Creating Site Collection – Access Denied

I am remotelly installing SP 2013 via AutoSPInstaller and I am having trouble during script while its try to create site collection.

 -------------------------------------------------------------- --------------------------------------------------------------  - Creating web applications...  - Web app "Portal" already provisioned.  - Setting up managed paths for "http://portal.asd.local:80"   - Setting up explicit managed path "help" at "http://portal.asd.local:80" and HNSCs...  - Done setting up managed paths at "http://portal.asd.local:80" --------------------------------------------------------------  - Applying object cache accounts to "http://portal.asd.local:80"...  - Done applying object cache accounts to "http://portal.asd.local:80"  - Checking for Site Collection "http://portal.asd.local"...  - Creating Site Collection "http://portal.asd.local"... --------------------------------------------------------------  - Script halted!   Exception             : System.UnauthorizedAccessException:                         0x80070005Access denied.                            at Microsoft.SharePoint.SPGlobal.HandleUnauthorizedAccessException(UnauthorizedAccessExceptio                         n ex)                            v Microsoft.SharePoint.Library.SPRequest.CreateSite(Guid gApplicationId, String bstrUrl, Int                         32 lZone, Guid gSiteId, Guid gDatabaseId, String bstrDatabaseServer, String bstrDatabaseName, S                         tring bstrDatabaseUsername, String bstrDatabasePassword, String bstrTitle, String bstrDescripti                         on, UInt32 nLCID, String bstrOwnerLogin, String bstrOwnerUserKey, String bstrOwnerName, String                         bstrOwnerEmail, String bstrSecondaryContactLogin, String bstrSecondaryContactUserKey, String bs                         trSecondaryContactName, String bstrSecondaryContactEmail, Boolean bADAccountMode, Boolean bHost                         HeaderIsSiteName, Int32 iDatabaseVersionMajor, Int32 iDatabaseVersionMinor, Int32 iDatabaseVers                         ionBuild, Int32 iDatabaseVersionRevision, String bstrSiteSchemaVersion)                            v Microsoft.SharePoint.Administration.SPSiteCollection.Add(SPContentDatabase database, SPSit                         eSubscription siteSubscription, String siteUrl, String title, String description, UInt32 nLCID,                          Int32 compatibilityLevel, String webTemplate, String ownerLogin, String ownerName, String owne                         rEmail, String secondaryContactLogin, String secondaryContactName, String secondaryContactEmail                         , String quotaTemplate, String sscRootWebUrl, Boolean useHostHeaderAsSiteName, Boolean override                         CompatibilityRestriction)                            v Microsoft.SharePoint.PowerShell.SPCmdletNewSite.CreateDataObject()                            v Microsoft.SharePoint.PowerShell.SPNewCmdletBase`1.InternalProcessRecord()                            v Microsoft.SharePoint.PowerShell.SPCmdlet.ProcessRecord() TargetObject          : Microsoft.SharePoint.PowerShell.SPCmdletNewSite CategoryInfo          : InvalidData: (Microsoft.Share...SPCmdletNewSite:SPCmdletNewSite) [New-SPSite], UnauthorizedAcce                         ssException FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSite ErrorDetails          : InvocationInfo        : System.Management.Automation.InvocationInfo ScriptStackTrace      : at CreateWebApp, C:\Install\AutoSPInstaller\AutoSPInstaller\AutoSPInstallerFunctions.ps1: line                         2790                         at CreateWebApplications, C:\Install\AutoSPInstaller\AutoSPInstaller\AutoSPInstallerFunctions.p                         s1: line 2575                         at Setup-Farm, C:\Install\AutoSPInstaller\AutoSPInstaller\AutoSPInstallerMain.ps1: line 209                         at , C:\Install\AutoSPInstaller\AutoSPInstaller\AutoSPInstallerMain.ps1: line 408                         at , : line 1 PipelineIterationInfo : {} PSMessageDetails      :    ----------------------------------- | Automated SP2013 install script | | Started on: 11. 9. 2015 17:49:13 | | Aborted:    11. 9. 2015 17:50:48 | ----------------------------------- 

I have tried a lot of things

  1. Try to running SharePoint Product Configuration Wizard manually to see if it stabilizes my farm, then try run the script again
  2. Manually set user policy to SuperUser and SuperReader in SP Central Adminsitration to my site collection (as said link on line 2790 in AutoSPInstallerFunctions.ps1 – see Error msg)
  3. checked (System cryptography: FIPS)
  4. Added all avaible DB users all permission (just for control) not working
  5. Set the pool identity from SP_AppPool to Network Service + add SP_Farm into “Log on as a service” and “Log on as a batch” in Local Secuirty Policy
  6. Delete all database, users, web aplications, disconnect the farm via SP Product config wizard and try to run it all over again

None of these working

Is is possible that this problem is due to remote install? because i am getting out of relevant google page to search.

Thank you in advance

/////EDIT////// Source code from AutoSPinstaller that creating it ( @Waqas Sarwar MCSE )

 # =================================================================================== # Func: CreateWebApp # Desc: Create the web application # =================================================================================== Function CreateWebApp([System.Xml.XmlElement]$  webApp) {     Get-MajorVersionNumber $  xmlinput     # Look for a managed account that matches the web app type, e.g. "Portal" or "MySiteHost"     $  webAppPoolAccount = Get-SPManagedAccountXML $  xmlinput $  webApp.Type     # If no managed account is found matching the web app type, just use the Portal managed account     if (!$  webAppPoolAccount)     {         $  webAppPoolAccount = Get-SPManagedAccountXML $  xmlinput -CommonName "Portal"         if ([string]::IsNullOrEmpty($  webAppPoolAccount.username)) {throw " - `"Portal`" managed account not found! Check your XML."}     }     $  webAppName = $  webApp.name     $  appPool = $  webApp.applicationPool     $  dbPrefix = Get-DBPrefix $  xmlinput     $  database = $  dbPrefix+$  webApp.Database.Name     $  dbServer = $  webApp.Database.DBServer     # Check for an existing App Pool     $  existingWebApp = Get-SPWebApplication | Where-Object { ($  _.ApplicationPool).Name -eq $  appPool }     $  appPoolExists = ($  existingWebApp -ne $  null)     # If we haven't specified a DB Server then just use the default used by the Farm     If ([string]::IsNullOrEmpty($  dbServer))     {         $  dbServer = $  xmlinput.Configuration.Farm.Database.DBServer     }     $  url = $  webApp.url     $  port = $  webApp.port     $  useSSL = $  false     $  installedOfficeServerLanguages = (Get-Item "HKLM:\Software\Microsoft\Office Server$  env:spVer.0\InstalledLanguages").GetValueNames() | ? {$  _ -ne ""}     # Strip out any protocol value     If ($  url -like "https://*") {$  useSSL = $  true}     $  hostHeader = $  url -replace "http://","" -replace "https://",""     if (((Get-WmiObject Win32_OperatingSystem).Version -like "6.2*" -or (Get-WmiObject Win32_OperatingSystem).Version -like "6.3*") -and ($  env:spVer -eq "14"))     {         Write-Host -ForegroundColor White " - Skipping setting the web app directory path name (not currently working on Windows 2012 w/SP2010)..."         $  pathSwitch = @{}     }     else     {         # Set the directory path for the web app to something a bit more friendly         ImportWebAdministration         # Get the default root location for web apps         $  iisWebDir = (Get-ItemProperty "IIS:\Sites\Default Web Site\" -name physicalPath -ErrorAction SilentlyContinue) -replace ("%SystemDrive%","$  env:SystemDrive")         if (!([string]::IsNullOrEmpty($  iisWebDir)))         {             $  pathSwitch = @{Path = "$  iisWebDir\wss\VirtualDirectories$  webAppName-$  port"}         }         else {$  pathSwitch = @{}}     }     # Only set $  hostHeaderSwitch to blank if the UseHostHeader value exists has explicitly been set to false     if (!([string]::IsNullOrEmpty($  webApp.UseHostHeader)) -and $  webApp.UseHostHeader -eq $  false)     {         $  hostHeaderSwitch = @{}     }     else {$  hostHeaderSwitch = @{HostHeader = $  hostHeader}}     if (!([string]::IsNullOrEmpty($  webApp.useClaims)) -and $  webApp.useClaims -eq $  false)     {         # Create the web app using Classic mode authentication         $  authProviderSwitch = @{}     }     else # Configure new web app to use Claims-based authentication     {         If ($  ($  webApp.useBasicAuthentication) -eq $  true)         {             $  authProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -UseBasicAuthentication         }         Else         {             $  authProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication         }         $  authProviderSwitch = @{AuthenticationProvider = $  authProvider}         If ((Gwmi Win32_OperatingSystem).Version -like "6.0*") # If we are running Win2008 (non-R2), we may need the claims hotfix         {             [bool]$  claimsHotfixRequired = $  true             Write-Host -ForegroundColor Yellow " - Web Applications using Claims authentication require an update"             Write-Host -ForegroundColor Yellow " - Apply the http://go.microsoft.com/fwlink/?LinkID=184705 update after setup."         }     }     if ($  appPoolExists)     {         $  appPoolAccountSwitch = @{}     }     else     {         $  appPoolAccountSwitch = @{ApplicationPoolAccount = $  ($  webAppPoolAccount.username)}     }     $  getSPWebApplication = Get-SPWebApplication | Where-Object {$  _.DisplayName -eq $  webAppName}     If ($  getSPWebApplication -eq $  null)     {         Write-Host -ForegroundColor White " - Creating Web App `"$  webAppName`""         New-SPWebApplication -Name $  webAppName -ApplicationPool $  appPool -DatabaseServer $  dbServer -DatabaseName $  database -Url $  url -Port $  port -SecureSocketsLayer:$  useSSL @hostHeaderSwitch @appPoolAccountSwitch @authProviderSwitch @pathSwitch | Out-Null         If (-not $  ?) { Throw " - Failed to create web application" }     }     Else {Write-Host -ForegroundColor White " - Web app `"$  webAppName`" already provisioned."}     SetupManagedPaths $  webApp     If ($  useSSL)     {         $  SSLHostHeader = $  hostHeader         $  SSLPort = $  port         $  SSLSiteName = $  webAppName         if (((Get-WmiObject Win32_OperatingSystem).Version -like "6.2*" -or (Get-WmiObject Win32_OperatingSystem).Version -like "6.3*") -and ($  env:spVer -eq "14"))         {             Write-Host -ForegroundColor White " - Assigning certificate(s) in a separate PowerShell window..."             Start-Process -FilePath "$  PSHOME\powershell.exe" -Verb RunAs -ArgumentList "-Command `". $  env:dp0\AutoSPInstallerFunctions.ps1`; AssignCert $  SSLHostHeader $  SSLPort $  SSLSiteName; Start-Sleep 10`"" -Wait         }         else {AssignCert $  SSLHostHeader $  SSLPort $  SSLSiteName}     }      # If we are provisioning any Office Web Apps, Visio, Excel, Access or PerformancePoint services, we need to grant the generic app pool account access to the newly-created content database     # Per http://technet.microsoft.com/en-us/library/ff829837.aspx and http://autospinstaller.codeplex.com/workitem/16224 (thanks oceanfly!)     If ((ShouldIProvision $  xmlinput.Configuration.OfficeWebApps.ExcelService -eq $  true) -or `         (ShouldIProvision $  xmlinput.Configuration.OfficeWebApps.PowerPointService -eq $  true) -or `         (ShouldIProvision $  xmlinput.Configuration.OfficeWebApps.WordViewingService -eq $  true) -or `         (ShouldIProvision $  xmlinput.Configuration.EnterpriseServiceApps.VisioService -eq $  true) -or `         (ShouldIProvision $  xmlinput.Configuration.EnterpriseServiceApps.ExcelServices -eq $  true) -or `         (ShouldIProvision $  xmlinput.Configuration.EnterpriseServiceApps.AccessService -eq $  true) -or `         (ShouldIProvision $  xmlinput.Configuration.EnterpriseServiceApps.AccessServices -eq $  true) -or `         (ShouldIProvision $  xmlinput.Configuration.EnterpriseServiceApps.PerformancePointService -eq $  true))     {         $  spservice = Get-SPManagedAccountXML $  xmlinput -CommonName "spservice"         Write-Host -ForegroundColor White " - Granting $  ($  spservice.username) rights to `"$  webAppName`"..." -NoNewline         $  wa = Get-SPWebApplication | Where-Object {$  _.DisplayName -eq $  webAppName}         $  wa.GrantAccessToProcessIdentity("$  ($  spservice.username)")         Write-Host -ForegroundColor White "OK."     }     if ($  webApp.GrantCurrentUserFullControl -eq $  true)     {         $  currentUser = "$  env:USERDOMAIN$  env:USERNAME"         $  wa = Get-SPWebApplication | Where-Object {$  _.DisplayName -eq $  webAppName}         if ($  wa.UseClaimsAuthentication -eq $  true) {$  currentUser = 'i:0#.w|' + $  currentUser}         Set-WebAppUserPolicy $  wa $  currentUser "$  env:USERNAME" "Full Control"     }     WriteLine            ConfigureObjectCache $  webApp      if ($  webApp.SiteCollections.SelectSingleNode("SiteCollection")) # Only go through these steps if we actually have a site collection to create     {         ForEach ($  siteCollection in $  webApp.SiteCollections.SiteCollection)         {             $  dbPrefix = Get-DBPrefix $  xmlinput             $  getSPSiteCollection = $  null             $  siteCollectionName = $  siteCollection.Name             $  siteURL = $  siteCollection.siteURL             $  CompatibilityLevel = $  siteCollection.CompatibilityLevel             if (!([string]::IsNullOrEmpty($  CompatibilityLevel))) # Check the Compatibility Level if it's been specified             {                 $  CompatibilityLevelSwitch = @{CompatibilityLevel = $  CompatibilityLevel}             }             else {$  CompatibilityLevelSwitch = @{}}             if (!([string]::IsNullOrEmpty($  ($  siteCollection.CustomDatabase)))) # Check if we have specified a non-default content database for this site collection             {                 $  siteDatabase = $  dbPrefix+$  siteCollection.CustomDatabase             }             else # Just use the first, default content database for the web application             {                 $  siteDatabase = $  database             }             # If an OwnerAlias has been specified, make it the primary, and the currently logged-in account the secondary. Otherwise, make the app pool account for the web app the primary owner             if (!([string]::IsNullOrEmpty($  ($  siteCollection.Owner))))             {                 $  ownerAlias = $  siteCollection.Owner             }             else             {                 $  ownerAlias = $  webAppPoolAccount.username             }             $  LCID = $  siteCollection.LCID             $  siteCollectionLocale = $  siteCollection.Locale             $  siteCollectionTime24 = $  siteCollection.Time24             # If a template has been pre-specified, use it when creating the Portal site collection; otherwise, leave it blank so we can select one when the portal first loads             $  template = $  siteCollection.template             If (($  template -ne $  null) -and ($  template -ne ""))             {                 $  templateSwitch = @{Template = $  template}             }             else {$  templateSwitch = @{}}             if ($  siteCollection.HostNamedSiteCollection -eq $  true)             {                 $  hostHeaderWebAppSwitch = @{HostHeaderWebApplication = $  ($  webApp.url)+":"+$  ($  webApp.port)}             }             else {$  hostHeaderWebAppSwitch = @{}}             Write-Host -ForegroundColor White " - Checking for Site Collection `"$  siteURL`"..."             $  getSPSiteCollection = Get-SPSite -Limit ALL | Where-Object {$  _.Url -eq $  siteURL}             If (($  getSPSiteCollection -eq $  null) -and ($  siteURL -ne $  null))             {                 # Verify that the Language we're trying to create the site in is currently installed on the server                 $  culture = [System.Globalization.CultureInfo]::GetCultureInfo(([convert]::ToInt32($  LCID)))                 $  cultureDisplayName = $  culture.DisplayName                 If (!($  installedOfficeServerLanguages | Where-Object {$  _ -eq $  culture.Name}))                 {                     Write-Warning "You must install the `"$  culture ($  cultureDisplayName)`" Language Pack before you can create a site using LCID $  LCID"                 }                 Else                 {                     $  siteDatabaseExists = Get-SPContentDatabase -Identity $  siteDatabase -ErrorAction SilentlyContinue                     if (!$  siteDatabaseExists)                     {                         Write-Host -ForegroundColor White " - Creating new content database `"$  siteDatabase`"..."                         New-SPContentDatabase -Name $  siteDatabase -WebApplication (Get-SPWebApplication $  webApp.url) | Out-Null                     }                     Write-Host -ForegroundColor White " - Creating Site Collection `"$  siteURL`"..."                     $  site = New-SPSite -Url $  siteURL -OwnerAlias $  ownerAlias -SecondaryOwner $  env:USERDOMAIN$  env:USERNAME -ContentDatabase $  siteDatabase -Description $  siteCollectionName -Name $  siteCollectionName -Language $  LCID @templateSwitch @hostHeaderWebAppSwitch @CompatibilityLevelSwitch -ErrorAction Stop                      # JDM Not all Web Templates greate the default SharePoint Croups that are made by the UI                     # JDM These lines will insure that the the approproprate SharePoint Groups, Owners, Members, Visitors are created                     $  primaryUser = $  site.RootWeb.EnsureUser($  ownerAlias)                     $  secondaryUser = $  site.RootWeb.EnsureUser("$  env:USERDOMAIN$  env:USERNAME")                     $  title = $  site.RootWeb.title                     Write-Host -ForegroundColor White " - Ensuring default groups are created..."                     $  site.RootWeb.CreateDefaultAssociatedGroups($  primaryUser, $  secondaryUser, $  title)                      # Add the Portal Site Connection to the web app, unless of course the current web app *is* the portal                     # Inspired by http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=264                     $  portalWebApp = $  xmlinput.Configuration.WebApplications.WebApplication | Where {$  _.Type -eq "Portal"} | Select-Object -First 1                     $  portalSiteColl = $  portalWebApp.SiteCollections.SiteCollection | Select-Object -First 1                     If ($  site.URL -ne $  portalSiteColl.siteURL)                     {                         Write-Host -ForegroundColor White " - Setting the Portal Site Connection for `"$  siteCollectionName`"..."                         $  site.PortalName = $  portalSiteColl.Name                         $  site.PortalUrl = $  portalSiteColl.siteUrl                     }                     If ($  siteCollectionLocale)                     {                         Write-Host -ForegroundColor White " - Updating the locale for `"$  siteCollectionName`" to `"$  siteCollectionLocale`"..."                         $  site.RootWeb.Locale = [System.Globalization.CultureInfo]::CreateSpecificCulture($  siteCollectionLocale)                     }                     If ($  siteCollectionTime24)                     {                         Write-Host -ForegroundColor White " - Updating 24 hour time format for `"$  siteCollectionName`" to `"$  siteCollectionTime24`"..."                         $  site.RootWeb.RegionalSettings.Time24 = $  ([System.Convert]::ToBoolean($  siteCollectionTime24))                     }                     $  site.RootWeb.Update()                 }             }             Else {Write-Host -ForegroundColor White " - Skipping creation of site `"$  siteCollectionName`" - already provisioned."}             if ($  siteCollection.HostNamedSiteCollection -eq $  true)             {                 Add-LocalIntranetURL ($  siteURL)                 # Updated so that we don't add URLs to the local hosts file of a server that's not running the Foundation Web Application service                 if ($  xmlinput.Configuration.WebApplications.AddURLsToHOSTS -eq $  true -and !(($  xmlinput.Configuration.Farm.Services.SelectSingleNode("FoundationWebApplication")) -and !(ShouldIProvision $  xmlinput.Configuration.Farm.Services.FoundationWebApplication -eq $  true)))                 {                     # Add the hostname of this host header-based site collection to the local HOSTS so it's immediately resolvable locally                     # Strip out any protocol and/or port values                     $  hostname,$  null = $  siteURL -replace "http://","" -replace "https://","" -split ":"                     AddToHOSTS $  hostname                 }             }             WriteLine         }     }     else     {         Write-Host -ForegroundColor Yellow " - No site collections specified for $  ($  webapp.url) - skipping."     } }  # =================================================================================== 

Access denied to site collection administrator

I am facing a very strange issue.

I have two web applications. Inside those applications are two site collections each. When I log in as site collection administrator I can access all three site collections except one. When I try to access that particular site in browser I get message:

Sorry, this site hasn’t been shared with you.

This user is added in Site Collection Administrator section of all 4 sites but only 1 site has problem.

I have even added site collection admin in User Policy in CA and gave FULL RIGHTS and FULL READ permissions.

Did iisreset, restart SQL server and SharePoint timer server but no luck. How do I solve this issue?

EDIT

User NT AUTHORITY was missing from user policy of problematic web application (not that it should have any effect because other site collection are working fine in this web application) but still I added this user and noticed that:

In problematic web application it appears as i:0#.w|NT AUTHORITY

While in other web application it appears as NT AUTHORITY

mongodb keyfile permission denied

I configured in /etc/mongod.conf to enforce keyfile access control, in security option enabled, keyFile is /root/dbtest.key (the absolute path of keyfile). I already gave the ownership to mongodb user by chown, and granted 400 permission on that dbtest.key file.

But mongod keeps failing to start, after checking log, the error is Error reading file /root/dbtest.key: Permission denied. After checking the ownership and permissions on dbtest.key

Which means I already granted correctly. So I don’t know at which step I did wrong

Access denied while accessing Site Permission under a subsite

User with full control over root site/subsite, gets Access Denied error while trying to access Site permissions under Site Settings of a specific subsite. Same user is able to access Site permissions of all other subsite including the root site.

  1. User has access to the MP gallery/Style Library.
  2. All MPs and CSS are checked-in/published.
  3. User has Full Control on the subsite. Given explicitly.
  4. The site uses the same MP (across entire site collection).

Everything seems to be correct but unable to figure out what can go wrong only with one subsite. Kindly help.

SP 2016 Workflows – Access Denied on Current List

In SharePoint 2016, I have created a workflow to run on creation. If fields in the item match certain criteria, the item should have a field updated with a specified value.

enter image description here

I receive the following error using my test account that has Contribute permissions on the list. enter image description here

The guid 8e944724-18a2-4e12-8610-6f159acf7d96 matches the guid of the list the workflow runs on.

Why is my test account (and other accounts with the same permssions) receiving this error if I have Contribute rights?

I can access the list’s properties through the REST API endpoint mentioned in the error.

I also attempted to run the same workflow with an App Step and gave the Workflow add in Full Control. This still did not allow me or other users to run the workflow and resulted in the same error.

<AppPermissionRequests AllowAppOnlyPolicy="true">   <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" /> </AppPermissionRequests> 

enter image description here

How can this be corrected?

Permission denied when SSHing into Ubuntu Virtual Machine

I have a VirtualBox machine running Ubuntu 18.04.2. I have installed OpenSSH on it.

In the Settings of the Virtual Machine I have set up this port forwarding rule:

Protocol: TCP

Host IP: 127.0.0.1

Host Port: 2222

Guest IP: 10.0.2.15

Guest Port: 22

The SSH command I run in my local terminal is:

ssh myname@127.0.0.1 -p2222 

It then asks me for the password, which I enter, and I get this error:

Permission denied, please try again.

The username and password are the ones I created when setting up Ubuntu.

users with Edit permission level are able to access the site navigation, but will get “Access Denied” when they try to submit the change

we have a classic team site collection with publishing features enabled + we have a sub-site which does not have the publishing features enabled. now i granted some users Edit permission on the sub-site and Read on the root site. where those users will be able to access the sub-site’s site navigation as follow:- enter image description here

and also those users will be able to add new links and chnage the order of the navigation links >> but when they try to submit the site navigation page, they will ger this error:- enter image description here

so its weird that users can access the site navigation + add/remove links but can not submit the changes .. any idea what is going on? Thanks