I had a really, really weird problem with a customer yesterday. We’d set up their SharePoint search. Indexing seemed to be working correctly, and when I logged in as an administrator, I was getting search results correctly. However, logged in as a normal – though very highly privileged – user, my search results were missing! This was something of a surprise. It felt like security trimming, but the user was a Site Collection admin, and had Full Control throughout the entire main content web application. Also, we were indexing content off the network file share, and we knew he could access both the SharePoint content.
However, when he ran a search, he didn’t get any search results. That sucked. I tried another user account – and had the same problem.
Eventually, I looked in the logs and found the following message:
AuthzInitializeContextFromSid failed with ERROR_ACCESS_DENIED. This error indicates that the account under which this process is executing may not have read access to the tokenGroupsGlobalAndUniversal attribute on the querying user’s Active Directory object. Query results which require non-Claims Windows authorization will not be returned to this querying user.
Continue reading “SharePoint Search – AuthzInitializeContextFromSid failed”
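The log message above names a specific condition: the account running the query process cannot read the querying user’s tokenGroupsGlobalAndUniversal attribute. This attribute is computed by the domain controller and has to be requested explicitly, so the check below (an added example, not code from the original post) does exactly that using System.DirectoryServices. Run it under the search service account (for instance via runas) with the affected user’s sAMAccountName; $QueryingUser is an assumed parameter name, and the user lookup assumes the default naming context of the current domain.

```powershell
# Added example (not from the original post). Run as the SharePoint search
# service account to test whether it can read the querying user's
# tokenGroupsGlobalAndUniversal attribute. An access-denied result here is the
# condition the AuthzInitializeContextFromSid log message describes.
# $QueryingUser is an assumed parameter: the sAMAccountName of the user whose
# search results are missing.
param(
    [Parameter(Mandatory = $true)]
    [string]$QueryingUser
)

Add-Type -AssemblyName System.DirectoryServices

# Locate the user's object under the domain's default naming context
$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$searcher.Filter     = "(&(objectCategory=person)(sAMAccountName=$QueryingUser))"
$result = $searcher.FindOne()
if (-not $result) { throw "User '$QueryingUser' was not found in Active Directory." }

$entry = $result.GetDirectoryEntry()
$runningAs = [Environment]::UserDomainName + "\" + [Environment]::UserName

try {
    # Constructed attribute: must be named explicitly in RefreshCache, it is
    # never returned by a plain attribute read.
    $entry.RefreshCache(@("tokenGroupsGlobalAndUniversal"))

    # Each value is a binary SID; convert to S-1-5-... form for readability
    $sids = @($entry.Properties["tokenGroupsGlobalAndUniversal"] |
        ForEach-Object { (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value })

    Write-Output ("OK: read {0} global/universal group SIDs for {1} while running as {2}" -f `
        $sids.Count, $QueryingUser, $runningAs)
    $sids
}
catch {
    # Access denied from the DC surfaces here; that is what the search log reports
    Write-Warning ("Could not read tokenGroupsGlobalAndUniversal for {0} as {1}: {2}" -f `
        $QueryingUser, $runningAs, $_.Exception.Message)
}
```

If the script fails with an access-denied error only when run as the service account, the problem is the permission on the user object rather than anything in SharePoint itself. Membership of the built-in "Windows Authorization Access Group" is what Active Directory provides to grant read access to this computed attribute, so that membership is the first thing worth comparing between the service account and an account for which the read succeeds.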
This was something that I set up in our offices, and was trying to set up for a client – but it turned out that there were a few more components involved than I’d first realised.
We have an AD group of ‘All Staff’ which contains, um, all staff. We also have a ‘Company Announcements’ list, and we wanted to send any announcements added to that list to all our staff. As an administrator, I could add an alert for the ‘All Staff’ group (on the list, click List Settings > Alert Me and then enter the group we want to email).
The ‘All Staff’ group is a mail-enabled security group, with its own address – e.g. firstname.lastname@example.org. The puzzle for me (not being an Exchange or AD expert) was that in that case, what resolves the addresses? I’d thought that the group being mail enabled meant that you could resolve the email addresses of the users within the group – but what does that? Well, Exchange, as it happens, though I’m not sure how to configure that. The upshot of it is, though, that the AD group you want to mail needs to be mail enabled, and you may need to talk to your Exchange guys too.
This is unfortunate, as in a lot of organizations making changes to AD can be a tortuous process. Still, if there is an appropriate group you can email then this is a quick win with things like Announcements lists.
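Before asking for an AD change, it helps to know whether the group you plan to alert is already a mail-enabled security group and who would actually receive the announcement. The check below is an added example, not code from the original post; it uses the ActiveDirectory RSAT module, and $GroupName is an assumed parameter that defaults to the ‘All Staff’ group named above.

```powershell
# Added example (not from the original post). Reports whether an AD group is a
# security group with a mail address (the two properties a SharePoint alert
# target needs) and expands the membership that the alert would reach.
# Requires the ActiveDirectory module from RSAT. $GroupName is an assumed parameter.
param(
    [string]$GroupName = 'All Staff'
)

Import-Module ActiveDirectory

$group = Get-ADGroup -Identity $GroupName -Properties mail, proxyAddresses, groupType

# groupType has bit 0x80000000 set for security groups; distribution groups lack it
$isSecurityGroup = ($group.groupType -band 0x80000000) -ne 0
# A mail-enabled group carries a primary SMTP address in the mail attribute
$isMailEnabled   = -not [string]::IsNullOrEmpty($group.mail)

[pscustomobject]@{
    Group          = $group.Name
    SecurityGroup  = $isSecurityGroup
    MailEnabled    = $isMailEnabled
    PrimaryAddress = $group.mail
    ProxyAddresses = ($group.proxyAddresses -join '; ')
}

if (-not $isMailEnabled) {
    Write-Warning ("'{0}' has no mail attribute. Alerts sent to it have no address to " +
        "deliver to until the group is mail-enabled in Exchange." -f $GroupName)
}

# Recursive expansion: every user who would receive an announcement via this group.
# Users without a mail attribute are flagged, since Exchange cannot deliver to them.
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties mail |
    Select-Object SamAccountName, mail,
        @{ Name = 'Deliverable'; Expression = { -not [string]::IsNullOrEmpty($_.mail) } } |
    Sort-Object SamAccountName
```

A group that reports SecurityGroup as true but MailEnabled as false is the case described above: SharePoint will let you enter it in Alert Me, but there is no address for the alert to go to, and that is the point at which the Exchange team needs to be involved.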