SharePoint Pain

[SharePoint 2016, 16.0.5530.1000]  Suppose you have a site collection in read-only mode and want to remove that status. Normally this is achieved by selecting the " Not locked " option on the " Site Collection Quota and Locks " page in Central Admin or by running one of the following PowerShell commands: (Get-SPSite "<https://siteCollectionUrl>").ReadOnly = $false or Set-SPSite "<https://siteCollectionUrl>" -LockState Unlock There is also the LockState parameter of the Set-SPSiteAdministration command that can be utilized, but I did not try it in this particular case. Nonetheless, there is a rare case where neither of these PowerShell commands works. They do not output any errors in PowerShell or even in verbose-enabled ULS logs when they fail to run, and the interface in Central Admin is grayed out as follows: The site collection is truly locked for read-only access, as site collection admins do not see the full site menu. Additiona...

[Occurred on SharePoint 2016] When you delete a web application in SharePoint, whether through PowerShell or Central Admin, you can instruct SharePoint to remove the associated IIS site with it. However, if the web application is running on port 443, the SSL certificate binding may need to be cleaned up manually. At first glance, one might assume that deleting the IIS site would automatically remove the SSL binding, as the site would no longer be available. Unfortunately, this is not always the case. This can be verified by checking the Windows System event logs, which would become flooded with Event ID 15021 errors if the binding is not cleaned up: "An error occurred while using SSL configuration for endpoint <webAppIP>:443.  The error status code is contained within the returned data." Diagnosis Use the netsh http   command to diagnose and fix the error. You can include the reported IP address from the System event logs in the command to verify the existence of the c...

[Tested on SharePoint 2016 only] Applying the September 2025 SharePoint Cumulative Updates to SharePoint On-Prem was a bit chaotic as it introduced a number of bugs. It would have been better if I had the option to skip it and go straight to the October CU. Stefan, Sr. SharePoint Escalation Engineer at Microsoft, has summarized the issues very well on  his blog . While many of the issues have been fixed in the October CU release, the fix for the "installation of this package failed" error  was not included for those who had already applied the September CU before the fix was made. That is, the System and Local Service accounts have to be manually removed from the WSS_WPG and IIS_IUSRS groups before applying the October CU. Without this step, I encountered a new popup error that said: Error 2349. An internal error has occurred. ( ) Contact Microsoft Product Support Services (PSS) for assistance. For information about how to contact PSS, see PSS10R.CHM. Remedy Remove the...

[Tested on SharePoint 2016 only] Suppose the following error occurs while creating a new site collection with a farm admin user account: ## Assume all declared variables are correct ## PS C:\FarmAdminUserAccount> New-SPSite -Url $spSite -Name $scName -Description $scDesc -ContentDatabase $cdb -QuotaTemplate $scQuota -Template $scTemplate -Language 1033 -OwnerAlias $scPrimaryAdmin -OwnerEmail $scPrimaryEmail -SecondaryOwnerAlias $scSecondaryAdmin -SecondaryEmail $scSecondaryEmail ********************** PS>CommandInvocation(Out-String): "Out-String" >> ParameterBinding(Out-String): name="InputObject"; value="Calling extension methods on object Microsoft.SharePoint.Administration.SPContentDatabase+<>c__DisplayClass16 failed with exception(s): The UPDATE permission was denied on the object 'MSP_TVF_WEB_ADMIN', database 'WSS_Content_DbName', schema 'pjpub'." New-SPSite : Calling extension methods on object Microsoft.Sha...

[Applies  to SharePoint 2016; not tested on other versions of SharePoint] While the farm account is in the local admins group (regardless of being present in the  WSS_WPG  group), running the psconfigui.exe (SharePoint Configuration Wizard) or psconfig.exe with the farm account gets stuck at the last step (step 10 of 10). Associated behaviors are: CopySideBySideFiles_*.log showing the endless repetition of: “\16\TEMPLATE\LAYOUTS\accessrequestcontrol.debug.js Access is denied. Waiting 30 seconds… Retrying…”. Unable to close the Config Wizard by hitting the Cancel or X button on the GUI; it has to be killed in Task Manager. The “Upgrade Status” page on Central Admin, however, shows the green status “Succeeded” even though it's not. Diagnosis Microsoft has deployed the security hardening with the 2025 September CU. The farm service account can no longer be used interactively from now on. Previously, this was not a requirement, despite the documentation at  https://lear...

[Applies to SharePoint 2016; not tested on other versions of SharePoint] Sometimes you see this false error on Health Analyzer saying that "Account used by application pools or service identities are in the local machine Administrators group": You have confirmed that the reported servers for the “Failing Servers” don’t have the farm account in their local admins group. Script to verify: Foreach($server in (Get-SPServer| ? {$_.Role-NE "Invalid"})) {     $server = $server.ToString().TrimStart("SPServer Name=")     Invoke-Command -ComputerName $server {      Get-LocalGroupMember -Group Administrators      } | select ObjectClass, Name, PrincipalSource, PSComputerName | sort -Property PSComputerName | ft -GroupBy PSComputerName } And yet, hitting the “Reanalyze Now” button does not clear out the error.  Diagnosis The Health Analyzer does not “see” the absence of the farm account in the local admins group until the reported server’s Share...