Domain Users AD group disappearing from SharePoint security

  • Question

  • After applying SharePoint 2010 SP2 and the September 2014 cumulative update (KB 2883103) to our SP2010 farm, we've discovered the system is automatically removing the 'Domain Users' Active Directory group from SharePoint security. It's not affecting any other AD groups or users or when Domain Users is a member of a SharePoint group. Only when Domain Users has been explicitly added to a site, library, list or document.

    For example, we give Domain Users access to the root of most of our site collections and then break inheritance for certain libraries or lists that need more security. Now Domain Users has disappeared from every site. I can say with 100% confidence that this has not been done by anyone in the organization. Nothing else changed besides SP2 and Sept2014 CU.

    Yesterday we fixed a few sites by re-adding Domain Users.  This morning those were missing again, so it must be a timer job or other cleanup process that is causing this.  Again, this does not affect SharePoint groups/membership or any other AD object, only Domain Users.

    Has anyone run into this issue or have any suggestions on a resolution? We have enabled audit logging but have not seen any related logs yet.

    Tuesday, October 21, 2014 4:32 PM

All replies

  • Sometime between noon and 1:00pm this afternoon we lost the Domain Users group again from all sites where we re-added it.  Audit logging is showing this for one particular site:

    {072c340a-42cb-4861-a182-38102b53bc52} {072c340a-42cb-4861-a182-38102b53bc52} Site System Account   <SHAREPOINT\system> 2014-10-21T18:53:52 Security Role Bind Update SharePoint <roleid>-1</roleid><principalid>DOMAIN\domain   users</principalid><scope>67A6138A-CBFA-42BD-87EF-86D558047D63</scope><operation>ensure   removed</operation>
     

    Does anyone know if any additional logging can be enabled to see WHY this is occurring?

    So far our solution has been to set up another AD security group and nest the domain users security group inside. Not exactly a solution but at least a workaround.

    Tuesday, October 21, 2014 10:08 PM
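
A triage sketch for the audit entry quoted above, added here as an example and not code from the thread or from SharePoint: it parses exported audit rows and lists every scope where a given principal was removed from a role binding, with the time and acting account. The four-field row layout and the function names are assumptions, and every sample row except the first is constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Rows are (occurred, user, event, event data). Row 1 is the entry quoted in
# the thread; rows 2-5 are constructed for illustration.
SAMPLE_ROWS = [
    ("2014-10-21T18:53:52", "System Account <SHAREPOINT\\system>", "Security Role Bind Update",
     "<roleid>-1</roleid><principalid>DOMAIN\\domain   users</principalid>"
     "<scope>67A6138A-CBFA-42BD-87EF-86D558047D63</scope><operation>ensure   removed</operation>"),
    ("2014-10-21T18:53:55", "System Account <SHAREPOINT\\system>", "Security Role Bind Update",
     "<roleid>-1</roleid><principalid>DOMAIN\\domain users</principalid>"
     "<scope>00000000-0000-0000-0000-000000000002</scope><operation>ensure removed</operation>"),
    ("2014-10-21T19:02:10", "DOMAIN\\alice", "Security Role Bind Update",
     "<roleid>-1</roleid><principalid>DOMAIN\\finance</principalid>"
     "<scope>00000000-0000-0000-0000-000000000003</scope><operation>ensure removed</operation>"),
    ("2014-10-21T19:05:00", "DOMAIN\\alice", "View", ""),
    ("2014-10-21T19:06:00", "DOMAIN\\alice", "Security Role Bind Update", "<principalid>R&D"),
]

def squash(text):
    """Collapse whitespace runs; exported audit text can carry extra spaces."""
    return re.sub(r"\s+", " ", text or "").strip()

def parse_event_data(fragment):
    """Event data is a run of sibling elements with no root, so wrap it first."""
    root = ET.fromstring("<e>" + fragment + "</e>")
    return {child.tag: squash(child.text) for child in root}

def find_removals(rows, principal):
    """Map scope -> [(occurred, user)] for role-binding removals of `principal`."""
    hits = defaultdict(list)
    for occurred, user, event, data in rows:
        if event != "Security Role Bind Update":
            continue
        try:
            fields = parse_event_data(data)
        except ET.ParseError:
            continue  # event data not well-formed; skip rather than abort the run
        if (fields.get("principalid", "").lower() == principal.lower()
                and fields.get("operation", "") == "ensure removed"):
            hits[fields.get("scope", "?")].append((occurred, squash(user)))
    return dict(hits)

if __name__ == "__main__":
    for scope, events in find_removals(SAMPLE_ROWS, "DOMAIN\\domain users").items():
        print(scope, events)
```

Removals that land within seconds of each other across many scopes under the system account point to an automated process, which narrows the search to jobs that ran in that window.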