On a fine Friday morning, just a couple of days before a production release, a watchful IT manager deleted the AD account of one of the administrators who was no longer with the company. The account had permissions to multiple BDC objects. We found out about it a little later, by chance, but first we saw our SharePoint 2010 application, built on Business Data Connectivity and InfoPath, completely fall apart.
Instead of any meaningful data, all External Lists, administrator pages, SharePoint Designer, and thousands of lines of SharePoint logs showed the same dreadful message: “The specified user or domain group was not found”. Worse, trying to set object permissions in Central Administration resulted in a null reference exception. SharePoint Designer did not even show any External Content Types, as if they did not exist!
An online search did not uncover any easy solutions, leaving us with the possibility of reconfiguring a production farm. Rebuilding the application from scratch normally took us a couple of days. The weekend was beginning to look very grim.
But with a few hours left in the day and full admin access to the server, we just had to try finding an easy way out. Armed with SQL Server Profiler and a test farm to experiment on, we reproduced the error and watched the queries against the SharePoint database server. We reviewed the data in the BDC database. We also tried recreating the BDC Service Application and re-attaching the existing BDC database. It turned out that settings in the BDC database caused the error.
So in the end (after backing up the database!), we had to remove the references to the deleted AD account from the AR_MetadataObjectSecurity table. Sample query:
-- username stands for the name of the deleted AD account
delete from [AR_MetadataObjectSecurity]
where IdentityName like '%username%'
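A more defensive form of the same cleanup, as an added example that is not from the original post: it runs in a transaction, lists the rows the pattern matches, and refuses to delete when the substring pattern matches more than one distinct identity. The `username` pattern is a placeholder, `IdentityName` is assumed to be a character column, and the script is assumed to run in the BDC database after a backup.

```sql
-- Added example (T-SQL); not the original author's script.
-- Assumptions: current database is the BDC service application database,
-- a backup exists, and 'username' is replaced with the deleted account's name.
SET XACT_ABORT ON;   -- any runtime error rolls the whole transaction back

DECLARE @pattern nvarchar(256);
DECLARE @identities int;
SET @pattern = N'%username%';   -- placeholder pattern

BEGIN TRANSACTION;

-- 1. Preview: inspect every ACL row that the pattern would remove.
SELECT *
FROM [AR_MetadataObjectSecurity]
WHERE IdentityName LIKE @pattern;

-- 2. Guard: a '%...%' pattern also matches any other account or group
--    whose name contains the same substring. Require exactly one identity.
SELECT @identities = COUNT(DISTINCT IdentityName)
FROM [AR_MetadataObjectSecurity]
WHERE IdentityName LIKE @pattern;

IF @identities <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR(N'Pattern matched %d distinct identities; expected 1. Nothing deleted.',
              16, 1, @identities);
    RETURN;
END;

-- 3. Remove the orphaned entries for that single identity.
DELETE FROM [AR_MetadataObjectSecurity]
WHERE IdentityName LIKE @pattern;

PRINT CAST(@@ROWCOUNT AS nvarchar(12)) + N' row(s) deleted inside the transaction.';

-- 4. Dry run by default: change ROLLBACK to COMMIT once the preview
--    in step 1 shows only the deleted account's entries.
ROLLBACK TRANSACTION;
```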
We got the application back, but learned our lesson: do not give individual user accounts permissions to the ECTs directly, but rather through AD groups.