SharePoint Foundation 2010 not returning results for some users

I'm able to perform a search using SharePoint Foundation 2010 if I am a farm administrator but other users cannot perform searches. I'm seeing the following entry in my ULS logs:

AuthzInitializeContextFromSid failed with ERROR_ACCESS_DENIED. This error indicates that the account under which this process is executing may not have read access to the tokenGroupsGlobalAndUniversal attribute on the querying user's Active Directory object. Query results which require non-Claims Windows authorization will not be returned to this querying user

Based on various mentions I have found on this (such as this one), this seems to be an issue with the permissions of the SharePoint crawler account. I'm not sure exactly how to change those as much of the guidance I have found seems to be tailored toward full SharePoint 2010 and not SharePoint Foundation 2010.

Here are the services I have running and their logon accounts:
SharePoint 2010 administration: local system
SharePoint 2010 timer: network service
SharePoint 2010 tracing: local service
SharePoint 2010 user code host: network service
SharePoint 2010 VSS writer: local system
SharePoint foundation search V4: local service

I'm not sure if I change the account for one of the services using the services manager or make the change using Central Admin somehow. Step-by-step instructions are welcome.

Thanks in advance for your help.
Justin Smith (Sr. System Engineer) commented:
Sorry, I told you wrong.  In Central Admin - System - Services on Server, click on the Foundation Search Service.  This is where you set the account.
Justin Smith (Sr. System Engineer) commented:
99% of the time this is an issue with Windows Server 2003 level domains.  The Search Service account should be changed to a domain account and that account should be added to the pre-Windows 2000 Compatibility AD group.
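One way to check the prerequisite described in the comment above before changing the service account, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is available; `svc-spsearch` is a constructed placeholder for the domain account, and `Test-SearchAccountPrereq` is a hypothetical helper name.

```powershell
# Added example. 'svc-spsearch' is a constructed placeholder account name.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Test-SearchAccountPrereq {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName
    )

    # S-1-5-32-554 is the well-known SID of the built-in
    # "Pre-Windows 2000 Compatible Access" group, so the lookup
    # does not depend on the group's display name or locale.
    $group  = Get-ADGroup -Identity 'S-1-5-32-554'
    $user   = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $domain = Get-ADDomain

    # Direct membership only; nested membership is not resolved here.
    $isMember = $user.MemberOf -contains $group.DistinguishedName

    # New-Object keeps this compatible with PowerShell 2.0 hosts.
    New-Object PSObject -Property @{
        Account        = $user.SamAccountName
        Enabled        = $user.Enabled
        DomainMode     = $domain.DomainMode
        Group          = $group.Name
        IsDirectMember = $isMember
    }
}

$result = Test-SearchAccountPrereq -SamAccountName 'svc-spsearch'
$result | Format-List

if (-not $result.IsDirectMember) {
    # -WhatIf only prints what would change; remove it to apply.
    Add-ADGroupMember -Identity 'S-1-5-32-554' -Members $result.Account -WhatIf
}
```

The `DomainMode` value in the output shows the domain functional level, which is the condition the comment above ties this error to.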
Julian123 (Author) commented:
Thanks for that info. Does that mean that I just have to change the account used by one of the SharePoint services to use a domain account that's a member of that group using the services manager?

And just so I'm clear, which of the services above is it? Is it "SharePoint foundation search V4"?

Justin Smith (Sr. System Engineer) commented:
Yes, Search V4 service.  First register your new account as a Managed Account in Central Admin - Security - Managed Accounts.  Then change it in Central Admin - Security - Service Accounts.
Julian123 (Author) commented:

Under Central Admin - Security - Configure Service Accounts I see the following options in the drop down:

Farm Account
Windows Service - claims to windows token service
Windows service - Microsoft SharePoint foundation sandboxed code service
Web Application Pool - SharePoint - 19359
Web Application Pool - SharePoint - 41152
Web Application Pool - SharePoint - 80
Service Application Pool - SecurityTokenServiceApplicationPool
Service Application Pool - SharePoint Web Services System

2 questions:
1. Which of the above should I choose to use the new managed account I created?
2. Also, if I do this does it mean I don't have to change the Search V4 service credentials using the Windows service manager? Or do I also need to do that too?
Question has a verified solution.