While troubleshooting a Records Center Routing Rule Event Receiver issue recently, I ran into a problem whereby ULS was apparently erroring when trying to log errors to the Application event log on the server.  (So this error ended up masking the “real”\underlying error).  The error ULS was throwing was “The Records Center refused the submission. There was an error routing the file: The source was not found, but some or all event logs could not be searched.  Inaccessible logs: Security.”  Turns out, this issue arises when you configure SharePoint to run in a “least privileged” type scenario whereby the service account and/or IIS app pool account isn’t a member of the local Administrators group.

The resolution, the steps of which I’ve added to my standard SharePoint Installation Guide, is below:

There are a zillion and one posts and how-tos out there amongst the Interwebs detailing the supposed “correct” way to use STSADMIN to copy or promote SharePoint Content Databases between different environments (i.e. Dev<->Stage<->Prod).  The problem with the typical STSADMIN approach is that it forces you to create a new Web Application within the target environment.  Well what if you’re dealing with a pre-existing target environment with complex IIS Bindings and or Alternate Access Mappings, etc (i.e. things that make you not want to hassle with having to re-set them all up.)  So in these circumstances, the easiest thing to do is just to grab the content database from the source environment and copy/bind it to the target environment.  The instructions to follow outline the steps needed in order to successfully perform such a promotion:

Pre-Move

SharePoint won’t automatically update all the links in your site to match the target environment’s host address, especially if you’ve added your own links to places within the site structure.  So, to make sure links work once the site has been moved, you need to go through any links you’ve created and make sure they are relative URLs and not fully-qualified.  It’s also a good idea to navigate to the internal site list for the Site Directory entries (http://<your host>/SiteDirectory/SitesList/AllItems.aspx) and modify them to be relative.

Performing the Copy/Promotion

First - Copying Content Databases Between Environments

Same Database Name:
If the target database has the same name as the source database

1. Backup the source database (full backup).
2. Copy the backup to the target database server.
3. Stop the target IIS Website on all target front-end-web servers.
4. Perform a full restore to the target database using the backup.
5. Start the target IIS Website on all target front-end-web servers.

If the target database has a different name than the source database

1. Stop IIS on each of the target front-end-web servers.
2. On the target database server:
   a.  Note the name of the applicable content database.
   b.  Document the security applied to the applicable content database
        (Specifically, what logins have what access to the database).
   c.  Document any backup/maintenance plans for the applicable content database.
   d.  Detach the applicable content database.
   e.  Backup the corresponding database data (.MDF) and log (.LDF) files to another location.
3. Stop IIS on Website on all source front-end-web servers.
4. Stop the source content database on the source database server.
   a.  Copy the corresponding .MDF and .LDF files to the target database server
         (usually C:\SQL\MSSQL10.MSSQLSERVER\MSSQL\DATA\) .
        i.   Rename the copied database files to match the names of the files in 2.e.
   b.  Re-Start the applicable source database on the source server.
5. Re-Start IIS on the source server.
6. On the target database server:
   a.  Open the Attach Database dialog:
        i.   Select the renamed MDF file from 4.a.i.
        ii.  In the upper “Databases to attach:” area, change the “Attach As” value to match 2.a.
        iii. In the lower “’<database name>’ database details” area, change the “Current File Path” values for both rows to match the paths and filenames in 4.a.i
   b.  Modify the security of the newly attached database to match 2.b.
   c.  Re-Apply any backup/maintenance plans from 2.c.
7. Do not yet start IIS on each of the target web front end servers as we’ll do that later.

Second – Reconfiguring the Content for its New Home

At this point, were you to try to load the restored site, you’d most likely receive a “400 BAD REQUEST” error when browsing “/” and a “File Not Found.” error when browsing the default “/Pages/Default.aspx” path.  This is because SharePoint has gotten a little confused about what has just been done to it.  To resolve the confusion, we need to essentially force SharePoint to reconfigure the newly promoted content database.  The easiest non-STSADMIN way to do this is to use Central Administration web UI to remove the content database and re-add it:

1. Navigate to the Central Administration Website for the target SharePoint instance.
2. Within the Application Management tab, find the SharePoint Web Application Management section and open the Content Databases link.
3. Change the Web Application to match the applicable application we’ve just updated.
4. Click the Content Database name item to open its property page:
   a.  Document the following settings for use later:
        --   Database server
        --   SQL Server database name
        --   Number of sites before a warning event is generated
        --   Maximum number of sites that can be created in this database
        --   Windows SharePoint Services search server
   b.  Place a check mark in the Remove content database box
        (and click OK in the resulting prompt)
   c.  Click the OK button to perform the removal of the content database.
        (The database itself will not be deleted, it is just no longer associated with this site)
5. You should now be back at the Content Databases Application Management screen.
6. Verify the Web Application is still the applicable application .
   (change it if necessary)
7. Click the Add a content database menu item to open the Ad Content Database page:
   a.  Verify the selected Web Application is correct.
   b.  Using the information documented in 4.a. fill in the properties for each to match exactly.
   c.  Click the OK button to add the existing content database.
        (SharePoint will now update the promoted Content Database to work with its new home)
8. Start IIS on each of the target web front end servers.
9. Test the target site.
   (Sometimes the first load will result in an error. It should work if you refresh the page)

This is mostly for my own reference, but I'm sure others on the Interwebs might find this useful as well.

If, per chance, you find yourself pasting a large amount of code into Visual Studio that, for whatever reason, has line numbers included in the copied data, one can easily remove the line number's using Visual Studio's Find & Replace with the "Use Regular Expressions" option...

The trick, obviously is the RegEx, which is: ^ *:d+\:

Make sure the Match case and Match whole word options are disabled and that the Replace with text box is empty, and you're good to go!

Recently, a colleague of mine was working on a SharePoint event handler to automatically apply security to an item on insert into a list.  In performing my own research on the topic, I came to realize there wasn’t a lot of concise or really usable information out there on the Interwebs about programmatically modifying the security and roles for a list item.  An additional constraint was that the list of users and groups to be added were contained in SharePoint “Users or Groups” column in another list. 

After a lot of research and some time spent stubbing out a test harness, I came upon the solution and created a helper method with overloads that allows you to programmatically add security to a list item with a number of different options for how the user or group is passed in, including support for passing in a list of SPRoleDefinition items to grant to the security item:

• SPFieldUserValue - Useful if you're iterating through the values of a SharePoint User or Group column
• String – Useful for passing in an ActiveDirectory group or user account name (If the user or group don’t already have access to the site itself, they will be automatically added)
• SPPrincipal – Useful if you have an SPPrincipal, SPGroup, or SPUser object (since the latter two inherit from SPPrincipal).

#region addPermissionToListItem Overloads

/// <summary>
/// Applies role-based security to a user or group for a particular list item.
/// This overload is useful if you're iterating through the values of a SharePoint User or Group column.
/// </summary>
/// <param name="SharePointWeb">The SharePoint Web the List belongs to.</param>
/// <param name="ListItemToAddTo">The particular List Item to apply the security to.</param>
/// <param name="UserOrGroupToAdd">The SPFieldUserValue type from a SharePoint User or Group column.</param>
/// <param name="RolesToGrant">SPRoleDefinition items to apply to the user or group being added.</param>
private void addPermissionToListItem(SPWeb SharePointWeb, SPListItem ListItemToAddTo, SPFieldUserValue UserOrGroupToAdd, params SPRoleDefinition[] RolesToGrant)
{
    if (SharePointWeb != null && ListItemToAddTo != null && UserOrGroupToAdd != null && RolesToGrant != null && RolesToGrant.Length > 0)
    {
        // Get SPPrincipal from the UserOrGroupToAdd parameter
        SPPrincipal newItemToAdd;
        if (UserOrGroupToAdd.User != null)
        {
            // We have a user
            newItemToAdd = UserOrGroupToAdd.User as SPPrincipal;
        }
        else
        {
            // We have a group
            newItemToAdd = SharePointWeb.SiteGroups.GetByID(UserOrGroupToAdd.LookupId) as SPPrincipal;
        }

        // Call the overload that accepts an SPPrincipal object to add to the list
        addPermissionToListItem(ListItemToAddTo, newItemToAdd, RolesToGrant);
    }
}

/// <summary>
/// Applies role-based security to a user or group for a particular list item.
/// This overload is useful if you only have the windows login id of a user or a group name.
/// If the user or group doesn't belong to the site, they will be automatically added.
/// </summary>
/// <param name="SharePointWeb">The SharePoint Web the List belongs to.</param>
/// <param name="ListItemToAddTo">The particular List Item to apply the security to.</param>
/// <param name="WindowsUserIdOrGroupToAdd">The SPFieldUserValue type from a SharePoint User or Group column.</param>
/// <param name="RolesToGrant">SPRoleDefinition items to apply to the user or group being added.</param>
private void addPermissionToListItem(SPWeb SharePointWeb, SPListItem ListItemToAddTo, string WindowsUserIdOrGroupToAdd, params SPRoleDefinition[] RolesToGrant)
{
    if (SharePointWeb != null && ListItemToAddTo != null && WindowsUserIdOrGroupToAdd != null && RolesToGrant != null && RolesToGrant.Length > 0)
    {
        // Get SPPrincipal from the UserOrGroupToAdd parameter
        SPPrincipal newItemToAdd;
        if (Microsoft.SharePoint.Utilities.SPUtility.IsLoginValid(SharePointWeb.Site, WindowsUserIdOrGroupToAdd))
        {
            // We have a user
            newItemToAdd = SharePointWeb.EnsureUser(WindowsUserIdOrGroupToAdd) as SPPrincipal;
        }
        else
        {
            // We have a group

            SPGroup groupToAdd = SharePointWeb.SiteGroups[WindowsUserIdOrGroupToAdd];
            if (groupToAdd != null)
            {
                // The group exists, so get it
                newItemToAdd = groupToAdd as SPPrincipal;
            }
            else
            {
                // The group didn't exist so we need to create it:
                //	Create it:
                SharePointWeb.SiteGroups.Add(WindowsUserIdOrGroupToAdd, SharePointWeb.Site.Owner, SharePointWeb.Site.Owner, string.Empty);
                //	Get it:
                newItemToAdd = SharePointWeb.SiteGroups[WindowsUserIdOrGroupToAdd] as SPPrincipal;
            }
        }

        // Call the overload that accepts an SPPrincipal object to add to the list
        addPermissionToListItem(ListItemToAddTo, newItemToAdd, RolesToGrant);
    }
}

/// <summary>
/// Applies role-based security to a user or group for a particular list item.
/// </summary>
/// <param name="ListItemToAddTo">The particular List Item to apply the security to.</param>
/// <param name="UserOrGroupToAdd">The SPFieldUserValue type from a SharePoint User or Group column.</param>
/// <param name="RolesToGrant">SPRoleDefinition items to apply to the user or group being added.</param>
/// <remarks>This overload is called by the other overloads to actually set the the security.</remarks>
private void addPermissionToListItem(SPListItem ListItemToAddTo, SPPrincipal UserOrGroupToAdd, params SPRoleDefinition[] RolesToGrant)
{
    if (ListItemToAddTo != null && UserOrGroupToAdd != null && RolesToGrant != null && RolesToGrant.Length > 0)
    {
        // Create a new role assignment for the principal
        SPRoleAssignment newRoleAssignmentToAdd = new SPRoleAssignment(UserOrGroupToAdd);

        // Bind the role definitionss to the  new role assignment
        foreach (SPRoleDefinition roleDefinition in RolesToGrant)
        {
            if (roleDefinition != null)
            {
                newRoleAssignmentToAdd.RoleDefinitionBindings.Add(roleDefinition);
            }
        }

        // Add the new role assignment to the list item
        ListItemToAddTo.RoleAssignments.Add(newRoleAssignmentToAdd);
    }
}

#endregion

I wrapped the overloads (titled addPermissionToListItem) in a winform test harness that linked below.  The test harness will pull groups and users from a SharePoint “Users and Groups” column in a separate list, and use those items to replace any existing permissions on a specified list item (breaking inheritance along the way).

Test Harness Screenshot:
Test Harness and referenced code: