SharePoint / Unable to create new SharePoint Groups with the “SharePoint Directory Management Service”

Summary

After configuring SharePoint with incoming email and the “SharePoint Directory Management Service” to create Distribution Lists in Active Directory, you are unable to create new groups and receive the following error.

Sorry, something went wrong

The following error has occurred while attempting to contact the Directory Management Service: The request failed with HTTP status 401: Unauthorized.

Server-side error (ULS Logs):

Cause

This issue normally occurs if the App Pool account that is running the Central Admin Site does not have access to the OU where the SharePoint Objects are being created in Active Directory. However, even after verifying rights on the OU, the error persists.

This is actually failing because the customer may have a separate SharePoint “Farm Account” and “Service Account”. In this case, the Service Account does not have access to create DLs in the Central Admin Site by default.

Since the “SharePoint Directory Management Service” executes via Central Admin, the App Pool account that is running the SharePoint Site will need full access to the Central Admin site collection.

Resolution

To resolve this issue, elevate the App Pool account running the SharePoint Site to a site collection admin in the Central Admin Site.

Step 1: From Central Admin, go to Settings > “Site Settings”

Step 2: Go to “Site Collection Administrators”

Step 3: Add the App Pool Account

Groups created in SharePoint should now be created successfully in Active Directory.
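
The same three steps can be scripted. The following is an added example, not part of the original article: it assumes the SharePoint Management Shell on a farm server, run as a farm administrator, and uses a placeholder URL (`https://sharepoint.contoso.example`) for the content web application. It finishes by listing the Central Admin site collection administrators so the new grant can be recorded and reviewed.

```powershell
# Added example (not from the original article).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: placeholder URL of the content web application whose
# App Pool account receives the 401 from the Directory Management Service.
$contentWebAppUrl = 'https://sharepoint.contoso.example'

# Resolve the App Pool identity of the content web application.
$contentWebApp  = Get-SPWebApplication -Identity $contentWebAppUrl -ErrorAction Stop
$appPoolAccount = $contentWebApp.ApplicationPool.Username
if ([string]::IsNullOrWhiteSpace($appPoolAccount)) {
    throw "The application pool for $contentWebAppUrl does not run under a named account."
}

# Locate the Central Administration web application and its site collection.
$caWebApp = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$caSite = Get-SPSite -Identity $caWebApp.Url -ErrorAction Stop

try {
    $caWeb = $caSite.RootWeb

    # EnsureUser adds the account to the site's user list if it is not there yet.
    $user = $caWeb.EnsureUser($appPoolAccount)

    if ($user.IsSiteAdmin) {
        Write-Host "$($user.LoginName) is already a site collection administrator."
    }
    else {
        # Equivalent of Step 3: add the account under "Site Collection Administrators".
        $user.IsSiteAdmin = $true
        $user.Update()
        Write-Host "Added $($user.LoginName) as site collection administrator on $($caSite.Url)."
    }

    # Print the resulting administrators for the change record.
    $caWeb.SiteAdministrators |
        Select-Object LoginName, DisplayName |
        Format-Table -AutoSize
}
finally {
    # Release the SPSite object obtained from Get-SPSite.
    $caSite.Dispose()
}
```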

More Information

Configure incoming email for a SharePoint Server farm

https://docs.microsoft.com/en-us/sharepoint/administration/incoming-email-configuration
