Tuesday, July 8, 2014

SharePoint 2013: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Problem

You attempt to run a PowerShell script against the SharePoint 2013 farm My Site web application and experience the following error message appearing for each website the script iterates through:
Get-SPWeb : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:79
+ Get-SPWebApplication http:/[YourWebAppURL] | Get-SPSite -Limit All | Ge ...
+                                                                               ~~
    + CategoryInfo          : InvalidData: (Microsoft.Share....SPCmdletGetWeb:SPCmdletGetWeb) [Get
   -SPWeb], UnauthorizedAccessException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletGetWeb
You verify that you are running the script in the SharePoint Management Shell as Administrator.  You also verify that the user account you are logged in as is a member of the Farm Administrators group and that it is the Primary site collection administrator for the root site collection of the My Site web application.

Solution
  • Configure a new User Policy for the My Site web application that grants your administrator account Full Control to all the site collections in this web application:
    1. Login to the farm's Central Administration as a farm administrator.
    2. Navigate to: Application Management > Web Applications > Manage Web Applications.
    3. Select the target web application.  This will enable the options on the Web Applications ribbon.
    4. Click the User Policy button.
    5. Click Add Users.
    6. Click Next.
    7. Enter a username, select Full Control, and then click Finish.  When adding the username, be sure to prefix it with i:0#.w|.  So, for example, DOMAIN\John.Smith would be entered as:
      i:0#.w|DOMAIN\john.smith
    8. Open a fresh SharePoint Management Shell as Administrator and re-run the script.
References
Notes
  • An account added to the SharePoint Farm Administrators group is not automatically granted access to a farm web application or to user sites.  A SharePoint Farm Administrator can, however, add himself to a site collection's Site Collection Administrators group and thereby gain administrative access to that site collection and all of its subsites.
  • Administrators of site collections and sites must be members of the Site Collection Administrators group or of the site Administrators group.  A member of the Site Collection Administrators group has administrative access to all sites and subsites within the site collection.
  • This issue can also affect the results you get when you use PowerShell to harvest My Site metrics.  For example, running this command
    Get-SPWebApplication http:/[MySiteURL] | Get-SPSite -Limit All | Select URL, @{Expression={$_.Usage.Storage/1024/1024}}
    will return a list of "0" for the storage values for all My Sites for which your administrator account is not configured as the Site Collection Administrator.

4 comments:

Karim said...

Amazing :)

Thank you for your sharing, your post has helped me much

Vijay said...

Thank you. These little tips are what truly worthy of writing blogs. Adding to Spfarm admin groups and adding spshelladmin access to all content DBs did not help until I added as per the post.

Anonymous said...

i use Expression={$_.Usage.Storage/1MB}} instead 1024/1024

Aftab said...

Very helpful information. Thank you.