Group Policy, Windows Server 2008 and SharePoint 2007 issue


Recently I was tasked to prepare some VMs for some SharePoint Developers and the configuration we decided upon was:

  • Windows Server 2008 w/SP2 x64
  • SharePoint Server 2007 w/SP2 x64
  • SQL Server 2008 w/SP1 x64

After the installation/configuration of SharePoint 2007 the Central Administration site was launched and Internet Explorer displayed a blank page. This was very odd, so one of the first things I did was add the database farm account to the local Administrators group and try it again. The Central Administration site displayed correctly.

Since these VMs belonged to a corporate domain, I suspected this might be a Group Policy problem, so initially we changed the OU that the machines belonged to so that they would inherit the policy settings in place for Web Servers. No dice on that one.

Just to make sure it was an environment problem, I decided I had better replicate the installation with my own DC to rule out anything else. The installation and configuration went perfectly (as I figured).

As the next step, I downloaded Sysinternals Process Monitor to help track down the source of the problem. I removed the database farm account from the Administrators group, performed an iisreset and then tried the Central Administration site again: blank web page. So now it was time to get Process Monitor to watch what was happening in IIS.

I configured Process Monitor to display the w3wp.exe events and found this problem:

[Image: Process Monitor | BAD IMPERSONATION]

It seemed that the identity used by the Application Pool for Central Administration was not able to perform any impersonation unless it was a member of the local Administrators group. I checked the machine's local policy on impersonation and found that it was missing a group.

[Image: Local Security Policy]

The missing group was IIS_IUSRS, which is used by IIS 7.0 and IIS 7.5 on Windows Server 2008.
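To confirm the same condition on another server, the check below exports the local user rights assignment and reports whether IIS_IUSRS holds the "Impersonate a client after authentication" right (SeImpersonatePrivilege). It is an added example, not part of the original post; it assumes an elevated PowerShell prompt and uses the well-known SID S-1-5-32-568 for BUILTIN\IIS_IUSRS.

```powershell
# Added example: does BUILTIN\IIS_IUSRS hold SeImpersonatePrivilege
# ("Impersonate a client after authentication") in the local security policy?
# Assumption: run from an elevated PowerShell prompt on the server itself.

$right      = 'SeImpersonatePrivilege'
$iisIusrs   = 'S-1-5-32-568'   # well-known SID of BUILTIN\IIS_IUSRS
$exportFile = Join-Path $env:TEMP 'user-rights.inf'

# Export only the user rights assignment area of the security policy.
secedit /export /cfg $exportFile /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

try {
    # The export contains a line such as: SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,...
    $line = Get-Content $exportFile |
        Where-Object { $_ -match "^\s*$right\s*=" } |
        Select-Object -First 1
} finally {
    Remove-Item $exportFile -ErrorAction SilentlyContinue
}

if (-not $line) {
    Write-Warning "$right is not assigned to any account on this machine."
} else {
    # Entries are either *SID or a plain account name; strip the '*' marker.
    $holders = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }

    # List every holder, resolving SIDs to names where possible.
    foreach ($h in $holders) {
        $name = $h
        if ($h -like 'S-1-*') {
            try {
                $sid  = New-Object Security.Principal.SecurityIdentifier($h)
                $name = $sid.Translate([Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved)' }
        }
        '{0,-16} {1}' -f $h, $name
    }

    if ($holders -contains $iisIusrs -or $holders -match '(^|\\)IIS_IUSRS$') {
        "OK: IIS_IUSRS holds $right."
    } else {
        Write-Warning "IIS_IUSRS ($iisIusrs) is missing from $right, the condition described in this post."
    }
}
```

If the group is missing on a domain-joined machine, `gpresult /v` lists the GPOs being applied to that server.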

About wesmacdonald

Wes MacDonald is a Visual Studio ALM MVP, PSD, MCT and a Principal Consultant for LIKE 10 INC., a SharePoint Server, Visual Studio and Team Foundation Server Consulting Firm providing premium support and guidance services.

5 Responses to “Group Policy, Windows Server 2008 and SharePoint 2007 issue”

  1. Thanks, very helpful.

  2. Thank you for this post. I am having the same issue. I added the IIS_IUSRS to impersonations in GPO but when I went back to my local security settings on Windows Server, the group is not being replicated. I ran gpupdate /force, and still nothing. I waited a whole day, restarted, nothing. Could this be the reason why my service accounts still aren’t being validated?
    Do you have any suggestions? I would greatly appreciate it.

    • The local group IIS_IUSRS needs to be allowed to be listed in the impersonate a client after authentication right. If you can configure the GPO to allow overrides then you could edit the Local Policy on the machine yourself and add it. If you want to see the policies that are being applied to that machine you can run gpresult /v to get a list of the GPOs that are being applied on that server.

      Wes

  3. Btw, I am on Windows Server R2 and am in the process of installing SharePoint 2010.
