Wednesday, July 1, 2015

SharePoint 2010 User Active Directory Permissions not updating

When you add Active Directory groups to SharePoint groups, changes to the membership of the Active Directory group do not show up in SharePoint right away. It takes 24 hours (by default) for the change to be reflected in SharePoint. This behavior is controlled by a property called Token-timeout. By default, this value is set to 1440 minutes (24 hours).
SharePoint fetches user token information from the SharePoint database. If the user has never visited the site, or if the user’s token was generated more than 24 hours previously, SharePoint generates a new user token by trying to refresh the list of groups that the user belongs to. (MSDN Reference)

To check the value you currently have, run the following:
stsadm -o getproperty -propertyname token-timeout

If you want to minimize this token timeout value (the time it takes to refresh the token), follow the instructions below.

To set the timeout to 2000 minutes, use the following syntax:
stsadm -o setproperty -pn token-timeout -pv 2000
Note: You can substitute -pn for -propertyname and -pv for -propertyvalue. 

| Name | Value |
| --- | --- |
| propertyname | Gets or sets the name of the property. |
| propertyvalue | A valid time interval, in minutes. The default setting is 1440 minutes. |

The syntax for the setproperty operation is:
stsadm -o setproperty -propertyname token-timeout -propertyvalue <A valid time interval, in minutes>

Note:
- This property applies to the entire farm.

- The use of stsadm will only affect the ContentService Web service property and not the AdministrationService Web service property.

Warning: If you set Token-timeout to zero (0), it can bring the farm down, and you get this error message:
"The context has expired and can no longer be used. Exception from HRESULT: 0x80090317"
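
The following PowerShell is an added example, not part of the original post: it reports the token timeout on both the ContentService and the AdministrationService, and wraps the setproperty call so that a value of zero is rejected before it reaches the farm. It assumes the SharePoint 2010 Management Shell (with stsadm on the PATH) and a farm administrator account; the function names Get-TokenTimeoutReport and Set-TokenTimeoutSafely are hypothetical.

```powershell
# Added example: run in the SharePoint 2010 Management Shell as a farm administrator.
# Function names are hypothetical; SPWebService.TokenTimeout is the object-model
# property behind the stsadm token-timeout setting.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-TokenTimeoutReport {
    # Read the value from both web services, since stsadm only changes ContentService.
    $services = @{
        ContentService        = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
        AdministrationService = [Microsoft.SharePoint.Administration.SPWebService]::AdministrationService
    }
    foreach ($name in $services.Keys) {
        New-Object PSObject -Property @{
            Service             = $name
            TokenTimeoutMinutes = $services[$name].TokenTimeout.TotalMinutes
        }
    }
}

function Set-TokenTimeoutSafely {
    param(
        [Parameter(Mandatory = $true)]
        [int]$Minutes
    )

    # Zero (or a negative value) is rejected: the post warns that zero can bring
    # the farm down with "The context has expired and can no longer be used".
    if ($Minutes -le 0) {
        throw "Refusing to set token-timeout to $Minutes; use a positive number of minutes."
    }

    Write-Host "Before:"
    Get-TokenTimeoutReport | Format-Table Service, TokenTimeoutMinutes -AutoSize

    # Same command as in the post; the setting is farm-wide.
    & stsadm -o setproperty -pn token-timeout -pv $Minutes
    if ($LASTEXITCODE -ne 0) {
        throw "stsadm exited with code $LASTEXITCODE; token-timeout was not changed."
    }

    Write-Host "After:"
    Get-TokenTimeoutReport | Format-Table Service, TokenTimeoutMinutes -AutoSize
}

# Show the current values; uncomment the second line to apply the post's example value.
Get-TokenTimeoutReport | Format-Table Service, TokenTimeoutMinutes -AutoSize
# Set-TokenTimeoutSafely -Minutes 2000
```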

