User added into the AD but not reflecting in SharePoint permission

  • Question

  • Hello all,

    I am using SharePoint 2016 hosted in Azure.

    Nowadays, I am getting issues where users cannot access the Intranet portal (based on SharePoint 2016). All company users should be added to the appropriate AD group so that by default they would be able to access the Intranet portal.

    All AD groups are added to one SharePoint group called "Visitor" with read access.

    So when I contact the AD team and give them the user name with the AD group name, they add that user to the AD group and also provide a screenshot of it, as I have never worked on AD. But when I check that user in SharePoint using check permission, zero results :-(


    For example:

    SharePoint Group: SP_Visitor

    AD Group: All_Country_India

    User Name: Test_User

    All_Country_India is added to SP_Visitor and Test_User is added to All_Country_India, but when I check Test_User's permission using "check permission" it shows only limited access; it should show "SP_Visitor".

    Can you tell me why the user added to AD is not reflected in SharePoint?

    Why does limited access always show?

    After being added to AD, why does the user still not have access to the SharePoint portal?

    Please help us on this.

    Thanks!


    Abhi14

    Friday, October 18, 2019 6:20 AM

All replies

  • Hiya,

    1st rule of Active Directory: whenever you apply permissions, the user must log off and log on to apply AD membership permissions to the "local" user Windows token.

    5th rule about SharePoint: it actually uses Claims and thus tokens. Tokens have a lifetime. That means if you add or remove permissions using AD groups, it will have this "latency" in applying. It will not renew this token every time a user logs in.

    https://blogs.msdn.microsoft.com/jesusfer/2015/08/27/sharepoint-2013-authentication-lifetime-settings/

    See which rule you fall under :)

    • Proposed as answer by Michael Han6 Monday, October 21, 2019 7:28 AM
    Friday, October 18, 2019 6:31 AM
  • Hello,

    Thank you for the reply.

    In the 1st rule: does user mean end user? If yes, then whenever we add a user to AD, do they have to log off and log in again?

    If the end user is added to AD, then why is it not reflected in SharePoint?


    Abhi14

    Friday, October 18, 2019 6:38 AM
  • 1:
    user = end user yes.
    Yes, to reflect any changes to AD membership, the user has to perform a reauthentication. For all Windows integrated applications, this is done at logon and after, for me, an unknown period of time, which is long.

    2:

    This is the scenario:
    End user logs into SharePoint, token is created and has a lifetime of say 10 hours.
    Administrator grants end user additional permissions in AD.
    There are no reauthentications done, because the user is authenticated and valid for 10 hours in SharePoint, thus the newly added AD permissions do not reflect for the user before reauthentication or token expiry (forcing reauthentication).

    3: Are you using SharePoint Online or a SharePoint server hosted in Azure?
    Either way, there is surely also some replication delay here.

    On-Prem domain has up to 15 minutes.

    Azure AD up to 72 hours. (Usually a lot faster)

    • Edited by Jesper Arnecke Friday, October 18, 2019 7:25 AM Added 3 based on question
    • Proposed as answer by Michael Han6 Monday, October 21, 2019 7:28 AM
    Friday, October 18, 2019 7:18 AM
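
An added example, not part of the thread: a read-only PowerShell report of the token lifetime settings behind the scenario in the reply above, for a SharePoint Server farm. `$AdChangeTime` is a constructed sample value, and treating `WindowsTokenLifetime` minus `LogonTokenCacheExpirationWindow` as the usable session lifetime for Windows-authenticated users is this example's assumption.

```powershell
# Added example: read-only report, changes nothing on the farm.
# Run in the SharePoint Management Shell on a farm server as a farm administrator.
param(
    # Constructed sample value: when the AD team added the user to the group.
    [datetime]$AdChangeTime = '2019-10-18 06:00'
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$sts     = Get-SPSecurityTokenServiceConfig
$content = [Microsoft.SharePoint.Administration.SPWebService]::ContentService

$lifetime = $sts.WindowsTokenLifetime             # lifetime of the logon token
$window   = $sts.LogonTokenCacheExpirationWindow  # token counts as expired this long before its end
$usable   = $lifetime - $window                   # assumption: how long one sign-in is honoured

if ($usable -le [timespan]::Zero) {
    # With no usable lifetime left, every request would need a fresh token.
    Write-Warning "LogonTokenCacheExpirationWindow ($window) is not smaller than WindowsTokenLifetime ($lifetime)."
}

[pscustomobject]@{
    WindowsTokenLifetime            = $lifetime
    LogonTokenCacheExpirationWindow = $window
    UsableSessionLifetime           = $usable
    # Separate timeout on the content service, reported for reference.
    ContentServiceTokenTimeout      = $content.TokenTimeout
    AdChangeTime                    = $AdChangeTime
    # A session that started just before the AD change can keep its old
    # group claims until this time (AD replication delay comes on top).
    OldSessionsExpireBy             = $AdChangeTime + $usable
} | Format-List
```

If the user still shows only "Limited Access" after `OldSessionsExpireBy` and a fresh sign-in, token lifetime is no longer the explanation and the group membership itself should be rechecked.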
  • Hi,

    If Jesper's reply is helpful to you, you could mark it as an answer. 

    Best Regards,

    Michael Han


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    SharePoint Server 2019 has been released, you can click here to download it.
    Click here to learn new features. Visit the dedicated forum to share, explore and talk to experts about SharePoint Server 2019.

    Monday, October 21, 2019 7:30 AM
  • Hi,

    How are things going? Is there any update on your issue?

    Please remember to mark the reply as an answer if it helps you.

    Thanks for your understanding.

    Best Regards,

    Michael Han


    Tuesday, October 29, 2019 9:44 AM