insi01
asked on
AD Security groups doesn't work in SharePoint 2013 as exspected
Hello,
we have used and granted AD security groups to sites/libraries/lists of our older
SharePoint 2010 environment.
After migration to SharePoint 2013, the AD groups are almost migrated too and
it looks quiet fine, but it seems that these security groups have no affect on
sites/libraries/list etc.
When we put somebody into a security group, no changes to the user, he still
has no access as exspected.
We add a UPS application and the synchronization should work, but we don't
know what we have to check and also don't know where.
Any idea? Anything wrong with the UPS?
insi01
we have used and granted AD security groups to sites/libraries/lists of our older
SharePoint 2010 environment.
After migration to SharePoint 2013, the AD groups are almost migrated too and
it looks quiet fine, but it seems that these security groups have no affect on
sites/libraries/list etc.
When we put somebody into a security group, no changes to the user, he still
has no access as exspected.
We add a UPS application and the synchronization should work, but we don't
know what we have to check and also don't know where.
Any idea? Anything wrong with the UPS?
insi01
ASKER
Yes, we upgraded to claims after migration to 2013.
I will double check tomorrow.
I will double check tomorrow.
Until a user logs into the site and is recorded in the User-info table, check permissions will not be able to enumerate the specific user's permission, even when they arere a member of an AD group that has been added to a SharePoint site.
For security groups configuration, you can get help from here : SharePoint security groups configuration
For security groups configuration, you can get help from here : SharePoint security groups configuration
ASKER
@Ach1illes
Yes, I added a person to the security group which has permission on the site, but it
doesn't seem to work.
Under CA->Application Management->Manage Service Application->Clicked on User Profile Servcie Application->Configure Synchronization Settings and then section Synchronization Options. I see that "Use Sharepoint Profile Synchronization" is checked.
Maybe I have to select "Use SharePoint Active Directory Import"?!
What do you think?
@Michaelaphi
I will read this article.
Thanks insi01
Yes, I added a person to the security group which has permission on the site, but it
doesn't seem to work.
Under CA->Application Management->Manage Service Application->Clicked on User Profile Servcie Application->Configure Synchronization Settings and then section Synchronization Options. I see that "Use Sharepoint Profile Synchronization" is checked.
Maybe I have to select "Use SharePoint Active Directory Import"?!
What do you think?
@Michaelaphi
I will read this article.
Thanks insi01
ASKER
You don't have to have users imported into the Profile App in order for them to log into sites.
Are your cache accounts set properly (super reader and super user) using a claims format?
Are your cache accounts set properly (super reader and super user) using a claims format?
ASKER
Ach1lles
How can I check this?
How can I check this?
http://technet.microsoft.com/en-us/library/ff758656.aspx
When you input the user name in teh PowerShell commands, make sure they are in a claims format. To verify, look at the account name after you add the account to the web app user policy. Copy that into the PShell command.
Also, you don't have to run it as as script if you don't want. You can just type the commands into the SharePoint Mgmt Console.
When you input the user name in teh PowerShell commands, make sure they are in a claims format. To verify, look at the account name after you add the account to the web app user policy. Copy that into the PShell command.
Also, you don't have to run it as as script if you don't want. You can just type the commands into the SharePoint Mgmt Console.
ASKER
Hi Ach1lles,
Please note the attachment. The accounts were already set with claims, so I assume that I don't need to execute the script on technet, right?
policy.JPG
Please note the attachment. The accounts were already set with claims, so I assume that I don't need to execute the script on technet, right?
policy.JPG
I would doublecheck in Powershell.
(Get-SPWebApplication <url>).Properties["portals uperuserac count"]
(Get-SPWebApplication <url>).Properties["portals uperreader account"]
(Get-SPWebApplication <url>).Properties["portals
(Get-SPWebApplication <url>).Properties["portals
ASKER
I will proceed today and let you know. I also opened a Microsoft ticket for that behavior.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I found an own solution.
Is it only new users added to the AD groups who have issues? Were the previous users who were already in the group access the site in 2013?