Monthly Archives: August 2017

Exception when adding user as SystemUser to SPWebApplication SPPolicy

When granting Full Control access to SharePoint web applications using PowerShell, it is sometimes a good idea to add the flag ‘System User’ to the account, because otherwise it will show up in the permission views for end users, such as the UserInfoList. In PowerShell this is done by setting the Policy attribute IsSystemUser to $True.

However, when using SAML Claims authentication this doesn’t work. I made a nice function to be able to add all types of users to the WebApplication policy during installation/configuration, but it failed whenever I set the attribute IsSystemUser to $True for a TrustedIdentityProvider claims account.

The failure didn’t help me a lot.

PS C:\> $Policy.IsSystemUser = $True
Exception setting “IsSystemUser”: “i:05.t|adfs|administrator@wobl.it”
At line:1 char:1
+ $Policy.IsSystemUser = $True
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], SetValueInvocationException
+ FullyQualifiedErrorId : ExceptionWhenSetting

The code part I used was fairly simple and failed only when setting the ‘IsSystemUser’ to $True:

It took me a while to figure out it was only happening when using SAML Claims accounts. No help from MSDN on this.
The code in the Microsoft SharePoint DLL reveals why it fails. It tries to do a SID lookup using the provided username. When a regular Windows claims account is used, it decodes the claims and sets the lookup text to the decoded Windows account. It sure is a pity they didn’t include a specific failure message or any documentation on this part. Also, there doesn’t seem to be a failure text in the SharePoint code for the stated error ‘PolicyUserCannotSetAsSystem’.
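
One way to guard against this failure when scripting web application policies, written as an added example and not the function from the original post: the helper names Test-TrustedProviderClaim and Add-WebAppFullControlPolicy, the URL and the display name are assumptions. It treats an encoded login whose issuer character is ‘t’ (as in the i:05.t|adfs|... account from the error above) as a trusted identity provider claim and skips IsSystemUser for it, so the policy is still created and the account stays visible in the permission views.

```powershell
# Added example, not the original post's code. Run on a SharePoint farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: $true when the encoded login is an identity claim issued
# by a trusted (SAML) identity provider, e.g. "i:05.t|adfs|administrator@wobl.it".
# Encoded identity claims look like i:0<type>.<issuer>|...  ('t' = trusted, 'w' = Windows).
function Test-TrustedProviderClaim {
    param([Parameter(Mandatory=$true)][string]$Login)
    return ($Login -match '^i:0.\.t\|')
}

# Hypothetical helper: grants Full Control through the web application policy and
# sets IsSystemUser only for accounts where the SID lookup can succeed.
function Add-WebAppFullControlPolicy {
    param(
        [Parameter(Mandatory=$true)][string]$WebApplicationUrl,
        [Parameter(Mandatory=$true)][string]$Login,
        [Parameter(Mandatory=$true)][string]$DisplayName,
        [switch]$SystemUser
    )

    $wa   = Get-SPWebApplication -Identity $WebApplicationUrl -ErrorAction Stop
    $role = $wa.PolicyRoles.GetSpecialRole(
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)

    $policy = $wa.Policies.Add($Login, $DisplayName)
    $policy.PolicyRoleBindings.Add($role)

    if ($SystemUser) {
        if (Test-TrustedProviderClaim -Login $Login) {
            # Setting the flag here would throw SetValueInvocationException.
            Write-Warning "IsSystemUser skipped for '$Login': trusted identity provider claim."
        }
        else {
            $policy.IsSystemUser = $true
        }
    }

    # Persist the policy change to the configuration database.
    $wa.Update()
    return $policy
}

# Constructed sample call; the URL and display name are placeholders.
Add-WebAppFullControlPolicy -WebApplicationUrl 'https://portal.example.test' `
    -Login 'i:05.t|adfs|administrator@wobl.it' -DisplayName 'ADFS Administrator' -SystemUser
```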