Last week we installed a brand new SharePoint 2010 farm for a client. After initial configuration, SharePoint was working perfectly (We used these PowerShell scripts to automate most of the installation and initial configuration). However, on the next day, Central Admin greeted us with the following error:

Service Unavailable – HTTP Error 503

I checked Windows Event Log and it was full of error events like this one:

An exception occurred when trying to issue security token: The HTTP service located at http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc/actas is too busy.


The second error message,  although it was in the Event Log, is not the root issue here. You need to focus on issue #1 and the solution is described here by Mark Haverty!

After we applied suggested changes SharePoint was working again. The problem was caused by a group policy that gave Log on as a batch job privilege to a couple of domain accounts used for backup (not SharePoint related), unfortunately this policy revoked privileges from IIS_IUSRS.

We did the following to fix this:

  • Created a new OU in Active Directory
  • Moved all SharePoint servers to new OU
  • Created and applied a new Group Policy that does not change Log on as a batch job setting
  • Gave IIS_IUSRS privilege to logon as batch job
  • Reset

SharePoint was back online!


  1. Arash Aghajani Says

    Great post, Toni!
    This worked very well for me.
    You saved my time to resolve this amazing issue in a production environment!

    Thanks again,

  2. SL Says

    Thanks for the fix. I made the same mistake with a LogOnAsBatch GPO. Of course there was no problem till the SP server was rebooted weeks later. Adding IIS_IUSRS to the GPO cleared it up.

Leave a Reply