Why are user permissions set in AD not updated immediately to SharePoint?

Question

I have a SharePoint 2010 Foundation installation on Windows 2008 R2 and SQL Server 2008 and using Claims and Windows authentication.

Subsites are visible only to members of a certain group. However, when I add a user to the AD group that has access to a given subsite, the permissions for that user in SharePoint is not updated before the next day. So there is a mismatch between the permissions in AD and the ones in SharePoint.

For me, it seems like SharePoint is caching the permissions, and only updating them once every day. Is there a way to force a refresh so new permissions are loaded into SharePoint at once?

All is explained here in detail: http://blog.randomdust.com/index.php/2013/06/sharepoint-2013-claim-expiration-and-ad-sync/ — Manu, Mar 11 '15 at 14:59

score 21 · Accepted Answer · answered Jun 17 '11 at 09:41

21

Configure the Token Cache to a smaller value: http://technet.microsoft.com/en-us/library/cc287917(office.12).aspx. Default is 1440 minutes (24hrs)

answered Jun 17 '11 at 09:41

Wictor Wilen MCA MCM MVP

18,207
40
64

Great tip! I will try that. – azzlack Jun 18 '11 at 17:18
1

I tried this but it doesnt work for me. http://sharepoint.stackexchange.com/questions/70664/sharepoint-2010-ad-user-permission-not-updated-instantly-in-sharepoint – Kannan Karmegam Jun 17 '13 at 07:52
@Wictor, is this applicable to azure AD also? – Mihir Jul 17 '19 at 16:15

Ashish Patel · Answer 2 · 2011-06-16T04:18:30.683

7

Original

This may due to the fact that Sharepoint imports the group membership information from Active Directory on a regular basis. the Frequency depends on configuration of your User Profile Synchronization service in central Admin. Profile synchronization is described nicely here: http://technet.microsoft.com/en-us/library/gg188041.aspx#groups

Updated Looking at comments below and carefully reading the link above, I think that AD Group membership is used for while Sharepoint compiled the target audiences. It is possible that even running profile synchronization does not solve your problem. Try using IISRESET /NOFORCE and see if it immediately detects AD changes (and clears the cache). I came across a long thread related to similar problem and I could not find a proper answer. Please share your experience and findings.

edited Jun 16 '11 at 04:18

answered Jun 15 '11 at 18:49

Ashish Patel

11,385
3
22
29

Great link Ashish! – Neil Richards Jun 15 '11 at 20:20
I answered a similar question a couple days ago about access with AD groups and got downvoted. AD permissions are tied to the profile import. I want my 2 points back Anders! – Eric Alexander Jun 15 '11 at 20:46
1

@PirateEric for once you cannot compare 2007 user profiles with 2010 since the architecture was changed completely with SP 2010 using FIM. Also read the article, it clearly states that groups are only used for Audiences, not authentication :-) – Anders Rask Jun 15 '11 at 21:13
1

gpupdate /force seems to work as well. – Colin Jun 16 '11 at 06:49
User Profile Synchronization is not available in Foundation, only Standard and Enterprise. Will try out the "iisreset /noforce" and "gpupdate /force" though. – azzlack Jun 17 '11 at 06:53
1

I think this has nothing to do with user profile sync. I tried tip suggested by Wictor but it doesnt work in my case – Kannan Karmegam Jun 17 '13 at 07:53
1

This has nothing to do with User profile services. UPS are meant for My sites and social features. – Kannan Karmegam Jun 26 '13 at 15:10
1

iisreset /noforce worked for me on SPS 2013. – NekojiruSou Apr 07 '15 at 03:38
@NekojiruSou you can do it without iis reset or gpupdate so you can solve this problem so immediately applied. by http://sharepoint.stackexchange.com/a/201540/5170 – saber tabatabaee yazdi Dec 05 '16 at 19:08

score 7 · Answer 3 · answered Jun 26 '13 at 15:14

Hope this will help someone because I faced the same issue. The claims based token is refreshed every 10 hours and hence if you make any changes to Active directory group memberships it won't reflect immediately in the token. you need to run the following powershell command to adjust the token life time to a smaller value.

$sts = Get-SPSecurityTokenServiceConfig
$sts.WindowsTokenLifetime = (New-TimeSpan –minutes 60)
$sts.FormsTokenLifetime = (New-TimeSpan -minutes 60)
$sts.Update()
Iisreset

It is explained in detail here http://www.shillier.com/archive/2010/10/25/authorization-failures-with-claims-based-authentication-in-sharepoint-2010.aspx

We are using SP2010 and not using CLAIMS (we use NTLM). Is the 10 hours frequency still valid? — Mark L, Jan 04 '17 at 02:27

score 0 · Answer 4 · answered Jun 21 '17 at 08:40

Another way of doing this is by using the STSADM executable that is available on the SharePoint server. Please note, that while this works in 2007, 2010 & 2013, it is deprecated in 2010 and 2013.

Set token timeout to 2 minutes :

stsadm.exe -o setproperty -propertyname token-timeout -propertyvalue 2

Return to default setting (24 hours) :

stsadm.exe -o setproperty -propertyname token-timeout -propertyvalue 1440

Why are user permissions set in AD not updated immediately to SharePoint?

4 Answers4

Linked