• Status: Solved
  • Priority: Medium
  • Security: Public

SharePoint 2013: Active Directory Groups not providing site permission.

Product: SharePoint 2013

I am trying to manage SharePoint permissions with Active Directory groups. When I add an AD group to the SharePoint Members group on the site, the members of the AD Group do not get permissions to the site.

If I add the member directly to the SharePoint group and skip the AD Group, the member gets permissions quickly.

Any Clue why?
Asked: TerryZumwalt
1 Solution
 
Jayaraja Jayaraman Commented:
Did you add the users after the AD group is added to SharePoint? If yes, did you run a full crawl with UPS?

TerryZumwalt (Author) Commented:
I started and completed a crawl from within the Search Application. When it was done, all permissions were the same as before. I am not sure what UPS is referring to.

Jayaraja Jayaraman Commented:
I am not talking about a search full crawl. I am referring to User Profile Sync.
Go to CA -> Service applications -> User Profile Service -> Start profile sync (under sync) -> Start full sync
 
TerryZumwalt (Author) Commented:
After running the UPS as suggested, there was still no change to the permissions. I added the group to a sub site as well and no change.

Jayaraja Jayaraman Commented:
OK, please try running IISReset and then
SharePoint will cache this group membership info for about 24 hours.

The timeout can be configured to a lower value:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue  # needed outside the SharePoint Management Shell
$sptokensvc = Get-SPSecurityTokenServiceConfig  # farm-wide security token service settings
$sptokensvc.FormsTokenLifetime = (New-TimeSpan -Minutes 2)  # forms-based logon tokens
$sptokensvc.WindowsTokenLifetime = (New-TimeSpan -Minutes 2)  # Windows logon tokens
$sptokensvc.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)
$sptokensvc.Update()  # save the new values
iisreset

This script will tell the token service that the claims will be valid for 1 minute and after that it will get the latest membership information from the Active Directory.

Walter Curtis (SharePoint AED) Commented:
Here are a few basic questions:
Are the SharePoint servers in the same AD domain as the users' AD domain?
Any issues when you add an AD group to a SharePoint group with the AD group name resolving through People Picker?
Are you using AD security groups and not AD distribution groups?

Keep in mind that User Profile Sync has nothing to do with adding AD groups to SharePoint groups.

Hope that helps

TerryZumwalt (Author) Commented:
I just ran the token script. I will test the result.

1. Yes, they are in the same AD.
2. No issues adding the group.
3. We are using AD Security Groups.

TerryZumwalt (Author) Commented:
I just tested and the user in the AD Group is allowed to access the site. Thanks for your assistance. The last change I made was by Jayaraja above. (Copied below.)

 OK, please try running IISReset and then
 SharePoint will cache this group membership info for about 24 hours.

 The timeout can be configured to a lower value:

 Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue  # needed outside the SharePoint Management Shell
 $sptokensvc = Get-SPSecurityTokenServiceConfig  # farm-wide security token service settings
 $sptokensvc.FormsTokenLifetime = (New-TimeSpan -Minutes 2)  # forms-based logon tokens
 $sptokensvc.WindowsTokenLifetime = (New-TimeSpan -Minutes 2)  # Windows logon tokens
 $sptokensvc.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)
 $sptokensvc.Update()  # save the new values
 iisreset

 This script will tell the token service that the claims will be valid for 1 minute and after that it will get the latest membership information from the Active Directory.
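
The token lifetime change from the accepted answer, wrapped so that the previous values are saved and the expiration window is checked before anything is written. This is an added example, not code from the thread; the function name Set-StsTokenLifetime and the backup path are hypothetical.

```powershell
# Added example, not from the thread. Function name and backup path are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-StsTokenLifetime {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][TimeSpan]$TokenLifetime,
        [Parameter(Mandatory = $true)][TimeSpan]$ExpirationWindow,
        [string]$BackupPath = ".\sts-token-config-backup.xml"   # hypothetical path
    )

    # The window must be shorter than the lifetime, otherwise tokens count as
    # expired as soon as they are issued and users keep being sent back to log on.
    if ($ExpirationWindow -ge $TokenLifetime) {
        throw "ExpirationWindow ($ExpirationWindow) must be shorter than TokenLifetime ($TokenLifetime)."
    }

    $sts = Get-SPSecurityTokenServiceConfig

    # Capture the current values so the change can be reverted later.
    $before = [pscustomobject]@{
        FormsTokenLifetime              = $sts.FormsTokenLifetime
        WindowsTokenLifetime            = $sts.WindowsTokenLifetime
        LogonTokenCacheExpirationWindow = $sts.LogonTokenCacheExpirationWindow
    }

    if ($PSCmdlet.ShouldProcess("Security Token Service", "Set token lifetime to $TokenLifetime")) {
        $before | Export-Clixml -Path $BackupPath
        $sts.FormsTokenLifetime              = $TokenLifetime
        $sts.WindowsTokenLifetime            = $TokenLifetime
        $sts.LogonTokenCacheExpirationWindow = $ExpirationWindow
        $sts.Update()
    }

    # Return the previous settings for review or logging.
    return $before
}

# Dry run with the values used in the thread; drop -WhatIf to apply, then run iisreset.
Set-StsTokenLifetime -TokenLifetime (New-TimeSpan -Minutes 2) `
                     -ExpirationWindow (New-TimeSpan -Minutes 1) -WhatIf
```

Shorter lifetimes also make removals from an AD group take effect sooner, at the cost of more frequent token renewals.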