Unable to remove user from SharePoint Farm Administrators group : Error 1387

I ran into this issue last week when trying to clean up individuals ACLed to the Farm Administrators group.  When I attempted to delete this one user, SharePoint threw up the default error page with '1387' on it.  Nothing more to the error message just 1387.  Digging into this I found that the user no longer existed in Active Directory and had been off the project for some time.  My first thought was that the delete through the UI had some checks to make sure that user existed, so I decided to attempt the delete through the OM; same error but I did get a stack trace.  I am sure if I had set callstack, CustomErrors to true, I would have saw the same trace, but I like to code.  The stack trace revealed that the remove user from Farm Administrators process, eventually calls the RemoveMemberFromLocalAdministrationWorkerProcessGroup methof which uses Win32 API calls to remove the user from a local group on the server.  This is what is throwing the error and cannot be cleaned up using the API.  To solve this I needed to add the user back to AD,remove it from the Farm Administrators group and remove it from AD.

Comments

  • Anonymous
    February 24, 2009
    I'm encountering the same error in my environment, and I suspect that it is for the same reason.  However, isn't it a major security issue if a new domain account can be created that has the same user name, as the SID for the account won't match the SID from the original account that was deleted?

  • Anonymous
    June 27, 2010
    I was sceptical as well, but recreated a user then ran delete and the error went away and the user was deleted.  It seems Sharepoint ignores SID and just looks at the username!

  • Anonymous
    October 11, 2011
    Thanks - this is correct and worked in our environment. It is odd that it only looks at the User ID in AD.

  • Anonymous
    March 13, 2012
    I found that if you go into the People and Groups / All People screen on Central Administration that you can delete these people from the Site Collection there without getting the error you get when you try removing the person from Farm Administrators group .

  • Anonymous
    November 01, 2012
    A good find, thanks for blogging this.