.NET Tutorials, Forums, Interview Questions And Answers

User Profile Service account Write to AD Permissions

Posted By:      Posted Date: August 31, 2010    Points: 0   Category :SharePoint
I followed this guide here (http://www.harbar.net/articles/sp2010ups.aspx) to provision the UPS service in SharePoint 2010. I found the guide very helpful and informative. Everything is working correctly except for the write back to AD. I've followed the steps and have assigned the listed permissions to the UPS service account, however I still get permission errors in the FIM GUI. Our AD is running in a 2008 environment but is in 2003 mode, so I made sure to add the UPS account to the Pre-Windows 2000 Compatible Access built-in group and restart the server so that the new group settings would take effect. Do I need to reprovision the UPS service or something? Or am I missing something completely? (Hopefully the latter lol!) Thanks, RKB

More Related Resource Links

Change Service Account for User Profile Service application



I changed the service account for the User Profile Service application from spfarm to spservice, and then the FIM Synchronization Service stopped and I found this error in Event Viewer.

"The server encryption keys could not be accessed.

User Action

Verify that the service account has permissions to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service

If the problem persists, run setup and restore the encryption keys from backup."

But I tried to set the permission for spservice in the registry. I still can't start the FIM Synchronization Service, and the log on as "Account" is changed to spservice.

When I change to spfarm for the User Profile Service Application, it works fine.

Please advise me what I need to configure for spservice.



SQL Agent - service account permissions - SQL Server 2008

Hi @ all. I installed two SQL Server 2008 on Server 2008 R2 Std (principal and mirror) and an AD Server 2008, with separate service accounts, connect as SA, locally all works fine. I created some agent tasks (PowerShell, T-SQL), but I get some error messages in the history, that the service account of SQL Agent didn't have the permission to query a remote machine (access denied for wmi (HRESULT: 0x80070005 (E_ACCESSDENIED))) and linked database (SQLSTATE 42000 Error(7314)). The simple query with SA permissions on the remote machine works and the PowerShell scripts with the local domain user work too. But not with the SQL Agent. WHY?? Where is the difference between the user account permissions and service account permissions? Which settings are needed? Example: get-wmiobject -class win32_service -computername 192.168.xxx.xxx | where {$_.name -like '*SQL*'} PowerShell console: works. SQL Agent job: access denied. I tried some solutions with user rights, group policies and security permissions but nothing works, like: Configuration - Service Accounts, SQL Server or SQL Server Agent service account http://support.microsoft.com/kb/283811/en-us http://msdn2.microsoft.com/

Profile User Synchronisation Service

Hi, I have a problem opening Profile User Synchronisation. It doesn't work. I tried to verify this problem by opening services.msc, but it shows an error when I try to restart the service: Error 1068 The service or the group of dependency can't be restarted. Thanks

Unable to start user profile synchronization service

Hello, I have the following problem. The User Profile Synchronization service doesn't start up, with the following error in the log: The service encryption keys could not be found. User Action Verify that the service account has permissions to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service If the problem persists, run setup and restore the encryption keys from backup. Permissions for the registry are available. Thank you.

User Profile Service - "The specified user or domain group was not found"

Hi there, I had configured the User Profile Service and all was working well (Syncing with AD etc.). However, something has gone wrong. The services still appear to be running; both Forefront Identity Manager services are running, and the services show as 'Started' in Central Administration. The 'My Profile' and 'My Site' options have disappeared though, and browsing to the My Sites page results in an error (Could not load user profile). To make matters much worse, it seems to have also broken the Central Administration site. If I try and go to 'Manage Service Applications' I get another error (The specified user or domain group was not found). This error seems to come up on around half of the pages on the Central Administration site. Looking up the error (abb6b174-0f71-413a-a27a-41cdc87b66d0) in the logs I find this: 09/06/2010 15:35:45.44  w3wp.exe (0x0868)                        0x06A0 SharePoint Portal Server       User Profiles                  cm6y High     User Profile Application Proxy failed to retrieve partitions from User Profile Application: Microsoft.Office.Server.UserProfiles.UserProfileA

User Profile Synchronization: Name of user account / id uses wrong Netbios domain name?!

I've got an interesting situation: I've got a domain e.g. FOOBAR.FI. The Netbios domain is due to historical reasons BARFOO. When I use UPS to import accounts from the FOOBAR.FI domain, the user account names in SharePoint are given the id of FOOBAR\<useraccount>. This works so and so. Users are identified and My Sites is fine. However the organizational chart and other fields where you can specify another user don't work as they should. If the manager is specified from AD, the organizational chart works. However, if I edit a profile and check the manager, it's in the form of FOOBAR\<useraccount>. SharePoint highlights this and a tooltip says that the account cannot be found. As a suggestion, it gives BARFOO\<useraccount>, which is found from the AD. All fine and dandy, until you check the organizational chart, which turns out to be empty at this point. This is because in SharePoint there's no user with the name BARFOO\<useraccount>, but only those FOOBAR\<useraccount> users who've been imported from the AD. So bottom line question is: How does UPS select and set the user account name?

SharePoint 2007 - Survey list - Getting user's Windows account ID from a web service using display

Surveys...grrrr.   I am developing a .NET console application that accesses survey data from a single survey list using the MOSS web service "Lists".   I am able to enumerate the survey list and get to the items except for the author of the survey response.  When I get to the column ows_Author, it appears to be a lookup value formatted like this:  "1066;#JOHN DOE".   How can I, using web services alone, lookup the corresponding Windows login ID of that user?  If I go to the survey in SharePoint and click on the name in the view, it takes me to a site-based user profile page that does show the account ID I want.  The page that displays appears to be a virtualized page like this "_layouts/userdisp.aspx?ID=1066".   What I really need is JOHN DOE's account ID like "domain\id". Can I get to this with the data I have available? Thanks

User Profile Service Synchronization Connection: Client Timeout

Hi, I have a scenario configuring the User Profile Synchronization service on a customer site as below. Windows AD Server 2003 Domain NetBIOS: foo FQDN: foo.bar.com User Account to connect: foo\ad-connect This account already has permissions set as described in http://technet.microsoft.com/en-us/library/ee721049.aspx When I try to create the connection, the system takes a long time to process and then returns the error "Client Timeout". I tried to check FIM and it seems to work fine (no error returned and it can get users' data). So could anyone tell me what's wrong? Since I don't have much knowledge of networking and AD, please advise. Theeraphat.P SharePoint Information Worker

User Profile Service lookup in dataview web part

I'm attempting to set up a web part in SharePoint Designer 2007 that will list team members that are currently on call. I've created the data connection to our oncall database and a dataview web part that has two columns. One column lists the user's ID, and the other lists their oncall priority. This part works great!
Example:
USERID  |  PRIORITY
ID1234  |  1
ID5678  |  2
Now, what I would like to see instead is the user's name instead of their ID.
Example:
USERNAME  |  PRIORITY
John, D   |  1
Jane, B   |  2
I thought originally I could pull this information from AD using the user profile service from here: http://<servername>/_vti_bin/userprofileservice.asmx?wsdl I've created the data connection to the user profile service, but at this point, I'm unsure how to merge the two data connection columns and get the right user data to display. Any tips? Has anyone done this before?

Error while trying to access User Profile Service

Hi, I'm trying to set up the UPA service but having some issues after running the UPA service. The UPA service appears to be running, but clicking on the link in Central Administration does not take me to the Service Configuration page. Instead Central Admin flashes an unknown error. The error log shows an error message similar to the following: User Profile Application Proxy failed to retrieve partitions from User Profile Application: Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: No User Profile Application available to service the request. Contact your farm administrator.     at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_ApplicationProperties()     at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_PartitionIDs()     at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.IsAvailable(SPServiceContext serviceContext)                34e709d0-90b0-4419-afd0-44aff54ac385 We have a central admin server and two WFE servers. The User Profile Application is created on the application pool in the central admin server and the instance (the only instance) runs on the Central Admin Server. If anyone has faced the same issue kindly revert back to me. Regards, A

User Profile Service Application_SyncDB_0521bfcf77694b419f8086e9e7d94822 issues

Hi, I am following this to try to fix my MOSS2010 User Profile Sync issues: http://social.msdn.microsoft.com/Forums/en-US/sharepoint2010general/thread/398f3553-5de7-456b-b935-4e22cee26b2f
1)    Login as farm account
2)    Backup the User Profile DB and the User Profile Sync DB
3)    Stop the SharePoint 2010 Timer service:
PS D:\> net stop sptimerv4
4)    Delete the data in the Sync DB using the following PowerShell script:
PS D:\> Get-SPDatabase
5)    Copy the GUID associated with the User Profile Sync DB in the command line below
PS D:\> $syncdb=Get-SPDatabase -Id <GUID of User Profile Sync DB>
6)    Execute these commands, in exactly the following order. This is not a script. So please cut and paste each of these commands one by one.
PS D:\> $syncdb.Unprovision()
PS D:\> $syncdb.Status='Offline'
PS D:\> Get-SPServiceApplication
#Copy the GUID associated with the User Profile Service and paste it after "Id" in the next command:
PS D:\> $upa=Get-SPServiceApplication -Id <GUID of User Profile Service>
PS D:\> $upa.ResetSynchronizationMachine()
PS D:\> $upa.ResetSynchronizationDatabase()
7)    Provision the Sync DB:
PS D:\> $syncdb.Provision()
8)    Add the User Profile Synchronization service account (farm account)

Problems with AD Connection in User Profile Service

I found a great resource that I have used successfully to set up and configure the User Profile Service: http://www.harbar.net/articles/sp2010ups.aspx I am now trying to do this in a new environment and everything works until I get to Configure Connection to Do a Sync and click "Populate Containers". I don't get an AD container for "SharePoint Users" according to the example. Any pointers or assistance you could provide would be greatly appreciated. Thank you, David

User profile service


This is the Event Viewer error I am receiving:

The Execute method of job definition Microsoft.Office.Server.Administration.ProfileSynchronizationSetupJob (ID e7651211-f1c0-40a4-a076-8d10d6e787ed) threw an exception. More information is included below.

An update conflict has occurred, and you must re-try this action. The object UserProfileApplication Name=User Profile Service Application was updated by IMRA\spfarm, in the OWSTIMER (3656) process, on machine ENET.  View the tracing log for more information about the conflict.

When I try to change the service account associated with the User Profile service I get this error:

An object of the type Microsoft.SharePoint.Administration.SPWindowsServiceCredentialDeploymentJobDefinition named "windows-service-credentials-FIMSynchronizationService" already exists under the parent Microsoft.Office.Server.Administration.ProfileSynchronizationService named "FIMSynchronizationService".  Rename your object or delete the existing object.

Troubleshoot issues with Microsoft SharePoint Foundation.

Correlation ID: 00f4ac26-e40b-4646-849d-8e95d08cff4d

Date and Time: 9/21/2010 9:40:05 AM


When I go back to

"Use Social Features" permission in "User Profile Service Application"



We wish to disable the "Tags and Notes" feature on our SharePoint 2010 site.  When I remove the "Use Social Features" permission from the "User Profile Service Application" this also removes the "My Site" link from the drop down at the top of the page.

Why on earth would this happen?  According to the TechNet page on social features (http://technet.microsoft.com/en-us/library/ee721063.aspx) the Use Social Features permission "Includes social tags, Note Board, and ratings."  Nothing in there indicates that it would remove the link to My Site.

My Site continues to work of course, it is just that the link is removed (which confuses users).

We want to disable Tags and Notes but leave the link to My Site.  Is there a way?


User Profile Synchronization service seems to stop on its own accord. What's usually the cause?


I've noticed in several environments that the UPS service stops every now and then. All I can do is go and restart it in Central Administration, and it usually retains all synchronization connection settings and works fine again. I've been too busy to examine the cause though.

Does this happen for others as well? What is the usual cause for it to stop?

Restarting Server: How to restart User Profile Sync Service?


Greetings all,


We had to restart our server, and once restarted, the User Profile Service (that we so laboriously fixed/reconfigured a month back) isn't starting. We get a retry on "User Profile Sync is provisioning, please wait..." before it terminates.

Can someone please recommend the best order in which to re-start the services so User Profile Sync restarts and continues to update?

Thanks SO MUCH,


User Profile Service


This question may look silly but I am not really getting it.

Whatever I have read about user profiles, all the talk is about synchronizing with AD DS. So does it mean that we can't create users from SharePoint itself and store them in the user profile service's profile database if they do not exist in AD? Since configuring the user profile service creates a profile database.

Also, my 2nd question is: if I am using user profile services, does it mean that I don't need to set up my custom authentication provider, e.g. sqlmembership provider, anymore?
