Access Denied When Accessing Search Service Application With Search Server Express 2010

Search Server Express is an excellent alternative to straight up SharePoint Foundation. It’s also free, but it gives you the fundamental underpinnings of the full SharePoint search infrastructure, plus a few other goodies. I’ve written about this previously here and here.

If you follow best practices for SharePoint deployment, and use a separate account for installing the bits and for the Farm account, you may run into a very odd little error. After everything is set up and you try to access the search administration application, you receive an access denied error. This happens even though the account that you’re logged in as is a Farm administrator, and a site collection administrator for the Central Administration site collection. If you log in as the farm account, all is well, but the actual administrator account is denied access.

To the best of my knowledge, this happens because of some oddness related to claims authentication. SharePoint properly applies the rights of the farm account, but not the setup account.

The fix for this is to properly add the NTLM authentication account for the required user into the User Policy for the Central Administration application. Unfortunately, unlike all other applications, you cannot change the User Policy for the Central Administration application through Central Administration itself.

As with many other things, however, you can do this through PowerShell.

I have shamelessly lifted the PowerShell script below from Tore Kristiansen at the Code Project.

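# Load the SharePoint server object model (run this on a SharePoint server)
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# URL of the Central Administration site
$site = New-Object Microsoft.SharePoint.SPSite("http://SitesCBA.domain.no")
$wa = $site.WebApplication

# Login name of the account that should receive access
$user = "domainuser"

# Add a user policy entry to the web application (login name, display name)
$policy = $wa.Policies.Add($user, $user)
# Bind the built-in Full Control policy role to that entry
$policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl))

# Persist the policy change, then release the site object
$wa.Update()
$site.Dispose()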

In the above script, replace “SitesCBA.domain.no” with the URL of your Central Administration site, and “domainuser” with your setup user account (or any other). After using this script, your service applications should become available.
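Because the script grants Full Control over the whole Central Administration web application, it is worth listing the resulting User Policy entries afterwards. The following is an added example, not part of the original post or of Tore Kristiansen's script; the function name `Get-CentralAdminPolicy`, its `-ExpectedFullControl` parameter and the account names in the sample call are hypothetical, and it assumes the SharePoint 2010 Management Shell on a farm server.

```powershell
# Added example: audit the User Policy of the Central Administration web application.
# Assumes the SharePoint 2010 snap-in is installed (PowerShell 2.0 compatible syntax).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-CentralAdminPolicy {
    param(
        # Hypothetical allow list: accounts that are supposed to hold Full Control.
        [string[]]$ExpectedFullControl = @()
    )

    # Locate Central Administration without hard-coding its URL.
    $wa = Get-SPWebApplication -IncludeCentralAdministration |
        Where-Object { $_.IsAdministrationWebApplication }
    if (-not $wa) { throw "Central Administration web application not found." }

    $fullControl = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl

    foreach ($policy in $wa.Policies) {
        # Each entry can carry several policy roles; collect their names.
        $roles = @($policy.PolicyRoleBindings | ForEach-Object { $_.Name })
        $hasFull = [bool]($policy.PolicyRoleBindings |
            Where-Object { $_.Type -eq $fullControl })

        New-Object PSObject -Property @{
            UserName     = $policy.UserName      # compared exactly as stored
            DisplayName  = $policy.DisplayName
            IsSystemUser = $policy.IsSystemUser
            Roles        = $roles -join ', '
            FullControl  = $hasFull
            # Flag Full Control holders that are not on the allow list.
            Unexpected   = $hasFull -and ($ExpectedFullControl -notcontains $policy.UserName)
        }
    }
}

# Sample call with placeholder account names; replace with your farm and setup accounts.
Get-CentralAdminPolicy -ExpectedFullControl 'DOMAIN\farmaccount', 'DOMAIN\setupaccount' |
    Sort-Object UserName |
    Format-Table UserName, DisplayName, Roles, FullControl, Unexpected -AutoSize
```

An entry with `Unexpected` set to `True` holds Full Control through the web application policy without being on the list you supplied, and should be reviewed.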

2 Comments

  1. Charlesdg

    Oops,

    Doesn’t work with me…
    I created a local “Administrator2” account on my SharePoint server, then added it as administrator of the Search Service, then ran your script, and verified that the rights were added (I could see a log in the event viewer) but the problem was still there.
    Any idea?

    Thanks
    Charles
