The application pool account cannot add user accounts to Active Directory - Event 3359 (SharePoint 2010 Products)


Applies to: SharePoint Server 2010, SharePoint Foundation 2010

Alert Name:   The application pool account cannot add user accounts to Active Directory

Event ID:   3359

Summary:   The Internet Information Services (IIS) application pool creates identities based on Active Directory users, and associates these identities by using a set of permissions. This lets users in an Active Directory organizational unit (OU) inherit those permissions.

Symptoms:   One or more of the following symptoms might appear:

  • Account creation mode does not work correctly, which prevents user data from being added or read.

  • User accounts are not automatically created in Active Directory.

  • The following event appears in the event log: Event ID: 3359. Description: The application pool account has insufficient permissions to add user accounts to Active Directory.

Cause:   The account that is used by the application pool does not have the appropriate level of permissions that are required to add new user accounts to Active Directory.

Resolution:   Determine the OU in which the application pool account creates new user accounts

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Click SharePoint 2010 Management Shell.

  5. At the Windows PowerShell command prompt, type the following:

    # Get-SPWebApplication returns every web application in the farm; the
    # account creation mode settings live on their shared parent (SPWebService),
    # so inspecting the first one is enough and avoids calling .Parent on an array.
    $wa = Get-SPWebApplication | Select-Object -First 1
    # $true when account creation mode is enabled for the farm
    $wa.Parent.CreateActiveDirectoryAccounts
    # Domain in which new user accounts are created
    $wa.Parent.ActiveDirectoryDomain
    # OU in that domain where the application pool account creates the accounts
    $wa.Parent.ActiveDirectoryOrganizationalUnit

Note

We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.

Resolution:   Add the correct permissions to the OU

  1. On a server that has the Active Directory tools installed, open the Active Directory Users and Computers snap-in as a user who has sufficient domain permissions, such as domain administrator. To open Active Directory Users and Computers, click Start, click Run, and then type dsa.msc.

  2. In the console tree, right-click the OU for which you want to delegate control.

  3. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the wizard.

  4. In the Welcome pane, click Next.

  5. In the Users and Groups pane, click Add.

  6. In the Enter the object names to select box, type the user name that you plan to use for the administration application pool identity, and then click OK.

  7. Click Next.

  8. In the Tasks to Delegate pane, select the Create, delete, and manage user accounts and Read all user information check boxes, and then click Next.

  9. Click Finish.
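After completing both procedures, a defender typically wants to confirm, without opening the wizard again, that the OU really carries the rights that were delegated and that the account holding them is the one running the application pool. The following script is an added example and is not part of the original article: it reads the account creation mode settings inspected in the first procedure, then audits the OU's ACL for the two tasks the Delegation of Control Wizard grants in the second. It assumes the ActiveDirectory module (RSAT) is installed on the SharePoint server, that the shell runs as a farm administrator, and that ActiveDirectoryOrganizationalUnit holds either the bare OU name or its full distinguished name (both forms are handled). The function name Test-OuDelegation is the example's own.

```powershell
# Added example, not from the original article. Verifies the delegation on the
# account creation OU for every web application's pool account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory   # provides Get-ADDomain and the AD: drive (assumed installed)

# Schema GUID of the 'user' object class; the wizard scopes its ACEs to this class.
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$anyObject     = [guid]::Empty   # ObjectType of an ACE that is not class-specific

# Rights the two wizard tasks grant: "Create, delete, and manage user accounts"
# and "Read all user information" (GenericAll also carries both sets of bits).
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$readRights   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, GenericRead, GenericAll'

# Step 1: read the farm-level settings from the web applications' shared parent.
$service = (Get-SPWebApplication | Select-Object -First 1).Parent   # SPWebService
if (-not $service.CreateActiveDirectoryAccounts) {
    Write-Warning 'Account creation mode is not enabled on this farm.'
}
$domain = $service.ActiveDirectoryDomain
$ou     = $service.ActiveDirectoryOrganizationalUnit

# Step 2: build the OU distinguished name (assumption: a value containing '='
# is already a DN; otherwise it is the OU name under the domain root).
$ouDn = if ($ou -match '=') {
    $ou
} else {
    "OU=$ou," + (Get-ADDomain -Identity $domain).DistinguishedName
}
$acl = Get-Acl -Path "AD:\$ouDn"

function Test-OuDelegation {
    param(
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [string]$Account    # DOMAIN\name as shown in the ACL
    )
    # Only direct Allow ACEs for this account are examined; rights the account
    # receives through group membership are not resolved here.
    $aces = $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ieq $Account
    }
    # Create/delete user objects in the OU (ACE on the OU itself, class 'user').
    $canCreateDelete = $aces | Where-Object {
        ($_.ActiveDirectoryRights -band $createDelete) -eq $createDelete -and
        ($_.ObjectType -eq $userClassGuid -or $_.ObjectType -eq $anyObject)
    }
    # Read every property of descendant user objects.
    $canReadUsers = $aces | Where-Object {
        ($_.ActiveDirectoryRights -band $readRights) -ne 0 -and
        ($_.InheritedObjectType -eq $userClassGuid -or $_.InheritedObjectType -eq $anyObject)
    }
    [pscustomobject]@{
        Account         = $Account
        OU              = $Acl.Path
        CanCreateDelete = [bool]$canCreateDelete
        CanReadUsers    = [bool]$canReadUsers
    }
}

# Step 3: check the identity of each web application's pool against the OU ACL.
foreach ($wa in Get-SPWebApplication) {
    Test-OuDelegation -Acl $acl -Account $wa.ApplicationPool.Username |
        Add-Member -NotePropertyName WebApplication -NotePropertyValue $wa.DisplayName -PassThru
}
```

A row showing CanCreateDelete or CanReadUsers as False for a pool account means the wizard was run for a different account, a different OU, or not at all, which is exactly the condition that produces Event 3359. Because the check looks only at ACEs written directly for the account, a False can also mean the rights were delegated to a group the account belongs to; in that case confirm the membership rather than re-running the wizard for the individual account.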