Add-SPShellAdmin and SPWebApplication.GrantAccessToProcessIdentity. What’s the difference?

TLDR – Add-SPShellAdmin and SPWebApplication.GrantAccessToProcessIdentity are very similar in what they do, but there are a few key differences:

  1. Add-SPShellAdmin: Should be used for granting admin accounts access to run PowerShell commands against the farm. This adds the account to 2 database roles (SharePoint_Shell_Access and SPDataAccess) in the specified content database.
  2. SPWebApplication.GrantAccessToProcessIdentity: Should be used for granting service accounts access to the content database. This grants a Full Control User Policy on the Web Application and adds the account to the SPDataAccess role for the specified content database.

OK, if you’re still reading…here’s the longer version:

  • SharePoint_Shell_Access Role:
    • Members of the SharePoint_SHELL_ACCESS role have the execute permission for all stored procedures for the database. In addition, members of this role have the read and write permissions on all of the database tables.
  • SPDataAccess Role:
    • Note: The SP_DATA_ACCESS role replaces the db_owner role in SharePoint 2013. (From
    • The SPDataAccess role will have the following permissions (SPDataAccess should be used for all object model level access to databases):
      • Grant EXECUTE or SELECT on all SharePoint stored procedures and functions
      • Grant SELECT on all SharePoint tables
      • Grant EXECUTE on User-defined type where schema is dbo
      • Grant INSERT on AllUserDataJunctions table
      • Grant UPDATE on Sites view
      • Grant UPDATE on UserData view
      • Grant UPDATE on AllUserData table
      • Grant INSERT and DELETE on NameValuePair tables
      • Grant create table permission
  • SPWebApplication.GrantAccessToProcessIdentity (
    • Used for service accounts requiring elevated access to the content database(s)
    • Most Common Use – Needs to be set for service accounts (if using least privilege) running Excel, PerformancePoint, SSRS, etc.
    • First, this sets a full control User Policy for the Web Application.
    • Then, this adds the user to the SPDataAccess role for the specified database(s) for the Web Application.

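One way to check which of the two grants an account actually holds (an added example, not from the original post): the script reports the Full Control user policies on a web application and the members of the two database roles in each of its content databases. The URL is a placeholder, and Invoke-Sqlcmd (SqlServer module) and the NormalizedDataSource property are assumed to be available where it runs.

```powershell
# Added example, not from the original post. Run in the SharePoint Management Shell
# with an account that can read the farm configuration and the content databases.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = Get-SPWebApplication -Identity 'http://sharepoint.example.local'  # placeholder URL

# Report 1: accounts with a Full Control user policy on the web application
# (the policy that GrantAccessToProcessIdentity sets for a service account).
$fullControl = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl
$webApp.Policies |
    Where-Object { $_.PolicyRoleBindings | Where-Object { $_.Type -eq $fullControl } } |
    Select-Object UserName, DisplayName

# Report 2: members of the two roles discussed above, per content database.
$query = @'
SELECT r.name AS RoleName, m.name AS MemberName
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN (N'SharePoint_Shell_Access', N'SPDataAccess')
ORDER BY r.name, m.name;
'@

foreach ($db in Get-SPContentDatabase -WebApplication $webApp) {
    # NormalizedDataSource is assumed to hold the SQL instance hosting this database.
    Invoke-Sqlcmd -ServerInstance $db.NormalizedDataSource -Database $db.Name -Query $query |
        Select-Object @{ Name = 'Database'; Expression = { $db.Name } }, RoleName, MemberName
}
```

An account listed under both roles matches what Add-SPShellAdmin grants; an account with SPDataAccess plus a Full Control policy matches GrantAccessToProcessIdentity.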

Long Live SSRS SharePoint Integrated Mode

On 11/17/16 the SQL Server Reporting Services Product Team announced that starting with SQL Server v.Next, there’ll be only one installation mode for Reporting Services: “Native” mode. Check out the blog here –

I’ve blogged about SSRS a little bit here and there, so I’m making sure everyone is aware of this as you look into future deployments of SSRS!


SharePoint Patching 101 – Don’t forget to save all those CAB files in the same folder as the EXE!

Hey All – I’ve seen people run into this issue a few times now so I figured it’d be worth a quick post. A lot of the SharePoint 2013 Cumulative Updates include 3 files – 2 CABs and an EXE. These used to be included in the same self-extracting executable file, but now are 3 separate downloads. Make sure to select ALL 3 from the Microsoft Download Center and then make sure they are all in the same folder when you go to run the EXE and patch that beautiful SharePoint farm of yours.




SharePoint SSRS – Orphaned SQL Agent Jobs Causing Subscriptions to Fail

Weird/crazy issue recently. Subscriptions were getting bogged down/failing in an SSRS SharePoint Integrated Mode environment. This issue seemed sporadic: some days subscriptions would fire off at the scheduled times, and sometimes they’d get stuck processing for a few hours before users would receive the subscriptions. After some troubleshooting/digging into this issue we noticed something off. We ran a query in SQL to compare the SSRS Subscriptions with the SQL Agent Jobs on the server. These numbers did not match. There were around 70 additional SQL Agent Jobs on the server, and they were not attached to a subscription. Opening one of them up showed that it was a SQL Agent Job created by SSRS for a subscription, but no subscription was associated. Disabling these jobs fixed the issues.

Here’s the SQL script (This renames all SQL Agent Jobs to have a prefix of ZZZZ_ and disables the job):

SharePoint 2013 InfoPath Form: Object doesn’t support this property or method ‘addeventlistener’ in IE 11

During an upgrade project we noticed that one of the pages that displays an InfoPath Form was throwing the error:

Object doesn’t support property or method ‘addEventListener’


This error wasn’t appearing anywhere else, so it was isolated to this specific page and also it worked in Chrome (The user was on IE 11). This led me to believe it was an IE 11 issue. I found the following post:

Adding the site to compatibility mode for IE 11 users fixed the issue..


SharePoint 2010/2013 Content Query Web Part..Please Open in Office Web Apps..Ugh, I loathe you right now

First off, thank you very much Ben Prins for getting me moving in the right direction on this one –

Here’s the scenario: A client was looking into rolling out Office Web Apps as the default open behavior for documents in a recently upgraded SharePoint 2013 farm (Started as a 2007 farm and upgraded to 2010 and 2013 throughout the years). Cool right? Follow this document ( and turn off OpenInClient and you should be rocking and rolling in the deep with those web apps..

Everything was looking great except throughout the site they were using content query web parts #CQWPFail. Content query web parts have their place and this client did not want to revamp a ton of pages and replace them with the shiny new SharePoint 2013 search web parts (The CSWP can span site collections like a boss, but the CQWP is pretty simple/easy to configure if you’re just looking at one site collection..unless XSLT is involved. Keep reading..). The content query web parts had no honor..they refused to acknowledge the OpenInClient setting. Not cool CQWP…

Since this was an upgraded SharePoint site, as a troubleshooting step we created a brand new “Vanilla” SharePoint 2013 site collection and did a quick test. These CQWPs seemed to have a little more honor..If the query was set to a specific list/library it would open in the web app. If the query was set to a site collection/site it would try to open in the client. Unfortunately that was the entire reason the client wanted to use CQWPs back when they set it up: to cross sites and surface documents using custom content types.

I think you know where this is going…time to brush up on those XSLT skills. After some research I found this page which states the files used for the CQWP: I did a comparison (insert favorite file comparison tool here..I used WinMerge) against these 2 files (comparing the 2010 upgraded site to the vanilla 2013 site):

  • /Style Library/XSL Style Sheets/ContentQueryMain.xsl
  • /Style Library/XSL Style Sheets/ItemStyle.xsl

What do you know??…there were differences. We updated the 2010 upgraded site’s ContentQueryMain.xsl and ItemStyle.xsl files and now at least queries directly to lists/libraries started working.

After this I found Ben’s awesome blog post and ran through the steps on there (I did have to make a few changes so I’ll post my detailed steps and I posted comments on his blog):

  1. Crack open that ItemStyle.xsl file (I checked it out first and then opened with NotePad)
  2. Right underneath this line (Since we’re editing the default style…you could create your own, but we wanted to update all existing web parts without too many changes)

<xsl:template name="Default" match="*" mode="itemstyle">

Paste the following lines:

  • Some things to note about this:
    • ?web=1 is what forces the document to open in Office Web Apps. Pretty nifty..instead of using a hard-coded link to WopiFrame.aspx and trying to parse the LinkUrl field..which I tried and failed because the URL passed to WopiFrame.aspx must be in this format: http://webappurl/sites/sitecollectionurl/siteurl/_layouts/WopiFrame.aspx?sourcedoc=/relative path to file
    • Feel free to add additional entries for doc/xls/ppt
  3. After this I found the <div class="link-item"> and updated it with this code:

Check these guys out:

2010 Fails on ALL Queries:


2013 is a little better..but falls short when a query is set at the “site level”


Here’s the site collection with the updated XSLT (Check out that sexy hyperlink at the bottom!)


Cool Stuff. Also another plug for Ben Prins’s blog…check out this post:

The XSLT snippet from this post allows you to see all fields and values that are available..which was super useful in troubleshooting.

SharePoint 2010/Server 2012 R2: Config Wizard Fails with Error “Value Does Not Fall Within The Expected Range”

Ran into an interesting installation error – SharePoint was failing to create the Configuration Database..or so it appeared. Running New-SPConfigurationDatabase and running the SharePoint Products Configuration Wizard were both failing with the error “Value does not fall within expected range.” We were able to track down this issue in the ULS Logs and noticed all sorts of IIS-related errors:

Creating new application pool ‘SecurityTokenServiceApplicationPool’.
Adding DOMAIN\spfarmacct to local group IIS_WPG.
Adding DOMAIN\spfarmacct to local group WSS_WPG.
Adding DOMAIN\spfarmacct to local group PerformanceMonitorUsers.
Attempting to give SE_ASSIGNPRIMARYTOKEN_NAME privilege to application pool user DOMAIN\spfarmacct
Attempting to give SE_INCREASE_QUOTA_NAME privilege to application pool user DOMAIN\spfarmacct
An exception occurred while committing IIS configuration changes: Value does not fall within the expected range.
Unable to unprovision metabase object IIS://localhost/w3svc/AppPools/SharePoint Central Administration v4: System.Runtime.InteropServices.COMException (0x80070003): The system cannot find the path specified.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.DirectoryEntry.DeleteTree()
   at Microsoft.SharePoint.Administration.SPMetabaseObject.Unprovision()

Removing the Web Server (IIS) Role Service and letting the prerequisite installer configure IIS was the ticket to get “past” the SharePoint Products Configuration Wizard. It looked like something was up with the client’s Windows Server 2012 R2 image which caused IIS to get a little out of whack. Some other items to watch out for in this configuration (SP10/Svr 2012 R2):


SSRS Migration – Do not change ReportServer database names

IMPORTANT: Do not rename the ReportServer database. This is unsupported according to Microsoft per:

This is the “official” SSRS migration for SharePoint document (Doesn’t say anything about database renaming..I’m writing this article for the people who probably didn’t see the links above):

This is why we always recommend “dry runs” for all migrations! 🙂 There are a few reasons why it’s unsupported, but I was able to do some digging and found where it is hard-coded and how to fix it if needed. In the end your best bet is to revert back to the original database name (ReportServer most likely), but it’s always nice to know and could potentially help someone if they have their heart set on a rename and understand it is unsupported.

  1. This is because the ReportServerTempDB database is referenced in dbo.schedules >Triggers > Schedule_UpdateExpiration
  2. There are 83 stored procedures that reference the ReportServerTempDB database 
    • NOTE: As part of the SharePoint service application creation process (Only when you are upgrading the ReportServer database), SharePoint actually goes through and updates all of these stored procedures. This wasn’t needed in this case, but good to know!
  3. Whenever you create a new subscription it creates a SQL agent job. Most SQL Agent jobs (Existing ones. New ones will be fine) have an entry pointing to the original reporting services database name. You could use the following script to update. Or just keep the database name and save yourself some work. I’m showing you this in case the damage is already done. Here’s a sweet SQL script to fix this:

SharePoint Open With Explorer Not Working – Check those managed paths

Try searching the internet for “SharePoint Open With Explorer Issues” and you will be busy for hours searching through all of the different forums, blogs, etc. Some of the most common recurring issues I found in my searching:

  • No “Root” site collection
  • Web Client service not started/not configured correctly on the client PC
  • Hot fixes need to be applied
  • The SharePoint site URL’s are not added to Trusted Sites/Local Intranet Zone

There are many more out there, but these were the most common I found..Now on to this SharePoint troubleshooting tale:

The client just went through a SharePoint 2010 to 2013 upgrade and Explorer View was working for some site collections and not others. This was reproducible on a Windows 7 Client with IE 10 or IE 11. We also did a test on Windows 10 and everything seemed to work there (Web Client must act differently in the new OS). The open with explorer would work 1-2 times after restarting the Web Client service. Then it would start prompting to add the site to Trusted Sites. Then after restarting Web Client this process would start all over again.

After some investigating I noticed something interesting in the Fiddler Traces..

Working Site Collection:

PROPFIND http://sitesp13ent01.ajb.loc/
207 MULTI-STATUS (text/xml)

PROPFIND http://sitesp13ent01.ajb.loc/sites
207 MULTI-STATUS (text/xml)

Non-Working Site Collection (It will give the error “We’re having a problem opening this location in File Explorer. Add this web site to your Trusted Sites list and try again”):

PROPFIND http://sitesp13ent01.ajb.loc/
207 MULTI-STATUS (text/xml)

PROPFIND http://sitesp13ent01.ajb.loc/depts
404 NOT FOUND ()

PROPFIND http://sitesp13ent01.ajb.loc/depts/it/Shared%20Documents
207 MULTI-STATUS (text/xml)

Notice anything weird?? There is a 404 Not Found for the /depts path. Let’s take a look at SharePoint Central Admin for the managed paths config for this web app:


Any site collection under the /sites/ wildcard managed path was working correctly and any of the depts site collections were not. WebDAV is smart enough to honor wildcard managed paths, but does not work with “nested” explicit inclusions, as it tries to hit each level of the URL.

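A check for this condition, as an added example that is not from the original post: it lists explicit managed paths whose parent level is neither a wildcard managed path nor an existing site collection, which is the pattern that returned 404 for /depts above. The function name and URL are placeholders, and it looks only at managed paths and site collections, not at subsites or folders that might also answer at the parent URL.

```powershell
# Added example, not from the original post. Run in the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Find-ManagedPathGap {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$WebApplicationUrl)

    $paths = @(Get-SPManagedPath -WebApplication $WebApplicationUrl)
    $wildcard = @($paths | Where-Object { $_.PrefixType -eq 'WildcardInclusion' } |
                  ForEach-Object { $_.Name.Trim('/').ToLower() })
    $explicit = @($paths | Where-Object { $_.PrefixType -eq 'ExplicitInclusion' } |
                  ForEach-Object { $_.Name.Trim('/').ToLower() })

    # Server-relative URLs of the existing site collections, e.g. "depts/it".
    $sites = @(Get-SPSite -WebApplication $WebApplicationUrl -Limit All |
               ForEach-Object { $_.ServerRelativeUrl.Trim('/').ToLower() })

    foreach ($name in $explicit) {
        $segments = @($name.Split('/'))
        # Walk every parent level, since the WebDAV client requests each level of the URL.
        for ($i = 1; $i -lt $segments.Count; $i++) {
            $parent = $segments[0..($i - 1)] -join '/'
            if (($wildcard -notcontains $parent) -and ($sites -notcontains $parent)) {
                [pscustomobject]@{
                    ExplicitPath  = "/$name"
                    MissingParent = "/$parent"
                }
            }
        }
    }
}

Find-ManagedPathGap -WebApplicationUrl 'http://sharepoint.example.local'  # placeholder URL
```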
Fixing the issue:

  1. Option A – Create an explicit managed path at depts and create a site collection at the depts URL
  2. Option B
    • Add depts as a managed path (wildcard inclusion)
    • Delete all depts/* explicit inclusions
    • If there is a site collection at depts this will need to be deleted
    • Note: Only tested 1 level deep (For example: depts/it). Did not test a scenario where there is more than 1 level (For example: depts/it/projects)