Users can't access SharePoint if permission is granted via AD groups

  • Question

  • Hi,

Users can't access SharePoint if permission is granted via AD groups.

    If they are added directly into a SharePoint group, then they can.

    If the AD group is in the SharePoint group and the user is in the AD group, then they cannot...

    I've never seen this before; please help or suggest an idea to resolve it.

    Wednesday, April 24, 2019 2:08 PM

All replies

If you've got the User Profile Service working, then it could just be that SharePoint is taking a while to recognise that the group membership has changed, due to the security token lifetime?

    Have a look at:


    Wednesday, April 24, 2019 4:40 PM
  • Hello,

Firstly, are you using ADImport for the User Profile Sync? If you are using an ADImport connection, make sure that the LDAP query is placed at the top of the container where the group was placed in the syntax query. To check whether AD groups are showing up or not, you can verify in two places.

    1) Go to any of your sites and go to Site Settings -> Navigation. In the Add Link section, in the Audience: field, enter any AD group and verify whether the groups are working or not; if it was not able to add groups, that means AD groups are not syncing. The other way to look is in SQL.

    2) Go to the SQL instance, then go to the User Profile database, then go to the Tables section, expand the tables and check for uso.membergroup/uso.memgroup (I am not exactly sure of the name I gave, but it should be something like this for sure; if you couldn't find it, let me know and I can pull it out for you, and also we can write a SQL query to get the AD groups). Right-click on that table, go for Select TOP 1000 Rows and see whether you are able to get groups or not.

    Thanks & Regards,

    Sharath Aluri

    sharath aluri

    Wednesday, April 24, 2019 10:58 PM
  • Hi,

I agree with Technought's point of view, and you can run the following code to adjust the claims token expiration values, so that changes in group membership are recognized by SharePoint within 30 minutes at most:

    $sts = Get-SPSecurityTokenServiceConfig
    # Keep LogonTokenCacheExpirationWindow shorter than WindowsTokenLifetime
    $sts.WindowsTokenLifetime = New-TimeSpan -Minutes 30
    $sts.LogonTokenCacheExpirationWindow = New-TimeSpan -Minutes 5
    $sts.Update()   # persist the change to the farm configuration

    Best Regards,


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    SharePoint Server 2019 has been released, you can click here to download it.
    Click here to learn new features. Visit the dedicated forum to share, explore and talk to experts about SharePoint Server 2019.

    • Proposed as answer by Dennis Guo Monday, April 29, 2019 2:21 AM
    Thursday, April 25, 2019 10:15 AM
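The following PowerShell is an added example, not part of the original thread and not a Microsoft script. It puts the two replies above together: it reads the current Security Token Service lifetimes, tightens them with a guard against the misordering that produces immediate Access Denied errors, and then lists what the SharePoint group actually contains so you can tell whether the AD group is inside it as a Windows security-group claim. The site URL, login name and group name are assumptions; run it in the SharePoint Management Shell on a farm server as a farm administrator.

```powershell
# Added example (not from the original thread). Inspect and tighten the STS token
# lifetimes, then show how the AD group is held inside a SharePoint group.
# The site URL, user login and group name below are placeholders (assumptions).

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "https://intranet.contoso.local"   # assumed
$userLogin = "i:0#.w|CONTOSO\jdoe"                # assumed; claims-encoded Windows login
$groupName = "Intranet Members"                   # assumed SharePoint group that contains an AD group

# 1. Show the current lifetimes. On-premises defaults are 10 hours for WindowsTokenLifetime
#    and 10 minutes for LogonTokenCacheExpirationWindow, so a user just added to an AD group
#    can wait hours for a fresh token, and a user removed from it keeps access just as long.
$sts = Get-SPSecurityTokenServiceConfig
"Before: WindowsTokenLifetime={0}  LogonTokenCacheExpirationWindow={1}" -f `
    $sts.WindowsTokenLifetime, $sts.LogonTokenCacheExpirationWindow

# 2. Shorten them. The expiration window must stay smaller than the token lifetime;
#    if it is larger, every cached token counts as already expired and users get Access Denied.
$lifetime = New-TimeSpan -Minutes 30
$window   = New-TimeSpan -Minutes 5
if ($window -ge $lifetime) {
    throw "LogonTokenCacheExpirationWindow must be shorter than WindowsTokenLifetime"
}
$sts.WindowsTokenLifetime            = $lifetime
$sts.LogonTokenCacheExpirationWindow = $window
$sts.Update()
"After:  WindowsTokenLifetime={0}  LogonTokenCacheExpirationWindow={1}" -f `
    $sts.WindowsTokenLifetime, $sts.LogonTokenCacheExpirationWindow

# 3. List the SharePoint group's members. In claims mode an AD security group appears as
#    c:0+.w|<SID>, a user as i:0#.w|DOMAIN\user. If the AD group is missing here, the
#    problem is the grant itself, not the token cache.
$web = Get-SPWeb $siteUrl
try {
    $group = $web.SiteGroups[$groupName]
    "Members of '$groupName':"
    $group.Users | ForEach-Object { "  " + $_.LoginName }

    # Server-side check of the user's current effective permission on the web.
    # The user's own browser session still carries its cached token until it expires,
    # so they may need to sign out and back in before they see the change.
    $canRead = $web.DoesUserHavePermissions($userLogin, [Microsoft.SharePoint.SPBasePermissions]::ViewPages)
    "Can $userLogin view pages on $siteUrl : $canRead"
}
finally {
    $web.Dispose()
}
```

The lifetime you pick is also your revocation latency: a user removed from the AD group keeps access until their Windows claims token expires, so 30 minutes is a reasonable ceiling for most farms, while shorter values add AD lookups on every token refresh.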