuration Wizard
Domain user account. Member of the Administrators group on each server on which Setup is run. SQL Server login on the computer that runs SQL Server. Member of the following SQL Server roles:
securityadmin fixed server role
dbcreator fixed server role
If you run Windows PowerShell cmdlets that affect a database, this account must be a member of the db_owner fixed database role for that database.
Server farm account or database access account
The server farm account is used to perform the following tasks:
Configure and manage the server farm.
Act as the application pool identity for the SharePoint Central Administration Web site.
Run the Microsoft SharePoint Foundation Workflow Timer Service.
Domain user account. Additional permissions are automatically granted for the server farm account on Web servers and application servers that are joined to a server farm. The server farm account is automatically added as a SQL Server login on the computer that runs SQL Server. The account is added to the following SQL Server security roles:
dbcreator fixed server role
securityadmin fixed server role
db_owner fixed database role for all SharePoint databases in the server farm