Corey Roth [MVP]

We all know that @Harbars wrote the book when it comes to SharePoint 2010 User Profile Synchronization not to mention how to get it working again.  You need to follow the instructions in these guides word for word when setting up UPS  Many issues are caused by incorrect permissions.   I thought I would share the error you receive when you happen to miss one of the required permissions.  You will find this error in the ULS logs during the provisioning process.  I thought this was worth posting because I couldn’t find anything out there on this error at the time.

UpdateILMMA: Failed to update password. Exception: {1}..  Available parameters: Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException: Access to the requested resource(s) is denied   
at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.GetResource(UniqueIdentifier identifier, String[] attributeNames, Nullable`1 resourceTime)   
at Microsoft.ResourceManagement.WebServices.ResourceManager..ctor(UniqueIdentifier resourceIdentifier, String typeName, String[] attributeNames, CultureInfo locale, Boolean includePermissionHints, TimeZoneInfo localTimeZone)   
at Microsoft.ResourceManagement.WebServices.ResourceManager..ctor(UniqueIdentifier resourceIdentifier, String typeName, String[] attributeNames, CultureInfo locale, Boolean includePermissionHints)   
at Microsoft.Office.Server.UserProfiles.Synchronization.MAConfiguration..ctor(Guid resourceIdentifier)   
at Microsoft.Office.Server.UserProfiles.Synchronization.ILMMAConfiguration..ctor(Guid resourceIdentifier)   
at Microsoft.Office.Server.UserProfiles.UserProfileConfigManager.UpdateILMMA(String databaseServerIlm, String databaseInstanceIlm, String databaseName, String domain, String userName, SecureString password) .

Obviously from the error message some kind of permissions are required that weren’t present, but which ones?  Well in this particular case, it is the result of the farm account not having log on locally permissions (clearly mentioned in Harbars article).  Here are a couple of things to keep in mind.  First, just because you have administrator access during provisioning does not mean you have log on locally permissions.  Second, even if you add the account to the Allow Log on Locally item in Local Security Policy, does not mean you actually have the permission.  In many cases, organizations have service accounts locked out using Group Policy which overrides any Local Security Policy setting. 

If you suspect you might not have permissions, you can verify it in a number of ways.  Although, it is never recommended to login with a farm account, if things aren’t working, you might as well break the rules and try logging in.  Usually, what I do is  go to the SharePoint Management Shell, hold down Shift, and right click the icon to see the Run as different user menu item.  Type the credentials in for your farm account and see if it works.  If you have the right permissions, the PowerShell prompt will open.  If you don’t, you will get an error saying you are denied the right to login (or something to that effect).  Be careful when attempting this because if you lock out your farm account, you will bring your entire SharePoint farm down.

Anyhow, I hope this helps.  I feel the more information on errors I can post, the more it might help people that receive them later.