Wednesday, April 6, 2011

Windows: Event ID 7888 (SharePoint AD user profile import error)

Issue:

When starting a full or incremental import of Active Directory, either manually or scheduled, the import is successful, but there is an error thrown as soon as the import is initiated. My assumption is the AD import kicks off several simultaneous jobs such as updating users' "My SharePoint Sites" in the MOSS and Office 2007 environments.
For reference, to kick off a manual import of AD: Central Administration > Shared Services > User Profile and Properties

Event ID 7888

Event Type: Error
Event Source: Office SharePoint Server
Event Category: Office Server General
Event ID: 7888

Description: A runtime exception was detected. Details follow.

Message: Access Denied! Only site admin can access Data Source object from user profile DB.

Technical Details:
System.UnauthorizedAccessException: Access Denied! Only site admin can access Data Source object from user profile DB.
at Microsoft.Office.Server.UserProfiles.SRPSite.AdminCheck(String message)
at Microsoft.Office.Server.UserProfiles.DataSource._LoadDataSourceDef(IDataRecord rec)
at Microsoft.Office.Server.UserProfiles.DataSource._LoadDataSourceDef(String strDSName)
at Microsoft.Office.Server.UserProfiles.DataSource..ctor(SRPSite site, Boolean fAllowEveryoneRead)
at Microsoft.Office.Server.UserProfiles.DataSource..ctor(SRPSite site)
at Microsoft.Office.Server.UserProfiles.UserProfileConfigManager.GetDataSource()
at Microsoft.Office.Server.UserProfiles.BDCConnector.RefreshConfiguration(String sspName)

Resolution

  1. Navigate to: Central Administration > Operations > Services on Server > Office SharePoint Server Search.
  2. In the "Configure Office SharePoint Server Search Service Settings" page, locate the account defined for "Farm Search Service Account" and write down the account name.
    1. For reference, the account defined serves as the account for the AD "Configure Profile Account" access account.
    2. For reference, you can get to AD Profile Account page: Central Administration > Shared Services > User Profile and Properties > Configure Profile Import.
  3. Navigate to: Central Administration > Shared Services > Personalization services permissions.
  4. On the "Manage Permissions: Shared Service Rights" page, add the account from before (or edit it if it already exists). The account needs one of the following permissions; I couldn't figure out which one:
    1. Manage user profiles
    2. Manage permissions
I've tested this resolution several times with success.
For reference, I've updated my Farm Search Service Account with the following permissions since the account in question will most likely be accessing the types of content referenced in the permissions at one point or another:
  • Manage user profiles
  • Manage audiences
  • Manage permissions
  • Manage usage analytics

Other Thoughts

As with Event ID 2424 I wrote about, I noticed that Event ID 7888 began around the time I installed the following WSS/MOSS security patches which came out prior to the SharePoint SP1 patch:
I'm going to make the assumption that this error will occur as soon as you install the SharePoint SP1 patch as well.

Conclusion

Somewhere along the line, the WSS/MOSS and/or SharePoint SP1 update(s) are modifying existing permissions… Shame on the updates.
I've read other posts whose resolution is to add the account in question to the local administrators group. Although their resolution may work, the profile import account should not be a server administrator; the administrator role should be reserved for the global MOSS service account admin (the account used to install MOSS) and the configuration account (the account MOSS uses to provision databases and other content that was defined during the MOSS install).
Enjoy!
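
To confirm the resolution without making the import account a server administrator, the following added example (not from the original post) checks the Application log for new Event ID 7888 errors and checks whether the account is a direct member of the local Administrators group. The account name and the time of the change are placeholders; it assumes a domain account and Windows PowerShell 2.0 or later on the MOSS server.

```powershell
# Added example; not part of the original post.
param(
    [string]$Account   = 'CONTOSO\svc-search',    # placeholder: your Farm Search Service Account
    [datetime]$FixedAt = (Get-Date).AddDays(-1)   # placeholder: when the Shared Service Rights were changed
)

# 1. Event ID 7888 errors from the source shown in the post, logged after the change.
#    Get-EventLog raises an error when nothing matches, so that case is silenced.
$events = @(Get-EventLog -LogName Application -Source 'Office SharePoint Server' `
                -EntryType Error -After $FixedAt -ErrorAction SilentlyContinue |
            Where-Object {
                $_.EventID -eq 7888 -and
                $_.Message -like '*Only site admin can access Data Source*'
            })

# 2. Direct members of the local Administrators group, read through the WinNT provider.
#    Nested membership (via a domain group) is not resolved here.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}

# ADsPath for a domain account looks like WinNT://DOMAIN/name.
$needle  = 'WinNT://' + $Account.Replace('\', '/')
$isAdmin = @($members | Where-Object { $_ -ieq $needle }).Count -gt 0

# 3. Report.
'{0} matching Event ID 7888 error(s) since {1}' -f $events.Count, $FixedAt
$events | Select-Object -First 3 TimeGenerated, EventID, Source | Format-Table -AutoSize

if ($isAdmin) {
    Write-Warning "$Account is a direct member of local Administrators; remove it and rely on the Shared Service Rights instead."
} else {
    "$Account is not a direct member of local Administrators."
}
```

Run it after the next full or incremental import so the log has had a chance to record a new error.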
