Monday, November 16, 2009

How to add a Windows group in the SharePoint Farm Administrator’s group

I know what you’re going to say: “it’s easy, just add the Windows group to the Farm Administrator’s group from Central Admin”. You’re almost right.

Here’s the thing:

One of our developers created a custom “Self-Service Site Creation” application. As you know, to be able to create a new site collection you must be a member of the “Farm Administrator’s group”, so his application has to impersonate an account that is a member of that group.

We always prefer to use Windows groups (when possible), so we created a new Windows group, “SharePoint Farm Admins”, added the impersonated user to that group, and added that group to the SharePoint Administrator’s group.

Here’s the problem:

When the Self-Service Site Creation application tries to create a new site collection, an error is generated:

Insufficient SQL database permissions for user ‘***** ’in database 'SharePoint_AdminContent_******’ on SQL Server instance ‘****’. Additional error information from SQL Server is included below.  The EXECUTE permission was denied on the object …

Here’s the solution:

Just log on once to Central Admin with your impersonated account and recycle the application pool in IIS.

Here’s the explanation:

I’m not a SharePoint engineer (so I could be wrong), but as I understand it, any account that logs on to SharePoint must have a profile stored in the database (tables UserInfo and AllUserData in the SharePoint_AdminContent DB). When you log on for the first time through a SharePoint page, a new profile is created by SharePoint. When you use the system’s API to impersonate, the new profile doesn’t get created at your first logon, so you get an error.

That’s why you simply have to log on once to Central Admin: your new profile gets created and everything starts to work after that.

Note:

This type of profile is not visible in any of Central Admin’s UI pages. You have to dig into the SharePoint DB to see it.