When starting a full or incremental import of Active Directory, either manually or scheduled, the import is successful, but there is an error thrown as soon as the import is initiated. My assumption is the AD import kicks off several simultaneous jobs such as updating users' "My SharePoint Sites" in the MOSS and Office 2007 environments.
For reference, to kick off a manual import of AD: Central Administration > Shared Services > User Profile and Properties
Event ID 7888
Event Type: Error
Event Source: Office SharePoint Server
Event Category: Office Server General
Event ID: 7888
Description: A runtime exception was detected. Details follow.
Message: Access Denied! Only site admin can access Data Source object from user profile DB.
Technical Details:
System.UnauthorizedAccessException: Access Denied! Only site admin can access Data Source object from user profile DB.
at Microsoft.Office.Server.UserProfiles.SRPSite.AdminCheck(String message)
at Microsoft.Office.Server.UserProfiles.DataSource._LoadDataSourceDef(IDataRecord rec)
at Microsoft.Office.Server.UserProfiles.DataSource._LoadDataSourceDef(String strDSName)
at Microsoft.Office.Server.UserProfiles.DataSource..ctor(SRPSite site, Boolean fAllowEveryoneRead)
at Microsoft.Office.Server.UserProfiles.DataSource..ctor(SRPSite site)
at Microsoft.Office.Server.UserProfiles.UserProfileConfigManager.GetDataSource()
at Microsoft.Office.Server.UserProfiles.BDCConnector.RefreshConfiguration(String sspName)
Resolution
1) Navigate to: Central Administration > Operations > Services on Server > Office SharePoint Server Search.
2) In the "Configure Office SharePoint Server Search Service Settings" page, locate the account defined for "Farm Search Service Account" and write down the account name.
i) For reference, the account defined serves as the account for the AD "Configure Profile Account" access account.
ii) For reference, you can get to AD Profile Account page: Central Administration > Shared Services > User Profile and Properties > Configure Profile Import.
3) Navigate to: Central Administration > Shared Services > Personalization services permissions.
4) On the "Manage Permissions: Shared Service Rights" page, add the account from before (or edit it if it already exists). The account needs one of the following permissions; I couldn't figure out which one:
Manage user profiles
Manage permissions
I've tested this resolution several times with success.
For reference, I've updated my Farm Search Service Account with the following permissions since the account in question will most likely be accessing the types of content referenced in the permissions at one point or another:
- Manage user profiles
- Manage audiences
- Manage permissions
- Manage usage analytics
Other Thoughts
As with Event ID 2424 I wrote about, I noticed that Event ID 7888 began around the time I installed the following WSS/MOSS security patches which came out prior to the SharePoint SP1 patch:
WSS Update: kb934525
MOSS Update: kb937832
I'm going to make the assumption that this error will occur as soon as you install the SharePoint SP1 patch as well.
Conclusion
Somewhere along the line, the WSS/MOSS and/or SharePoint SP1 update(s) are modifying existing permissions… Shame on the updates.