Error: Access Denied – SharePoint 2010

I had a tricky problem today which took a little while to solve: some users were granted Contribute permissions to a SharePoint site, but only members of the Owner group could see the site. Everyone else got the Access Denied message.

At first I thought it might have been a problem caused by the migration of this site from QA to Production (which only happened a few days before), but the site looked fine. Then I noticed that some of the services were shut down on the server, including the “Server” service. Having that service off prevents SMB shares from being created or used, which was causing problems with the Search index distribution. The Access Denied problem remained when the services were re-enabled.

Then I started thinking through all of the situations where something like this error would appear and it occurred to me that someone might have changed the permissions on the siteassets library or something similar… so to test I went to a document library (which I knew did not have security access based on a page library) and saw the same error there as well! But… I could get to a list with one of the problem accounts, no worries.

It turned out that one of the administrators (who has since received some more training) decided to lock down access to the Document library… but was a bit overzealous and also locked down access to the “Site Pages” library in the same site! That explained why half the pages were coming up access denied for the majority of users. And because the inheritance had been broken on the Doc Library, the SharePoint groups had to be added there as well. Essentially the root cause was User Error caused by a Poor Governance model and lack of training.

So what’s the moral of the story? If some users have access to a site but not all of them do, the solution may be as simple as checking the security of the lists and libraries that appear on this page: http://MyFancySite/_layouts/uniqperm.aspx. You are looking for unique permissions on Site Pages libraries.
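The same check can be scripted from the SharePoint 2010 Management Shell. The following is an added example, not code from the original post: it lists every list and library in a web that has broken inheritance and shows which expected groups are missing from it. The URL is the post's placeholder and the group names are hypothetical.

```powershell
# Added example. Run on a farm server with an account that has access to the site.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl        = "http://MyFancySite"   # placeholder URL used in the post
# Hypothetical group names: replace with the groups that should reach every page.
$expectedGroups = @("MyFancySite Members", "MyFancySite Visitors")

$web = Get-SPWeb $siteUrl
try {
    $report = foreach ($list in $web.Lists) {
        # Lists that still inherit from the web cannot be the cause.
        if (-not $list.HasUniqueRoleAssignments) { continue }

        # Principals (groups or users) granted access directly on this list.
        $members = @($list.RoleAssignments | ForEach-Object { $_.Member.Name })

        # Expected groups that were not re-added after inheritance was broken.
        $missing = @($expectedGroups | Where-Object { $members -notcontains $_ })

        New-Object PSObject -Property @{
            List     = $list.Title
            Template = $list.BaseTemplate          # WebPageLibrary = Site Pages
            Url      = $list.RootFolder.ServerRelativeUrl
            Granted  = ($members -join "; ")
            Missing  = ($missing -join "; ")
        }
    }

    # Page libraries with missing groups are the ones that block the whole site.
    $report | Sort-Object Template |
        Format-Table List, Template, Url, Missing, Granted -AutoSize -Wrap
}
finally {
    $web.Dispose()   # SPWeb objects must be disposed explicitly
}
```

A row whose Template is WebPageLibrary and whose Missing column is not empty matches the situation described above.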


About Brad Saide

I'm a SharePoint consultant. I'm also slowly going bald, seem to have a permanent spare tyre around my waist and enjoy socialising with friends over a beer or 10. The last 2 may possibly be related. Started working with SharePoint when the first version was in limited beta release (participated in the Technology Adoption Program while at Woolworths) and have been committed to the adoption of the technology as a business enabler ever since.

32 Responses to Error: Access Denied – SharePoint 2010

  1. Eric Xue says:

    Poor Brad! Glad you got to the bottom of it 😉

    A really good story to tell for a user-caused issue.

    thanks
    EX

  2. ronguy says:

    I just wish that SharePoint had a way of showing what caused the “Access Denied” message. SharePoint has so many logs, but nothing that logs what resource was denied…shame.

  3. Daniel says:

    Hi

    I have a similar issue, though I have yet to track down the root cause. As admin I was asked to create some users and add them to a site. Normal everyday stuff.

    I create the users, initially in a test OU/AD group. Then I add them to a SP group with contrib permissions. I have 2 out of 4 users that will simply not log on – I am testing them. This is despite deleting and recreating them in the AD or password resets. SharePoint will simply not acknowledge their presence in the group.

    • Brad Saide says:

      Hi Daniel.

      Try adding them to the Site Coll Administrators group (Temporarily) and see if they can log in – If they cannot access the site from that group, but you can… then it points to the AD security rather than SharePoint security. Also ensure you have not got a user policy set up at the Web App level which denies a group / individual access to the site.

      If you eventually work it out, let me know!

      • westerdaled says:

        Hi

        Retried the users and this time they got in. Curious. I had nightmare visions of having to apply CUs to the site, which is never fun.

        Thanks for getting back to me. If it reoccurs I will get back here and post the ULS logs.

        Daniel

  4. Anujahnavi says:

    Hi
    I am getting the same issue for one of the users who is first an owner of the site. Then I allotted site collection administrator access, but no luck: the same error message saying access denied. Please can you suggest any other step to go with? If all the possibilities in SharePoint are checked then I want to go to the AD team to check if there is any issue.

    Anu

    • Brad Saide says:

      Hi Anu.
      It’s a bit tough to respond to your query – all you have given me to go on is you cannot give a user access to a site even if you assign site collection admin rights. It sounds like the person might be blocked in user policy permissions??

  5. Shannon says:

    I have a very similar issue, but with a slight variation: the user only gets this error message from his machine, and I checked all the normal things (credentials vault is empty, not remembering password, etc.). Also, it happens with other users on this same machine. Weird!!! I set IE back to default, and even tried different browsers...

  6. sbbinendienst@drieo.nl says:

    I have a really peculiar problem with AD access on a Sharepoint 2010.
    We have Multi Tenant User profile setup and that works fine.
    Until about a month ago new users ( or changes to the user profile) are not being picked up.
    So I did a little testing and this is the strange thing.
    We have the OU’s as such: Fictive names here
    Customers / CusA / Workers. And an OU for Groups
    Customers / CusB / Workers. And an OU for Groups
    In groups we have Customer specific groups with accounts added as needed.
    Now here comes the strange part. A Site that has access controlled by AD groups that already exist cannot be accessed by members of that group.
    If I add the user account directly they can access the site.
    If I create a new group and add the user account to that group and use that AD group for access it does work.
    What has happened to the existing groups that they cannot be used to assign access?

    • Brad Saide says:

      The only thing I can think of is that the group was deleted and recreated as a Distribution list, not a security group. Other than that, hunt down what the error is that comes up in the ULS logs when you try to access it.

  7. Jennifer says:

    We are having a problem with users accessing SharePoint from outside our firewall. They are able to do so using Mozilla but not with IE. Do you know of any such issues? Some of the users work for an institution which will not allow anything but IE!

    • Brad Saide says:

      Hi Jennifer (sorry the reply is so late).
      If they cannot log in when they are inside the firewall:
      It sounds like the user is set up to pass through the current user’s credentials, which is not the same ones that they are supposed to use to log into the site. Go to IE’s Internet Options –> Security tab. Pick the security mode that the site resolves to (probably internet). Either move the site to another mode (such as Intranet) or else configure the current mode to not pass through the credentials (the “Prompt for username and pwd” option in Custom Settings).
      If they can log in when they are inside the firewall, then it’s probably either your firewall / Reverse Proxy not configured correctly or your Alternate access mappings need to be changed so they work for the external inbound requests.

  8. sbbinnendienst@drieo.nl says:

    Well, that's just the weird thing about it. This happens for all the existing groups for a certain customer. The groups were not deleted and re-created. The groups are still mail-enabled security groups.

    • Brad Saide says:

      Have you checked the web application policy settings to make sure that client’s main group (like an “all users” group) is not configured for “Deny” access in Central Admin?
      Alternatively it’s possible the Web Application account does not have access to a particular file or folder on the physical machine…

  9. J says:

    I am having issues where a document library had inheritance broken, only certain groups were removed from permission to the library, and now no one can access the library on the site. How can I reset permissions for this library?

    • Brad Saide says:

      Using the Site Collection administrator account, go to the library's settings and reset the security to inherit from the parent. Should be a snap!

      AFAIK, there’s no way to lock out the farm account, so if site coll admin does not work, go in as the farm account.

  10. Hopefully I figure this out soon, but I am getting the ‘access denied’ for administrators (domain, builtin, SharePoint levels). To be more specific, I can’t log in as an administrator. Is there a certain group that they have to be a part of in order to access the Central Administration? And the SharePoint site is no longer reachable. The webpage doesn’t load. Thanks for any insight.

    • Brad Saide says:

      Hi Ibe.

      Sorry, but I don’t have much to go on from your post. There must be errors coming up in the event logs or the uls logs when you try to log in. When you find them post them back here and I’ll have a look.

  11. Jenny says:

    Hi, I have granted read access in a SharePoint group for my intranet site, but when I log in, it says access denied. So I clicked “Go Back to Site” on the access denied page, and I am able to access the site. Another thing: it happens randomly and not all the time. What's the problem here?

  12. Jaap says:

    Hi Brad,

    Nice puzzle in case you have an extended collection of sites and a variety of permissions.
    We experienced a similar scenario: site was working fine until all of a sudden some pages replied ‘Access denied’. It turned out one of the administrators had tweaked the permissions for the visitors group and then we found out certain pages had no major published version, only 0.1’s.
    Of course I did not see this until I followed your article and inspected all permissions on every list, library and what not. 🙂
    Still: good article, thanks for sharing, it got me in the right direction.

  13. Karan Rana says:

    Hi Brad,

    I have the same kind of problem. I am using a standalone SharePoint 2010 server on a machine running Windows Server 2008 R2 and connected that machine to AD that is on a different machine. The users can access the site allocated to them but cannot do any editing, and cannot even add a document to the library. Any solution?

    Karan

    • Brad Saide says:

      Hi Karan – 2 things spring to mind – either their access is coming via a read-only App policy (Central Admin) or the site is marked read-only (stsadm) – Either way though, it seems like a permissions thing, so just start at the beginning and check everything… A bit hard to tell without more information though…

      • karan says:

        Hi Brad,

        Thanks for your reply. The problem is with the admins as well. They can add documents to the library from the SharePoint server machine but not from any other machine. They get the error LIST NOT FIND. Hope you can give me more help on this.

        Thank you.

      • Brad Saide says:

        Hi Karan. It definitely sounds like a security issue, but it might be either in IIS or folder / item security on the server – Not being able to perform actions except when logged into the server normally indicates that the contextual security being granted at the Operating system level is providing a “back door” past the problems that you are experiencing when not logged into the server.

        My recommendation is you get someone in to help you (like Intergen – the company I work for) – this is not something you can troubleshoot over the web. If you want to try and do it yourself, you will need to use Process Monitor to work out what files are being denied write access on the server, and maybe have a look at the ULS logs or the Server (Operating system) logs to see where the problem lies.

  14. Karan Rana says:

    Hi Brad,

    Thanks for your help. I had checked all the security issues and created a new access rule for each user. Finally I came to a solution: there was nothing wrong with the user permissions. It was something to do with the AAM (Alternate Access Mapping). Now the users are able to upload documents in the library.

    Thank you.

  15. Julie says:

    You saved my life! Thank you!

  16. I’m glad I found this… I made a change to ‘site pages’ and it affected the entire site. I don’t know how permissions on a document library do that. I had no idea.

  17. Sagir Kazi says:

    I have the same problem as Daniel mentioned above. I tried adding the user to the Site Collection Admins and it works. But when I grant regular Read/Contribute permission for that user, it doesn't. This user cannot access the site from any machine. Also, other logins work from this user's machine, so it's not a machine issue. I tried deleting the user from SharePoint and adding it back, but still no progress. There are a handful of such (random) users who are facing this issue. Please advise. Thanks.
