Workflow permissions DOMAIN USERS

  • Question

  • Hi

    I've got a workflow that every domain user must be able to run, but when I add \DOMAIN USERS and grant Full Control on the list, nobody is able to run the workflow - nor does it work if I add any other AD group.

    It has worked before, and I suspect an update, since our SP environment was way overdue on updates.


    Tuesday, April 11, 2017 7:42 AM

All replies

  • Hi Michael

    In SP 2013, the workflow functions in a similar fashion to an add-in, which requires the permissions to be set up.

    Article explains it better if you have not already done it.

    • Activate the feature  "Workflows can use app permissions"  on Site Settings > Site Features 

    • Go to Site Settings > Site App Permissions. Find the app containing the name "Workflow".  Copy the GUID, which is the app ID, between "|" and "@"

    • Navigate to <siteurl>/_layouts/15/appinv.aspx. Paste the App Id, click Lookup.  If you want to grant the workflow full control, copy and paste the below.

    <AppPermissionRequests> <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" /> </AppPermissionRequests>

    • Click Create and click Trust It to trust the app.  

    The workflow will run with elevated privileges now.

    Tuesday, April 11, 2017 8:45 AM
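Added example, not part of the reply above and not Microsoft's code: a small Python check that parses an `AppPermissionRequests` block like the one pasted into appinv.aspx and reports how far each grant reaches and whether it exceeds a ceiling. The `max_right` ceiling and the second, narrower sample request are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Rights an add-in permission request can carry, lowest to highest.
RIGHTS = ["Read", "Write", "Manage", "FullControl"]
PREFIX = "http://sharepoint/content/"
# How much content each scope suffix covers.
WIDTH = {
    "sitecollection/web/list": "single list",
    "sitecollection/web": "single web",
    "sitecollection": "site collection",
    "tenant": "tenancy",
}

def review_permission_xml(xml_text, max_right="Write"):
    """List each AppPermissionRequest with its reach and a policy verdict.

    max_right is a hypothetical local policy ceiling, not a SharePoint setting.
    """
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Ignore any XML namespace so manifest-style input parses too.
        if el.tag.rsplit("}", 1)[-1] != "AppPermissionRequest":
            continue
        scope, right = el.get("Scope", ""), el.get("Right", "")
        suffix = scope[len(PREFIX):] if scope.startswith(PREFIX) else None
        if right not in RIGHTS:
            verdict = "unknown right"
        elif RIGHTS.index(right) > RIGHTS.index(max_right):
            verdict = "above policy ceiling"
        else:
            verdict = "within policy"
        findings.append({"reach": WIDTH.get(suffix, "unrecognised scope"),
                         "right": right, "verdict": verdict})
    return findings

# The request quoted in the reply above.
FROM_THREAD = """<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
</AppPermissionRequests>"""

# Constructed for comparison: narrower scope and right (not from the thread).
CONSTRUCTED = """<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write" />
</AppPermissionRequests>"""

if __name__ == "__main__":
    for name, xml_text in (("thread", FROM_THREAD), ("constructed", CONSTRUCTED)):
        print(name, review_permission_xml(xml_text))
```

The thread does not establish which right the workflow actually needs, so the constructed request only shows what a narrower grant looks like to the checker.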
  • I've done the app permissions once before, but could the error be a result of an incorrect scope in the request?

    I'll give a try and retur...

    Tuesday, April 11, 2017 8:59 AM
  • That didn't help...

    On the list I've got 3 permissions - IT: FullControl; Admin: FullControl; Domain Users: Edit

    Domain users can create items, and when the workflow runs it returns a 404 error.

    If I, as the farm admin, try to run the workflow, it fails with 404.

    THEN, if I add the user that created the item to the list permissions, the workflow runs successfully!?!? Despite the fact that the user is a member of Domain Users.

    Tuesday, April 11, 2017 9:24 AM
  • Hi,

    So your list has unique permissions?

    Could you try to debug whether this is caused by the process (actions) or whether users just can’t start the workflow?


    Best Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Wednesday, April 12, 2017 5:55 AM
  • Hi Lee

    If the users have permissions via the AD security group, it times out and I receive a 404 error ->

    Even the farm admin, me, can't kick off the WF. If I then add the user's UPN in list permissions, it works...? I've looked at the ULS, but default logging might not be sufficient, and I don't know which parts of SharePoint should have their logging level tuned!

    RequestorId: 43288bcf-2b68-e02c-0000-000000000000. Details: An unhandled exception occurred during the execution of the workflow instance. Exception details: System.ApplicationException: HTTP 404 {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"SPClientServiceRequestDuration":["20"],"SPRequestGuid":["43288bcf-2b68-e02c-a6d4-e6ca5454c5ce"],"request-id":["43288bcf-2b68-e02c-a6d4-e6ca5454c5ce"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"MicrosoftSharePointTeamServices":[""],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1; RequireReadOnly"],"Cache-Control":["max-age=0, private"],"Date":["Wed, 12 Apr 2017 08:00:56 GMT"],"Server":["Microsoft-IIS\/8.5"],"X-AspNet-Version":["4.0.30319"],"X-Powered-By":["ASP.NET"]} at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)

    Wednesday, April 12, 2017 8:51 AM
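Added example, not part of the post above: a Python parser for a workflow exception detail string of the shape quoted in that post, pulling out the HTTP status, the response headers and the first stack frame so the failure can be matched to server-side logs. The sample string is abridged from the post (fewer headers, shorter stack trace); the function name is hypothetical.

```python
import json
import re

def parse_workflow_fault(detail):
    """Extract status, key response headers and first frame, or None."""
    m = re.search(r"HTTP (\d{3}) (?=\{)", detail)
    if not m:
        return None
    # raw_decode stops at the end of the JSON object, so the .NET stack
    # trace that follows the headers is left for the frame search below.
    headers, end = json.JSONDecoder().raw_decode(detail, m.end())

    def first(name):
        # Every header value in this format is a one-element JSON list.
        return (headers.get(name) or [None])[0]

    requestor = re.search(r"RequestorId: ([0-9a-fA-F-]{36})", detail)
    frame = re.search(r"\bat ([\w.]+)\(", detail[end:])
    return {
        "status": int(m.group(1)),
        "correlation_id": first("SPRequestGuid"),
        "invoke_app": first("X-MS-InvokeApp"),
        "server_time": first("Date"),
        "requestor_id": requestor.group(1) if requestor else None,
        "first_frame": frame.group(1) if frame else None,
    }

# Abridged from the exception text in the post above.
SAMPLE = (
    r'RequestorId: 43288bcf-2b68-e02c-0000-000000000000. Details: An unhandled '
    r'exception occurred during the execution of the workflow instance. '
    r'Exception details: System.ApplicationException: HTTP 404 '
    r'{"SPRequestGuid":["43288bcf-2b68-e02c-a6d4-e6ca5454c5ce"],'
    r'"X-MS-InvokeApp":["1; RequireReadOnly"],'
    r'"Date":["Wed, 12 Apr 2017 08:00:56 GMT"],'
    r'"Server":["Microsoft-IIS\/8.5"]} at Microsoft.Activities.Hosting.Runtime.'
    r'Subroutine.SubroutineChild.Execute(CodeActivityContext context) at '
    r'System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, '
    r'ActivityExecutor executor, BookmarkManager bookmarkManager)'
)

if __name__ == "__main__":
    print(parse_workflow_fault(SAMPLE))
```

The `SPRequestGuid` value is the correlation ID SharePoint writes on the ULS entries for that request, so it is the value to filter the ULS logs on (for example with `Merge-SPLogFile -Correlation`).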
  • Hi,

    Could you try to debug your workflow by adding ‘Log to History List’ to check which step/logic (is there any logic related to user profile or something else) caused this issue, as the log seems general?


    This does not seem to be a permission issue, as it’s not a 401 error.


    Best Regards,



    Wednesday, April 12, 2017 9:21 AM
  • The workflow doesn't even get that far. My test WF is a simple "send mail to", end!

    Our production workflow started with a 401 error, and was solved with the app steps. Then it turned into the 404 error.

    It's like the workflow is unable to access the security groups in AD to see if the user is a member..??

    Wednesday, April 12, 2017 9:48 AM
  • In my support case with Microsoft, MS told me to look into the ProfilesDB, at the MemberGroup table, to ensure that our AD groups were present, and they are. I've then removed the AD groups from UPS sync, synced (removing them from the table), and added them again to UPS and synced. No luck....

    Thursday, April 27, 2017 12:30 PM
  • Hi Lee

    Thought that I should update you on my issue. If you check this post

    I've kinda found a solution - now I'm able to trigger on AD sec groups, but still not on DOMAIN USERS.

    Tuesday, May 9, 2017 12:52 PM