SharePoint Policy For Web Application: Account operates as System


In both SharePoint 2007 and SharePoint 2010, you can define policies that grant or deny permissions to specific users at the Web Application level. These policies overrule any permissions the user may or may not have at the Site Collection, Site, List or Item level.

User Policy

For example: the Search Crawl Account (Content Access Account) will be given Full Read on all Web Applications to ensure all content is indexed.

In this section you have the option to check “Account operates as System”. This effectively hides the real user name and masks it as “System Account”.

Created by System Account

Only for Windows Accounts

During experiments with Forms Based Authentication (in SharePoint 2010 through Claims Based Authentication), I found that while it is possible to give policy permissions to a non-Windows User, it is not possible to make it “operate as System”.

The SharePoint Logs confirmed that the underlying mechanism is really looking at Windows User Account Management to perform the lookup:

System.ComponentModel.Win32Exception: i:0#.f|fbamembershipprovider|demouser1
    at Microsoft.SharePoint.Win32.SPAdvApi32.LookupAccountName(String strAccountName, String& strDomainName, SID_NAME_USE& sidUse)
    at Microsoft.SharePoint.Administration.SPPolicy.set_IsSystemUser(Boolean value)
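Because "operates as System" replaces the real user name on every change, it helps to know which policy entries have it set. The script below is an added example, not code from the original post: it lists every Web Application policy with its `IsSystemUser` flag and the encoding of the account name. The helper name `Get-PolicyIdentityType` and the type labels are assumptions made for the example.

```powershell
# Added example (not from the original post). Run in the SharePoint 2010
# Management Shell with farm administrator rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: classify a policy user name by its encoding.
function Get-PolicyIdentityType {
    param([string]$UserName)
    # Claims-encoded names start with "i:0#." and the next character names
    # the issuer: w = Windows, f = forms-based (as in the log line above).
    if ($UserName -match '^i:0#\.w\|') { return 'WindowsClaim' }
    if ($UserName -match '^i:0#\.f\|') { return 'FormsClaim' }
    # Classic-mode Windows accounts are stored as DOMAIN\user.
    if ($UserName -match '^[^\\|]+\\[^\\|]+$') { return 'WindowsClassic' }
    return 'Other'
}

$report = foreach ($wa in (Get-SPWebApplication -IncludeCentralAdministration)) {
    foreach ($policy in $wa.Policies) {
        # Policy levels bound to this entry, e.g. "Full Read" or "Deny All".
        $roles = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
        New-Object PSObject -Property @{
            WebApplication = $wa.Url
            UserName       = $policy.UserName
            IdentityType   = Get-PolicyIdentityType $policy.UserName
            Roles          = $roles
            IsSystemUser   = $policy.IsSystemUser
        }
    }
}

# Accounts whose edits are attributed to "System Account" come first.
$report |
    Sort-Object IsSystemUser -Descending |
    Select-Object WebApplication, UserName, IdentityType, Roles, IsSystemUser |
    Format-Table -AutoSize
```

Given the Win32 lookup shown in the log, entries reported as `FormsClaim` are expected to show `IsSystemUser` as False.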

 

</TheEnd>

 



Comments

Tuesday, 29 Jan 2013 04:41 by pam degraff
I checked the option to "operate as system account". There is one site where I actually do want my name to appear, so I added myself to the Members group, and also individually on that site, but my changes still show up as "System Account" when I make changes. Any suggestions?

Tuesday, 29 Jan 2013 04:54 by Steven Van de Craen
Hi, these policies overrule anything defined on a lower scope. If you want to use your real username you can't use 'Operates as System Account'.

Tuesday, 5 Mar 2013 02:44 by James
If we set the Search Crawl Account as "Operates as System", will it still be recorded in the "Audit Log"?

Thursday, 7 Mar 2013 08:27 by Steven Van de Craen
Sorry, I don't know if the audit logs filter out System Account.
