Solved

AD Security groups doesn't work in SharePoint 2013 as exspected

Posted on 2014-01-30
13
1,384 Views
Last Modified: 2014-02-28
Hello,

we have used and granted AD security groups to sites/libraries/lists of our older
SharePoint 2010 environment.

After migration to SharePoint 2013, the AD groups are almost migrated too and
it looks quiet fine, but it seems that these security groups have no affect on
sites/libraries/list etc.

When we put somebody into a security group, no changes to the user, he still
has no access as exspected.

We add a UPS application and the synchronization should work, but we don't
know what we have to check and also don't know where.

Any idea? Anything wrong with the UPS?

insi01
0
Comment
Question by:insi01
  • 8
  • 4
13 Comments
 
LVL 38

Expert Comment

by:Justin Smith
ID: 39821883
Was your 2010 web app using classic or claims authentication?  I'm assuming your 2013 is using claims.  That would be an issue if you didn't migrate 2010 to claims prior to taking to 2013.

Is it only new users added to the AD groups who have issues?  Were the previous users who were already in the group access the site in 2013?
0
 

Author Comment

by:insi01
ID: 39822199
Yes, we upgraded to claims after migration to 2013.

I will double check tomorrow.
0
 
LVL 4

Expert Comment

by:michaelalphi
ID: 39823403
Until a user logs into the site and is recorded in the User-info table, check permissions will not be able to enumerate the specific user's permission, even when they arere a member of an AD group that has been added to a SharePoint site.
For security groups configuration, you can get help from here : SharePoint security groups configuration
0
 

Author Comment

by:insi01
ID: 39823484
@Ach1illes
Yes, I added a person to the security group which has permission on the site, but it
doesn't seem to work.

Under CA->Application Management->Manage Service Application->Clicked on User Profile Servcie Application->Configure Synchronization Settings and then section Synchronization Options. I see that "Use Sharepoint Profile Synchronization" is checked.
Maybe I have to select "Use SharePoint Active Directory Import"?!

What do you think?

@Michaelaphi
I will read this article.

Thanks insi01
0
 

Author Comment

by:insi01
ID: 39823607
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 39823685
You don't have to have users imported into the Profile App in order for them to log into sites.

Are your cache accounts set properly (super reader and super user) using a claims format?
0
Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

 

Author Comment

by:insi01
ID: 39823713
Ach1lles

How can I check this?
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 39823862
http://technet.microsoft.com/en-us/library/ff758656.aspx


When you input the user name in teh PowerShell commands, make sure they are in a claims format.  To verify, look at the account name after you add the account to the web app user policy.  Copy that into the PShell command.  

Also, you don't have to run it as as script if you don't want.  You can just type the commands into the SharePoint Mgmt Console.
0
 

Author Comment

by:insi01
ID: 39824139
Hi Ach1lles,

Please note the attachment. The accounts were already set with claims, so I assume that I don't need to execute the script on technet, right?
policy.JPG
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 39824187
I would doublecheck in Powershell.  

(Get-SPWebApplication <url>).Properties["portalsuperuseraccount"]

(Get-SPWebApplication <url>).Properties["portalsuperreaderaccount"]
0
 

Author Comment

by:insi01
ID: 39853818
I will proceed today and let you know. I also opened a Microsoft ticket for that behavior.
0
 

Accepted Solution

by:
insi01 earned 0 total points
ID: 39864751
Hi,

during our investigation we found out that the Home.aspx didn't inherit the permission from the site. So all permission set to the site (e.g. https://company.com/sales) didn't weren't
transfered down to home.aspx.

Regards
insi01
0
 

Author Closing Comment

by:insi01
ID: 39894340
I found an own solution.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

What to do when Windows Update is not working correctly? What tools can I use to detect the cause of the malfunction problem? What does this numeric error code mean? These and other questions that you have been asking in the past are answered here (…
I thought I'd write this up for anyone who has a request to create an anonymous whistle-blower-type submission form created using SharePoint 2010 (this would probably work the same for 2013). It's not 100% fool-proof but it's as close as you can get…
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now