SP 2019 - no longer able to add AD security group to Sharepoint Group for permissions

Occasional Contributor

We have SP 2019 on premise.  Recently, we attempted to add an AD local security group to a SP group to give permission to a collection.  The name resolves but when I hit the share the group does not show up in the permission list.  No indication of any action at all nor any errors that I could see.  We were able to last Tuesday as I see a group in there with that date added by our developer.  If we attempt to add an AD user to the permission group it works just fine.  This would be painful if we have to add users this way.  I believe there was an update ran over the weekend but need to confirm.  We checked other collections and seems to the same case throughout the entire site.  Is there anything I can check or verify as to why an AD sec group can no longer be added?

7 Replies
Can you check the ULS logs and see what log activity there is? You may need to set the log to verbose, Set-SPLogLevel -TraceSeverity Verbose.

@Trevor Seward Hey Trevor, thanks for the response.  I looked at those logs and it looks like the user profile sync service account is not working. The account is not locked so I'm not sure if its a different issue as the error indicates a failure to decrypt the connection password.  I have not seen this error before.  I rather not change the password yet as I think my old sharepoint admin used it elsewhere which we are identifying.  Would this be related to my inability to add AD security groups to sharepoint permission.

General 7200                Critical   Failed to decrypt connection password for ConnectionForectName 'domain.local', ConnectionSynchronizationOU 'DC=SOG,DC=Local', ConnectionUserName 'domain\account'. Please refresh connection credentials. a77c6a9f-4b17-a0cf-6cd8-e9f87678dff3


Essentially that is saying you need to re-enter the credentials for the Sync account in the AD Import configuration screen.

We ran a full synchronization and it resolved this issue with the user profile sync.  We are still having the issue where we can only ad domain user accounts but not domain security group.  Is there any other way to troubleshoot this? 

We figured it out.  We ran a command for the people picker to our trusted 2nd domain and on sharepoint servers and not just frontends.  Needed to be ran on app server as well but had to find the app cred key from front ends and imported them.  Seems to work now.

Hi @William Phillips 


Whats the command are you referring to?

Are you able to share? I am having the same issue.