SharePoint group containing AD security group - Check Permissions does not show correct information

I'm seeing a problem with SharePoint 2013 groups that contain Active Directory security groups. When using the Check Permissions feature to see what permissions a specific user has, it does not reflect the correct permissions for a user inside of the AD security group. This occurs when checking permissions on a site, library, list or folder. When a user is added as a direct member of the SharePoint group it lists their proper permissions. I should note that the users ability to access the site or list works properly and coincides with the SP/AD group the user belongs to. It's only the Check Permissions that doesn't work. This does not happen with SharePoint 2010 and the Check Permissions tool is very useful. Any ideas?

April 4th, 2013 5:06am

This is expected behavior.  Until a user logs into the site and is recorded in the UserInfo table, check permissions will not be able to enumerate the specific user's permission, even when they're a member of an AD group that has been added to a SharePoint site.
Free Windows Admin Tool Kit Click here and download it now
April 4th, 2013 3:43pm

How quickly is the UserInfo table updated? Because even when I browse to the library as the user and upload a document, modify and delete. Check Permissions still only shows they should have Read access.
April 4th, 2013 4:51pm

I'm going to have to disagree. 

1) I have tested this in my SP2013 Environment, and no matter what, if someone is added in a domain group, you can not check their permissions even after they have visited the site. 

2) This IS NOT and SHOULD NOT BE expected behavior. 

           when I check permissions for a specific user -> I don't care if you've EVER been to my site before, I want to know if you can get there now... 

Not being able to check permissions based on A/D groups you are in is a HUGE step backward. 

Free Windows Admin Tool Kit Click here and download it now
May 14th, 2014 6:55pm

It has always been the case with SharePoint.
May 14th, 2014 6:56pm

I have added a user to the AD group, the user has hit the site and it is still not showing in "Check Permissions" the same as above.  Will it ever?  Is it a Timer Job that updates the "Check Permissions" ?
Free Windows Admin Tool Kit Click here and download it now
July 28th, 2014 3:58pm

when I check permissions for a specific user -> I don't care if you've EVER been to my site before, I want to know if you can get there now...

Not being able to check permissions based on A/D groups you are in is a HUGE step backward.

Completely agree @SharePointMC.  A user having to first visit a site for check permissions to work correctly is a ridiculous functionality caveat. 

And similar to what you've stated, I still can't get the check permissions to work after visiting the site with the account I'm checking.  I've added my farm accounts to Windows Authorization Access Group in AD at the suggestion that this was the issue, but it doesn't fix the issue.  From my perspective, check permissions for AD users/groups nested in SharePoint groups is just broken with no apparent fix.  Ridiculous.
November 7th, 2014 5:12pm

I am also experiencing same thing..as Trevor stated..even after users have logged into the SharePoint,check permission still shows wrong information. When will it update itself and if not how to make it updated. My end users are calling me regarding this and i have no answer.
Free Windows Admin Tool Kit Click here and download it now
November 25th, 2014 5:22am

I am in the same boat, did someone manage to get around it?

And yes I agree this should be changed to Unaswered as the current Answer is totally wrong

April 14th, 2015 1:59am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics