To manage SharePoint security with Active Directory security groups, a couple of configuration settings need to be changed.
- SharePoint's default cache time for AD security group membership is 24 hours (1440 minutes). When testing how AD security groups work in SharePoint, 24 hours is too long. Set it to 2 minutes from the SharePoint Management Shell:
stsadm.exe -o setproperty -propertyname token-timeout -propertyvalue 2
- The next setting deals with users who have already logged in before the change above is made. These settings are the security token lifetime and the security token cache expiration window. The default is 10 hours, again too long for testing how security works; set them to 2 minutes from the SharePoint Management Shell:
$sts = Get-SPSecurityTokenServiceConfig
$sts.FormsTokenLifetime = (New-TimeSpan -Minutes 2)
$sts.WindowsTokenLifetime = (New-TimeSpan -Minutes 2)
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)
$sts.Update()
- Note that the cache expiration window must be shorter than the token lifetime! Revert to the default settings once the effects of group membership changes have been studied!
With these settings, SharePoint permissions based on Active Directory security groups will reflect group membership changes within 2 minutes.
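The procedure above is easy to leave half-done: the test values get applied and the revert step is forgotten, leaving a farm with very short token lifetimes. The script below is an added example, not from the original post, that snapshots the current values before changing anything, enforces the rule that the cache expiration window must be shorter than the token lifetime, and restores the snapshot afterwards. It assumes a SharePoint Management Shell where Get-SPSecurityTokenServiceConfig and stsadm.exe are available, and that stsadm getproperty prints a Value="..." attribute (an assumption about its output format); the function names are the author's own.

```powershell
# Added example (not from the original post). Assumes the SharePoint Management Shell
# (Get-SPSecurityTokenServiceConfig, stsadm.exe on PATH). Function names are hypothetical.

function Get-TokenSettingsSnapshot {
    # Capture current values so they can be restored exactly, instead of relying on
    # remembered defaults.
    $sts = Get-SPSecurityTokenServiceConfig
    $raw = & stsadm.exe -o getproperty -propertyname token-timeout
    # Assumption: stsadm prints something like <Property Exist="Yes" Value="1440" />
    $tokenTimeout = $null
    if (($raw -join ' ') -match 'Value="(\d+)"') { $tokenTimeout = [int]$matches[1] }

    [pscustomobject]@{
        TokenTimeoutMinutes            = $tokenTimeout
        FormsTokenLifetime             = $sts.FormsTokenLifetime
        WindowsTokenLifetime           = $sts.WindowsTokenLifetime
        LogonTokenCacheExpirationWindow = $sts.LogonTokenCacheExpirationWindow
        TakenAt                        = Get-Date
    }
}

function Set-TestTokenSettings {
    param(
        [int]$GroupCacheMinutes = 2,       # token-timeout (AD group membership cache)
        [int]$TokenLifetimeMinutes = 2,    # Forms/Windows token lifetime
        [int]$CacheExpirationMinutes = 1   # LogonTokenCacheExpirationWindow
    )
    # The note above: cache expiration must be shorter than the token lifetime,
    # otherwise the cached token never expires before the token itself does.
    if ($CacheExpirationMinutes -ge $TokenLifetimeMinutes) {
        throw "CacheExpirationMinutes ($CacheExpirationMinutes) must be less than TokenLifetimeMinutes ($TokenLifetimeMinutes)"
    }

    & stsadm.exe -o setproperty -propertyname token-timeout -propertyvalue $GroupCacheMinutes

    $sts = Get-SPSecurityTokenServiceConfig
    $sts.FormsTokenLifetime = New-TimeSpan -Minutes $TokenLifetimeMinutes
    $sts.WindowsTokenLifetime = New-TimeSpan -Minutes $TokenLifetimeMinutes
    $sts.LogonTokenCacheExpirationWindow = New-TimeSpan -Minutes $CacheExpirationMinutes
    $sts.Update()
}

function Restore-TokenSettings {
    param([Parameter(Mandatory)]$Snapshot)
    # Put every value back exactly as it was captured.
    if ($null -ne $Snapshot.TokenTimeoutMinutes) {
        & stsadm.exe -o setproperty -propertyname token-timeout -propertyvalue $Snapshot.TokenTimeoutMinutes
    }
    $sts = Get-SPSecurityTokenServiceConfig
    $sts.FormsTokenLifetime = $Snapshot.FormsTokenLifetime
    $sts.WindowsTokenLifetime = $Snapshot.WindowsTokenLifetime
    $sts.LogonTokenCacheExpirationWindow = $Snapshot.LogonTokenCacheExpirationWindow
    $sts.Update()
}

# Usage: snapshot, shorten for the test, then restore in a finally block so the
# short lifetimes never outlive the test session.
$snapshot = Get-TokenSettingsSnapshot
$snapshot | Format-List
try {
    Set-TestTokenSettings -GroupCacheMinutes 2 -TokenLifetimeMinutes 2 -CacheExpirationMinutes 1
    Read-Host "Test group membership changes now, then press Enter to restore the original settings"
}
finally {
    Restore-TokenSettings -Snapshot $snapshot
}
```

Keeping the restore in a finally block means an error or an interrupted session still puts the original values back. The validation in Set-TestTokenSettings turns the page's "cache expiration should be less than token lifetime" note into a hard check rather than something to remember.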