4

I just installed Sharepoint Server 2010 RTM and setup a Search Service Application with the Default Content Access Account as DOMAIN\SharepointSearch. I setup a new intranet using the Team Site template. I've created a list and added some items to the list. I've started a full index and that completed successfully with several items being indexed. When I am logged in as a Site Collection Administrator and search, I get correct results.

I've added the Domain Users group to the Site Visitors group and verified that they can browse items in the list. When I try to search when logged in as a user in the Domain Users group, I get no results.

How can I make results show up for members of the Domain Users group?

JapNolt
  • 61
  • 1
  • 5

2 Answers2

2

Have you reindexed since you added the Domain Users Group? The index, until its updated, utilizes the permissions it had when it was created.

MichaelF
  • 1,161
  • 2
  • 15
  • 31
  • Tried a full crawl - no results Tried an index reset and full crawl - no results When I look at the crawl log there are no errors and site collection admins do get results. – JapNolt Dec 10 '10 at 18:11
2

Here's the answer I got from Laura Liu over on the Microsoft partner forums.

http://social.microsoft.com/Forums/en-US/partnerofficesharepoint/thread/b547461a-e47b-4b54-980d-d6b36e244bae

Regarding your issue, you could look in logs and find if there is a below error in ULS log (Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\LOGS):

w3wp.exe (0x1594) 0x1064 SharePoint Server Search Query Processor g2j3 High AuthzInitializeContextFromSid failed with ERROR_ACCESS_DENIED.

You could refer to the following article.

Why the tokenGroupsGlobalAndUniversal (TGGAU) attribute matters in SharePoint 2010

Link

In order to call the AuthzInitializeContextFromSid, the caller “service account” needs to able to read the TGGAU attribute. In Windows 2000 and Windows 2003 domain, members of the Pre-Windows 2000 Compatibility Access group are able read the TGGAU attribute. At a minimum, certain service accounts like the search service account need to be a member of this group.

So please try to make sure the Content Access Account has read access to the user objects in AD (Add the Windows account to the Windows Authorization Access group by using the Active Directory Users and Computers snap-in). Or you could try the following steps.

  1. Load the SharePoint 2010 PowerShell environment

  2. Run:  new-spmanagedaccount -Credential USERACCOUNTDOMAIN\USERNAME

  3. Load SharePoint Central Administrator

  4. Go to:  Security | Configure Service Accounts

  5. Select: Service Application Pool – SharePoint Web Services Default

  6. Set the account to the one you just created in Step #2

Please let me know if there is anything misunderstanding or you have any concern. Thanks!

Best regards,

Laura Liu Partner Online Technical Community

Glorfindel
  • 1,050
  • 1
  • 11
  • 17
JapNolt
  • 61
  • 1
  • 5
  • 1
    This fixed it for me on Foundation. I added the app pool account, and my search service account. I think I probably only needed the app pool account. – AdamH Jun 29 '12 at 00:43
  • I know this is very old thread. but I have same prb. I am using SPservice account for search. Please tell me what you did in application pool. Thank you, Deepak –  Jun 04 '14 at 05:44