[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


AD Security groups doesn't work in SharePoint 2013 as exspected

Posted on 2014-01-30
Medium Priority
Last Modified: 2014-02-28

we have used and granted AD security groups to sites/libraries/lists of our older
SharePoint 2010 environment.

After migration to SharePoint 2013, the AD groups are almost migrated too and
it looks quiet fine, but it seems that these security groups have no affect on
sites/libraries/list etc.

When we put somebody into a security group, no changes to the user, he still
has no access as exspected.

We add a UPS application and the synchronization should work, but we don't
know what we have to check and also don't know where.

Any idea? Anything wrong with the UPS?

Question by:insi01
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 4
LVL 38

Expert Comment

by:Justin Smith
ID: 39821883
Was your 2010 web app using classic or claims authentication?  I'm assuming your 2013 is using claims.  That would be an issue if you didn't migrate 2010 to claims prior to taking to 2013.

Is it only new users added to the AD groups who have issues?  Were the previous users who were already in the group access the site in 2013?

Author Comment

ID: 39822199
Yes, we upgraded to claims after migration to 2013.

I will double check tomorrow.

Expert Comment

ID: 39823403
Until a user logs into the site and is recorded in the User-info table, check permissions will not be able to enumerate the specific user's permission, even when they arere a member of an AD group that has been added to a SharePoint site.
For security groups configuration, you can get help from here : SharePoint security groups configuration
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!


Author Comment

ID: 39823484
Yes, I added a person to the security group which has permission on the site, but it
doesn't seem to work.

Under CA->Application Management->Manage Service Application->Clicked on User Profile Servcie Application->Configure Synchronization Settings and then section Synchronization Options. I see that "Use Sharepoint Profile Synchronization" is checked.
Maybe I have to select "Use SharePoint Active Directory Import"?!

What do you think?

I will read this article.

Thanks insi01
LVL 38

Expert Comment

by:Justin Smith
ID: 39823685
You don't have to have users imported into the Profile App in order for them to log into sites.

Are your cache accounts set properly (super reader and super user) using a claims format?

Author Comment

ID: 39823713

How can I check this?
LVL 38

Expert Comment

by:Justin Smith
ID: 39823862

When you input the user name in teh PowerShell commands, make sure they are in a claims format.  To verify, look at the account name after you add the account to the web app user policy.  Copy that into the PShell command.  

Also, you don't have to run it as as script if you don't want.  You can just type the commands into the SharePoint Mgmt Console.

Author Comment

ID: 39824139
Hi Ach1lles,

Please note the attachment. The accounts were already set with claims, so I assume that I don't need to execute the script on technet, right?
LVL 38

Expert Comment

by:Justin Smith
ID: 39824187
I would doublecheck in Powershell.  

(Get-SPWebApplication <url>).Properties["portalsuperuseraccount"]

(Get-SPWebApplication <url>).Properties["portalsuperreaderaccount"]

Author Comment

ID: 39853818
I will proceed today and let you know. I also opened a Microsoft ticket for that behavior.

Accepted Solution

insi01 earned 0 total points
ID: 39864751

during our investigation we found out that the Home.aspx didn't inherit the permission from the site. So all permission set to the site (e.g. https://company.com/sales) didn't weren't
transfered down to home.aspx.


Author Closing Comment

ID: 39894340
I found an own solution.

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When using a search centre, I'm going to show you how to configure Sharepoint's search to only return results from the current site collection. Very useful when using Office 365 with multiple site collections.
Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question