SharePoint Pain

[Tested on SharePoint 2016 only] Suppose the following error occurs while creating a new site collection with a farm admin user account: ## Assume all declared variables are correct ## PS C:\FarmAdminUserAccount> New-SPSite -Url $spSite -Name $scName -Description $scDesc -ContentDatabase $cdb -QuotaTemplate $scQuota -Template $scTemplate -Language 1033 -OwnerAlias $scPrimaryAdmin -OwnerEmail $scPrimaryEmail -SecondaryOwnerAlias $scSecondaryAdmin -SecondaryEmail $scSecondaryEmail ********************** PS>CommandInvocation(Out-String): "Out-String" >> ParameterBinding(Out-String): name="InputObject"; value="Calling extension methods on object Microsoft.SharePoint.Administration.SPContentDatabase+<>c__DisplayClass16 failed with exception(s): The UPDATE permission was denied on the object 'MSP_TVF_WEB_ADMIN', database 'WSS_Content_DbName', schema 'pjpub'." New-SPSite : Calling extension methods on object Microsoft.Sha...

[Applies  to SharePoint 2016; not tested on other versions of SharePoint] While the farm account is in the local admins group (regardless of being present in the  WSS_WPG  group), running the psconfigui.exe (SharePoint Configuration Wizard) or psconfig.exe with the farm account gets stuck at the last step (step 10 of 10). Associated behaviors are: CopySideBySideFiles_*.log showing the endless repetition of: “\16\TEMPLATE\LAYOUTS\accessrequestcontrol.debug.js Access is denied. Waiting 30 seconds… Retrying…”. Unable to close the Config Wizard by hitting the Cancel or X button on the GUI; it has to be killed in Task Manager. The “Upgrade Status” page on Central Admin, however, shows the green status “Succeeded” even though it's not. Diagnosis Microsoft has deployed the security hardening with the 2025 September CU. The farm service account can no longer be used interactively from now on. Previously, this was not a requirement, despite the documentation at  https://lear...

[Applies to SharePoint 2016; not tested on other versions of SharePoint] Sometimes you see this false error on Health Analyzer saying that "Account used by application pools or service identities are in the local machine Administrators group": You have confirmed that the reported servers for the “Failing Servers” don’t have the farm account in their local admins group. Script to verify: Foreach($server in (Get-SPServer| ? {$_.Role-NE "Invalid"})) {     $server = $server.ToString().TrimStart("SPServer Name=")     Invoke-Command -ComputerName $server {      Get-LocalGroupMember -Group Administrators      } | select ObjectClass, Name, PrincipalSource, PSComputerName | sort -Property PSComputerName | ft -GroupBy PSComputerName } And yet, hitting the “Reanalyze Now” button does not clear out the error.  Diagnosis The Health Analyzer does not “see” the absence of the farm account in the local admins group until the reported server’s Share...