For starters, you should not have any local Administrators running a service or application pool for SharePoint 2007. As tempting as it may be to resolve errors by simply adding them to the Administrators group, it is simply not necessary.
Issue
When you start to back out/restrict permissions after installation/configuration ... you will most likely start to see a number of errors popping up (6641 and 6482). They are permissions related.
Event Type: Error
Event Source: Office SharePoint Server
Event Category: Office Server Shared Services
Event ID: 6641
Date: 12/15/2007
Time: 2:00:00 AM
User: N/A
Computer: COMPUTERNAME
Description:
The SSP Timer Job User Profile Change Job was not run.
Reason: Logon failure: the user has not been granted the requested logon type at this computer
Solution
For each of these steps I recommend restarting IIS and affected services ... or if you can (to eliminate any doubts) ... reboot the server.
Step 1 - Check to make sure your service accounts have "Log on as a Service" permissions.
- Go to Start > run > gpedit.msc ... to pull up group policies (shown right).
- Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments
- Double click "Log on as service" and check to see if your service accounts are listed under the "Local Security Setting" tab
- If they are not there they will need to be added
- Double click "Log on as a batch job" and check to see if your service accounts are listed under the "Local Security Setting" tab
- If they are not there they will need to be added
- If you have updated your policies you will at least need to run gpupdate/force from the command line.
- The Backup Operators have a few more policy permissions that can tackle some of those pesky errors.
- There are a number of posts out there that tell you to go into component services and manually add the service accounts to IIS WAMREG or SPSEARCH. DO NOT add them individually. SharePoint has already populated the WSS_WPG group to these DCOM applications.
- Start > Programs > Admin Tools > Component Services
- Computers > My Computer > DCOM Config > IIS WAMREG (and SPSearch)
- Right click > Properties > Security tab
- Under Launch and Activation Permissions click Edit
- Check the checkbox for Remote Launch and Remote Activation
- Click OK
4 comments:
Hi Richter,
Thanks for your solution. I went through the steps but i am not able to add my account service in "log on as batch" since the button is gerreyed out and below it says "This setting is not compatible with computer running windows 2000 service pack 1 or earlier. Policy object containing this setting only to computers running later version of the operating system.".
Moreover, have you ever come across Event Id 22745, I digged the internet and all the sharepoint forums but i have not find any useful solution.
Thanks
Hamid,
It will definitely be a different path for Windows 2000. Lucky for me, I have only worked with WIN2k3 and WIN2k8 installations.
I have not come across the 22745s ... again, lucky for me ;-).
Sorry, I can't be more help.
Hamid,
If you are unable to add an account because the button is greyed out, you will need to speak to the individual responsible for your AD. There is a policy that locks that button down.
Also Event 22745 is related to some database issue. You might want to look that way
great work .. it helped a lot.
Post a Comment