
This works as local administrator only, but I'm trying to figure out how I can make it work with NT AUTHORITY\SYSTEM.

It starts spitting out group members but fails with access denied on a specific group on a site collection.

I've tried adding NT AUTHORITY\SYSTEM to the local Administrators and WSS_ADMIN_WPG groups, to the SharePoint Farm Administrators group, and to the site collection admins group for the site giving the access denied error.

Update 2/25/2014: Tried granting db_owner on the content DB, but that didn't work either.

USE [SharePoint - 33220]
EXEC dbo.sp_addrolemember N'db_owner', N'NT AUTHORITY\SYSTEM'

Here's the error -

Unhandled Exception: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESS
   at Microsoft.SharePoint.SPGlobal.HandleUnauthorizedAccessException(UnauthorizedAccessException ex)
   at Microsoft.SharePoint.Library.SPRequest.GetUsersDataAsSafeArray(String bstrUrl, UInt32 dwUsersScope, String bstrValue, UInt32 dwValue, UInt32& pdwColCount, UInt32& pdwRowCount, Object& pvarDataSet)
   at Microsoft.SharePoint.SPUserCollection.InitUsers(Boolean fCustomUsers, String[] strIdentifiers)
   at Microsoft.SharePoint.SPUserCollection.InitUsers()
   at Microsoft.SharePoint.SPUserCollection.Undirty()
   at Microsoft.SharePoint.SPBaseCollection.System.Collections.IEnumerable.GetEnumerator()
   at ConsoleApplication1.Program.c__DisplayClass2.b__0()
   at Microsoft.SharePoint.SPSecurity.CodeToRunElevatedWrapper(Object state)
   at Microsoft.SharePoint.SPSecurity.c__DisplayClass4.b__2()
   at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
   at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)
   at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
   at ConsoleApplication1.Program.Main(String[] args)

Here's the code -

using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

namespace ConsoleApplication1
{
    class Program
    {
        static void Main(string[] args)
        {
            // The stack trace shows the enumeration ran inside RunWithElevatedPrivileges.
            SPSecurity.RunWithElevatedPrivileges(delegate()
            {
                SPWebServiceCollection spWebServiceCollection = new SPWebServiceCollection(SPFarm.Local);
                foreach (SPWebService spWebService in spWebServiceCollection)
                    foreach (SPWebApplication webApplication in spWebService.WebApplications)
                        foreach (SPSite spSite in webApplication.Sites)
                        {
                            // Dispose each SPSite/SPWeb the loop opens.
                            using (spSite)
                            using (SPWeb spWeb = spSite.OpenWeb())
                            {
                                foreach (SPGroup group in spWeb.Groups)
                                    foreach (SPUser user in group.Users)
                                        Console.WriteLine("{0}\t{1}\t{2}", spWeb.Url, group.Name, user.LoginName);
                            }
                        }
            });
        }
    }
}

Solution 3

Adding it to the site collection admins worked.



So you want to know the least permissions needed for this? My guess is that you will need equivalent permissions to the Server farm account:

Server farm account

The server farm account is also referred to as the database access account and is used as the application pool identity for Central Administration, and as the process account for the Windows SharePoint Services 3.0 Timer service. The server farm account requires the following permissions:

  • It must have domain user account permissions.

  • If the server farm is a child farm with Web applications that consume shared services from a parent farm, the server farm account must be a member of the db_owner fixed database role associated with the configuration database of the parent farm.

Additional permissions are automatically granted to the server farm account on Web servers and application servers that are joined to a server farm.

After you run the PSC tool, machine-level permissions include:

  • Membership in the WSS_ADMIN_WPG Windows security group for the Windows SharePoint Services 3.0 Timer service.

  • Membership in IIS_RESTRICTED_WPG for the Central Administration application pool.

  • Membership in IIS_WPG for the Central Administration application pool.

After you run the PSC tool, SQL Server and database permissions include:

  • Dbcreator fixed server role.

  • Securityadmin fixed server role.

  • db_owner for all Office SharePoint Server 2007 databases.

  • Membership in the WSS_CONTENT_APPLICATION_POOLS role for the Office SharePoint Server 2007 server farm configuration database.

  • Membership in the WSS_CONTENT_APPLICATION_POOLS role for the Office SharePoint Server 2007 SharePoint_Admin content database.

I would start with the above permissions, check that it is working and then start to remove the permissions one by one until the application stops working again.

So to really find the minimum permissions you would have to use this list as a base, and then do some trial-and-error work.
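As an added illustration of the trial-and-error approach above (not the asker's code and not from Microsoft's documentation): the same enumeration with a per-group catch, so one denied group is recorded instead of ending the run, and with the process identity printed first so you can confirm which account (SYSTEM or a local admin) SharePoint is actually authorising. The namespace `PermissionProbe` is an assumed name.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

namespace PermissionProbe // assumed name, not the asker's project
{
    class Program
    {
        static void Main(string[] args)
        {
            // Outside a web context SharePoint authorises against the process identity,
            // so print it first to confirm the account under test (SYSTEM or an admin).
            Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);

            List<string> denied = new List<string>();
            int usersListed = 0;

            foreach (SPWebService service in new SPWebServiceCollection(SPFarm.Local))
                foreach (SPWebApplication webApp in service.WebApplications)
                    foreach (SPSite site in webApp.Sites)
                        using (site)                      // dispose each SPSite the enumerator opens
                        using (SPWeb web = site.OpenWeb())
                            foreach (SPGroup group in web.Groups)
                            {
                                try
                                {
                                    // The trace shows the denial surfaces when group.Users is enumerated.
                                    foreach (SPUser user in group.Users)
                                    {
                                        Console.WriteLine("{0}\t{1}\t{2}", site.Url, group.Name, user.LoginName);
                                        usersListed++;
                                    }
                                }
                                catch (UnauthorizedAccessException ex)
                                {
                                    // Record the site and group instead of aborting, so after each
                                    // permission you remove you see exactly which groups it covered.
                                    denied.Add(site.Url + " / " + group.Name + " : " + ex.Message);
                                }
                            }

            Console.WriteLine("Users listed: {0}; groups denied: {1}", usersListed, denied.Count);
            foreach (string entry in denied)
                Console.WriteLine("ACCESS DENIED " + entry);
        }
    }
}
```

Run it once under each candidate account and after each permission you remove; the denied list tells you which site collections and groups that permission was covering.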


has no effect when you run it from a console application. It only works from a SharePoint context, like event receiver code, web part code, etc.

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange