AD Group membership not updating in Sharepoint Foundation when adding Active Directory group to Sharepoint group

I have SharePoint Foundation installed with the latest CU updates. It is running on a VMware box (Windows Server 2008 R2 Standard) with its backend on a SQL Server 2008 R2 VMware box. The farm account is a domain user and has been given all appropriate replication rights, etc. to Active Directory.
Everything seems to be working fine except for security integrated with AD groups. When I go to edit permissions I can add individual AD users just fine and remove them just fine, and their access is taken away right away or given to them right away. I can also find AD groups in the people picker and add them to the site. When I add new groups to AD, they are found immediately within SharePoint, and when I delete groups from AD, they are taken out of the people picker right away. Now comes the weird part. When I add an AD group to the site, all users currently within that AD group are given access to the SharePoint site. This works for the first time only. Now when I add or remove users from the AD groups, it does not update in SharePoint. For example, I have an AD user testuser1 in the AD group "All Users". testuser1 does not have access to SharePoint. So I add the AD group to the SharePoint group "Visitors". testuser1 now has read access to the SharePoint site. Now, I remove testuser1 from the AD group, but testuser1 still has access to the site even though he is not part of the AD group, nor does he have any individual permissions to the site. Now, I add testuser2 to the AD group. testuser2 does not have access to the site, even though he is part of the AD group.
It seems that the only time AD group security is working for me is when I first initially add the AD group to the site. From then on, it's like SharePoint is caching the members of the group and not updating any new adds or deletes from the groups. Any ideas? I am lost on where to go from here as I have tried everything from clearing cache files, rebooting servers, iisresets....

I think I have at least cornered the problem, but am not 100% sure yet that it is the correct answer. I think it could be 1 of the following 2 scenarios.
Scenario 1: We have 3 web applications set up on our web server: port 80 - our SharePoint web app, 2020 - our My Site web app, 2040 - our Search web app. We are using host headers (http://sharepoint.***.com) instead of a server name. So we set up our access mappings (Central Admin -> Application Management -> Configure Alternate Access Mappings) to use the host header (http://sharepoint.***.com) as the default mapping and the server name as the intranet access mapping. By setting the default access mapping to host headers, I noticed that SharePoint automatically assumes that all web apps are on port 80. You can see this by going to (Central Admin -> Manage Web Applications). The port listed all 3 web apps on port 80. So I think when I was doing a profile sync and using My Sites, it was messing with my AD security because of this. What I did was the following. I went to Central Admin -> Manage Service Applications -> [Name of your user profile service] -> Setup My Sites. I made sure that my preferred search center had the correct port number on it (mine originally had no port number), that my My Site host had a port (again no port number originally), as well as the personal site location. I then saved this.
Scenario 2: Our user profile sync had 2 BDC connections that were corrupt and throwing errors. I rebuilt the connections and remapped them to the proper user profile property.
I did both of these scenarios above around the same time. I then restarted all my servers, and at last the AD group security is now functioning appropriately. I have done multiple IIS resets and server restarts. The issue has only reappeared once. After restarting the machine again, we were back to the AD groups functioning correctly. Because we had the issue reappear once after doing the above, I still do not feel 100% sure that either one of the above corrected the issue completely.
As long as we are up and running currently, I am moving on to other tasks with this project. My only concern is that it will break again and I will have to revisit it when we restart the servers....which is never fun. I will update as I find a "true" answer to this issue.... Let me know if any of the above helped you or if you find something I may not have thought of.

Similar Messages

  • Catalog group membership not updating

    Hi,
    I am experiencing a problem with my catalog groups. I have just created a new catalog group and added a user account as a member and also removed that user account from another group by logging in as administrator in answers and using settings - manage presentation catalog groups and users.
    If i now log in as that user the membership hasn't updated and when I click on My Account for that user it still shows as a member of the old group and not the new one.
    My security for users is done through LDAP and in Tools - Options in Admin console on the repository tab I have the LDAP Cache refresh interval set to 1 minutes.
    I know if I restart the presentation services that it will work ok but I don't want to have to do that as I have users using the system.
    Any advice would be appreciated.
    Thanks
    Patricia

    hi,
    you can try to set in the instanceconfig.xml
    the tags
    --->
    <CacheMaxExpireMinutes>2</CacheMaxExpireMinutes>
    <CacheMinExpireMinutes>1</CacheMinExpireMinutes>
    <CacheMinUserExpireMinutes>1</CacheMinUserExpireMinutes>
    <ClientSessionExpireMinutes>10</ClientSessionExpireMinutes>
    <SearchIDExpireMinutes>9</SearchIDExpireMinutes>
    <---
    they control the cache of the browser
    check the administrator guide for more information
    --check on another PC or check with another browser at the same
    i hope i helped....
    http://greekoraclebi.blogspot.com/

  • Can not update exchange due to error with Active directory

    Error:
    The following error was generated when "$error.Clear();
     Install-CannedRbacRoles -InvocationMode $RoleInstallationMode -DomainController $RoleDomainController
    " was run: "Active Directory operation failed . This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031520B2, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    I have tried everything I can find on the web. Any assistance would be appreciated. Thank you.

    I see now that you have logged into domain
    Another thing, check if Allowed Inheritance is blocked on this account (bmoore)?
    Cheers,
    Gulab Prasad
    Technology Consultant

  • Prepare-Move-Request - membership not updated

    Hi,
    When executing Prepare-MoveRequest, I get problems with updating security group membership (2 security groups in the following screenshot). Updating distribution group membership is OK (1 distribution group in the following screenshot).
    The distribution group and the security groups were previously manually created at target forest.
    The question is:
    Does "PrepareMoveRequest" update only distribution group membership?
    Thanks in advance!

    Hi Lynn-Li,
    The problem remains the same.
    The test mailbox account (source forest) is a member of 3 security groups (1 universal, 1 global, 1 domain local) and 3 distribution groups (1 universal, 1 global, 1 domain local). The security groups were manually created at the target forest with the same name, type and scope. At the target forest the distribution groups are universal.
    In the following screenshot the membership of the distribution groups is updated, but the membership of the security groups is not updated.
    The questions are:
    Is the above problem with security groups membership the normal behavior with Prepare-MoveRequest script?
    Thanks in advance!

  • Planner group is not updated in service notification using BAPI

    Hi,
    Planner group is not updated in service notification using BAPI BAPI_ALM_ORDER_MAINTAIN.
    I have written the code below, but the planner group is not updated in the service notification.
    Please advise which parameters I need to pass to update the planner group in the service notification.
      wa_methods-refnumber      = '000001'.
      wa_methods-objecttype     = 'PARTNER'.
      wa_methods-method         = 'CREATE'.
      wa_methods-objectkey      = wa_subscr1-aufnr.
      APPEND wa_methods TO i_methods.
      wa_methods-refnumber      = '000002'.
      wa_methods-objecttype     = 'HEADER'.
      wa_methods-method         = 'CREATE'.
      wa_methods-objectkey      = wa_subscr1-aufnr.
      APPEND wa_methods TO i_methods.
      wa_methods-refnumber      = '000000'.
      wa_methods-objecttype     = ' '.
      wa_methods-method         = 'SAVE'.
      APPEND wa_methods TO i_methods.
      REFRESH i_partner.
      CLEAR wa_partner.
      wa_partner-orderid        = wa_subscr1-aufnr.
      wa_partner-partn_role     = 'VW'.
      wa_partner-partn_role_old = ''.
      wa_partner-partner        = wa_subscr1-parnr.
      wa_partner-partner_old    = ''.
      APPEND wa_partner TO i_partner.
      REFRESH i_planrgrp.
      CLEAR wa_planrgrp.
      wa_planrgrp-orderid       = wa_subscr1-aufnr.
      wa_planrgrp-plangroup     = wa_subscr1-ingpr.
      APPEND wa_planrgrp TO i_planrgrp.
      REFRESH i_planrgrp_up.
      CLEAR wa_planrgrp_up.
      wa_planrgrp_up-orderid    = wa_subscr1-aufnr.
      wa_planrgrp_up-plangroup  = 'X'.
      APPEND wa_planrgrp_up TO i_planrgrp_up.
    *----Change order details with Technician name
      CALL FUNCTION 'BAPI_ALM_ORDER_MAINTAIN'
        TABLES
          it_methods   = i_methods
          it_header    = i_planrgrp
          it_header_up = i_planrgrp_up
          it_partner   = i_partner
          return       = i_return.
    Thanks & regards,
    Krishna

    Try this way
    CALL FUNCTION 'BAPI_SERVNOT_CREATE'
    EXPORTING
    * EXTERNAL_NUMBER =
    notif_type = 'S3'
    notifheader = ls_notif_h
    * TASK_DETERMINATION = ' '
    * SENDER =
    * ORDERID =
    IMPORTING
    NOTIFHEADER_EXPORT = ls_notif_e
    TABLES
    * NOTITEM =
    * NOTIFCAUS =
    * NOTIFACTV =
    * NOTIFTASK =
    * NOTIFPARTNR =
    * LONGTEXTS =
    * KEY_RELATIONSHIPS =
    return = lt_return
    * IF lt_return IS INITIAL.                                  " <<< Comment this line
    read table lt_return into ls_return with key type = 'E'.    " <<< Change
    if sy-subrc ne 0.                                           " <<< Change
    COMMIT WORK AND WAIT.
    write: / ls_notif_e-NOTIF_NO.
    ELSE.
    LOOP AT lt_return INTO ls_return.
    WRITE:/ 'errors'.
    * ls_return.
    ENDLOOP.
    endif.

  • Organization chart with Active directory AD in Sharepoint 2013

    Dear All,
    I need to create an organizational chart with SharePoint 2013 from Active Directory. Is there any open-source web part for 2013? Please confirm.
    Regards
    RB

    Anyone know about it?
    RB

  • User and Group information not updated in Sharepoint 2010

    Hi,
    Recently, our organisation has made updates to users and groups in Active Directory. The information was not updated in the site collection. I tried to:
    - recreate and synchronize a new service application (no effect)
    - delete the old synchronisation databases (stsadm -o sync -deleteolddatabases 5)
    - stsadm -o sync -synctiming m:5 and stsadm -o sync -sweeptiming m:5 (no effect)
    - I have no error or warning when I run the synchronisation; all databases are started.
    Can anyone help me please??
    Thanks

    Is User Profile to SharePoint Full Synchronization job up and running? Do you see any errors when this job runs? Turn on verbose logging to see details when this job runs.

  • AD security group memberships not coming over to SP2013.

    This seems to have coincided with applying a number of updates to our SharePoint server via Windows Update over the weekend. Since then, changes in AD security groups are not being reflected by the appropriate access in SharePoint. If somebody has been a member of an AD group prior to this weekend, their access is fine. But changes made today aren't seeming to propagate. Any suggestions?
    Thanks!

    Because SharePoint 2013 is based on claims it is normal for users added to AD groups to not gain the permissions for up to 24 hours because the claims tokens are cached.
    http://sergeluca.wordpress.com/2013/07/06/sharepoint-2013-use-ag-groups-yes-butdont-forget-the-security-token-caching-logontokencacheexpirationwindow-and-windowstokenlifetime/
    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
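The token caching the reply above describes (and that the original poster observes as SharePoint "caching the members of the group") is controlled by the farm's security token service configuration, which exposes exactly the two settings the linked post names. The script below is an added example, not code from this thread or from the linked blog; it assumes it is run in an elevated SharePoint Management Shell on a farm server, and the 2-minute lifetime and 1-minute cache window are illustrative values chosen here, not figures from the thread.

```powershell
# Added example: inspect, and optionally shorten, the SharePoint security
# token cache so that AD group membership changes are picked up sooner.
# Assumes an elevated SharePoint Management Shell on a farm server, run by a
# farm administrator. Without -Apply the script only reports current values.
param([switch]$Apply)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$sts = Get-SPSecurityTokenServiceConfig

# Current farm values. Out of the box the Windows token lives for 10 hours and
# the logon token cache window is 10 minutes, so a user's group list can stay
# stale for hours after the AD change.
"WindowsTokenLifetime            : {0}" -f $sts.WindowsTokenLifetime
"LogonTokenCacheExpirationWindow : {0}" -f $sts.LogonTokenCacheExpirationWindow

# Illustrative target values (assumption, not a thread recommendation).
$newLifetime = New-TimeSpan -Minutes 2
$newWindow   = New-TimeSpan -Minutes 1

# Guard: the cache window must be shorter than the token lifetime. A window
# longer than the lifetime is a known misconfiguration that makes every token
# look expired and produces access-denied errors for all users.
if ($newWindow -ge $newLifetime) {
    throw "LogonTokenCacheExpirationWindow ($newWindow) must be shorter than WindowsTokenLifetime ($newLifetime)"
}

if ($Apply) {
    $sts.WindowsTokenLifetime            = $newLifetime
    $sts.LogonTokenCacheExpirationWindow = $newWindow
    $sts.Update()
    "Updated: lifetime={0}, cache window={1}. Tokens already cached expire on their old schedule." -f $newLifetime, $newWindow
} else {
    "Dry run: re-run with -Apply to set lifetime={0}, cache window={1}" -f $newLifetime, $newWindow
}
```

Shorter values mean more frequent AD lookups on every front end, so pick the window to match how quickly you need access changes, including revocations like the testuser1 case above, to take effect.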

  • AD groups membership not working for target Audience

    Hiya,
    Got a peculiar problem here. Trying to set an audience on a link, it doesn't work as we want it to. We have the following behavior:
    If adding users directly to a SharePoint group, no problems. However, if adding an AD group to an SP group, it doesn't work. Member count for the AD group is 0.
    The AD group is created as Global; however, I tried placing it in a Domain Local group to see if that changed anything. SP syncs the AD groups fine, however it seems like it doesn't read the members, thus not granting any users access based on AD group membership.
    Not sure if this is default behavior or?

    Hi,
    It seems to be a known issue, but there is no workaround for this.
    It is worth reading these threads:
    http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/8ede2f40-2b11-416b-b426-51c1b6479c33
    http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/586494b9-d259-4abf-a857-26137fa30460
    Hope this helps
    Thanks!
    Stanfford
    Everything will be fine.

  • Group Memberships not Flowing into Metaverse

    Hello,
    I'm trying to figure out why the group member attributes in the CS are not flowing into the MV.  Here's what I have:
    An HR system running on SQL Server
    A staging database that extract data from the HR system
    The staging database has a table representing person object
    The staging database has a table representing person multi-valued attributes (i.e. location, job code, etc.)
    The staging database has a table representing group objects
    The staging database has a table representing group memberships (multi-valued)
    A SQLMA connected to the person and person multi tables
    A SQLMA connected to the group and group membership tables
    All group memberships are based on job codes and locations. There are no approval processes in place. If they have this job code, they get certain groups. That's all calculated in the staging database and the memberships are in the group membership table
    This system does connect to AD (and a few other things), but I'm not concerned with that, right now.
    I've read 100 articles on this, most of them over 5 years old, and tried the ones that made sense.  The flow from the database into the CS works well.  No issues there.
    But, a search of the metaverse for the group shows an empty member attribute.  The sync process is not throwing any errors.  At least they're not showing up in the sync service app or the event logs.
    Where allowed, I'm using rules extensions for everything. I can't use a rules extension to set the member attribute because it's an RDN.
    I'm going to move forward with this by extending the metaverse schema and adding a multi-valued string attribute named "memberOf" to the person object. Then, I'll modify my existing MA to use that attribute instead of the member attribute.
    I'm not sure what kind of issues I'm going to run into when exporting that to AD. I'll cross that bridge when I come to it. I don't anticipate that being an issue as the DNs for all these objects will be calculated by the ADMA based on locations, group functions and person types (basically, I don't care about the MV RDN).
    Anyway, I'm looking for some real world insight on this.  This whole effort is to migrate off an existing IDM system that works very, very well but quite expensive to license.
    Thanks,
    Greg Wilkerson

    Hey Cameron,
    I have total control of all the DB tables FIM is accessing.  I build them up as part of IDM process.
    I've read this article, along with the many others that address the "manager" scenario. This really doesn't apply in this case as the user and group objects are loaded in separate MAs. Getting reference values to flow with both objects living in the same CS shouldn't be an issue.
    I also saw a solution where the group and user objects were in the same table and differentiated by the "object_type" value (user, group). That solution solved the issue of the groups and users being in the same CS. As I grow tired of my daily FIM beatdown, that solution is growing more attractive. That's a major DB redesign, and seems quite inefficient.
    The multi-value table for group memberships already exists in the DB. For FIM purposes, I transferred that data into the user object multi-value table. See screen shot. I can certainly configure the group MA to access that multi-value table and load the group members as references. But, because the group MA CS will not contain the user objects, I don't see how the references will be set. If the reference value isn't set in the CS, it's not going to flow into the MV (at least I haven't figured out a way to set a reference value for an object in the MV - my problem all along).
    This whole "setting a reference value" encompasses much more than just group memberships in my implementation. Telephone resources and physical access (key cards, etc.) are provisioned through the existing eDirectory system. These objects exist in our current IDM system and are associated with users based on rules. So, the reference value process is something I need to figure out, if I'm going to use this product.
    Maybe I could use a stripped down ECMA2 as a "staging" CS, export the users and groups into this CS and assign the reference values, then import the groups back into the MV, memberships intact. I'm not sure that would get me where I want to go, and it seems like a lot of extra "stuff" to solve what should be a simple problem. Hmmmmmm. Or, connect the ECMA2 directly to my group membership multi-value table in the DB. Hmmmmmm. I'd still have to export the groups and users into that CS, but the import might be much more straightforward. Hmmmmmm.
    The structure of my GroupMembership table (both columns are anchors or directly translatable to anchors):
    EmployeeGroups
        GroupName  varchar(50)       not null,
        EmployeeID nvarchar(50)      not null,
        ID         int identity(1,1) not null

  • RRM RF Group Leader not updating RF Group Members

    We cannot get RRM RF Group Leader to update the RF Group Members. On our group leader controller, it sees our other controllers in the RF group. We have APs assigned to all four of our controllers and the tx power and dynamic channel assignment do not work. When we put all of the APs onto the RF group leader controller, the tx power levels and dynamic channel assignment both work as they are supposed to. All of our settings on our controllers are exactly the same. I guess my question is, is there a set of specific settings that I need to apply before RRM starts to update from the RF group leader?

    We have all four of our controllers on the same RF Domain Name. We have verified the status of the Mobility Group using eping and mping. We split up our APs on two of our controllers that are in the same 6500 and it still would not update from the RRM Group Leader. We "tricked" the WLC into moving the group leader onto the other controller that was in the same 6500. The same thing happened, now the 2nd controller won't send updates to the original controller. We moved all the APs onto the group leader and everything worked fine.

  • AD System Group Discovery not updating System OU Name on computer object when computer moves OU

    2 related questions.
    1. We have noticed that computer objects (active clients) in ConfigMgr are not getting their System OU Name discovery data updated when a computer account is moved from one OU to another, and AD System Group Discovery runs. Since we are basing some of our Software Updates collections on AD OU name, these systems are not falling into their required collections.
    2. On a few occasions we are also seeing duplicate computer objects being created. One new record from AD System Discovery, which contains the correct 'new' System OU Name, and one 'old' computer object from before the computer account was moved to a different OU in AD. The heartbeat discovery of this second object is still updating e.g. showing new heartbeats, but the computer object still shows the old System OU Name from before the computer account was moved in AD. If we delete both objects and run a Discovery Data Collection Cycle from the client, and AD System Group Discovery, then we get one new record with the correct 'new' set of System OU names.
    This duplicates issue is happening in both our Central Primary Site and our other child Primary site. Both sites are set to create new client records for duplicate hardware IDs, and there is a possibility we're seeing the duplicate records on machines that have been re-imaged and redeployed at some point.
    It's my understanding that it is AD System Group Discovery that updates the System OU Name property on client objects. We have this set to run every 4 hours. I'm not seeing any errors in the adsysgrp.log. Any idea why discovery is not updating the System OU Name information when a computer account moves OU? As far as I understand it, nothing additional is required to happen from the client end for this property to get updated.

    The only thing I can think of would be ad sys group discovery not running at the site where the client is assigned to?
    "Everyone is an expert at something" Kim Oppalfens Configmgr expert for lack of any other expertise. http://www.scug.be/blogs/sccm
    Hi Everyone..
    Any reply or correct answer to this question???
    I have the same problem. Duplicate machine names are created when a machine is moved to a different site.
    And also, AD System Group Discovery is running on all the sites (I have 4 sites).
    System Security analyst at CapG

  • OU based Device Collection Membership not updated frequently

    Hi,
    I have created one OU-based device collection and checked "Use incremental updates for this collection" under Membership Rules, but whenever any computer object is moved from this OU to another OU, the device is not removed from that OU-based device collection... The collection membership change is not happening properly even after I did Update Membership on that OU-based device collection..
    My requirement is that whenever any computer object is added to or removed from any OU in AD, the membership of the corresponding OU-based device collection should be updated within 5-10 minutes. How can I do this?
    To achieve this I did the configuration below, but the membership of the collection is not updated... please guide..
    Shailendra Dev

    To add to Jorgen, note, there is going to be more to it than just AD discovery.
    What exactly does your query look like?
    Exactly how often is both your Hardware inventory and Heartbeat discovery set to? Do you have SW inventory enabled?
    Just to get things out there, IMO the requirement of updating within 5-10 minutes is nuts.
    Garth Jones

  • Available Group Wikis not update after group is removed

    I removed group from workgroup manager and directory service. But group wiki is still shown on Groups home page and I can even login with old member's id and password. How I can remove this?

    Yep, I'm having a similar issue.
    I've deleted the wiki site, created a new one (same domain) and added new groups. When I view the site the old groups and all the old data is all I can see. Obviously Groups bear no resemblance to the data - maybe they just provide authentication?
    Anyone know how to delete a Wiki and have it permanently removed?
    Any help would be much appreciated.
    Cheers

  • Unable to display this Web Part. To troubleshoot the problem, open this Web page in a Microsoft SharePoint Foundation-compatible HTML editor such as Microsoft SharePoint Designer. If the problem persists, contact your Web server administrator.

    We are unable to display a web part. It shows the web part error below:
    Error while executing web part: System.Xml.XmlException: Root element is missing.
        at System.Xml.XmlTextReaderImpl.Throw(Exception e)
        at System.Xml.XmlTextReaderImpl.ParseDocumentContent()
        at Microsoft.SharePoint.WebControls.XmlUrlDataSource.FetchData(String requestUrl)
        at Microsoft.SharePoint.WebControls.BaseXmlDataSource.Execute(String request)
        at Microsoft.SharePoint.WebControls.BaseXmlDataSource.GetXmlDocument()
        at Microsoft.SharePoint.WebControls.SingleDataSource.GetXPathNavigatorInternal()
        at Microsoft.SharePoint.WebControls.SingleDataSource.GetXPathNavigator()
        at Microsoft.SharePoint.WebPartPages.DataFormWebPart.GetXPathNavigator(String viewPath)
        at Microsoft.SharePoint.WebPartPages.DataFormWebPart.PrepareAndPerformTransform(Boolean bDeferExecuteTransform)
    Could anyone give me a solution to this?
    Regards
    Ravi kumar
    ravi sharepoint

    Hi
    I got the errors below in that web part.
    5/28/2014 6:21 AM    w3wp.exe (0x1F04)    10176    SharePoint Foundation    Monitoring    High    Leaving Monitored Scope (EnsureListItemsData). Execution Time=38.95746526444
    5/28/2014 7:04 AM    w3wp.exe (0x1F04)    10452    SharePoint Foundation    General       High    The user does not exist or is not unique.
    5/28/2014 7:04 AM    w3wp.exe (0x1F04)    10452    SharePoint Foundation    Monitoring    High    Leaving Monitored Scope (DataBinding DataFormWebPart (MCH Projects View Web Part)). Execution Time=1696.60494560063
    I got these log messages from a SharePoint log investigation tool.
    Let us know any suggestions on this.
    ravi sharepoint
