Wednesday, June 4, 2008

SharePoint security cache AD Group?

There seems to be a funny problem where AD group names are cached by SharePoint. So far I've observed two scenarios:

Scenario 1: Unable to set AD group into MOSS security

I created my own AD group and added some users into it. Then I added the AD group directly into a SharePoint subsite and granted it some permissions. This works out fine. Then I removed the AD group from SharePoint, deleted the group from AD, and repeated the process again, reusing the exact same AD group name. This time, the users will not have access, as though the AD group was not added into SharePoint at all.

This problem can be fixed by performing an iisreset before re-adding the newly created AD group (with a name identical to the previously deleted one) back into SharePoint. I’ll be performing “iisreset”s in the future when I’m setting up user permissions.
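As an added diagnostic for Scenario 1 (example code, not from the original post): a group recreated in AD under the same name gets a new SID, so before resorting to an iisreset you can compare the SID SharePoint recorded for each domain group on the web with the SID AD resolves the name to right now. It assumes SPUser.Sid reflects the mapping SharePoint is using, and that the console runs on the farm under an account that can open the site and query the domain.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using Microsoft.SharePoint;

public static class GroupSidCheck
{
    // Returns the login names of domain groups on the web whose recorded SID
    // no longer matches what AD currently returns for that name.
    public static List<string> FindStaleGroups(string webUrl)
    {
        List<string> stale = new List<string>();
        using (SPSite site = new SPSite(webUrl))
        using (SPWeb web = site.OpenWeb())
        {
            foreach (SPUser user in web.SiteUsers)
            {
                if (!user.IsDomainGroup) continue;   // only AD groups are of interest here

                string currentSid;
                try
                {
                    // Ask the domain what DOMAIN\group resolves to right now.
                    currentSid = new NTAccount(user.LoginName)
                        .Translate(typeof(SecurityIdentifier)).Value;
                }
                catch (IdentityNotMappedException)
                {
                    Console.WriteLine("{0}: no longer exists in AD", user.LoginName);
                    stale.Add(user.LoginName);
                    continue;
                }

                if (!string.Equals(user.Sid, currentSid, StringComparison.OrdinalIgnoreCase))
                {
                    Console.WriteLine("{0}: SharePoint recorded {1}, AD now returns {2}",
                        user.LoginName, user.Sid, currentSid);
                    stale.Add(user.LoginName);
                }
            }
        }
        return stale;
    }

    public static void Main(string[] args)
    {
        // Usage: GroupSidCheck.exe http://server/sites/subsite
        List<string> stale = FindStaleGroups(args[0]);
        Console.WriteLine("{0} stale group mapping(s) found", stale.Count);
    }
}
```

An empty result with users still locked out points at the in-process token cache rather than the stored mapping, which is the case the iisreset clears.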

Scenario 2: People picker does not have the AD group

The scenario is like this: from a web part's properties page, under the Advanced section, click on the browse button to bring up the people picker. Switch to finding under Distribution/Security groups and perform a search. The AD groups that are supposed to be there are not found.

To fix this problem, just perform a full user profile import from the Shared Service Provider administration. But there's a catch: you MUST delete all existing user profiles first, by viewing all existing user profiles and selecting all to perform the delete. Yes, a painful process, as there's no option to delete all existing user profile data, and it didn't work when I just performed a full user profile import directly.

Update: I've written a small console application to quickly delete all user profiles:

/* Include the following namespaces */
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;
using Microsoft.Office.Server;
using Microsoft.Office.Server.UserProfiles;

/* Here's the quick and dirty method */
public void PurgeUserProfile(string url_)
{
    using (SPSite site = new SPSite(url_))
    {
        ServerContext context = ServerContext.GetContext(site);
        UserProfileManager profileManager = new UserProfileManager(context);

        // Collect the profile IDs first: removing profiles while still
        // enumerating the manager can invalidate the enumerator.
        List<Guid> ids = new List<Guid>();
        foreach (UserProfile profile in profileManager)
        {
            Console.WriteLine("Deleting " + (String)profile[PropertyConstants.AccountName].Value);
            ids.Add(profile.ID);
        }

        foreach (Guid id in ids)
        {
            profileManager.RemoveUserProfile(id);
        }
    }
}


Home Sweet Home said...

Hi Swee Ching,
Recently I have had a user profile import issue too; my initial thought was to delete all existing user profiles and reimport.

However, to prove whether the deletion is necessary, I started a full import without deleting the existing users from User Profiles. In the end, it worked without the deletion.

Just wondering, is the deletion really necessary?

SookYee ^^

Swee Ching said...

Hi Sook Yee,
There are lots of things in SharePoint that we just don't know how they work. I just know it worked for me previously, so I'm glad it worked for you without deleting :)