Event ID 3359 (Windows SharePoint Services health model)
Applies To: Windows SharePoint Services 3.0
When Windows SharePoint Services 3.0 is in Active Directory account creation mode, any user added to a site is automatically added to the Active Directory organizational unit identified for use by Windows SharePoint Services 3.0. When running in Active Directory account creation mode, every application pool that contains one or more sites must use an account that has permissions to create, read, and update accounts in the Active Directory organizational unit that the domain administrator configured for Windows SharePoint Services 3.0.
Event Details
Product: | Windows SharePoint Services |
ID: | 3359 |
Source: | Windows SharePoint Services 3 |
Version: | 12.0 |
Symbolic Name: | ULSEvtTag_3359 |
Message: | The application pool account has insufficient permission to add user accounts to Active Directory. |
Diagnose
Windows SharePoint Services 3.0 could not add a new user to an end-user-accessible site. This error might be caused by one of the following conditions:
The application pool account has insufficient permissions to add/read user accounts to/from Active Directory.
The Active Directory organization unit registered in Windows SharePoint Services 3.0 does not exist. To determine if the organizational unit exists, contact your domain administrator. To fix this, see the section titled "Ensure that the Active Directory organization unit exists".
To see which account is being used by the application pool for the site where you could not add a user
You must be a member of the SharePoint Administrators group to perform this task.
In Central Administration, on the left navigation pane, click Application Management.
On the Application Management page, in the SharePoint Site Management section, click Site collection list.
On the Site Collection List page, you will see the site collections listed for a specific Web application. If you do not see the site collection that contains the site where you could not add a user, then click the drop-down list next to Web Application to switch to another Web application.
On the left navigation pane, click Application Management.
On the Application Management page, in the SharePoint Application Management section, click Web application list. The name of the Application pool will be to the left of the URL.
In Internet Information Services Manager, expand the server node and then expand the Application Pools node.
Right-click the application pool and click Properties.
In the Properties dialog box, on the Identity tab, the account is shown in the User name box.
To fix permissions issues, see the section titled Assign the application pool account sufficient permissions.
Resolve
To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly.
Cause | Resolution |
---|---|
The Active Directory organization unit registered in Windows SharePoint Services 3.0 does not exist | Ensure that the Active Directory organization unit exists |
The application pool account has insufficient permissions to add/read user accounts to/from Active Directory | Assign the application pool account sufficient permissions |
Ensure that the Active Directory organization unit exists
Ask the domain administrator to locate the correct organizational unit name in Active Directory. If the organizational unit has been deleted, ask the domain administrator to recreate the organizational unit.
Use the psconfig.exe adminvs -provision command to reprovision the site. You must be a member of the SharePoint Administrators group to perform this action.
For more information about this command-line operation, see the Windows SharePoint Services 3.0 online documentation (https://go.microsoft.com/fwlink/?linkid=73952) or the Command-line reference for the SharePoint Products and Technologies Configuration Wizard (Windows SharePoint Services) (https://technet2.microsoft.com/windowsserver/WSS/en/library/eae2818a-e247-43c2-932f-f914f271d8a41033.mspx) article on TechNet.
Assign the application pool account sufficient permissions
For Windows SharePoint Services 3.0 to have permissions to create accounts in the sharepoint_ou organizational unit, the identity account for the SharePoint Central Administration v3 application pool and the identity accounts for any Web applications must have the correct permissions delegated to them.
To see which account is being used by the application pool for the site where you could not add a user
You must be a member of the SharePoint Administrators group to perform this task.
In Central Administration Web, on the left navigation pane, click Application Management.
On the Application Management page, in the SharePoint Site Management section, click Site collection list.
On the Site Collection List page, you will see the site collections listed for a specific Web application. If you do not see the site collection that contains the site where you could not add a user, then click the drop-down list next to Web Application to switch to another Web application.
On the left navigation pane, click Application Management.
On the Application Management page, in the SharePoint Application Management section, click Web application list. The name of the Application pool will be to the left of the URL.
In Internet Information Services Manager, expand the server node and then expand the Application Pools node.
Right-click the application pool and click Properties.
In the Properties dialog box, on the Identity tab, the account is shown in the User name box.
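The following PowerShell sketch is an added example, not part of the original article or of Windows SharePoint Services. It performs a read-only check of both causes listed above: whether the organizational unit exists, and which rights are granted to the application pool account on it. The distinguished name and account name are placeholders, and mapping "create, read, and update" to CreateChild, ReadProperty and WriteProperty is an assumption of this example.

```powershell
# Added example (PowerShell 3.0 or later, run from a domain-joined machine).
# Placeholder values: replace with the OU registered in WSS and the identity
# shown on the application pool's Identity tab.
$OuDn        = 'OU=sharepoint_ou,DC=example,DC=com'   # hypothetical DN
$PoolAccount = 'EXAMPLE\wss_apppool'                  # hypothetical account

function Test-WssOuDelegation {
    param([string]$OuDn, [string]$Account)
    $path = "LDAP://$OuDn"

    # Cause 1: the organizational unit registered in WSS does not exist.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        return [pscustomobject]@{ OuExists = $false; Missing = @(); Broad = $false }
    }

    # Cause 2: collect Allow ACEs granted directly to the account.
    # Rights that arrive through group membership are NOT evaluated here.
    $ou    = New-Object System.DirectoryServices.DirectoryEntry($path)
    $rules = @($ou.ObjectSecurity.GetAccessRules($true, $true,
                  [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Account -and
                       $_.AccessControlType -eq 'Allow' })

    # Union of the rights across those ACEs (object-type scoping is ignored).
    $granted = 0
    foreach ($r in $rules) { $granted = $granted -bor [int]$r.ActiveDirectoryRights }

    # Assumed mapping of "create, read, update" to directory rights.
    $missing = @('CreateChild', 'ReadProperty', 'WriteProperty' | Where-Object {
        $flag = [int][System.DirectoryServices.ActiveDirectoryRights]$_
        ($granted -band $flag) -ne $flag
    })

    # Least-privilege check: rights that let the account rewrite the OU's ACL.
    $broadMask = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'
    [pscustomobject]@{
        OuExists = $true
        Missing  = $missing                          # empty when all three are present
        Broad    = (($granted -band $broadMask) -ne 0)
    }
}

Test-WssOuDelegation -OuDn $OuDn -Account $PoolAccount | Format-List
```

A non-empty Missing list points to the insufficient-permissions cause. Broad set to True means the account can change the organizational unit's permissions or owner, which is more than account creation requires.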
Verify
Ensure that a new user can be added to an end-user-accessible site. The action should succeed without error.
You must be a site administrator to perform this task.
To check if a new user can be added to an end-user-accessible site
In the top level page of the site, on the left navigation pane, click People and Groups.
On the People and Groups page, click New, and then click Add users.
On the Add Users page, type the user name in the Users/Groups box.
Click the name-check icon to the right of the Users/Groups box.
If the name resolves (is underlined), the problem has been fixed.
Related Management Information
Active Directory Integration (Health model)