Wednesday 5 January 2011

SBS 2011 – SharePoint Foundation Event ID 6398 – Access Denied Every 30 Minutes

We applied the following update via WSUS on one of our production hosted SBS 2011 VMs:

Since doing so we have seen a lot of the following errors in the Event Logs:

image

Log Name:      Application
Source:        Microsoft-SharePoint Products-SharePoint Foundation
Date:          1/5/2011 12:30:17 PM
Event ID:      6398
Task Category: Timer
Level:         Critical
Keywords:     
User:          DOMAIN\spfarm
Computer:      SBS.DOMAIN.local
Description:
The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID xxxx-xxxx) threw an exception. More information is included below.

Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\LOGS' is denied.

To fix the error we need to reset the permissions on that folder as the KB sets the following permissions:

image

  1. Check Include inheritable permissions …
    • image
  2. Add Network Service and set FULL permissions.
    • image
  3. WSS_ADMIN_WPG (DOMAIN\WSS_ADMIN_WPG) has Modify
    • image
  4. WSS_RESTRICTED_WPG_V4 (DOMAIN\WSS_RESTRICTED_WPG_V4) has Modify.
    1. image

The errors should clear up after the above changes are made.

Thanks to Microsoft’s SBS PSS Wayne McIntyre for the fix.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*Our original iMac was stolen (previous blog post). We now have a new MacBook Pro courtesy of Vlad Mazek, owner of OWN.

Windows Live Writer

14 comments:

Seanpt said...

Thank you for the heads up

David Moisan said...

I saw that on my SBS 2011 box and fixed it by giving the spfarm account modify permission to the LOGS folder. The error went away, but of course, I'm going to redo this fix in the canonical way that PSS suggests.

Ross said...

Ahhh, this was a good find. Thank you and The Outspoken Wookie for linking to you.

The new SBS 2011 box will be much happier.

Anonymous said...

Thanks!

Jeff said...

when you say to set the permission as modify, could you clarify as this is not an option when allowing permissions. Or is modify meant as a set (including all except full control, change permission and take ownership)?

Could you be explicit about which permissions to allow, since modify isn't listed?

Philip Elder Cluster MVP said...

Jeff,

In the screenshots shown in the blog post Modify is shown in the check boxes of permissions listed under the user's list.

When checking Modify all permissions that get checked with it are a part of that setting.

Thanks for the comments,

Philip

Jeff said...

ok, modify is only available via edit, not advanced edit.

Thanks for the help.

Anonymous said...

Thanks a lot - This fixed my problem!

Anonymous said...

Thanks a lot - This fixed my problem!

Johannes said...

Hi,
thanks for your post. The provided solution does not adress all issues. I just found out, that it is required to use PSEXEC to configure your Sharepoint SP1 (the SP1 is the reason for the errors...)

Here you find a short blog post: http://www.security-blog.eu/2011/07/12/sbs-2011-ereignis-8224-8230-6398-volumeschattenkopie-dienstfehler-beim-auflsten-des-kontos-spsearch-mit-dem-status-1376/ its in German but should be easy to be followed :-)

BM said...

Thank you! This resolves the Problem!

Anonymous said...

Thanks a lot. Helped me out with this error.

Colin said...

This fixed it. The restricted one was missing Modify permissions.

By the way, I've got about 2 GB of logs in this folder. Are they safe to delete?

@David Moisan - The ACL for NETWORK SERVICE also covers the DOMAIN\spfarm account, but it won't hurt to explicitly give it permission.

Anonymous said...

Thanks for sharing.