Managing SharePoint Permission Caching to Reflect AD Changes Immediately
Clearing SharePoint’s Permission Cache
SharePoint caches the security token it builds for each user at authentication. For a Windows account that token carries the user's Active Directory group SIDs as they were when the token was issued, and every permission check on that user's requests is evaluated against the cached token rather than against a fresh lookup in AD. The cache exists to optimize performance: without it every request would need a round trip to a domain controller. A consequence is that changes to security group membership in Active Directory are not immediately reflected in SharePoint.
Explaining Permission Caching in SharePoint
The SharePoint permission cache is the user's logon token. On SharePoint 2013 and later it lives in the Distributed Cache (the DistributedLogonTokenCache container); on classic-mode SharePoint 2010 farms it is held in each web front end's process memory. For a Windows account the token holds the user's identity claim plus one group claim per Active Directory group SID the user belonged to when the token was issued. When a user attempts to access a SharePoint resource like a site, document, or list, SharePoint compares the role assignments stored in the content database for that resource against the claims in the cached token, instead of asking a domain controller which groups the user belongs to. This significantly reduces the load on domain controllers and allows much faster permission checks.
The token is built when the user first authenticates and is reused until it expires; no timer job refreshes it. With Windows claims authentication on SharePoint 2013 and later, the lifetime is controlled on the security token service configuration by WindowsTokenLifetime (10 hours by default) and LogonTokenCacheExpirationWindow (10 minutes by default; it must be shorter than the token lifetime). On classic-mode SharePoint 2010 farms the equivalent setting is the web service TokenTimeout (the stsadm token-timeout property), which defaults to 24 hours. Changes to group membership in Active Directory may therefore take up to the full token lifetime to be seen by SharePoint.
Why Permission Changes May Not Reflect Immediately
Delays in permission changes reflecting in SharePoint can be attributed directly to this token caching. When a user is added to or removed from a group in Active Directory, SharePoint is not told about it; it keeps evaluating the user's requests against the group SIDs captured in the cached token until that token expires or is cleared, and a new token is only built when the user authenticates again. Two further hops add latency: the change must have replicated to the domain controller that services the authentication, and with Kerberos the group list is carried in the user's own ticket, so the user may also need to log off and on. User Profile Synchronization plays no part in this: it populates profiles and the people picker, not the token used for authorization.
Examples of permission-related changes which may not reflect immediately:
* Adding or removing users from AD groups
* Modifying AD security groups
* Changing AD group scope from Global to Universal
* Membership in newly created AD groups
By contrast, permission changes made directly in SharePoint (adding a user to a SharePoint group, changing a role assignment) are stored in the content database and take effect on the user's next request.
This caching, while beneficial for performance, confuses administrators when expected permission changes do not happen instantly. Knowing which data is cached, and for how long, explains what is happening.
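The grants this caching affects are exactly those that pass through an AD group, whether the group is added to a web directly or placed inside a SharePoint group. The following script is an added example, not code from the original page: it walks a site collection and lists every such grant so an administrator knows which permissions are subject to token staleness. The site URL is an assumption, and the script is meant to run in the SharePoint Management Shell on a farm server.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPDomainGroupGrants {
    # Emit one record per AD group that confers rights on a web, whether the group is a
    # principal in the web's own role assignments or a member of a SharePoint group.
    param([Parameter(Mandatory = $true)][string]$SiteUrl)

    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Webs that inherit permissions repeat their parent's assignments; skip them.
                if (-not $web.HasUniqueRoleAssignments) { continue }

                foreach ($ra in $web.RoleAssignments) {
                    $roles  = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
                    $member = $ra.Member

                    if ($member -is [Microsoft.SharePoint.SPUser]) {
                        # An AD group granted directly on the web (IsDomainGroup is true for
                        # SPUser entries that represent AD groups rather than people).
                        if ($member.IsDomainGroup) {
                            New-Object PSObject -Property @{
                                Web = $web.Url; ADGroup = $member.LoginName; Via = 'direct'; Roles = $roles
                            }
                        }
                    }
                    elseif ($member -is [Microsoft.SharePoint.SPGroup]) {
                        # AD groups nested inside a SharePoint group.
                        foreach ($u in $member.Users) {
                            if ($u.IsDomainGroup) {
                                New-Object PSObject -Property @{
                                    Web = $web.Url; ADGroup = $u.LoginName; Via = "SP group: $($member.Name)"; Roles = $roles
                                }
                            }
                        }
                    }
                }
            }
            finally {
                $web.Dispose()
            }
        }
    }
    finally {
        $site.Dispose()
    }
}

# Constructed usage; the URL is an assumption.
Get-SPDomainGroupGrants -SiteUrl 'http://intranet.contoso.com' |
    Select-Object Web, ADGroup, Via, Roles | Format-Table -AutoSize
```

Everything this report lists is evaluated through the cached token; grants to individual users or to SharePoint groups that contain only individual users are checked against the content database on each request and are not delayed.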
When to Clear the Permission Cache
In most cases waiting for the token to expire is acceptable. However, sometimes changes need to take effect much sooner. Clearing the logon token cache discards every cached token, so each user's next request authenticates again and SharePoint builds a new token from the user's current AD group membership.
Scenarios where manually clearing cache may be desired:
* Immediately revoke access after termination
* Allow new employee access on first day
* Group scope changes need to take effect urgently
* Troubleshooting permission issues
* Avoiding confusion when expecting instant permissions changes
Manually clearing the cache has the minor drawback of a temporary performance dip while every user re-authenticates and the cache rebuilds. For urgent permission changes it is a useful technique.
How to Clear Permission Caches
SharePoint provides PowerShell cmdlets to clear the logon token cache and to shorten how long tokens live. Note that no cmdlet clears cached tokens for a single site or a single user: the cache is farm-wide and is cleared as a whole.
PowerShell to Flush the Logon Token Cache
On SharePoint 2013 and later, use Clear-SPDistributedCacheItem to flush the logon token cache. One call clears the tokens of every user across all site collections, lists, and libraries in the farm; it cannot be limited to one site collection.
Clear-SPDistributedCacheItem -ContainerType DistributedLogonTokenCache
On a classic-mode SharePoint 2010 farm the token cache is in memory on each web front end, so recycle the web application's application pool (or run iisreset) on every web server instead.
Checking a Specific User
The token cache cannot be flushed for one user. Get-SPUser shows SharePoint's own record of the user and the SharePoint groups they belong to, which confirms the user is known to the site collection, but it does not touch the cached token. With claims authentication pass the claims-encoded login:
Get-SPUser -Web http://intranet.contoso.com -Identity "i:0#.w|contoso\jsmith" | Select-Object UserLogin, DisplayName, IsSiteAdmin, @{n='SPGroups';e={($_.Groups | ForEach-Object { $_.Name }) -join ', '}}
For a single user the practical options are the farm-wide clear above or having the user wait out the token lifetime (and, with Kerberos, obtain a fresh ticket by logging off and on).
Shortening the Token Lifetime
For farms where AD changes must propagate within a bounded time, shorten the token lifetime so tokens expire and are rebuilt automatically. The following sets it to 30 minutes on a SharePoint 2013 or later farm; the expiration window must stay shorter than the lifetime:
$sts = Get-SPSecurityTokenServiceConfig
$sts.WindowsTokenLifetime = New-TimeSpan -Minutes 30
$sts.LogonTokenCacheExpirationWindow = New-TimeSpan -Minutes 5
$sts.Update()
This avoids manual clearing after permission changes, at the cost of more frequent re-authentication and more load on the security token service. The new values apply to tokens issued from now on; existing tokens keep their original expiry unless you clear the cache or run iisreset on the web front ends.
Verifying Permission Changes Took Effect
After flushing the token cache, verify that each user's effective access matches what AD now says it should be. Listing the users known to a site shows which entries are AD groups (IsDomainGroup) and which SharePoint groups they sit in:
Get-SPUser -Web http://intranet.contoso.com -Limit All | Select-Object UserLogin, IsDomainGroup, @{n='SPGroups';e={($_.Groups | ForEach-Object { $_.Name }) -join ', '}}
Check a single user's effective permissions on the web, the same server-side evaluation the Check Permissions page performs:
$web = Get-SPWeb http://intranet.contoso.com
$web.GetUserEffectivePermissions("i:0#.w|contoso\jsmith")
$web.Dispose()
The result is an SPBasePermissions mask. This check resolves the user's AD groups itself rather than reading the cached logon token, so it can report access the user does not yet experience (or no longer has) while their old token is still in use; once the cache is cleared and the user re-authenticates, the two agree.
Troubleshooting Remaining Permission Issues
If permission issues persist after the cache reset, further troubleshooting is required:
* Confirm the AD group change has replicated to every domain controller (repadmin /showrepl, or query each DC with Get-ADPrincipalGroupMembership -Server)
* Rule out User Profile Synchronization as a cause: it populates profiles and the people picker, not the token used for permission checks
* Remove and re-add the user in the site collection only if the SPUser entry itself is stale, for example an account that was deleted and recreated with a new SID (Move-SPUser handles a SID change)
* Compare SharePoint's view (Check Permissions, or GetUserEffectivePermissions) with the current AD membership
* With Kerberos, have the user log off and on (or run klist purge) so their ticket carries the new group list; with NTLM the domain controller supplies the current groups at each authentication
Auditing the permission change together with the token-lifetime configuration usually identifies the source of the issue.
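The clearing and troubleshooting steps above, combined into one runbook as an added example that is not part of the original page: it checks that every domain controller agrees on the user's group membership, clears the farm-wide logon token cache on a SharePoint 2013 or later claims farm, and then asks SharePoint for the user's effective permissions on the site. The URL, domain, account name, and the presence of the ActiveDirectory RSAT module on the farm server are assumptions.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

# Assumed values, not from the page.
$WebUrl  = 'http://intranet.contoso.com'
$Domain  = 'contoso'
$SamName = 'jsmith'
$Claim   = "i:0#.w|$Domain\$SamName"   # Windows claims encoding of CONTOSO\jsmith

function Test-ADGroupReplication {
    # Ask every DC in the domain for the user's group list. A mismatch means the change
    # has not finished replicating, and the token SharePoint builds will depend on which
    # DC happens to service the authentication.
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $views = @{}
    foreach ($dc in Get-ADDomainController -Filter *) {
        $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName -Server $dc.HostName |
                  Select-Object -ExpandProperty SamAccountName | Sort-Object
        $views[$dc.HostName] = ($groups -join ',')
    }

    $distinct = @($views.Values | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        $views.GetEnumerator() | ForEach-Object { Write-Warning ('{0}: {1}' -f $_.Key, $_.Value) }
        return $false
    }
    return $true
}

function Clear-SPLogonTokenCache {
    # Farm-wide: every cached claims token is dropped. Users are re-authenticated on their
    # next request and receive a token built from their current group SIDs.
    Clear-SPDistributedCacheItem -ContainerType DistributedLogonTokenCache
}

function Get-SPUserAccess {
    # Server-side effective-permission check; it resolves AD groups itself instead of
    # reading the user's cached token, so it reflects the AD state SharePoint can see now.
    param([Parameter(Mandatory = $true)][string]$Url,
          [Parameter(Mandatory = $true)][string]$LoginName)

    $web = Get-SPWeb $Url
    try {
        $perms = $web.GetUserEffectivePermissions($LoginName)
        New-Object PSObject -Property @{
            Web       = $web.Url
            Login     = $LoginName
            CanView   = [bool]($perms -band [Microsoft.SharePoint.SPBasePermissions]::ViewPages)
            Effective = $perms
        }
    }
    finally {
        $web.Dispose()
    }
}

if (-not (Test-ADGroupReplication -SamAccountName $SamName)) {
    Write-Warning "AD replication is incomplete; run 'repadmin /syncall /AdeP' or wait, then re-run."
}
Clear-SPLogonTokenCache
Get-SPUserAccess -Url $WebUrl -LoginName $Claim | Select-Object Web, Login, CanView, Effective
```

Run it after the AD change has been made. If the replication check warns, the cache clear may still produce a stale token, so repeat the clear once all DCs agree. With Kerberos the user also needs a fresh ticket (log off and on, or klist purge) before their browser presents the new group list; with NTLM the next request is enough.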
Example Scripts
PowerShell to Retrieve Current Cache Settings
See how long tokens currently live on a SharePoint 2013 or later farm:
Get-SPSecurityTokenServiceConfig | Select-Object WindowsTokenLifetime, FormsTokenLifetime, LogonTokenCacheExpirationWindow
PowerShell to Enumerate the Distributed Cache
List the servers running the Distributed Cache service, and the client settings for the logon token cache container:
Get-SPServiceInstance | Where-Object { $_.TypeName -eq "Distributed Cache" } | Select-Object @{n='Server';e={$_.Server.Name}}, Status
Get-SPDistributedCacheClientSetting -ContainerType DistributedLogonTokenCache
PowerShell to Flush Cache on All Web Front Ends
The logon token cache is not per site, so on SharePoint 2013 and later the single Clear-SPDistributedCacheItem call above covers the entire farm. On a classic-mode SharePoint 2010 farm the cache is in memory on each web server, so recycle IIS on every SharePoint server in the farm (this assumes PowerShell remoting is enabled on those servers):
Get-SPServer | Where-Object { $_.Role -ne "Invalid" } | ForEach-Object { Invoke-Command -ComputerName $_.Address -ScriptBlock { iisreset /noforce } }
After either step, every user's next request builds a token from the current AD state across the entire farm.