Access denied to User Profile Service Application

jlmsy 41 Reputation points
2022-02-10T12:47:20.423+00:00

Hi,

I'm currently facing an access denied issue, but I didn't found the root cause.
I wrote a PowerShell script that create User Profile and synchronize the properties. So far, the script is running well with the Farm account.
Now my goal is to switch the execution of the script to dedicated service account.
So I gave the following permission:

  • Local Admin of the server and SharePoint_Shell_Access of SharePoint Config DB, in order to have the possibility to load the SharePoint snapin.
  • Give Full Control permissions on User Profile Service Application. I also gave the Full Control for Administrators of User Profile (but I don't think this one is necessary).

With this, the script is able to execute the following commands:
$context = Get-SPServiceContext($site)
$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)
$upm.UserExists($claimIdUser)

But return an access denied on this command:
$userProfile = $upm.GetUserProfile($claimIdUser)

Error details:
System.Management.Automation.MethodInvocationException
Exception calling "GetUserProfile" with "1" argument(s): "UserProfileDBCache_WCFLogging
:: ProfileDBCacheServiceClient.GetUserData threw exception: Access is denied."

In ULS logs I have:
Unable to write service call usage entry.
ChannelInvoke::GetUserData::1 -- CommunicationException occurred: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.
UserProfile.RetrieveUser() Exception: Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: UserProfileDBCache_WCFLogging :: ProfileDBCacheServiceClient.GetUserData threw exception: Access is denied. ---> System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.
GetUserProfile_RetrieveUser_Cache Failure: RetrieveUser_Cache: Failed because of Exception Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: UserProfileDBCache_WCFLogging :: ProfileDBCacheServiceClient.GetUserData threw exception: Access is denied. ---> System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.

I don't see what permission is missing. Any idea ?

Kind regards,
jlmsy

SharePoint Server
SharePoint Server
A family of Microsoft on-premises document management and storage systems.
2,297 questions
SharePoint Server Management
SharePoint Server Management
SharePoint Server: A family of Microsoft on-premises document management and storage systems.Management: The act or process of organizing, handling, directing or controlling something.
2,897 questions
0 comments No comments
{count} votes

Accepted answer
  1. CaseyYang-MSFT 10,341 Reputation points
    2022-02-11T09:36:34.237+00:00

    Hi @jlmsy ,

    Here is a similar issue: User Profile Service Access Denied Issues.

    You could try to execute following PowerShell commands:

    $USPA = Get-SpServiceapplication | Where-Object {$_.TypeName -eq "User Profile Service Application"}  
      
    $sec = Get-SPServiceApplicationSecurity $USPA  
      
    #This is where I found the issue  
      
    $sec.AccessRules  
      
    #And here's how I fixed it  
      
    $account = New-SPClaimsPrincipal <domain\user> -IdentityType WindowsSamAccountName  
      
    $sec = Get-SPServiceApplicationSecurity $USPA  
      
    Grant-SPObjectSecurity $sec -Principal $account -Rights "Full Control"  
      
    Set-SPServiceApplicationSecurity -Identity $USPA -ObjectSecurity $sec   
    

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

2 additional answers

Sort by: Most helpful
  1. sadomovalex 3,631 Reputation points
    2022-02-10T16:54:17.557+00:00

    does this user account also have shell admin role for User profile service db? (not to User profile service itself, but it's db) If not try to grant it there also:

    $upsDB = Get-SPDatabase ... 
    Add-SPShellAdmin -Username domain\username -Database $upsDB
    

  2. jlmsy 41 Reputation points
    2022-02-15T13:25:19.287+00:00

    Hi @CaseyYang-MSFT ,

    Tricky SharePoint...
    Yes, I had the exact same issue explained on the User Profile Service Access Denied Issues.

    Thanks for pointing me out this, now it's OK, the script is running well with its dedicated service account.

    0 comments No comments