Solved

AD Security groups doesn't work in SharePoint 2013 as exspected

Posted on 2014-01-30
13
1,435 Views
Last Modified: 2014-02-28
Hello,

we have used and granted AD security groups to sites/libraries/lists of our older
SharePoint 2010 environment.

After migration to SharePoint 2013, the AD groups are almost migrated too and
it looks quiet fine, but it seems that these security groups have no affect on
sites/libraries/list etc.

When we put somebody into a security group, no changes to the user, he still
has no access as exspected.

We add a UPS application and the synchronization should work, but we don't
know what we have to check and also don't know where.

Any idea? Anything wrong with the UPS?

insi01
0
Comment
Question by:insi01
  • 8
  • 4
13 Comments
 
LVL 38

Expert Comment

by:Justin Smith
ID: 39821883
Was your 2010 web app using classic or claims authentication?  I'm assuming your 2013 is using claims.  That would be an issue if you didn't migrate 2010 to claims prior to taking to 2013.

Is it only new users added to the AD groups who have issues?  Were the previous users who were already in the group access the site in 2013?
0
 

Author Comment

by:insi01
ID: 39822199
Yes, we upgraded to claims after migration to 2013.

I will double check tomorrow.
0
 
LVL 4

Expert Comment

by:michaelalphi
ID: 39823403
Until a user logs into the site and is recorded in the User-info table, check permissions will not be able to enumerate the specific user's permission, even when they arere a member of an AD group that has been added to a SharePoint site.
For security groups configuration, you can get help from here : SharePoint security groups configuration
0
 

Author Comment

by:insi01
ID: 39823484
@Ach1illes
Yes, I added a person to the security group which has permission on the site, but it
doesn't seem to work.

Under CA->Application Management->Manage Service Application->Clicked on User Profile Servcie Application->Configure Synchronization Settings and then section Synchronization Options. I see that "Use Sharepoint Profile Synchronization" is checked.
Maybe I have to select "Use SharePoint Active Directory Import"?!

What do you think?

@Michaelaphi
I will read this article.

Thanks insi01
0
 

Author Comment

by:insi01
ID: 39823607
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 39823685
You don't have to have users imported into the Profile App in order for them to log into sites.

Are your cache accounts set properly (super reader and super user) using a claims format?
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 

Author Comment

by:insi01
ID: 39823713
Ach1lles

How can I check this?
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 39823862
http://technet.microsoft.com/en-us/library/ff758656.aspx


When you input the user name in teh PowerShell commands, make sure they are in a claims format.  To verify, look at the account name after you add the account to the web app user policy.  Copy that into the PShell command.  

Also, you don't have to run it as as script if you don't want.  You can just type the commands into the SharePoint Mgmt Console.
0
 

Author Comment

by:insi01
ID: 39824139
Hi Ach1lles,

Please note the attachment. The accounts were already set with claims, so I assume that I don't need to execute the script on technet, right?
policy.JPG
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 39824187
I would doublecheck in Powershell.  

(Get-SPWebApplication <url>).Properties["portalsuperuseraccount"]

(Get-SPWebApplication <url>).Properties["portalsuperreaderaccount"]
0
 

Author Comment

by:insi01
ID: 39853818
I will proceed today and let you know. I also opened a Microsoft ticket for that behavior.
0
 

Accepted Solution

by:
insi01 earned 0 total points
ID: 39864751
Hi,

during our investigation we found out that the Home.aspx didn't inherit the permission from the site. So all permission set to the site (e.g. https://company.com/sales) didn't weren't
transfered down to home.aspx.

Regards
insi01
0
 

Author Closing Comment

by:insi01
ID: 39894340
I found an own solution.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now