Becky Bertram's Blog
Perspectives from a SharePoint developer




This blog has moved. You can find the new blog on Savvy Technical Solution's Web site, at www.savtechsol.com. You will be redirected to the following page in 10 seconds:

Becky Bertram's Blog > Posts > "Access Denied" Error when Creating Publishing Subsites
July 10
"Access Denied" Error when Creating Publishing Subsites

This is a very specific error I ran across, but I only saw two postings online where others encountered this same problem, so I thought I'd post my resolution in case someone else runs into the same problem.

The Scenario

In my server environment, I have two special SharePoint groups, based on requirements by the IT department.

1. The "Manage" Permission set includes all the Permission checkboxes except for two checkboxes related to seeing user permissions and creating groups. Instead of adding users to the "Site Owners" group, that has the "Full Control" permission set, our site owners are called "Managers" and have been granted this permission set. The key thing to note is that these users do have the permission to create subsites.

2. Instead of using the "Resitricted Readers" group, a new group was created (which followed specific naming conventions) and given the "Restricted Read" permission set.

The Problem

After doing this, when a "manager" tried to create a new publishing site inside the site collection, they got the following error:

"Provisioning did not succeed. Details: Failed to initialize some site properties for the Web at Url: '[my url here]' OriginalException: Access is denied (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Access Denied

When I looked at the log, I saw this:​

A runtime exception was detected. Details follow. Message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) Technical Details: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) at Microsoft.SharePoint.Library.SPRequest.GetListsWithCallback(String bstrUrl, Guid foreignWebId, String bstrListInternalName, Int32 dwBaseType, Int32 dwBaseTypeAlt, Int32 dwServerTemplate, UInt32 dwGetListFlags, UInt32 dwListFilterFlags, Boolean bPrefetchMetaData, Boolean bSecurityTrimmed, Boolean bGetSecurityData, Boolean bPrefetchRelatedFields, ISP2DSafeArrayWriter p2DWriter, Int32& plRecycleBinCount) at Microsoft.SharePoint.SPListCollection.EnsureListsData(Guid webId, String strListName) at Microsoft.SharePoint.SPListCollection.ItemByInternalName(String strInternalName, Boolean bThrowException) at Microsoft.SharePoint.SPWeb.GetItem(String strUrl, Boolean bFile, Boolean cacheRowsetAndId, Boolean bDatesInUtc, String[] fields) at Microsoft.SharePoint.SPFile.get_Item() at Microsoft.SharePoint.Publishing.MasterUrlProperty.SetDirectValue(String value, SPWeb web) at Microsoft.SharePoint.Publishing.InheritableProperty`1.SetInherit(Boolean inherit, Boolean forceAllSubWebInherit, String successUrl, String failureUrl, Boolean& updateRequired) at Microsoft.SharePoint.Publishing.InheritableProperty`1.SetInherit(Boolean inherit, Boolean forceAllSubWebInherit, Boolean& updateRequired) at Microsoft.SharePoint.Publishing.Internal.AreaProvisioner.SetMasterPageProperties(PublishingWeb area, Boolean& updateRequired) at Microsoft.SharePoint.Publishing.Internal.AreaProvisioner.SetLayoutRelatedProperties(PublishingWeb area, Boolean& updateRequired) at Microsoft.SharePoint.Publishing.Internal.AreaProvisioner.InitializePublishingWebDefaults()
Exception (Watson Reporting Cancelled) System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) at Microsoft.SharePoint.Library.SPRequest.GetListsWithCallback(String bstrUrl, Guid foreignWebId, String bstrListInternalName, Int32 dwBaseType, Int32 dwBaseTypeAlt, Int32 dwServerTemplate, UInt32 dwGetListFlags, UInt32 dwListFilterFlags, Boolean bPrefetchMetaData, Boolean bSecurityTrimmed, Boolean bGetSecurityData, Boolean bPrefetchRelatedFields, ISP2DSafeArrayWriter p2DWriter, Int32& plRecycleBinCount) at Microsoft.SharePoint.SPListCollection.EnsureListsData(Guid webId, String strListName) at Microsoft.SharePoint.SPListCollection.ItemByInternalName(String strInternalName, Boolean bThrowException) at Microsoft.SharePoint.SPWeb.GetItem(String strUrl, Boolean bFile, Boolean cacheRowsetAndId, Boolean bDatesInUtc, String[] fields) at Microsoft.SharePoint.SPFile.get_Item() at Microsoft.SharePoint.Publishing.MasterUrlProperty.SetDirectValue(String value, SPWeb web) at Microsoft.SharePoint.Publishing.InheritableProperty`1.SetInherit(Boolean inherit, Boolean forceAllSubWebInherit, String successUrl, String failureUrl, Boolean& updateRequired) at Microsoft.SharePoint.Publishing.InheritableProperty`1.SetInherit(Boolean inherit, Boolean forceAllSubWebInherit, Boolean& updateRequired) at Microsoft.SharePoint.Publishing.Internal.AreaProvisioner.SetMasterPageProperties(PublishingWeb area, Boolean& updateRequired) at Microsoft.SharePoint.Publishing.Internal.AreaProvisioner.SetLayoutRelatedProperties(PublishingWeb ...
...area, Boolean& updateRequired) at Microsoft.SharePoint.Publishing.Internal.AreaProvisioner.InitializePublishingWebDefaults() Critical Event log message was: 'Failed to initialize some site properties for Web at Url: '[URL here]''. Exception was: 'System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) at Microsoft.SharePoint.Library.SPRequest.GetListsWithCallback(String bstrUrl, Guid foreignWebId, String bstrListInternalName, Int32 dwBaseType, Int32 dwBaseTypeAlt, Int32 dwServerTemplate, UInt32 dwGetListFlags, UInt32 dwListFilterFlags, Boolean bPrefetchMetaData, Boolean bSecurityTrimmed, Boolean bGetSecurityData, Boolean bPrefetchRelatedFields, ISP2DSafeArrayWriter p2DWriter, Int32& plRecycleBinCount) at Microsoft.SharePoint.SPListCollection.EnsureListsData(Guid webId, String strListName) at Microsoft.SharePoint.SPListCollection.ItemByInternalName(String strInternalName, Boolean bThrowException) at Microsoft.SharePoint.SPWeb.GetItem(String strUrl, Boolean bFile, Boolean cacheRowsetAndId, Boolean bDatesInUtc, String[] fields) at Microsoft.SharePoint.SPFile.get_Item() at Microsoft.SharePoint.Publishing.MasterUrlProperty.SetDirectValue(String value, SPWeb web) at Microsoft.SharePoint.Publishing.InheritableProperty`1.SetInherit(Boolean inherit, Boolean forceAllSubWebInherit, String successUrl, String failureUrl, Boolean& updateRequired) at Microsoft.SharePoint.Publishing.InheritableProperty`1.SetInherit(Boolean inherit, Boolean forceAllSubWebInherit, Boolean& updateRequired) at Microsoft.SharePoint.Publishing.Internal.AreaProvisioner.SetMasterPageProperties(PublishingWeb area, Boolean& updateRequired) at Microsoft.SharePoint.Publishing.Internal.AreaProvisioner.SetLayoutRelatedProperties(PublishingWeb area, Boolean& updateRequired) at Microsoft.SharePoint.Publishing.Internal.AreaProvisioner.InitializePublishingWebDefaults()' 6347e312-0edc-4992-a462-42867744bbff

 

Based on the log file, I could tell that an exception was being thrown when it tried to set the Master Page URL in the new subsite.

The Solution

It turns out that the Restricted Readers group is natively assigned permission to several libraries in a Publishing Site Collection, such as the Master Page Gallery, the Site Collection Images, the Style Library, etc. (You can see what permissions the Restricted Readers group has by going to the View Groups page, selecting the Restricted Readers group, then clicking on the Settings item in the toolbar and selecting View Group Permissions.)

Restricted Readers group permissions

To solve the problem, we needed to grant our custom Restricted Readers group the Restricted Read permission set to each of those libraries listed above. (Well, the most important being the Master Page Gallery, which has a URL of /_catalogs/masterpage.)

Once we did that, our managers were able to create their new subsites.

Comments

thanks!

Thanks for posting this - it solved our issue!
 on 1/30/2013 8:50 AM

Similar in SharePoint 2013

Thanks for this - I'd created a separate group with just the 'Create Subsites' site permission, and foolishly assumed that this would be enough. When attempting to create a new site, ULS was reporting:

<nativehr>0x81070211</nativehr><nativestack></nativestack>Cannot open file "_catalogs/masterpage/__DeviceChannelMappings.aspx".

Unexpected error when trying to populate mobile mappings file '_catalogs/masterpage/__DeviceChannelMappings.aspx' in web '/dummy2': Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

SPRequest.GetMetadataForUrl: UserPrincipalName=i:0).w|s-1-5-21-1963773607-3255835143-1045213775-5796, AppPrincipalName= ,bstrUrl=/DeviceChannels ,METADATAFLAGS=59

Event log message was: 'Failed to initialize some site properties for Web
 at Url: <newSiteURL>'. Exception was: 'System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))   

Strangely enough, giving the users 'Full Control' site permissions didn't make any difference either - only adding them to the 'Site Owners' group allowed them to create subsites.

As the article here points out, some of these libraries are set /not/ to inherit permissions so you need to manually add a few yourself. In SharePoint 2013, I found that I had to use SPD to give 'Read' list permissions to the following libraries too:

<siteURL>/_catalogs/masterpage
<siteURL>/DeviceChannels

YMMV, but this allowed me to create a group with (what appears to be) the minimum possible permissions for creating subsites.

Thanks to Becky for putting me on the right track!
 on 1/31/2013 8:00 AM

Thanks on SharePoint 2013

Thanks for the helpful post and comment.
On SharePoint 2013 I had to add the Restricted Users group with Restricted Read permissions on the <siteURL>/DeviceChannels library. After that users were able to create Wiki pages. (I also added NT Authority\Authenticated Users to this group).
 on 5/13/2013 3:30 AM

Same Access Denied issue in SP2013

How did you add the restricted users Group with restricted Read permissions to the <siteURL>/DeviceChannels Library?
 on 8/12/2013 8:37 AM

SP 2013

Thank you, and thank you to folks in comments who pointed to SP 2013.  We ran into the same issue, and giving Restricted Read access in DeviceChannels list and Master Page gallery worked!

For those unsure, to give access to Device Channels list, just go to <yoursite>/DeviceChannels, then click on list settings to get to the permissions.
 on 2/27/2014 11:33 AM

Add Comment

Items on this list require content approval. Your submission will not appear in public views until approved by someone with proper rights. More information on content approval.

Comment Title *


Body *


Your Name


Your E-mail Address


Your Website

Type the Web address: (Click here to test)  

Type the description: 

Are you spamming my blog? *


This field is here in an attempt to stop spammers from entering comments. Enter a number, any number

Attachments