none
Target Audience > Not recognizing AD Groups???

    Question

  • Hi, I use SharePoint 2010.

    I set up User Profiles,
    Synchronization did not show any failures; shows a lot additions and updates.

    1. Now when I add a target audience and try to add a rule where user is member of :Sales" then Sales group shows up with 0 members while there are 100's of users in AD under Sales group. If I go ahead and add this then I get this error:

    Non-existent Membership group (3611DC50-CDFD-4F06-8132-3A84322D7D1D)

    2. Many of the AD groups are not recognized at all.

    Event log and ULS logs do not have any relevant errors.

    Any clue what might be going wrong? 

    Thanks so much folks.


    • Edited by ran009 Friday, January 25, 2013 2:32 AM
    Friday, January 25, 2013 2:02 AM

Answers

  • It so turned out that we had two entries in AD with exactly same name and by default it always brought up the wrong one. When I typed initial 3 letters of the group in Audience rule > Picker window I got both of the groups listed and then was able to select the right Group.

    Sorry to have wasted everyone's time (including my own).

    Thanking everyone.

    • Marked as answer by ran009 Friday, February 01, 2013 11:49 PM
    Friday, February 01, 2013 11:49 PM

All replies

  • Is this a Distribution or Security group?

    SharePoint - Nauplius Applications
    Microsoft SharePoint Server MVP
    MCITP: SharePoint Administrator 2010

    -----------------------
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Friday, January 25, 2013 4:38 AM
    Moderator
  • If it is a security group, is it universal or global? SharePoint has problems when using the Universal group, always use the global when setting up AD groups for SharePoint access. As far as I can tell, somewhere along the way SharePoint has problems trying to iterate through a named universal group when not nested inside a global group . Also, in your groups, is it a straight list of users or are you nesting groups? Nested security groups can have problems when they are either too deep, or what I've found to be more likely will contain a distribution list somewhere inside. General rule is always use global and check your nesting groups for DLs (which is why you don't want to go too deep with nesting as it's often like following the white rabbit...) If using nested groups, what order are you following? The overall picture of group and user nesting is designed to be as follows: Users go into Global Groups, Global Groups go into Domain Local Groups, and Domain Local Groups are listed on the Access Control List (ACL) of the resource. Avoid using server local groups anywhere anymore minus the built in administrator group.

    ieDaddy
    Blog: http://iedaddy.com
    Twit: @iedaddy

    Friday, January 25, 2013 5:31 AM
  • SharePoint has no issues with group scope, only group type (in other words, the group has to have a SID, which DLs do not).

    Exchange 2007 and 2010 depreciated the use of non-Universal groups for mail purposes, so it is encouraged to use Universal groups for this purpose.


    SharePoint - Nauplius Applications
    Microsoft SharePoint Server MVP
    MCITP: SharePoint Administrator 2010

    -----------------------
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Friday, January 25, 2013 5:40 AM
    Moderator
  • It is Security Group (Universal). I have other Universal security groups that show up fine in my Target Audience.

    Any more thoughts?

    Thanks so much folks, your help is appreciated.

    Friday, January 25, 2013 6:05 PM
  • I can confirm the the group has an SID as well.

    Please do let me know if I can provide any more information.

    Thanks so much.

    Friday, January 25, 2013 8:59 PM
  • The issue here is you're confusing what a security group is for and what a target audience is for.  As Trevor correctly points out "SharePoint" does not have a problem with group scopes per-se.

    HOWEVER, as with all things SharePoint, being able to actually use a universal group interchangably with a global group gets into a big "it depends"

    You're looking to compile an audience, so SID is not important, what is important is what SharePoint thinks are the members of the group, for that you need to make sure that your user profile import is including "People and Groups" because sharepoint has to know who the members of the group are.

    In addition, audiences are compiled as a list of individuals (not permissions) because you can create various rules that are subsets of people who just happen to be in an AD group, which means that depending on how you've got your AD configured sometimes it's the whole group and sometimes it isn't (This is why we compile audiences on a schedule, it is can be very intensive to query and build out these audience member lists).

    And this is where we get into the issue of using Universal Groups inside of sharepoint, because now we have a situation where you are using Universal groups and trying to use the same group that we base permissions off of for targeted audience compilation as well and SharePoint may or may not be able to enumerate the members inside the group.

    As SharePoint admins, we may or may not have the abilty to establish the rights to enumerate, deal with the global catalog, GC caching, and all that other fun stuff, best just not to deal with it.

    In addition UGs by best practice design should only contain global groups, since you mentioned there are 100's in the Sales group, I hope what you meant was 100's in global groups nested inside of the UG, otherwise you're generating a ton of replication traffic whenever you add an account to the UG as you are changing its membership (but if you just have GG in the UG then membership technically does not change when you add an account to the nested GG).

    Added benefit of nesting only GGs inside of a UG is you can also just compile your audience targeting the GGs in AD that are nested in the UG.

    Basically, depending on how well your AD stucture is built out, how the UGs are nested and other fun things a sharepoint admin may not have control over, using a universal group ends up being a crap-shoot; sometimes it works and sometimes it doesn't.

    Hence, rule of thumb here, don't use Universal Groups in SharePoint.

    As a test - have your AD admin create a global group for you of the Sales group members, perform the sync, and then see if the GG works for your audience compile.


    ieDaddy
    Blog: http://iedaddy.com
    Twit: @iedaddy

    Friday, January 25, 2013 9:49 PM
  • Thanks so much ieDaddy,

    I have quite many of Universal security groups that were synchronized without any problem when I ran synchronization. If these can be synchronized then I would assume that Sales should also be synchronized.

    Though what you suggest may work, still our network guys may not be ready to make that change. Any more thoughts will be really appreciated.

    Thanks so much.

    Friday, January 25, 2013 10:05 PM
  • I would suggest something simple -- validate that the permissions on the group with AD are the same as the groups that are importing properly.

    Also, is your domain a single domain or multiple domains?


    SharePoint - Nauplius Applications
    Microsoft SharePoint Server MVP
    MCITP: SharePoint Administrator 2010

    -----------------------
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Friday, January 25, 2013 10:16 PM
    Moderator
  • That was one of the first things I checked. The permissions for this group are exactly same as other groups.

    Please do let me know if I can try any more things or provide any more information.

    Thanks so much Trevor, your time is appreciated.


    Friday, January 25, 2013 10:18 PM
  • Hi there, I use SharePoint 2010.

    In target audience how to import the AD Security Groups of type ****Universal****?

    Any help will be appreciated.

    Thanks.
    Saturday, January 26, 2013 2:04 AM
  • Folks, sorry you were right all the AD groups that cannot be imported are Universal. Global ones seem to be working fine.

    Any idea on how to get Universal group from AD in target audience?

    Thanks so much.

    Saturday, January 26, 2013 2:05 AM
  • SharePoint has no issues using a Universal Security Group that is part of the same domain as the SharePoint Server in audience targeting.

    SharePoint - Nauplius Applications
    Microsoft SharePoint Server MVP
    MCITP: SharePoint Administrator 2010

    -----------------------
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Saturday, January 26, 2013 2:57 AM
    Moderator
  • It so turned out that we had two entries in AD with exactly same name and by default it always brought up the wrong one. When I typed initial 3 letters of the group in Audience rule > Picker window I got both of the groups listed and then was able to select the right Group.

    Sorry to have wasted everyone's time (including my own).

    Thanking everyone.

    • Marked as answer by ran009 Friday, February 01, 2013 11:49 PM
    Friday, February 01, 2013 11:49 PM