Access denied to User Profile Service Application

jlmsy 46 Reputation points
2022-02-10T12:47:20.423+00:00

Hi,

I'm currently facing an access denied issue, but I haven't found the root cause.
I wrote a PowerShell script that creates User Profiles and synchronizes the properties. So far, the script is running well with the Farm account.
Now my goal is to switch the execution of the script to a dedicated service account.
So I gave the following permissions:

  • Local Admin of the server and SharePoint_Shell_Access on the SharePoint Config DB, so that the SharePoint snap-in can be loaded.
  • Full Control on the User Profile Service Application. I also gave Full Control for Administrators of User Profile (but I don't think this one is necessary).

With this, the script is able to execute the following commands:
$context = Get-SPServiceContext($site)
$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)
$upm.UserExists($claimIdUser)

But it returns access denied on this command:
$userProfile = $upm.GetUserProfile($claimIdUser)

Error details:
System.Management.Automation.MethodInvocationException
Exception calling "GetUserProfile" with "1" argument(s): "UserProfileDBCache_WCFLogging
:: ProfileDBCacheServiceClient.GetUserData threw exception: Access is denied."

In ULS logs I have:
Unable to write service call usage entry.
ChannelInvoke::GetUserData::1 -- CommunicationException occurred: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.
UserProfile.RetrieveUser() Exception: Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: UserProfileDBCache_WCFLogging :: ProfileDBCacheServiceClient.GetUserData threw exception: Access is denied. ---> System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.
GetUserProfile_RetrieveUser_Cache Failure: RetrieveUser_Cache: Failed because of Exception Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: UserProfileDBCache_WCFLogging :: ProfileDBCacheServiceClient.GetUserData threw exception: Access is denied. ---> System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.

I don't see what permission is missing. Any idea?

Kind regards,
jlmsy


Accepted answer
  1. CaseyYang-MSFT 10,456 Reputation points
    2022-02-11T09:36:34.237+00:00

    Hi @jlmsy ,

    Here is a similar issue: User Profile Service Access Denied Issues.

    You could try to execute the following PowerShell commands:

    $USPA = Get-SPServiceApplication | Where-Object {$_.TypeName -eq "User Profile Service Application"}
    $sec = Get-SPServiceApplicationSecurity $USPA
    #This is where I found the issue
    $sec.AccessRules
    #And here's how I fixed it
    $account = New-SPClaimsPrincipal <domain\user> -IdentityType WindowsSamAccountName
    $sec = Get-SPServiceApplicationSecurity $USPA
    Grant-SPObjectSecurity $sec -Principal $account -Rights "Full Control"
    Set-SPServiceApplicationSecurity -Identity $USPA -ObjectSecurity $sec

2 additional answers

  1. jlmsy 46 Reputation points
    2022-02-15T13:25:19.287+00:00

    Hi @CaseyYang-MSFT ,

    Tricky SharePoint...
    Yes, I had the exact same issue as explained in User Profile Service Access Denied Issues.

    Thanks for pointing this out to me; now it's OK, the script is running well with its dedicated service account.


  2. sadomovalex 3,636 Reputation points
    2022-02-10T16:54:17.557+00:00

    Does this user account also have the shell admin role for the User Profile Service DB (not for the User Profile Service itself, but its DB)? If not, try to grant it there as well:

    $upsDB = Get-SPDatabase ...
    Add-SPShellAdmin -Username domain\username -Database $upsDB

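As an added example (not code from the thread, Microsoft or the answerers), here is a read-only audit that combines both answers: it reports whether the service account has an entry on the UPA's ACL and whether it is a shell admin on the profile database, and applies the two grants only when run with -Apply. The account name, the database name and the claim-form matching of rule names are assumptions of mine.

```powershell
# Added example: audit what a service account already holds on the User Profile
# Service Application (UPA) and on its profile database before granting anything,
# then apply the fixes from the two answers only on request.
# Assumptions: elevated SharePoint Management Shell, run as a farm administrator;
# $ServiceAccount and $ProfileDbName are placeholders to replace with your own values.
param(
    [string]$ServiceAccount = "DOMAIN\svc-upa",   # placeholder
    [string]$ProfileDbName  = "UPA_ProfileDB",    # placeholder: name of the UPA Profile DB
    [switch]$Apply                                # without -Apply the script only reports
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upa = Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" }
if (-not $upa) { throw "User Profile Service Application not found in this farm" }

# 1. The service application ACL, which is what GetUserProfile() is checked against.
$sec = Get-SPServiceApplicationSecurity $upa
# Assumption: rule names are shown in claim form (e.g. i:0#.w|DOMAIN\user), so match on the suffix.
$rule = $sec.AccessRules | Where-Object { $_.Name -like "*$ServiceAccount" }
if ($rule) {
    "UPA ACL: $ServiceAccount has rights '$($rule.AllowedRights)'"
} else {
    Write-Warning "UPA ACL: no entry for $ServiceAccount (matches the 'Access is denied' from GetUserProfile)"
}

# 2. Shell admin on the profile database (the point raised in the other answer).
$profileDb = Get-SPDatabase | Where-Object { $_.Name -eq $ProfileDbName }
if (-not $profileDb) { throw "Database '$ProfileDbName' not found; check the name in Central Administration" }
$isShellAdmin = Get-SPShellAdmin -Database $profileDb | Where-Object { $_.UserName -eq $ServiceAccount }
if ($isShellAdmin) { "Profile DB: $ServiceAccount is already a shell admin on $ProfileDbName" }
else { Write-Warning "Profile DB: $ServiceAccount is not a shell admin on $ProfileDbName" }

# 3. Apply the grants only when explicitly asked, so a plain run stays a read-only audit.
if ($Apply) {
    if (-not $rule) {
        $principal = New-SPClaimsPrincipal $ServiceAccount -IdentityType WindowsSamAccountName
        Grant-SPObjectSecurity $sec -Principal $principal -Rights "Full Control"
        Set-SPServiceApplicationSecurity -Identity $upa -ObjectSecurity $sec
        "Granted Full Control on the UPA to $ServiceAccount"
    }
    if (-not $isShellAdmin) {
        Add-SPShellAdmin -UserName $ServiceAccount -Database $profileDb
        "Added $ServiceAccount as shell admin on $ProfileDbName"
    }
}
```

Run it once without -Apply to see which of the two permissions is actually missing before changing anything.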