Forcing SharePoint Permission Refresh With IISRESET to Solve AD Sync Delays

What Causes SharePoint Permission Delays?

Delays in SharePoint permission synchronization are often caused by two key factors – Lightweight Directory Access Protocol (LDAP) cache expiration settings and Active Directory (AD) replication latency. SharePoint maintains a local LDAP cache to improve performance when evaluating user and group permissions. However, the cached credentials can become outdated if the expiration period is too long. Additionally, updates made to AD security groups rely on replication across domain controllers. Delays in this process also result in outdated group membership information in SharePoint.

LDAP Cache Expiration Timers

The SharePoint timer service controls the expiration time for LDAP cache credentials. The default setting is 10 hours. Once the timer expires, SharePoint refreshes the credentials in the cache from AD. However, if changes occur in AD user or group membership before the 10-hour mark, they will not sync until the next expiration cycle. Reducing the LDAP cache expiration allows SharePoint permission information to more closely mirror recent updates in AD.

AD Replication Latency

SharePoint queries AD when evaluating user permissions, so any latency in replicating changes across DCs can leave SharePoint working from stale data. This is most noticeable when security groups are modified or group nesting is altered. The changes may apply instantly on the DC handling the modification but can take time to reach other DCs. Configuring replication triggers and topology for efficiency can reduce this latency.

Symptoms of Permission Delays

Delays between AD updates and SharePoint permission refreshes manifest in two common issues – inheritance failure and erroneous access denied errors when users attempt to access sites and content.

Files/Folders Not Inheriting Permissions

When permissions are not syncing properly, SharePoint sites, libraries, folders, and files can fail to inherit the security settings from their parent containers. The inherited permissions option may still be enabled but the effective access does not align until synchronization occurs. This leaves content and features wide open or restricted incorrectly, depending on the specifics of the outdated permissions.

Access Denied Errors

Users often receive access denied errors or unexpectedly find content to be unavailable when SharePoint holds outdated credential information. The account may have access within AD but still be blocked in SharePoint if the identity changes have not yet propagated because of replication delays and pending LDAP cache refreshes. The result is frustration and lost productivity while waiting for permissions to align.

Manually Force a Permission Sync

Manually initiating a synchronization forces SharePoint to pick up recent AD updates related to security groups and permissions ahead of the configured cache expiration delay. This allows administrators to remediate permission issues without waiting on timers and replication.

Open an Admin PowerShell Window

On the SharePoint application server, open PowerShell as administrator to execute IIS configuration and service commands. Be sure to use an account that has admin privileges in SharePoint as well as local system rights to stop and start IIS services.

Run “iisreset /noforce” Command

The iisreset command with the /noforce parameter initiates a graceful restart of the IIS services and all application pools. This causes SharePoint’s IIS worker processes to restart, clearing the credential cache and forcing an immediate re-sync when connections re-establish. The /noforce option prevents abruptly terminating active user connections to the web services.

Permissions Will Sync After IIS Reset

Following the IIS reset command, SharePoint’s permission information will update within a few minutes as the timer and application pools reset. Any outstanding issues from delayed replication or cached data then begin resolving as SharePoint reloads the latest AD security changes while re-initializing.
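The manual procedure above (elevated PowerShell, iisreset /noforce, confirm the pools came back) as one script. This is an added example, not part of the original article; the 60-second graceful timeout is an assumed value and WebAdministration is the standard IIS module shipped with Windows Server.

```powershell
# Added example (not from the original article): graceful IIS restart on a
# SharePoint server, with the checks an administrator wants around it.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# Record which application pools are running before the reset so we can
# confirm afterwards that every one of them came back.
$poolsBefore = Get-ChildItem IIS:\AppPools |
    Where-Object { $_.State -eq 'Started' } |
    Select-Object -ExpandProperty Name
Write-Host "Application pools running before reset: $($poolsBefore -join ', ')"

# /noforce lets worker processes finish in-flight requests instead of being
# killed; /timeout caps how long IIS waits for that graceful stop (assumed 60 s).
$proc = Start-Process -FilePath 'iisreset.exe' `
    -ArgumentList '/noforce', '/timeout:60' -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    throw "iisreset exited with code $($proc.ExitCode); IIS may still be stopped."
}

# Wait for the World Wide Web Publishing Service to report Running again.
(Get-Service -Name W3SVC).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Any pool that was running before but is not started now means the SharePoint
# web applications hosted on it are offline until it is started again.
$stillDown = Get-ChildItem IIS:\AppPools |
    Where-Object { $poolsBefore -contains $_.Name -and $_.State -ne 'Started' }

if ($stillDown) {
    Write-Warning "Pools not restarted: $($stillDown.Name -join ', ')"
    $stillDown | ForEach-Object { Start-WebAppPool -Name $_.Name }
} else {
    Write-Host 'All application pools restarted; cached permission data has been cleared.'
}
```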

Configure Automatic Sync Settings

If permission delays are occurring frequently, the default LDAP expiration times and AD replication topology can be adjusted to improve synchronization proactively instead of relying on manual IIS resets.

Reduce LDAP Cache Expiration Time

Decreasing the LDAP cache credential timer in SharePoint allows AD group and user membership changes to refresh more rapidly. However, balancing performance with smaller expiration times may require testing. Starting with a reduced interval of 5 minutes can provide more frequent AD synchronization.
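The article does not name the setting behind the 10-hour timer. This added example (not the article's own code) assumes it corresponds to the Security Token Service's WindowsTokenLifetime in a claims-mode farm, which also defaults to 10 hours, and lowers it to the 5 minutes suggested above while keeping the cache expiration window shorter than the lifetime, which SharePoint requires.

```powershell
# Added example (not from the original article). Assumption: the "LDAP cache
# expiration" timer is the STS WindowsTokenLifetime (default 10:00:00).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$sts = Get-SPSecurityTokenServiceConfig
Write-Host ("Before: WindowsTokenLifetime={0}  LogonTokenCacheExpirationWindow={1}" -f
    $sts.WindowsTokenLifetime, $sts.LogonTokenCacheExpirationWindow)

# LogonTokenCacheExpirationWindow (default 10 minutes) must stay shorter than
# WindowsTokenLifetime; otherwise every token is treated as already expired and
# users are bounced back to the STS on each request.
$newLifetime = New-TimeSpan -Minutes 5
$newWindow   = New-TimeSpan -Minutes 2   # assumed value, below the new lifetime

if ($newWindow -ge $newLifetime) {
    throw 'LogonTokenCacheExpirationWindow must be less than WindowsTokenLifetime.'
}

# A short lifetime means far more frequent re-authentication against AD, so
# watch DC load and sign-in latency after applying this in a test farm first.
Set-SPSecurityTokenServiceConfig -WindowsTokenLifetime $newLifetime `
                                 -LogonTokenCacheExpirationWindow $newWindow

# The STS runs in its own application pool; recycle it so the new values apply.
Restart-WebAppPool -Name 'SecurityTokenServiceApplicationPool'

$sts = Get-SPSecurityTokenServiceConfig
Write-Host ("After:  WindowsTokenLifetime={0}  LogonTokenCacheExpirationWindow={1}" -f
    $sts.WindowsTokenLifetime, $sts.LogonTokenCacheExpirationWindow)
```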

Adjust AD Replication Triggers

Tuning AD to replicate security changes faster prevents latency in transmitting the updated group and user data that SharePoint requires to evaluate permissions accurately. Increasing the frequency of periodic replication and configuring flexible replication based on change volume can help reduce permission refresh delays.

Troubleshooting Issues with Permission Sync

If permission delays persist after manual or configured synchronization improvements, further troubleshooting helps pinpoint any underlying issues for resolution.

Check Event Viewer Logs

Logs on both SharePoint and AD servers provide detailed diagnostic timelines of permission and authentication activity. Errors highlighting connectivity, account lockouts, or access check failures will indicate specific areas to investigate.

Test Inheritance on Libraries/Sites

Actively testing permission inheritance after changes, by deliberately breaking and then re-enabling inheritance, verifies proper synchronization. Issues remaining after an IIS reset indicate deeper configuration problems.

Validate AD Replication Health

Using AD diagnostic utilities to monitor replication latency provides metrics to analyze for delays or topology mismatches that can slow the transfer of group changes to all DCs. Resolving bottlenecks ensures SharePoint sees timely updates.
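One way to put numbers on the replication latency described above, as an added example that is not part of the original article: repadmin for the farm-wide summary, then the ActiveDirectory module to flag every partner link whose last successful replication is older than an assumed 30-minute threshold.

```powershell
# Added example (not from the original article): measure AD replication health
# so stale group membership reaching SharePoint can be traced to a slow DC link.
Import-Module ActiveDirectory

# Acceptable replication lag for this farm (assumed value; tune to your topology).
$maxLag = New-TimeSpan -Minutes 30

# Quick farm-wide view: per-DC largest delta and failure counts.
repadmin /replsummary

# Detailed view: one row per (destination DC, source partner, partition).
$meta = Get-ADReplicationPartnerMetadata -Target * -Scope Domain -ErrorAction Stop

$report = $meta | ForEach-Object {
    $lag = (Get-Date) - $_.LastReplicationSuccess
    [pscustomobject]@{
        Server     = $_.Server
        Partner    = $_.Partner          # DN of the source DC's NTDS Settings object
        Partition  = $_.Partition
        LagMinutes = [math]::Round($lag.TotalMinutes, 1)
        Failures   = $_.ConsecutiveReplicationFailures
        LastResult = $_.LastReplicationResult   # 0 means the last attempt succeeded
    }
}

# Links that are either failing or lagging past the threshold are the ones that
# delay group changes, and therefore SharePoint permission refreshes.
$problems = $report | Where-Object {
    $_.Failures -gt 0 -or $_.LagMinutes -gt $maxLag.TotalMinutes
}

if ($problems) {
    Write-Warning "Replication links exceeding $($maxLag.TotalMinutes) min or failing:"
    $problems | Sort-Object LagMinutes -Descending | Format-Table -AutoSize
} else {
    Write-Host "All replication links are healthy and within $($maxLag.TotalMinutes) minutes."
}
```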
