SharePoint Policy For Web Application: Account operates as System

February 12, 2011 - 10:58, by Steven Van de Craen - 4 Comments

In both SharePoint 2007 and SharePoint 2010, policies can be defined at Web Application level that grant or deny permissions to specific users. A policy overrides whatever permissions the user has (or lacks) at the Site Collection, Site, List or Item level, so it is evaluated before any of those.

User Policy

For example, the Search Crawl Account (Content Access Account) is given Full Read on all Web Applications to ensure all content is indexed, regardless of the permissions set inside the individual sites.

In this section you have the option to check “Account operates as System”. This effectively hides the real user name and masks it as “System Account”: anything the account creates or modifies is shown as done by “System Account” (for example in the Created By and Modified By fields). That is convenient for service accounts, but it also removes the real identity from what users see, so use it only where that attribution loss is acceptable.

Created by System Account

Only for Windows Accounts

During experiments with Forms Based Authentication (in SharePoint 2010 through Claims Based Authentication), I found that while it is possible to give policy permissions to a non-Windows user, it is not possible to make it “operate as System”.

The SharePoint logs confirm that the underlying mechanism resolves the account through Windows account management: the setter of SPPolicy.IsSystemUser calls the Win32 API LookupAccountName (through SPAdvApi32), which expects a Windows account name and fails when handed the claims-encoded login of the FBA user:

System.ComponentModel.Win32Exception: i:0#.f|fbamembershipprovider|demouser1
   at Microsoft.SharePoint.Win32.SPAdvApi32.LookupAccountName(String strAccountName, String& strDomainName, SID_NAME_USE& sidUse)
   at Microsoft.SharePoint.Administration.SPPolicy.set_IsSystemUser(Boolean value)
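The same policy can be created from the SharePoint 2010 Management Shell with the server object model, which also shows the Windows-only limitation of IsSystemUser described above. The script below is an added example, not code from the original post; the web application URL, the crawl account CONTOSO\svc_crawl and the FBA login are placeholders, and Test-WindowsLogin is a convenience pre-check derived from the observation above, not an official SharePoint API (the setter itself remains the authoritative check).

```powershell
# Added example (not from the original post): Web Application policy with
# "Account operates as System" via the SharePoint 2010 object model.
# Assumed placeholders: web app URL, CONTOSO\svc_crawl, the FBA login.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-WindowsLogin {
    param([string]$Login)
    # Heuristic, not an official API: classic mode logins look like DOMAIN\user,
    # claims mode Windows identity claims start with "i:0#.w|". Forms ("f") and
    # trusted ("t") issuers cannot be resolved by LookupAccountName.
    return ($Login -match '^i:0#\.w\|' -or $Login -match '^[^:|]+\\[^|]+$')
}

function Add-SystemPolicy {
    param(
        [Microsoft.SharePoint.Administration.SPWebApplication]$WebApp,
        [string]$Login,
        [string]$DisplayName,
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]$Role = 'FullRead',
        [switch]$OperateAsSystem
    )
    # Policies live on the web application, above any site collection permissions
    $policy = $WebApp.Policies.Add($Login, $DisplayName)
    $policy.PolicyRoleBindings.Add($WebApp.PolicyRoles.GetSpecialRole($Role))

    if ($OperateAsSystem) {
        if (-not (Test-WindowsLogin $Login)) {
            Write-Warning "$Login is not a Windows account; IsSystemUser not set"
        }
        else {
            # SPPolicy.set_IsSystemUser resolves the name to a SID through
            # LookupAccountName; a non-Windows login throws Win32Exception here.
            try {
                $policy.IsSystemUser = $true
            }
            catch {
                Write-Warning "IsSystemUser failed for ${Login}: $($_.Exception.Message)"
            }
        }
    }
    $WebApp.Update()
    return $policy
}

$webApp = Get-SPWebApplication "http://intranet.contoso.local"

# Claims-mode web application: policies are keyed on the claims-encoded login,
# e.g. i:0#.w|contoso\svc_crawl for a Windows account.
$crawlLogin = (New-SPClaimsPrincipal -Identity "CONTOSO\svc_crawl" `
    -IdentityType WindowsSamAccountName).ToEncodedString()
Add-SystemPolicy -WebApp $webApp -Login $crawlLogin `
    -DisplayName "Search Crawl Account" -OperateAsSystem

# FBA user: the policy itself is granted, but "operate as System" is refused,
# which is the failure shown in the log above.
Add-SystemPolicy -WebApp $webApp -Login "i:0#.f|fbamembershipprovider|demouser1" `
    -DisplayName "Demo FBA user" -OperateAsSystem
```

Run this in the SharePoint 2010 Management Shell as a farm administrator. Without the Test-WindowsLogin pre-check the second call still fails safely: the policy binding is kept and only the IsSystemUser assignment throws, so check the policy afterwards in Central Administration if you rely on the System Account masking.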