SharePoint User Policy and Domain Groups


You have to operate a SharePoint web application and you would like to delegate Full Control permissions to your operating team.

You create a new security group in your domain (let’s say “SharePoint Operators”) and you want to let this group operate as SharePoint\system.

You create a new user policy and add your “SharePoint Operators” domain group as user, set Full Control and “Account operates as System”


The you get the following error:

Only user accounts belonging to the "All" zone can be designated as System.


This error is misleading here, it want’s to tell you: This does not work with domain security groups, only with single domain users. So you have to add every user of your domain group “SharePoint Operators” separately.


This will work but creates a separate policy for every single user you add here.


About binoeder

SharePoint and Project Server Consultant
This entry was posted in SharePoint and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s