Nested AD Groups

  • 30 October 2017
  • 0 replies
  • 21 views


Question

Why are my nested AD groups not resolving?

Answer

This is a question asked by many and the answer is not always simple. But I always try to go through the following steps to make sure that I've checked everything:

1. Refresh the Identity cache

As many of you know, we have an Identity Refresh Tool in the community that you can run to refresh the [Identity].[Identity] table.

It's basically a script that goes and resolves the following:

-- Expire the cached entry for one group so K2 re-resolves it,
-- including its containers and members, on the next lookup.
update [K2].[Identity].[Identity]
set ExpireOn = getdate(),
    Resolved = 0,
    ContainersResolved = 0,
    ContainersExpireOn = getdate(),
    MembersResolved = 0,
    MembersExpireOn = getdate()
where Name = 'DomainGroup_Name'

Note that "Synchronize Groups" in SharePoint does not do the same thing. It does not go through the containers and members; it will just check to make sure that the group exists and go on with its day. So usually this misses nested groups.

2. Run UMUser

Similar to manually refreshing the Identity Cache, I always check to make sure that K2 sees this user, that it is cached properly, and that it is identified as a member of that group.

Running the "Get Users" and "Get Group Users" methods will tell you what K2 sees.

---Potential Workarounds---

1. Enable "ResolveNestedGroups" in the [HostServer].[SecurityLabel] table, "RoleInit" XML.

By default, this is set to false. It will look something like this:

<roleprovider>
<init>ADCache=0;LDAPPath=LDAP://DC=DENALLIX,DC=COM;ResolveNestedGroups=False;IgnoreForeignPrincipals=False;IgnoreUserGroups=False;MultiDomain=False;OnlyUseSecurityGroups=False;LogLevel=Error;LogSize=0;DataSources=&lt;DataSources&gt;&lt;DataSource Path="LDAP://DC=DENALLIX,DC=COM" NetBiosName="DENALLIX" /&gt;&lt;/DataSources&gt;;;</init>
<login />
<implementation assembly="ADUM, Version=4.0.0.0, Culture=neutral, PublicKeyToken=16a2c5aaaa1b130d" type="ADUM.K2UserManager2" />
<properties>
<user>
<property name="Name" type="System.String" />
<property name="Description" type="System.String" />
<property name="Email" type="System.String" />
<property name="Manager" type="System.String" />
<property name="SipAccount" type="System.String" />
<property name="ObjectSID" type="System.String" />
<property name="DisplayName" type="System.String" />
<property name="CommonName" type="System.String" />
<property name="UserPrincipalName" type="System.String" />
</user>
<group>
<property name="Name" type="System.String" />
<property name="Description" type="System.String" />
<property name="Email" type="System.String" />
</group>
</properties>
</roleprovider>

Please go ahead and update this XML with a script to set this to "True".

Then restart the K2 server.

2. Use the AD group directly

Sometimes this is not possible, but whenever you can, please use the AD group directly, especially if the group is recognized in K2; it's definitely less hassle this way.

3. Add the AD users directly

Similarly, I know that sometimes your AD group is HUGE, so this might not be probable, but you can always just add the AD users directly.

This is very useful when you are using SP groups.

DISCLAIMER: K2 will not accept any liability for any issues arising from actions taken in respect of the information provided by any forum member.
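Workaround 1 above says to flip ResolveNestedGroups in the RoleInit XML "with a script". As an added example (not part of the original answer and not a K2 tool), the following Python shows the safe way to do that edit: it parses the semicolon-separated <init> string into key/value pairs, changes only the named setting, refuses to add a key that is not already present (so a typo does not silently introduce an unknown setting), and re-serializes the XML so the DataSources value, which is itself XML stored as escaped text, survives the round trip. SAMPLE_ROLEINIT is constructed from the fragment in the answer with the <properties> block omitted for brevity; reading the column from [HostServer].[SecurityLabel], writing the result back, and restarting the K2 server are left to the reader, as the answer describes.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the RoleInit XML shown in the answer.
# The DataSources value is XML stored as escaped text inside <init>.
SAMPLE_ROLEINIT = """<roleprovider>
<init>ADCache=0;LDAPPath=LDAP://DC=DENALLIX,DC=COM;ResolveNestedGroups=False;IgnoreForeignPrincipals=False;IgnoreUserGroups=False;MultiDomain=False;OnlyUseSecurityGroups=False;LogLevel=Error;LogSize=0;DataSources=&lt;DataSources&gt;&lt;DataSource Path="LDAP://DC=DENALLIX,DC=COM" NetBiosName="DENALLIX" /&gt;&lt;/DataSources&gt;;;</init>
<login />
<implementation assembly="ADUM, Version=4.0.0.0, Culture=neutral, PublicKeyToken=16a2c5aaaa1b130d" type="ADUM.K2UserManager2" />
</roleprovider>"""


def parse_init(init_text):
    """Split the <init> text into an ordered list of (key, value) pairs.

    Only the first '=' of each token separates key from value, because the
    DataSources value contains '=' inside its attributes. Empty tokens from
    the trailing ';;' are dropped here and restored by format_init.
    """
    pairs = []
    for token in init_text.split(";"):
        if not token:
            continue
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError("malformed init token: %r" % token)
        pairs.append((key, value))
    return pairs


def format_init(pairs):
    """Inverse of parse_init, keeping K2's trailing ';;' terminator."""
    return ";".join("%s=%s" % (k, v) for k, v in pairs) + ";;"


def init_text(roleinit_xml):
    """Return the raw (unescaped) text of the <init> element."""
    init = ET.fromstring(roleinit_xml).find("init")
    if init is None or init.text is None:
        raise ValueError("RoleInit XML has no <init> element")
    return init.text


def init_settings(roleinit_xml):
    """Return the init settings as a dict, e.g. for an audit read-back."""
    return dict(parse_init(init_text(roleinit_xml)))


def set_init_flag(roleinit_xml, key, value):
    """Return (new_xml, old_value) with exactly one setting changed.

    Raises KeyError if the setting does not already exist, so a misspelled
    key cannot quietly add a new, unknown setting to the provider config.
    """
    root = ET.fromstring(roleinit_xml)
    init = root.find("init")
    if init is None or init.text is None:
        raise ValueError("RoleInit XML has no <init> element")
    pairs = parse_init(init.text)
    if key not in [k for k, _ in pairs]:
        raise KeyError(key)
    old = dict(pairs)[key]
    init.text = format_init([(k, value if k == key else v) for k, v in pairs])
    # ElementTree re-escapes '<' and '>' in text, so the embedded
    # <DataSources> XML goes back out as &lt;DataSources&gt; as before.
    return ET.tostring(root, encoding="unicode"), old


if __name__ == "__main__":
    updated, previous = set_init_flag(SAMPLE_ROLEINIT, "ResolveNestedGroups", "True")
    print("ResolveNestedGroups: %s -> %s" % (previous, init_settings(updated)["ResolveNestedGroups"]))
    print(updated)
```

After writing the returned XML back to the SecurityLabel row, read it again with init_settings to confirm the flag is "True" and that the other nine settings are unchanged before restarting the K2 server.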