?
Solved

AD Security groups doesn't work in SharePoint 2013 as exspected

Posted on 2014-01-30
13
Medium Priority
?
1,785 Views
Last Modified: 2014-02-28
Hello,

we have used and granted AD security groups to sites/libraries/lists of our older
SharePoint 2010 environment.

After migration to SharePoint 2013, the AD groups are almost migrated too and
it looks quiet fine, but it seems that these security groups have no affect on
sites/libraries/list etc.

When we put somebody into a security group, no changes to the user, he still
has no access as exspected.

We add a UPS application and the synchronization should work, but we don't
know what we have to check and also don't know where.

Any idea? Anything wrong with the UPS?

insi01
0
Comment
Question by:insi01
  • 8
  • 4
13 Comments
 
LVL 38

Expert Comment

by:Justin Smith
ID: 39821883
Was your 2010 web app using classic or claims authentication?  I'm assuming your 2013 is using claims.  That would be an issue if you didn't migrate 2010 to claims prior to taking to 2013.

Is it only new users added to the AD groups who have issues?  Were the previous users who were already in the group access the site in 2013?
0
 

Author Comment

by:insi01
ID: 39822199
Yes, we upgraded to claims after migration to 2013.

I will double check tomorrow.
0
 
LVL 4

Expert Comment

by:michaelalphi
ID: 39823403
Until a user logs into the site and is recorded in the User-info table, check permissions will not be able to enumerate the specific user's permission, even when they arere a member of an AD group that has been added to a SharePoint site.
For security groups configuration, you can get help from here : SharePoint security groups configuration
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:insi01
ID: 39823484
@Ach1illes
Yes, I added a person to the security group which has permission on the site, but it
doesn't seem to work.

Under CA->Application Management->Manage Service Application->Clicked on User Profile Servcie Application->Configure Synchronization Settings and then section Synchronization Options. I see that "Use Sharepoint Profile Synchronization" is checked.
Maybe I have to select "Use SharePoint Active Directory Import"?!

What do you think?

@Michaelaphi
I will read this article.

Thanks insi01
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 39823685
You don't have to have users imported into the Profile App in order for them to log into sites.

Are your cache accounts set properly (super reader and super user) using a claims format?
0
 

Author Comment

by:insi01
ID: 39823713
Ach1lles

How can I check this?
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 39823862
http://technet.microsoft.com/en-us/library/ff758656.aspx


When you input the user name in teh PowerShell commands, make sure they are in a claims format.  To verify, look at the account name after you add the account to the web app user policy.  Copy that into the PShell command.  

Also, you don't have to run it as as script if you don't want.  You can just type the commands into the SharePoint Mgmt Console.
0
 

Author Comment

by:insi01
ID: 39824139
Hi Ach1lles,

Please note the attachment. The accounts were already set with claims, so I assume that I don't need to execute the script on technet, right?
policy.JPG
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 39824187
I would doublecheck in Powershell.  

(Get-SPWebApplication <url>).Properties["portalsuperuseraccount"]

(Get-SPWebApplication <url>).Properties["portalsuperreaderaccount"]
0
 

Author Comment

by:insi01
ID: 39853818
I will proceed today and let you know. I also opened a Microsoft ticket for that behavior.
0
 

Accepted Solution

by:
insi01 earned 0 total points
ID: 39864751
Hi,

during our investigation we found out that the Home.aspx didn't inherit the permission from the site. So all permission set to the site (e.g. https://company.com/sales) didn't weren't
transfered down to home.aspx.

Regards
insi01
0
 

Author Closing Comment

by:insi01
ID: 39894340
I found an own solution.
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Let's recap what we learned from yesterday's Skyport Systems webinar.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question