The user does not exist or is not unique
October 28, 2009
Many times in the last couple of years I have come across the message "The user does not exist or is not unique." It is usually on its own, with no other error messages or clues to deciphering its cryptic text. Generally I have had only limited success in getting past this error, usually getting around it via chance or a rebuild / restore.
Today, when trying to move a Site Collection from a Dev to a Production server, we came across this message; it was occurring on just about every stsadm command I ran. To make matters worse, in Central Administration I could not even select the Site Collection. Obviously at this point a rebuild / restore (my usual methods for dealing with this kind of thing) would not be very helpful, this being a brand new server, and I was trying to restore a backup anyway.
Even using stsadm I could not set myself as the Site Collection Owner.
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\BIN>stsadm -o siteowner -url http://www.site.com -ownerlogin domain\admin
The user does not exist or is not unique.
It turns out that the cause of this was not something unique to the production server, as I would have expected; it was something from the development server that I definitely did not expect. In this case the Site Collection had been restricted to a specific Active Directory Organizational Unit. I would not have expected this to be done on a production server, let alone on a development server, and did not go looking for it.
Even if I had gone looking for it, where would I find it? It can be found with the following command:
stsadm -o getsiteuseraccountdirectorypath
The "GetSiteUserAccountDirectoryPath" command shows the setting that locks down a Site Collection so that only new members inside the Organizational Unit specified when the setting was applied can be added.
What was fairly unique about this scenario was that almost every time I ran any command that referenced the Site Collection I would receive "the user does not exist or is not unique".
To check to see if this property was even set, I ran the command as the Application Pool account for the Web Application.
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\BIN>runas /noprofile /user:DOMAIN\app-pool-acct cmd
Enter the password for DOMAIN\app-pool-acct:
Attempting to start cmd as user "DOMAIN\app-pool-acct" …
Using this user I was able to successfully confirm that the Site Collection was definitely locked down to a specific OU, which did not even exist in this environment:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\BIN>stsadm -o getsiteuseraccountdirectorypath -url http://www.site.com
I was then able to unlock the Site Collection from the OU by issuing the following command:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\BIN>stsadm -o setsiteuseraccountdirectorypath -url http://www.site.com -path ""
Operation completed successfully.
A quick retry of the previous operation was successful and I could once again make myself a Site Collection Administrator.
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\BIN>stsadm -o siteowner -url http://www.site.com -ownerlogin DOMAIN\admin
Operation completed successfully.
At this point the Operation completed successfully message was a very welcome message.
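The steps above (run as the application pool account, read the SiteUserAccountDirectoryPath with stsadm, check whether the OU it names actually exists in the current domain, then clear it) are easy to script so that every Site Collection in a Web Application can be audited before a migration rather than discovered one failed command at a time. The following PowerShell script is an added example written for this post, not a tool from the original article or from Microsoft. It assumes the standard 12-hive path for stsadm.exe, that "stsadm -o enumsites" returns XML with <Site Url="..."> elements, and that "getsiteuseraccountdirectorypath" prints the configured path (a distinguished name such as OU=...,DC=...) to standard output; the web application URL is a parameter you supply. By default it only reports; the -Clear switch is needed to actually reset a path.

```powershell
# Added example (not from the original post): audit every Site Collection in a
# Web Application for a SiteUserAccountDirectoryPath (OU lock-down), check that
# the OU resolves in the current domain, and optionally clear the setting.
#
# Assumptions not stated on the page: the 12-hive location of stsadm.exe,
# enumsites returning <Sites><Site Url="..."/></Sites> XML, and
# getsiteuseraccountdirectorypath writing the configured DN to stdout.
# Run it as an account that can read the Site Collections (the post used the
# Web Application's application pool account via runas).

param(
    [Parameter(Mandatory = $true)]
    [string]$WebAppUrl,        # e.g. http://www.site.com
    [switch]$Clear             # reset any configured path; default is report-only
)

$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe'
if (-not (Test-Path $stsadm)) { throw "stsadm.exe not found at $stsadm" }

# Enumerate the Site Collections under the Web Application.
[xml]$sites = & $stsadm -o enumsites -url $WebAppUrl
if ($LASTEXITCODE -ne 0) { throw "enumsites failed with exit code $LASTEXITCODE" }

foreach ($site in $sites.Sites.Site) {
    $url = $site.Url
    $lines = & $stsadm -o getsiteuseraccountdirectorypath -url $url 2>&1
    if ($LASTEXITCODE -ne 0) {
        # This is where "The user does not exist or is not unique" surfaces when
        # the setting itself cannot be read by the current account.
        Write-Warning ("{0}: getsiteuseraccountdirectorypath failed (exit {1}): {2}" -f $url, $LASTEXITCODE, ($lines -join ' '))
        continue
    }

    # Pick out the line that looks like an LDAP distinguished name; anything
    # else is treated as informational output from stsadm.
    $dn = ($lines | Where-Object { $_ -match '^\s*(OU|CN|DC)=' } | Select-Object -First 1)
    if ($dn) { $dn = $dn.Trim() }

    $ouExists = $null
    if ($dn) {
        try {
            # Does the OU the Site Collection is locked to exist in this domain?
            $ouExists = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")
        } catch {
            $ouExists = $false   # unreadable or unreachable counts as missing
        }
    }

    $action = 'none'
    if ($dn -and $Clear) {
        # PowerShell drops a bare "" argument to a native exe; pass '""' so
        # stsadm receives an empty -path, exactly as in the post.
        & $stsadm -o setsiteuseraccountdirectorypath -url $url -path '""' | Out-Null
        $action = if ($LASTEXITCODE -eq 0) { 'cleared' } else { "clear failed (exit $LASTEXITCODE)" }
    }

    New-Object PSObject -Property @{
        Url       = $url
        Path      = $dn
        OuExists  = $ouExists     # $null when no path is configured
        Action    = $action
        RawOutput = ($lines -join ' ')
    }
}
```

A typical run is ".\Audit-SiteOuLockdown.ps1 -WebAppUrl http://www.site.com" from a cmd window started with runas as the application pool account; a row with a Path and OuExists = False is the situation described in the post, and re-running with -Clear performs the same setsiteuseraccountdirectorypath reset shown above for each such Site Collection.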
While I do not expect that this will be the cause for every instance of this error message, it is a helpful marker: when this error occurs, it tends to indicate that the Site Collection is unable to find a user object in Active Directory. If this error occurs I strongly recommend looking at anything that may help or hinder access to Active Directory.
It is also possible this issue could have been resolved by the peoplepicker-serviceaccountdirectorypaths property; however, I did not have a chance to try this out. For more information on that one: http://technet.microsoft.com/en-us/library/cc263012.aspx