SharePoint Server 2010: Service Application Error

I recently came across an issue where I was unable to manage the SharePoint Service Applications within Central Administration. The error I received was as follows:

“The specified user or domain group was not found”

This symptom was caused by a user account that had been assigned to a Managed Metadata Service Application and was later removed from Active Directory. The account in question had been assigned administrator rights in the service application. I worked with Microsoft to remedy the issue in my case after performing some initial steps to determine which service application was causing the problem.

To determine the problem, I first had to find out which service application was causing the message to appear. I followed these steps:

1 – Opened IIS Manager

2 – Navigated to Sites -> SharePoint Web Services

3 – Each service application has a GUID, and in its basic properties you can review the path of the web service to identify the service.

4 – The SharePoint diagnostic logs should correlate the error in question with the application ID, and so should the application event logs.

5 – When you determine which service application is causing the issue, you can run the following SQL statement against your SharePoint configuration database (I used %Metadata%, as I was aware it was the Metadata Service application):

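-- Read-only lookup: returns the serialized properties of each matching object as XML
SELECT [Name], [Version], CAST([Properties] AS xml) AS [Properties]
FROM [SharePoint_Config].[dbo].[Objects] WITH (NOLOCK)
WHERE [Name] LIKE '%Metadata%'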

6 – Click the properties column XML result and review the following section:

<sFld type="String" name="m_SerializedAcl">

7 – There should be some identities associated with the service application.

8 – Check each Identity Name in Active Directory to determine which one was removed.

9 – In some cases you should be able to re-create the account in Active Directory, since the service application is looking for a principal name, and not a SID. Ensure you synchronize your Active Directory domain.

10 – You should now be able to navigate to the service applications (provided the particular service application is looking for a principal name in Active Directory), and then remove the account from the service application permissions.

11 – If the above solution does not work, you can create a new account, with a different name, and try the following stsadm command:

stsadm -o migrateuser -oldlogin {the domain\old users login name that was removed} -newlogin {the domain\new AD account} -ignoresidhistory

e.g. stsadm -o migrateuser -oldlogin corp\deleteduser -newlogin corp\newuser -ignoresidhistory

You can also use the SharePoint Management Shell if you prefer and use the Move-SPUser command.

Should the above remedy not work in your situation, I highly recommend logging your particular case with Microsoft Premier Support to resolve your issue.

I also highly recommend not making any direct changes to the SharePoint configuration database via custom code or SQL statements, in order to keep a supported SharePoint environment.
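
The Active Directory check on the identity names found in m_SerializedAcl can be scripted instead of looking up each name by hand. The following PowerShell is an added example, not part of the original post: the function name Resolve-AclIdentity and the sample identities are hypothetical, and it assumes a name may carry a claims prefix ending in "|" (for example i:0#.w|) or be stored as a SID.

```powershell
# Added example: report which ACL identities no longer resolve in the domain.
# Resolve-AclIdentity is a hypothetical helper name; it only reads from the directory.
function Resolve-AclIdentity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [string[]]$IdentityName
    )
    process {
        foreach ($raw in $IdentityName) {
            # Assumption: a claims-encoded name looks like "i:0#.w|corp\user"; keep the part after "|".
            $name = $raw
            if ($raw.Contains('|')) { $name = $raw.Substring($raw.LastIndexOf('|') + 1) }

            $resolved = $false
            $detail   = $null
            try {
                if ($name -match '^S-1-\d+(-\d+)+$') {
                    # Stored as a SID: translate SID -> account name
                    $sid    = New-Object System.Security.Principal.SecurityIdentifier($name)
                    $detail = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } else {
                    # Stored as domain\user: translate account name -> SID
                    $acct   = New-Object System.Security.Principal.NTAccount($name)
                    $detail = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
                }
                $resolved = $true
            } catch {
                # Translate() throws IdentityNotMappedException when the principal does not exist
                $base = $_.Exception.GetBaseException()
                if ($base -is [System.Security.Principal.IdentityNotMappedException]) {
                    $detail = 'Not found in the domain'
                } else {
                    throw
                }
            }
            New-Object PSObject -Property @{
                Identity = $raw; Lookup = $name; Resolved = $resolved; Detail = $detail
            }
        }
    }
}

# Constructed sample input: replace with the identity names copied from the XML.
'corp\deleteduser', 'i:0#.w|corp\newuser' | Resolve-AclIdentity |
    Select-Object Identity, Lookup, Resolved, Detail | Format-Table -AutoSize
```

Any row with Resolved set to False is a candidate for the removed account.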

