Using AD groups for setting security in Sharepoint

Recently we have been experiencing issues with SharePoint security set using AD groups:

Members of these groups are intermittently getting access denied. A few hours later they are able to access the resource (e.g. a site) without error.

The strange thing is that if the AD group is encapsulated in a SharePoint security group, the issue is not present. Members of the AD group when encapsulated are not getting this erroneous behaviour.

7 Replies

@Bart Vermeersch wrote:

[..]

The strange thing is that if the AD group is encapsulated in a SharePoint security group, the issue is not present. Members of the AD group when encapsulated are not getting this erroneous behaviour.


Would need more clarification on this last paragraph of yours, specifically what do you mean by "encapsulation"?

I am not sure about the error, however for the other part - from what I can understand, this is actually a best practice. For any given site (or collection), there are by default at least three SP Groups - Site Visitors, Site Members, and Site Owners. You would typically add AD Security Groups to one of these default groups and are good to go. Should you need any specific access control, you create an SP Group and add the relevant AD Security Group there.

While AD groups may be 'best practice' from a Search performance perspective, they hamper end user control over permissions on a site and increase soft costs for IT. I think there's a good hybrid approach, where security groups are used for primary divisional/portal sites, but let users manage security on team-focused sites.

From the Search perspective you take a hit when individual permissions are used as opposed to AD groups. When you add individuals to a SP group a full crawl will be launched at the next pass of content in order to calculate the ACLs for each individual. So - if you add 100 individuals you will have 100 ACLs calculated for every piece of content. If you have 1 AD group with 100 users you only have 1% of the hit in the crawl.

Precisely as @Trevor Seward stated, the general guidance from TechNet is this:

Considering the previous advantages and disadvantages, here are the recommendations:

  • For intranet sites that are broadly accessed by your users, use security groups because you do not care about the individual users who accessed the intranet site home page.
  • For collaboration sites that are accessed by a small group of users, add users directly to SharePoint groups. In this case, there is more of a need to know who is a member so the group members know each other’s e-mail addresses and how to contact one another.

To go back to my initial issue ;)

We found there are two separate issues; the one we figured out properly goes as follows:

Target audiences set on the navigation menu (I know it's not best practice from a performance point of view).

If the target audience contains a (synced) AD group, it sometimes fails (members of the AD group don't see the menu item).

If a SharePoint group is created with the AD group as its only member, and this SharePoint group is put in the target audience, we don't experience any issues.

So we are creating SharePoint groups (one for every AD group) and using these for the target audience.
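The workaround described above (one SharePoint group per AD group, with the AD group as its only member, and permissions granted to the SharePoint group rather than to the AD group directly), as an added PowerShell example for an on-prem farm using the SharePoint server object model; this is not code from the thread, and the site URL, AD group names and permission level are placeholders. Assigning the resulting SharePoint group to a navigation target audience is still done in the site settings and is not covered here.

```powershell
# Added example (not from the thread): wrap each AD security group in its own
# SharePoint group on an on-prem farm (SharePoint 2013/2016 server object model).
# Assumptions: run in the SharePoint Management Shell as a site collection admin;
# $siteUrl, the DOMAIN\Group names and the permission level are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl         = "https://intranet.example.com/sites/hr"            # placeholder
$adGroups        = @("CONTOSO\HR-Readers", "CONTOSO\HR-Editors")     # placeholders
$permissionLevel = "Read"                                             # placeholder

$web = Get-SPWeb $siteUrl
try {
    # Role assignments can only be added to a web with unique permissions.
    if (-not $web.HasUniqueRoleAssignments) { $web.BreakRoleInheritance($true) }

    foreach ($adGroup in $adGroups) {
        # Resolve the AD group to an SPUser principal (claims login name on a claims web).
        $principal = $web.EnsureUser($adGroup)

        # One SharePoint group per AD group, named after the group's short name.
        $spGroupName = "SP - " + ($adGroup -replace '^.*\\', '')
        $spGroup = $web.SiteGroups | Where-Object { $_.Name -eq $spGroupName }
        if ($null -eq $spGroup) {
            $web.SiteGroups.Add($spGroupName, $web.Site.Owner, $principal, "Wraps $adGroup")
            $spGroup = $web.SiteGroups | Where-Object { $_.Name -eq $spGroupName }
        }

        # Make the AD group the only member: drop anything else that was added by hand.
        foreach ($member in @($spGroup.Users)) {
            if ($member.LoginName -ne $principal.LoginName) { $spGroup.RemoveUser($member) }
        }
        if (-not ($spGroup.Users | Where-Object { $_.LoginName -eq $principal.LoginName })) {
            $spGroup.AddUser($principal)
        }

        # Grant the permission level to the SharePoint group, not to the AD group itself.
        $roleDef    = $web.RoleDefinitions[$permissionLevel]
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($spGroup)
        $assignment.RoleDefinitionBindings.Add($roleDef)
        $web.RoleAssignments.Add($assignment)

        Write-Host "$spGroupName -> $($principal.LoginName) ($permissionLevel)"
    }
} finally {
    $web.Dispose()
}
```

Re-running the script is safe: existing groups are reused, extra members are removed, and the role assignment for a group already present is simply updated.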

Was the audience being compiled after a member was added/removed from the AD group? Compilation only occurs on Sunday in the early AM hours (enforced Online, adjustable on-prem).

Hi Trevor

We have an issue when we add an 'AD Security group' to SharePoint (2016) groups. The users are able to log in to the site, but they can't see any search results until we add them as individuals. We have 4000+ users who need read-only access to the Intranet home pages. I have added the AD domain security group to the SharePoint groups.

Let us know where to check to resolve the issue. The ULS logs only say:

Microsoft.Office.Server.Search.Query.Ims.ImsQueryInternal : Number of tables in Result: 3, Relevant Results: 0 (Total: 0, Total including duplicates: 0),

How can a member of an AD security group see the search results? We are using the Cloud Search service application.

@Trevor Seward interesting discussion that reveals a lot. Where is this knowledge documented: "Compilation only occurs on Sunday in the early AM hours" for SharePoint Online? Is that still the case?