I stumbled onto a weird problem this week and I wanted to share it with you all. The problem itself is kind of weird, but that's not really what surprised me about it. What surprised me is that it took so long to find and more people aren't having it. Here is the most succinct way I can describe it:
"When a default quota template is defined for the web app if a Farm Administrator that is NOT the System Account tries to create a site collection where that Farm Administrator is NOT a site collection administrator the creation will fail with an 'Access Denied' error."
That's a mouthful, so let's walk through the steps to reproduce it, which might help explain it some. To reproduce this error you'll need three accounts:
- SP_Farm – This account is used for everything except content crawl. Bits were installed as this user, PSConfig was run as this user. The Timer Job service runs as this user, and all your app pools run as this user. When you log into a SharePoint page with this account the Welcome banner on the top right says "Welcome System Account."
- Todd – Obviously this account can have any name. What's important is that this account is in the Farm Administrators group in SharePoint, and it is used for day to day SharePoint administrative tasks instead of SP_Farm. When you log into a SharePoint page with this account the Welcome banner on the top right does not say "Welcome System Account." It welcomes the user by name instead.
- Jill – This account must be named this. Okay, I'm kidding, it can be named anything. This account is a regular old user account. This account represents someone that called the helpdesk or used whatever process you have for creating a Site Collection. To reproduce this bug you don't actually have to log in as this account, it just must exist.
Now that we've got all the accounts created, let's get down to reproducing the error. Verify the Todd user is in the Farm Administrators group by going to Central Admin > Operations > Update farm administrator's Group. You can make this user a farm administrator by adding them individually, or by adding a group they are in. Either way works. Now verify you're logged into Central Admin as this user. You should see this in the upper right-hand corner:
If you see "Welcome System Account" instead you're logged in with the wrong account and the problem won't exist.
Next go to Central Admin > Application Management > Web application general settings. Make sure you take note of which web app's general settings you're changing. I recommend your portal or main content web app for this demonstration. In the Default Quota Template area select a quota as the default. If none show up in the dropdown, go to Central Admin > Application Management > Quota templates and create one. The name and the sizes don't matter. Put anything in there. Now go back to Application Management and click Create Site Collection. Make sure you're creating this site collection in the same web app that you just assigned the quota to. You can put whatever you'd like as the title, though I've found "Todd is cool" seems to work the best. Same goes for the URL of the new site collection. The important part is that you assign the Jill account, and only the Jill account, as a site collection administrator. DO NOT put the Todd or SP_Farm accounts in as an administrator. Verify at the bottom of the page that a default quota is being applied. Your page should look something like this:
I've pointed out the parts that are most important. It's important that a non-privileged account is the only administrator, and that a default template is being applied. When you hit OK to create the site collection you should be greeted with this:
Huh? Todd is a Farm Admin, he should be able to create site collections. What gives?
Well, honestly I don't know what gives. I've pored through the ULS logs and I have yet to determine exactly what Todd doesn't have access to. Here's what I do know: if I hit the back arrow and add Todd as a site administrator, the error goes away. I also know that if SP_Farm tries to create a site collection with just Jill as an administrator, it works. I also know that if I go back to the web app general settings and remove the default quota template, Todd can now create Jill's site collection. I have no idea what triggers that error. I have confirmed it on SP2 (build 6421) and the June CU (build 6510). I also know you get this behavior whether you use Central Admin or STSADM.
A couple of other notes. It seems the site collection creation process gets started, but is interrupted before it can complete. You'll notice the site collection you tried to create does not exist if you try to browse to it, or list the site collections in Central Admin or with STSADM. However, enough of it is written to the content database that if you detach the content database it was going into and reattach it, the site collection is now there. It doesn't have a template, but it's there. Go ahead, try it, I'll wait…
This is because the entries for the site collection are created in the ContentDB's Sites table, but are never written to the ConfigDB's Sites table. When you attach a ContentDB, SharePoint walks through its Sites table to see what site collections exist in it, and it adds them to the ConfigDB's Sites table. I mention this because your site collection count will jump if you ever detach and reattach this ContentDB. Also, it doesn't matter what quota template is picked on the site collection page itself; it only matters whether a default has been chosen for the web app. If you DO have a default chosen but set it to "None" when you create the site collection, it still fails. If you DO NOT have a default chosen, but choose a quota at site collection creation, it does not fail. I have no way to explain this.
While this problem is completely nonsensical, that's not what was most surprising to me about it. I'm surprised that after three years of using the product I've never stumbled across this. It's the meeting of several best practices I preach. I tell people to always set quotas from the beginning, even if they think they'll never need them. I tell people not to use the SP_Farm account for day to day tasks. I tell people to put the user in charge of the site collection and not to make IT manage things at that level. Somehow though, those things have never converged to create this problem before this week. Weird. I did find one forum thread about this problem as I researched. When I scrolled down and saw that one of the guys trying to help the poster was me, I knew he and I were both in trouble. :)
This doesn't seem to be a big problem, and the workarounds are easy. Any one of the following things will get you around this issue.
- Don't set a web app default quota
- Create site collections as the System Account
- Add your farm user as an administrator when you create the site collection, then immediately remove them
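Since the post notes the failure happens from STSADM as well as Central Admin, here is the whole sequence as a script: the reproduction with Jill as the only administrator, a check for the half-created site collection, and the third workaround above. This is an added example, not the post's own commands. It assumes a MOSS 2007 / WSS 3.0 farm server with stsadm.exe on the PATH, run from a session logged in as the Todd account (a Farm Administrator that is not the System Account), and a web app that already has a default quota template set. The domain, URLs, mail addresses and content database name are placeholders; the use of `databaserepair` to surface the orphaned rows is my assumption, not something the post states.

```powershell
# Added example (not from the original post). Placeholder values below must be
# replaced with your own farm's domain, web app URL, mail addresses and DB name.
$webApp  = "http://portal.contoso.local"        # web app with a default quota template assigned
$siteUrl = "$webApp/sites/toddiscool"           # URL of the site collection we try to create
$jill    = "CONTOSO\Jill"                       # regular user; the ONLY site collection admin
$todd    = "CONTOSO\Todd"                       # Farm Administrator running this script (not SP_Farm)
$contentDb = "WSS_Content_Portal"               # content DB the new site collection lands in

# Step 1: reproduce. Jill alone as owner, default quota in effect on the web app.
# On the affected builds this returns Access Denied instead of creating the site.
& stsadm -o createsite -url $siteUrl -ownerlogin $jill -owneremail "jill@contoso.local" `
    -title "Todd is cool" -sitetemplate "STS#0"
Write-Host "createsite exit code: $LASTEXITCODE"

# Step 2: confirm the site is not visible. enumsites reads the ConfigDB, so the
# aborted site collection does not appear even though rows were left in the ContentDB.
& stsadm -o enumsites -url $webApp

# Step 3 (assumption): databaserepair reports site collections present in a content
# database but unknown to the config database. Run it read-only first and review the
# output before re-running with -deletecorruption to remove the leftovers.
& stsadm -o databaserepair -url $webApp -databasename $contentDb
# & stsadm -o databaserepair -url $webApp -databasename $contentDb -deletecorruption

# Step 4: workaround. Add the farm user as the secondary administrator so the creation
# succeeds, then take the farm user back out via Site Settings > Site collection
# administrators so Jill is left as the only admin, as the post recommends.
& stsadm -o createsite -url $siteUrl -ownerlogin $jill -owneremail "jill@contoso.local" `
    -secondarylogin $todd -secondaryemail "todd@contoso.local" `
    -title "Todd is cool" -sitetemplate "STS#0"
Write-Host "createsite (with farm admin as secondary) exit code: $LASTEXITCODE"
```

Step 3 is the part to treat carefully: run the read-only pass first and check that what it lists is really the aborted "Todd is cool" site before deleting anything, since detaching and reattaching the content database would otherwise resurrect it as a template-less site collection and bump your site count.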
Any of those will get you around this. I spent the better part of four days trying to get this figured out. I hope this blog post helps at least one person and saves them some time and frustration.
tk