I'm seeing a problem with SharePoint 2013 groups that contain Active Directory security groups. When using the Check Permissions feature to see what permissions a specific user has, it does not reflect the correct permissions for a user inside of the AD security group. This occurs when checking permissions on a site, library, list or folder. When a user is added as a direct member of the SharePoint group it lists their proper permissions. I should note that the users ability to access the site or list works properly and coincides with the SP/AD group the user belongs to. It's only the Check Permissions that doesn't work. This does not happen with SharePoint 2010 and the Check Permissions tool is very useful. Any ideas?
I'm going to have to disagree.
1) I have tested this in my SP2013 Environment, and no matter what, if someone is added in a domain group, you can not check their permissions even after they have visited the site.
2) This IS NOT and SHOULD NOT BE expected behavior.
when I check permissions for a specific user -> I don't care if you've EVER been to my site before, I want to know if you can get there now...
Not being able to check permissions based on A/D groups you are in is a HUGE step backward.
when I check permissions for a specific user -> I don't care if you've EVER been to my site before, I want to know if you can get there now...
Not being able to check permissions based on A/D groups you are in is a HUGE step backward.
Completely agree @SharePointMC. A user having to first visit a site for check permissions to work correctly is a ridiculous functionality caveat.
And similar to what you've stated, I still can't get the check permissions to work after visiting the site with the account I'm checking. I've added my farm accounts to Windows Authorization Access Group in AD at the suggestion that this was the issue, but it doesn't fix the issue. From my perspective, check permissions for AD users/groups nested in SharePoint groups is just broken with no apparent fix. Ridiculous.
I am in the same boat, did someone manage to get around it?
And yes I agree this should be changed to Unaswered as the current Answer is totally wrong