New AD users not found on Select People and Groups dialog search

  • Question

  •   I’ve been asked to grant site permissions to new users recently added to AD. At the Add Users page there’s an Add Users section with a Users/Group white box. If I search for new users by using the Address book icon (Select People and Groups Dialog box), I don’t get any results. However, if I search for previously added users I will find them as expected. Also, if I use the “Check names” icon to resolve the names it will find the new users. After I add the new users this way, and do a second search for them using the Select People and Groups dialog box, then the search will return the users.

    Steps I follow to reproduce issue:

    1. Go to Site Actions / Site Settings / People and Groups
    2. Select the Site “Members” group from the quick launch
    3. Select from menu bar New / Add users
    4. At the Add users page click on the Address book icon
    5. At the Select People and Groups Dialog box search for first name, last name or Domain\User id of a recently added user in AD
    6. I get the following message in red: No results were found to match your search item.

    My troubleshooting and findings:

    For what it's worth, the user profile crawl seems fine. I can find all users, including new users, from Central Admin / Shared Services Administration / SSP / User Profiles and Properties / View user profiles. I’m aware this is a different process though, but this tells me that the application server is properly communicating with AD.

    If I search at the People and Groups Dialog, for existing users (that means, users that already have permissions on the site) they’ll show up in the results.

    Doing some research I found that there’s a hidden user information list at http://site/_catalogs/users/  apparently this list gets populated when a user is given permissions over the site and/or they log into the site for the first time.

    It seems the Select People and Groups Dialog box would first look into this user information list and if the user does not exist, it would then try to find him on AD (it then performs the same mechanism used when searching through the white box and hitting the “Check names” icon at the Add Users page). I think the Select People and Groups search is failing at the latter. I can find every user in the user information list, through Select People and Groups dialog box.

    We have two NLB WFE servers and one application server. I logged into SharePoint straight from the application server and tried to reproduce the issue there. It won’t happen there; I was able to get all users as expected. However, when I tested this from the WFE servers I see the issue there (the same behavior I and everyone else experience from our computers).

    I believe there’s something off at the Network configuration level that is blocking the search on the Select People and Groups dialog box, given the different experience on the application server vs. the WFE servers.

    I went to our Network team asking for help to troubleshoot this; we followed this article, which states which ports we should have open for communication with the AD server. Our Network team said we have the specified port rules configured in our Firewall.

    http://technet.microsoft.com/en-us/library/cc262849.aspx#PortProtocolService

    What are we missing?

    Has anyone experienced this issue before?

    Any help would be appreciated.

    Thank you.

    -Rob.

    Environment:

    MOSS 2007 SP3

    2 WFE servers, 1 Application server. SQL Server 2005 (Clustered).

    The WFE servers are sitting in the DMZ.

    Friday, March 30, 2012 4:57 PM

Answers

  • We were able to resolve this ourselves; I appreciate all of you for weighing in.

    As I suspected, the issue was a series of Network ports that need to be opened so the Select People and Groups Dialog box can talk with the AD.

    We found this by tracing the traffic coming through the firewall at the time I started the User query at the SPAG Dialog box.

    This was fixed by opening ports 80, 3268 and a range of RPC ports.

    • Marked as answer by _Rob_S_ Wednesday, April 11, 2012 1:39 PM
    Wednesday, April 11, 2012 1:38 PM
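    The firewall trace Rob describes is the decisive check here, so as an added example (not code from the thread) this script does that analysis offline: it scans firewall log lines for DENY entries from the DMZ WFEs to a domain controller on AD ports during the window in which the people picker query was issued, and lists the (port, service) pairs the rule set is missing. The log format, the addresses and the sample entries are constructed for the example; the port-to-service mapping is the standard AD assignment.

```python
import re

# Standard AD service ports; 3268 and the dynamic RPC range are the ones the thread found blocked.
AD_PORTS = {88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP", 445: "SMB",
            636: "LDAPS", 3268: "Global Catalog LDAP", 3269: "Global Catalog LDAPS"}
RPC_DYNAMIC = (49152, 65535)  # default dynamic RPC range on Windows Server 2008 and later

# Constructed log format (no particular vendor): "<date> <time> ALLOW|DENY TCP|UDP src:sport -> dst:dport"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>ALLOW|DENY) (?:TCP|UDP) "
                     r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample: 10.1.1.10/.11 are the DMZ WFEs, 10.0.0.20 the application
# server (not in the DMZ), 10.0.0.5 a domain controller that is also a global catalog.
SAMPLE_LOG = """\
2012-04-10 09:15:01 ALLOW TCP 10.1.1.10:51022 -> 10.0.0.5:389
2012-04-10 09:15:01 DENY TCP 10.1.1.10:51023 -> 10.0.0.5:3268
2012-04-10 09:15:02 DENY TCP 10.1.1.10:51024 -> 10.0.0.5:135
2012-04-10 09:15:02 DENY TCP 10.1.1.10:51025 -> 10.0.0.5:49670
2012-04-10 09:15:03 ALLOW TCP 10.0.0.20:43001 -> 10.0.0.5:3268
2012-04-10 08:00:00 DENY TCP 10.1.1.10:50001 -> 10.0.0.5:3268
2012-04-10 09:15:04 DENY TCP 10.1.1.11:51030 -> 203.0.113.9:443
""".splitlines()

def classify_port(port):
    """Name the AD service behind a destination port, or None if it is not AD-related."""
    if port in AD_PORTS:
        return AD_PORTS[port]
    if RPC_DYNAMIC[0] <= port <= RPC_DYNAMIC[1]:
        return "dynamic RPC"
    return None

def blocked_ad_flows(log_lines, wfe_hosts, dc_hosts, start, end):
    """DENY entries from a WFE to a DC on an AD port between start and end
    ('YYYY-MM-DD HH:MM:SS'; zero-padded, so plain string comparison orders correctly)."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "DENY" or not (start <= m["ts"] <= end):
            continue
        if m["src"] not in wfe_hosts or m["dst"] not in dc_hosts:
            continue
        service = classify_port(int(m["dport"]))
        if service:  # skip denied flows unrelated to AD, e.g. outbound web traffic
            hits.append((m["ts"], m["src"], int(m["dport"]), service))
    return hits

def missing_rules(hits):
    """Distinct (port, service) pairs the firewall must permit from the WFEs towards AD."""
    return sorted({(port, service) for _, _, port, service in hits})
```

    Call `blocked_ad_flows(SAMPLE_LOG, {"10.1.1.10", "10.1.1.11"}, {"10.0.0.5"}, "2012-04-10 09:15:00", "2012-04-10 09:16:00")` and pass the result to `missing_rules` to get the ports to open; the application server's allowed 3268 flow is the contrast the thread observed between the CA box and the DMZ WFEs.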

All replies

  • When you search for users with the Select People and Groups window, it is locating users who already have been added to the site collection, or users who it finds using an Active Directory query.

    The behavior you're experiencing makes sense -- if the query doesn't return any results, and you add the user with the "Check names" field, if you perform the search again, the user will appear.

    How "new" are the users? It's possible their accounts haven't replicated to the domain controller (or global catalog) that the Select Users and Groups window/SharePoint is currently querying.

    When you add the user with the "check names" box, SharePoint is performing a different query to the domain. Instead of "return all users that match this text in popular attributes", it is asking the domain controllers to validate that the user you have specified explicitly exists.


    Jason Warren
    Infrastructure Specialist
    Habañero Consulting Group
    www.habaneros.com/blog

    Monday, April 2, 2012 7:02 PM
  • Hi,

    When you are searching for the users, it will first check the Content database, then the SSP.

    If you use Check names and it does not find them in the above two places, it will search for them in AD.

    You can go for a full profile import to bring their profiles into SharePoint.

    I hope this will help you out.


    Thanks, Rahul Rashu

    Monday, April 2, 2012 8:11 PM
  • Thanks all,

    It doesn't seem like an issue with Domain Controller propagation. It would affect other applications as well; also, users can be found without issues through the Outlook address book (GAL).

    I’m wondering if there’s any kind of filtering in SharePoint that might be affecting the query done from the Select People and Groups and the AD. Or, is the Domain Controller name explicitly configured somewhere in Select People and Groups?

    This issue is not related to User Profile crawling, I’m sure of that, since even without a user profile we should be able to add permissions to the user in SharePoint. For what it's worth, the new users exhibiting the problem ARE found in the user profile properties store at the SSP. Crawling is not the problem.

    Wednesday, April 4, 2012 2:25 PM
  • I’m wondering if there’s any kind of filtering in SharePoint that might be affecting the query done from the Select People and Groups and the AD. Or, is the Domain Controller name explicitly configured somewhere in Select People and Groups?

    You know what, scratch out my previous questions... I keep forgetting that the issue happens when accessing SharePoint from the WFE servers, but this doesn't happen from the Application Server (CA). Any "filtering" (if that's the case) would affect SharePoint entirely, not just pieces of it.

    This doesn't happen in our Staging environment either, and the only thing the CA server (in Prod) and the Staging server have in common is that they are NOT in the DMZ.

    There's something obstructing the Select People and Groups Dialog Query between the WFE servers and the AD, I just can't put my finger on it. As you can see, I'm going in loops now.

    Wednesday, April 4, 2012 3:20 PM
  • Hi Rob,

    I haven't experienced this before but I would just like to mention to you that the Select People and Groups dialog box is not in any way connecting to AD.

    Once the SSP job for Profile Synchronization finishes its crawl, all information in AD (depending on your import settings, of course) will be copied to the users table in the Content Database of your site.

    So I hope, by mentioning this, you can check why the Select People and Groups of the particular site isn't seeing the other users.

    You can do some tests like:

    Depending on your results above, you can continue searching for another solution.

    Regards,
    Jeremy


    Jeremy Ramos | .NET / SharePoint / Dynamics Developer

    Thursday, April 5, 2012 3:54 PM