HarePoint Active Directory Self Service: configure permissions to avoid “Access denied” error​


First of all, please, don’t work with HarePoint Active Directory Self Service web part as a System Account! The product is not working with System Account from scratch, because of security reasons.

An “Access denied” error means current user account don’t have enough permissions to update one (or more) of the Active Directory fields. In this article we will show how to solve this issue to update the user profile picture, but this solution is suitable for all other cases. Technically in the AD case, it’s a thumbnail picture, and for a User Profile or Sharepoint, it’s a URL of the picture.

If this error appears after the “save” action, just go to Site Settings – HarePoint Active Directory Self Service settings.

Take a look at the Photo settings option. To find the problematic parameter, select the options: Show one photo and Update only Active Directory photo.

Then test uploading a picture. If an error appears, that means the problem is with the AD parameter. In this case, specify a domain admin account in Active Directory Connection Settings and test it again.

If you can upload an AD picture, you’ll need to test the 2 other parameters: Update only SharePoint photo and Update only User Profile Service photo.

Make sure that the current application pool account has been added to the “My Site” site collection administrators.

When the problematic parameter is found, you will get an error screen after the “save” action:

Just copy this correlation ID and find it in ULS logs you have on the current WFE server (usually it’s located in the latest log).

Also, if you want to change the UserProfile picture of another person and you are a SharePoint admin, your account must be located inside Application Management – Manage Service Applications – User Profile Service Application – Administrators; it’s desirable to have Full Control permission.

An Access denied error can also appear when you have just opened a web part without any edit and save actions. In this case, the domain admin account is required in Active Directory Connection Settings. If it is not working, just send us the latest ULS logs that you have.

Learn more about HarePoint Active Directory Self Service for SharePoint web part which allows users to manage and update their Active Directory profile.

How useful was this post?

Click on a star to rate it!

Average rating 3.7 / 5. Vote count: 3

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

(Visited 1,829 times, 1 visits today)

Leave a Reply

Your email address will not be published. Required fields are marked *