User is missing read permission despite being added into an AD group which has read permission on a site collection in SharePoint 2016

Question

Hi all,

1. We had one scenario where we added an AD group into one SharePoint group which has read permission on the site collections level.
2. We added this AD group into all the site collections and read permission was granted through the custom SharePoint group as mentioned in point 1.
3. We added all the domain users into the AD group.
4. We observed that few users had read permission on one site collection and were missing the read permission on another site collection.
   Technically the users are already part of domain users so the read permission should have reflected on all site collections.
5. We could not find anything in ULS which tell us about the missing permission for the few users.

Could you please help us in identify the issue why few users have missing permission on some site collections despite they are already part of AD group which has read permission?

Answer 1

You can temporally set the tokens to expire since the default is 10 hours. And here's details about the windowstokenlifetime setting: https://social.technet.microsoft.com/Forums/ie/en-US/6d5e4d3e-5aa2-4cf1-93b5-03a473df74ee/what-is-difference-between-windowstokenlifetime-and-logontokencacheexpirationwindow?forum=sharepointadmin

Try these links:
https://www.sharepointdiary.com/2014/10/active-directory-group-membership-sync-issue-solution-sharepoint.html
https://www.vioreliftode.com/index.php/active-directory-security-groups-and-sharepoint-claims-based-authentication/