Monday, April 29, 2013

Nested AD group support issues in SharePoint 2010

Our company is implementing nested AD groups, and we found some strange behavior in how SharePoint supports nested groups. Here are the nested groups we have.

  • parentGroup includes childGroup and some users
  • childGroup includes childofchildGroup and some users
  • childofchildGroup includes childofchildofchildGroup and some users
  • childofchildofchildGroup includes some users

After we added the parent group (parentGroup) to the owner group for a site, we could search permissions for any individual user from the nested groups, such as user2 from childGroup. However, we are not able to display permissions for any of the nested groups.

We tried the following PowerShell to display the users, but it could not display any nested groups except the leaf nested group childofchildofchildGroup.

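$urlWeb = "http://server/sites/n2ktest/"

# List each user with directly assigned roles, roles inherited through SharePoint groups, and those groups.
Get-SPUser -Web $urlWeb |
    Select-Object UserLogin,
        @{Name="Explicit given roles"; Expression={$_.Roles}},
        @{Name="Roles given via groups"; Expression={$_.Groups | ForEach-Object {$_.Roles}}},
        Groups |
    Format-Table -AutoSize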
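
Because the SharePoint listing above did not show the intermediate groups, an access review has to expand the nesting chain itself. The following PowerShell is an added example, not code from the original post: it models this post's four groups as a constructed hashtable (user1, user3 and user4 are hypothetical member names) and reports every nested group and user together with the path that grants access.

```powershell
# Constructed sample data modelling the four groups described in this post.
# user2 in childGroup comes from the post; user1, user3 and user4 are hypothetical.
# In a real audit the members would come from the directory, for example
# Get-ADGroupMember from the ActiveDirectory module.
$Directory = @{
    'parentGroup'              = @('childGroup', 'user1')
    'childGroup'               = @('childofchildGroup', 'user2')
    'childofchildGroup'        = @('childofchildofchildGroup', 'user3')
    'childofchildofchildGroup' = @('user4')
}

function Expand-NestedGroup {
    param(
        [Parameter(Mandatory)] [string]    $Group,
        [Parameter(Mandatory)] [hashtable] $Directory,
        [string[]] $Path = @()
    )
    # Stop on circular nesting (A contains B, B contains A) instead of recursing forever.
    if ($Path -contains $Group) {
        Write-Warning "Circular nesting: $(($Path + $Group) -join ' > ')"
        return
    }
    $trail = $Path + $Group
    foreach ($member in $Directory[$Group]) {
        if ($Directory.ContainsKey($member)) {
            # Member is itself a group: report it, then descend into it.
            [pscustomobject]@{ Name = $member; Type = 'Group'; Depth = $trail.Count; Via = $trail -join ' > ' }
            Expand-NestedGroup -Group $member -Directory $Directory -Path $trail
        }
        else {
            # Leaf member: a user who gets access through every group in $trail.
            [pscustomobject]@{ Name = $member; Type = 'User'; Depth = $trail.Count; Via = $trail -join ' > ' }
        }
    }
}

# Everything that receives the permissions granted to parentGroup.
Expand-NestedGroup -Group 'parentGroup' -Directory $Directory |
    Format-Table -AutoSize
```

The Depth and Via columns show how far down the chain each grant originates, which is the information the site permission listing did not expose.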

Based on the Microsoft resource, nested AD groups are supported in SharePoint. You can verify our test result that all the individual users in the nested groups are granted the correct permissions.

However, after looking at other blogs and discussions, it seems that SharePoint 2010 has some limitations in supporting nested AD groups. Some Microsoft teams, especially the MPS team, do not recommend using nested groups.

  • Assign permission levels directly to Active Directory groups.
  • Adding security groups that contain nested security groups, contacts, or distribution lists.

The following functions might have issues when nested groups are used, and you might follow the suggestions to set up the permissions.

  • Resource sync performance issues in Project Server 2010
  • When a security group is added to a SharePoint group for a specific site, the site will not appear in the users’ My Sites. The User Information List will not show individual users until they have contributed to the site.
  • Security groups with a deeply nested structure might break SharePoint sites
  • We will have issues listing all the users who have access to the site
  • Performance

It looks to me like nested AD groups are supported for SharePoint 2010/2013; however, they are not recommended by some Microsoft groups.

Tips to resolve SharePoint 2010 Ribbon stuck at “Loading…” issue

Recently, we ran into the SharePoint 2010 Ribbon stuck at “Loading…” issue when clicking the Document tab for any document library, as in the following screen shot.

This issue seems to be common in many SharePoint environments, and we were finally able to resolve it. Here are the steps you can follow to track down the root cause and fix it.

1. First, verify some test cases to identify the scope of the issue.

a. Whether this is consistent for ALL sites on the physical server. If the answer is yes, this might be related to server configuration.
b. Whether other functions like "Site Actions" and "Add Documents" are working. If not, since these functions rely on JavaScript, it might be a script issue.

2. Second, verify "DisableLoopbackCheck", which could cause this issue. This is particularly important if you are using SharePoint web services. See here for more information.

The loopback check functionality is stored in the following registry subkey:

3. Third, check “Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries”. This problem is actually caused by a new concept called DNS Devolution that Microsoft introduced in Windows 7 and Windows 2008 R2. Here is the procedure posted by Wilson Leung that could help.

Check Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client. Enable “Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries”. Then flush the DNS cache by running ipconfig /flushdns in a command prompt.

4. Fourth, check the permissions of the application pool account on the JavaScript folder, /_Layouts. You could also verify other permissions on the 14 hive folders. If the application pool account does not have permission to read the JavaScript, it might cause this issue.

5. Finally, if everything is fine at this point, as it was for us this time, you will need a developer to debug the JavaScript and identify the breaking point. You can use either Web Developer on Firefox or the IE developer tools. You can also use Fiddler to track the calls.

We are getting the following error when debugging the code through Firefox Web Developer

You should verify whether core.js has been corrupted and, if so, replace it with the OoB one. If you are adding some customized JavaScript, the tool will indicate whether it is the source of the error, and you should fix the JavaScript.

At this point, you should be able to fix the SharePoint 2010 Ribbon stuck at “Loading…” issue.