Access denied when deploying a timer Job or activating a feature from SharePoint 2010 content web application


You get Access Denied when you try to activate a feature in code from SharePoint 2010 web application. This error occurs whenever you try to make changes from the content applications (web front ends) to the config application (central admin application). For example web.config changes. The access denied error happens even when you wrap the code in RunWithElevatedPrivileges.


This is due to a new security feature implemented in SharePoint 2010. This feature explicitly blocks any modifications to the objects inheriting from SPPersistedObject in the Microsoft.SharePoint.Administration namespace and does not allow the content web applications to update the configuration database. This new security feature which controls the behavior is the SPWebService.RemoteAdministratorAccessDenied property in the SharePoint API. Though it can be turned off if needed but as with any security feature, you need to be really careful and perform thorough testing before you turn it off.


RemoteAdministratorAccessDenied is a persisted property which can be set to false to disable the feature. You can do this either in a Console app or use Powershell and then perform an IISReset.

//Console app code

SPWebService myService = SPWebService.ContentService; 
myService.RemoteAdministratorAccessDenied = false; 

//PowerShell code

function Set-RemoteAdministratorAccessDenied-False()
    [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") > $null
    [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Administration") > $null

    # get content web service
    $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    # turn off remote administration security
    $contentService.RemoteAdministratorAccessDenied = $false