Active Directory Groups Not Working in Sharepoint

Similar Messages

• Alert to group not working on Sharepoint 2010!

  Hello,
  We have a SharePoint 2010 Server which on the front page we have a news list. We have migrated to 365 and since then the alerts are not working properly. We have a local SMTP server that we use to rely to 365 since SharePoint does not support TLS by itself.
  The SMTP server is working because we can set up alerts on individuals and the emails are coming. The issue is with the group. I have tried several groups but still the same issue. On some groups we receive the initial email about the creation of the alert,
  but no mails after that. I have checked also the Immediate Alert service and is successful. I have checked in the  mail flow on 365 and I can see the initial creation of the alert mail sent to all in the group, but the alerts on changing anything on the
  list does not come into 365, so it must be a SharePoint issue which I can`t determine since the immediate alert service is running...
  Can you please provide a feasible solution for this issue?
  Thank you very much.
  DOVC
  Best Regards, Valentin Doru System Administrator

  Hi Valentin,
  please also open a thread at o365 community, because seems this issue happened at o365.
  to try, perhaps you can re-add the group also, because it may refresh the properties from the AD group to o365.
  and you may check these workaround for testing:
  Option 1: Use a Redirection User
  created a user in Office 365. This user is licensed to use SharePoint Online and Exchange Online.
  In Exchange Online, create Distribution Groups, which are standard Distribution Group that allows however in Delivery Management also Senders outside of organization, as the SharePoint Sender is not part of the Exchange Org.
  In Exchange Online for the User Exchange Forwarder, created Inbox Rules. The rule is checking the Subject for a keyword and as action redirect the E-Mail to the DG and deletes it right away.
  repeat this for other DGs as well.
  In SharePoint Online grant the user Exchange Forwarder access to the Site to access the List
  Now there are two important steps:
  1)      The Alert Title needs to include the token we look for in the Exchange rule
  2)      The “Send Alerts To” needs to be our “Exchange Forwarder”
  When everything is set up an Alert will be received by Exchange Forwarder and then forwarded to the DG.
  Option 2: Use a custom Workflow with the Send E-Mail To Activity
  In Exchange Online creat a Distribution Groups, which are standard Distribution Group that allows however in Delivery Management also Senders outside of my organization, as the SharePoint Sender is not part of the Exchange Org.
  Using SharePoint Designer create a custom Workflow like the one below. In the Send E-Mail activity I specified the external SMTP Address of the DG as To-Address.
  When the Workflow is executed an E-Mail is sent directly to the DG:
  Background:
  When sending an Alert, SharePoint is doing a Security Trimming. So SharePoint wants to be sure the recipient of the Alert has permissions to see the List Content the Alert is about. Therefore we cannot enter an SMTP-Address for an Alert but need to specify
  a Security Principal known to SharePoint.
  In a Workflow we don’t need to do this kind of Security Trimming. The creator / designer of the Workflow need to take care whom to send what information.
  Side note: Alerts and Workflow Send E-Mail To Activities are the only possibilities in SharePoint Online to send E-Mails. Custom solutions (Sandboxed Solutions) will not work.
  Regards,
  Aries
  Microsoft Online Community Support
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Active Directory binding not working

  Hi
  I'm trying to bind to my active directory at work.
  On tiger I used the following settings
  serverdomain.ad
  the servers name is machine
  Which worked fine.
  On leopard when I use either serverdomain.ad or machine.serverdomain.ad I get the following error message
  (loosely translated from swedish)
  An unknown combination of domain and treecollection was used. You should use a complete DNS-name for the domain and tree collection (i.e something.company.se)
  Does anyone know what I should use..the FQDN is machine.serverdomain.ad - shouldnt that work?

  The answer was dns.. my client was using the correct nameserver.
  The binding worked after that..although I'm not sure its autenticating as it should

• Active Directory groups not being managed when added to an OD group?

  Hi all,
  Hopefully someone out there might be able to help with this. I have a magic triangle of authentication working and when I add an AD group to an OD group, some work and some don't.
  For example if I add a AD User to an OD group it works. If I add the "Domain Users" AD group to my OD group, it works - everyone on our network is managed (because everyone is in the Domain Users AD group). But if I remove "Domain Users" and add the "Students" AD security group, they are not managed. If I add "Staff' AD group, some staff are managed and some are not (I have confirmed that they are added to the group).
  Is there a trick to having AD security groups work in OD groups every time. (Note they are not distribution groups)
  Thanks,
  Gavin

  If the group was added to SharePoint and then users were added to the group try waiting a day.  The claims token in SharePoint lifetime is fairly long.  So when new users are added to an existing AD group SharePoint will not recognize the new membership
  in the Claims token for 12 -24 hours.  If you add a user today they should be able to log in tomorrow.  Take a look at the following Blog post.  I think this is your issue.
  http://www.andrewjbillings.com/sharepoint-2013-claims-authentication-ad-group-changes-not-reflected/
  Paul Stork SharePoint Server MVP
  Principal Architect: Blue Chip Consulting Group
  Blog: http://dontpapanic.com/blog
  Twitter: Follow @pstork
  Please remember to mark your question as "answered" if this solves your problem.

• SharePoint 2013 Workflow (SPD 2013) fails for Active Directory Group members

  Hi
  I have a SharePoint 2013 site called "Team Meetings". There are a number of lists and an InfoPath form library.
  The site's SharePoint Group "Team Meeting Members" has two Active Directory groups (All Club Managers and All Club Police) as members. Those two AD groups contain all the people that I want to have  access to the library and list, except for
  a few additional folk who I have made individual members. 
  My PROBLEM:
  I  have created a SharePoint 2013 Workflow using SPD 2013 associated with the  Form Library. Workflow is set to start on new or modified item. The first action is to write to history list, then determine the status (Submitted or Pending) of
  the form and go to different Stages depending on that status.
  The workflow works perfectly for any user who has been added directly to the SharePoint group (Team Meetings Members) BUT FAILS at the very first action for anyone who is a member of one of the AD groups. I know the Workflow is fine because I've tested it
  with numerous people who are direct members of the SharePoint Group, but whenever a person who is a member of the AD group tries it the Workflow just fails.
  Here's a print of the info from the Workflow Status page (I don't have access to server logs):
  RequestorId: 4494760f-92ff-2e8c-90d2-cc7df0e6baa4. Details: System.ApplicationException: HTTP 401 {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"SPRequestGuid":["4494760f-92ff-2e8c-90d2-cc7df0e6baa4"],"request-id":["4494760f-92ff-2e8c-90d2-cc7df0e6baa4"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"MicrosoftSharePointTeamServices":["15.0.0.4420"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1;
  RequireReadOnly"],"Cache-Control":["max-age=0, private"],"Date":["Mon, 10 Mar 2014 01:31:42 GMT"],"Server":["Microsoft-IIS\/8.0"],"WWW-Authenticate":["NTLM"],"X-AspNet-Version":["4.0.30319"],"X-Powered-By":["ASP.NET"]}
  The HTTP response content could not be read. 'Error while copying content to a stream.'. at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance
  instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor 
  Members of the SharePoint Group "Team Meetings Members" have Contribute Access to both the form library and another list that the workflow writes to as well as the Workflow History list (which in SP 2013 uses the credentials of the
  user who started the workflow, unlike 2010 which used System Account).
  All members of the Team Meetings Members group, whether they are individual members or part of one of the AD groups, have no problems opening and saving forms etc. It's just the Workflow that doesn't like them...
  I am stumped. I've spent many hours searching for a reason for this. There are about 200 people in the two AD groups so I really don't want to have to add them all individually - especially when these groups are managed in AD for a whole bunch of other reasons
  and using the AD groups means I'll basically never have to worry about modifying the SharePoint access permissions.
  Does anyone have any ideas why this is happening and what I can try to fix it?
  Mark

  Hi Lars,
  I'm afraid not so far but we are trying a few things today so I will post back with results.
  First thing we are doing is making the AD Group universal because one of our (external provider) gurus remembers seeing something about that. He also sent me a link to a post where they were talking about earlier
  versions but having similar issues and their solution was to make sure the app pool account has sufficient permissions in AD::
  http://social.msdn.microsoft.com/Forums/sharepoint/en-US/27a547da-5cc0-49d7-8056-6eb40b4c3242/failed-to-start-workflow-access-is-denied-exception-from-hresult-0x80070005-eaccessdenied
  This part of that thread looks interesting but we haven't checked it yet as were trying the universal setting first:
  "If the users participating in the workflows have been added to the SharePoint site via Active Directory groups, SharePoint has to update the user’s security token periodically by connecting to
  the domain controller. By default, the token times out every 24 hours. But if the application pool account did not have the right permissions on the domain controller to update the user’s token, user will keep getting the access denied error. The error was
  intermittent because when the user browsed to any page other than the workflow form, the token was getting updated successfully.
  You can try to fix it through granting the application pool account the appropriate permission by adding the account to the group “Windows Authorization Access Group” in Active Directory."
  I'll update when we try these ideas. If you have any luck please do the same.
  Mark
  (sorry about formatting - using my phone....)
  Mark

• Lion Server not reading Active Directory Groups reliably

  I am trying to upgrade one of our XServes from Snow Leopard Server to Lion Server and am running into a strange issue with our Active Directory based users and Groups.
  The current Snow Leopard Server serving files from a XSan volume is running fine, though we find a very long Lag time for Windows users to connect. Once a few users have connected the lag seems to go away, but it is still not nearly as fast as Mac users connecting or Windows connecting to a PC server.
  So I have connected a second Xserve to the SAN and performed a clean install of Lion Server. Initially while it would find my Active Directory Groups it would not import any of the users, so obvioulsly no one could connect. In a last ditch effort I installed the beta of 10.7.4, which seemed to resolve the issue for a small group of test users. However as I expanded the test I found that some users would get a message that the were no resources available to them, or they didn't have the correct permissions. This is very strange as everyone is in the same group so should have the same permissions. As a test I took one of the user accounts and created a new share and gave him R/W permission to that share and suddenly all of the shares that he should have had permission to in the first place popped up.
  The only thing that I can think of is that we have such a large Active Directory structure that the authentication is timing out or reaching some user limit and stops looking. (we have over 50,000 users and thousands of groups spread through multiple OUs in the AD structure)
  The new Server.app in Lion looks nice, but it does not seem to have nearly the robustness of the previous Server Admin tools. For instance, I never needed or wanted to setup a "Golden Triangle" but with Lion it is required. Perviously I could search for AD users or groups and drag them from the search window to the share to assign permission, now even though I've imported the groups and users it needs to search the entire directory when assigning permissions - why can't it see the groups that are already there? Why can I run a dscl search and find a user or group instantly, but the Server.app hangs for 5 minutes and shows 0 results?
  Has anyone found a way to make Lion Server work in an enterprise environment?

  Yesterday morning I bound a 10.7.4 server to our AD, and in the afternoon I eventually saw all the AD users, groups, etc show in Workgroup Manager. Now, with dscl, I can see all the AD user and group records, and with Workgroup Manager, I can search the groups, users, and computers, but with the Server.app, when trying to create new group of the type "Imported group from another directory", the searches returned nothing. Directory Utility can show all the AD information also. Our AD has thousands of user record, and so it is reasonable that it may take some time for the Mac server to get all the info. But from the add users or groups interface, I just could not get any search results. What could be wrong then? 

• SharePoint 2013 Active Directory Groups represented as c:0+.w| SID in UserInformation list instead of c:0+.w|Domain\Groupname

  Hi
  We are running on SharePoint Server 2013.When we add AD groups as permissions, we see that the group name is being displayed properly in the permissions. Whereas when I click on the groupname I see the SID with the Sharepoint specific claims characters,
  instead of domain\groupname. I understand that the claims characters are because of claims mode. But I expected domain\groupname instead of SID. Is this the right behaviour.
  When I call SiteData.GetContent web service, I get the SID of the group name instead of the domain\groupname.
  Can someone please clarify?
  Thanks
  Naga

  Hi,
  Yes, the identity claim for an AD group is based on the SID of the group. The claim encoding for an Active Directory group consists of the following sections:
  c:0+.w|<SID>
  •"c" for a claim other than identity
  •"+" for a group SID
  •"." for a string
  •"w" for a Windows claim
  More information:
  http://www.sharepointfire.com/MyBlog/2013/11/get-ad-group-identity-claim-in-sharepoint-2013/
  Thanks,
  Dennis Guo
  TechNet Community Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Dennis Guo
  TechNet Community Support

• FCS 1.5 Not all Active Directory groups visible in list

  Hi,
  We just upgraded Final Cut Server to 1.5 and want to make use of Active Directory groups to set permissions in FCS. I've created a few groups in AD which do not appear in the list when I want to add these to Group Permissions. I do see many AD groups but some are not in the list. I can find the group in the Directory application and also with dscl (dscl /Active Directory/domain.tld -read /Groups/fcs-editor).
  Please advice.
  Thanks in advance,
  Martin

  I found a solution, though it might be still temporary. See if you can narrow down your Directory Search Policy. In your AD forest, you might need just one domain for your department, location, etc.
  So, in Directory Utility, click on Search Policy, delete "/Active Directory/All Domains", don't apply yet, but click on the plus sign, and see what specific domains you can choose from there. Do the same to contacts.
  Though still I can see now 1.592 records of groups or users when I run dscl but at least I know that AD administrators can really clean up our groups listings ( some of those groups are not being used) , and try to keep the number under 2,000.
  It has to be a way to increase the default number of 2,000 in Search Policy, but I haven't had time to do that

• Send Email to group not working

  Using MOSS 2007 SP1, I am creating a SPD workflow and one of the actions is a Email action.
  If I have it send the e-mail to my email address, it works.
  I created an Active Directory security group and put myself in the group.
  If I have it send the email to the Active Directory group, which appears in the lookup list for the To: field, I do not get the e-mail.  There are no errors in the logs.
  I created a Sharepoint Group and put myself in the group.
  if I have it send the email to the Sharepoint Group, which appears in the lookup list for the To: field, I do not get the e-mail.  There are no errors in the logs.
  Why wouldn't the e-mails to the groups work?  Both of those methods should work, shouldn't they?

   
  Hello,
             If you are integrating your MOSS with Exchange server 2007 to send out-going email then please try the following steps to fix your problem:
  1.       Go to Exchange Management Console -> Recipient Configuration -> Distribution group.
  2.       Right-click on the problem group and choose properties.
  3.       On the Mail Flow Settings tab, double click on Message Delivery Restrictions.
  4.       Uncheck the check box "Require that all senders are authenticated".
           Have a try and see the effect.
           Hope it can help you,
           Jerry
  Xing-Bing Yu

• BO XI 3.1 : Active Directory Authentication failed to get the Active Directory groups

  Dear all 
          In our environment, there are 2 domain (domain A and B); it works well all the time. Today, all the user belong to domain A are not logi n; for user in domain B, all of them can log in but BO server response is very slowly. and there is error message popup when opening Webi report for domain B user. Below are the error message: 
         " Active Directory Authentication failed to get the Active Directory groups for the account with ID:XXXX; pls make sure this account is valid and belongs to an accessible domain"
        Anyone has encountered similar issue?
     BO version: BO XI 3.1 SP5
     Authenticate: Windows AD
  Thanks and Regards

  Please get in touch with your AD team and verify if there are any changes applied to the domain controller and there are no network issues.
  Also since this is a multi domain, make sure you have 2 way transitive forest trust as mentioned in SAP Note : 1323391 and FQDN for Directory servers are maintained in registry as per 1199995
  http://service.sap.com/sap/support/notes/1323391
  http://service.sap.com/sap/support/notes/1199995
  -Ambarish-

• Response Groups not working

  Hi there
  My environment is a single Lync 2013 Front End Server installed on Server 2012.
  It works since a year and now we want to use some response groups. I created 2 of them and everything seems fine but i cant call these groups. Not from internal and also not from external.
  The clients shows an 500 internal server error with ID 26017.
  So i traced the whole thing on the Front End Server. It seems the Response Group Service cant work with the local SQL Server. I see three error messages.
  1. TL_ERROR(TF_COMPONENT) [2]0B90.37A8::07/23/2014-06:38:39.119.000002fb (RgsClientsLib,MatchMakingLocator.GetActiveInstanceFromDB:683.idx(479))
  (0000000000150BA8)No instance registered as the active instance!
  2. TL_ERROR(TF_COMPONENT) [1]1E08.2910::07/23/2014-06:38:42.462.00000a34 (RgsHostingFramework,CallControlManager.HandleAudioVideoCall:2049.idx(619))
  (000000000362D054)Call is declined because Call Control is not started.
  3. TL_WARN(TF_COMPONENT) [1]0B90.0B7C::07/23/2014-06:38:48.053.00000f2d (RgsClientsLib,MatchMakingLocator.GetActiveMatchMakingInstance:683.idx(301))
  (0000000000150BA8)There is currently no active MatchMaking instance in the pool.
  The Lync Server Event Log shows this error when the Response Group Service starts:
  LS Response Group Service ID 31067
  Lync Server 2013, Response Group Service Match Making could not find the Contact object used for subscribing to agents' presence.
  Cause: The application has not been properly activated or the Contact object was deleted.
  Resolution:
  Deactivate and then activate the application for this pool.
  Is there a way to reinstall / reconfigure the whole response group service incl. the active directory objects?
  I hope somebody could help
  Regards
  Andreas

  Have you seen this thread:
  http://social.technet.microsoft.com/Forums/lync/en-US/cd25ddec-6e1e-4d58-9a9a-a530abfa82e3/response-groups-not-working?forum=ocsclients ?
  He ran Get-CsApplicationEndpoint and received a warning that let him to a resolution.
  Short of that, I'd rerun step 2 in the deployment wizard and restart services when you can to see if I could jog anything loose.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications

• Windows Active directory group policy objects

  Like many small to medium businesses, we use Firefox in addition to Internet Explorer. The Windows Active Directory group policy objects we have for IE works nicely in all versions of IE. Firefox on the other hand has stopped playing ball. Any policy files I have found on the Internet simply does not fire when used in Windows Group Policy. We have Windows 2008 R2 servers with Windows 7 clients.
  Does Mozilla have official group policy objects that will work with Windows Active Directory group policy and is supported in Firefox versions 27 onwards? A lot of the material on the Internet are simply workarounds to achieve something simple.
  I believe this may have been asked several times already, but no definitive answer has been supplied to
  resolve the issue to my knowledge.
  Thanks and regards

  To my knowledge, Firefox historically has not had integration with group policy, and third party tools have been required to bridge the gap. You may have found templates that work in one of those tools.
  These threads have links to third party tools, articles, mailing lists, and other resources:
  * [https://support.mozilla.org/questions/980567 i need to include the Firefox Browser Configuration in my Group Policy and Control Proxy and Browsing Settings]
  * [https://support.mozilla.org/questions/978874 Is it possible to configure firefox using group policy]
  Please report back if you find a solution. Thanks.

• Syncing Active Directory Groups for Unity Distribution Groups

  We have multiple remote stores with managers that move around quite a bit. This poses an administration nightmare when trying to keep voicemail distribution lists up to date. Is there a way to syncronize an active directory group to a Unity voicemail distribution group? Therefore when we move a manager around in ADS the user automatically moves in Unity.

  Unfortunately this feature has not been re-implemented in Unity Connection. This is one of the few things from Unity that I miss. I suggest voicing your desire for this as a feature enhancement with your Cisco AM.
  If you are doing that many changes you may want to consider going through the Cisco Unity Connection Provisioning Interface. At least you could script the changes there using code that checked AD group membership and replicated the changes into CUC.

• Add a mac to an active directory group using a script?

  I am managing a bunch of Macs and we are using Active Directory groups to assign certificates for 802.11x. I am binding the device to AD using JAMF software and was wondering if I could use a script to then add the deive to an active directory group.
  Thanks in advance...

  I think I misunderstood your question.  If you are trying to add the computer record to a location other than the Computers container, then just change your binding script to target the folder you want.  Remember that the user account you are using to bind must have access rights to this folder.
  For example, the sample command from the man page shows you how.  Say you have a subfolder inside Computers called Macs.  You would do this in your binding script.  Note the notation of an organizational unit within the Computers container.
  dsconfigad -a ThisComputer -u "administrator"
  - ou "CN=Computers,OU=Macs,DC=ads,DC=demo,DC=com" -domain domain.ads.apple.com
  Is that what you are looking to do?

• Search for single member in an Active Directory Group

  Hello all,
  I'm attempting to find a better method to search if a user is a member of a group in Active Directory. I currently retrieve the entire member attribute of the group.
  I need to reduce the time of the query. I would like to be able to search for a specific member (user) of the group instead of retrieving the entire member list of the group.
  I can post my current code if that would help.
  I believe the default Active Directory group object is the ldap group. I know that there are posixGroup and groupOfUniqueNames ldap classes available, but I'm not sure if Active Directory has access to those classes.
  Is my request possible using the group ldap object?

  Thanks for the reply.
  I have read the first post you gave, but not the second. I'm off to read that now.
  My main concern is that I don't have access to the DN of the user in the member attrib. I have access to their CN and uid (which is indexed). From what I can recall from when I last updated this code, I couldn't create a wildcard search filter e.g.,:
  (&(cn=All Scientists)(objectClass=Group)(member=CN=Albert Einstein*))
  If that's correct and I require a DN, is there any way around this?
  I was interested in the posixGroup and groupOfUniqueNames classes. I wasn't aware that these were available through Active Directory, but I see them listed in the AD schema (http://msdn.microsoft.com/en-us/library/ms683908(VS.85).aspx).
  If I'm correct, posixGroup would allow for a filter of (&(cn=All Scientists)(objectClass=posixGroup)(memberUid=AEinstein))
  I'm not sure how typical it is to use the posixGroup class in AD and I'll have to check with my AD team before moving forward with this. But I wanted to get some more direction/ideas before asking them to create some posixGroup objects for me.
  I'm now going to go and read the second post you linked, but I wanted to put the rest of my details out there.
  Thanks again.