AD Security groups doesn't work in SharePoint 2013 as exspected

Posted on 2014-01-30
Medium Priority
Last Modified: 2014-02-28

we have used and granted AD security groups to sites/libraries/lists of our older
SharePoint 2010 environment.

After migration to SharePoint 2013, the AD groups are almost migrated too and
it looks quiet fine, but it seems that these security groups have no affect on
sites/libraries/list etc.

When we put somebody into a security group, no changes to the user, he still
has no access as exspected.

We add a UPS application and the synchronization should work, but we don't
know what we have to check and also don't know where.

Any idea? Anything wrong with the UPS?

Question by:insi01
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 4
LVL 38

Expert Comment

by:Justin Smith
ID: 39821883
Was your 2010 web app using classic or claims authentication?  I'm assuming your 2013 is using claims.  That would be an issue if you didn't migrate 2010 to claims prior to taking to 2013.

Is it only new users added to the AD groups who have issues?  Were the previous users who were already in the group access the site in 2013?

Author Comment

ID: 39822199
Yes, we upgraded to claims after migration to 2013.

I will double check tomorrow.

Expert Comment

ID: 39823403
Until a user logs into the site and is recorded in the User-info table, check permissions will not be able to enumerate the specific user's permission, even when they arere a member of an AD group that has been added to a SharePoint site.
For security groups configuration, you can get help from here : SharePoint security groups configuration
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why


Author Comment

ID: 39823484
Yes, I added a person to the security group which has permission on the site, but it
doesn't seem to work.

Under CA->Application Management->Manage Service Application->Clicked on User Profile Servcie Application->Configure Synchronization Settings and then section Synchronization Options. I see that "Use Sharepoint Profile Synchronization" is checked.
Maybe I have to select "Use SharePoint Active Directory Import"?!

What do you think?

I will read this article.

Thanks insi01
LVL 38

Expert Comment

by:Justin Smith
ID: 39823685
You don't have to have users imported into the Profile App in order for them to log into sites.

Are your cache accounts set properly (super reader and super user) using a claims format?

Author Comment

ID: 39823713

How can I check this?
LVL 38

Expert Comment

by:Justin Smith
ID: 39823862

When you input the user name in teh PowerShell commands, make sure they are in a claims format.  To verify, look at the account name after you add the account to the web app user policy.  Copy that into the PShell command.  

Also, you don't have to run it as as script if you don't want.  You can just type the commands into the SharePoint Mgmt Console.

Author Comment

ID: 39824139
Hi Ach1lles,

Please note the attachment. The accounts were already set with claims, so I assume that I don't need to execute the script on technet, right?
LVL 38

Expert Comment

by:Justin Smith
ID: 39824187
I would doublecheck in Powershell.  

(Get-SPWebApplication <url>).Properties["portalsuperuseraccount"]

(Get-SPWebApplication <url>).Properties["portalsuperreaderaccount"]

Author Comment

ID: 39853818
I will proceed today and let you know. I also opened a Microsoft ticket for that behavior.

Accepted Solution

insi01 earned 0 total points
ID: 39864751

during our investigation we found out that the Home.aspx didn't inherit the permission from the site. So all permission set to the site (e.g. https://company.com/sales) didn't weren't
transfered down to home.aspx.


Author Closing Comment

ID: 39894340
I found an own solution.

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

741 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question