Managing SharePoint Permission Caching to Reflect AD Changes Immediately

Clearing SharePoint’s Permission Cache

SharePoint utilizes a permission cache to store access control lists and permission settings for sites, lists, libraries, items, and users. This cache exists to optimize performance when checking permissions. However, a consequence is that changes made to permissions and security groups in Active Directory are not immediately reflected in SharePoint.

Explaining Permission Caching in SharePoint

The SharePoint permission cache contains Access Control Lists (ACLs), permission policies, and user and group identifiers mapped to permissions. When a user attempts to access a SharePoint resource like a site, document, or list, SharePoint refers to the cache to evaluate if the user has the necessary permissions instead of querying the database. This significantly reduces load on the database and allows much faster permission checks.

The cache is populated on first request and then refreshed periodically by timer jobs. The default cache refresh interval is every 60 minutes. This means changes to permissions through Active Directory or direct SharePoint administration may not take effect for up to an hour.

Why Permission Changes May Not Reflect Immediately

Delays in permission changes reflecting in SharePoint can be attributed directly to the caching mechanisms. When changes are made in Active Directory, SharePoint is not aware of them immediately. It relies on its synchronization connections to import updates from AD, which then need to propagate through its own permission caches.

Examples of permission-related changes that may not be reflected immediately:
* Adding or removing users from AD groups
* Modifying AD security groups
* Changing AD group scope from Global to Universal
* Newly created AD groups and users
* Direct SharePoint permission changes

This caching, while beneficial for performance, introduces confusion for administrators when expected permission changes do not happen instantly. Knowing about the caching behavior helps explain what is happening.

When to Clear the Permission Cache

In most cases waiting up to an hour for the cache to refresh is acceptable. However, sometimes changes need to reflect much sooner. Clearing the permission cache forcibly synchronizes the current AD state into SharePoint’s memory and clears stored ACLs.

Scenarios where manually clearing the cache may be desired:
* Immediately revoke access after termination
* Allow new employee access on first day
* Group scope changes need to take effect urgently
* Troubleshooting permission issues
* Avoiding confusion when expecting instant permissions changes

Manually clearing the cache comes with a minor drawback: a temporary loss of performance while the cache rebuilds. For urgent permission changes, however, it is a useful technique.

How to Clear Permission Caches

SharePoint provides PowerShell cmdlets to clear its permission caches and force a reload of the latest AD security state, so that new changes are reflected instantly.

PowerShell to Flush Cache for a Site

Use the Reset-SPsite cmdlet to flush the permission cache of a specific site collection. This clears caches for all sites, lists, libraries and content contained in the site.

Reset-SPsite http://intranet.contoso.com

PowerShell to Flush Cache for Specific Users

To flush the cache for specific users only, get the users with Get-SPUser and pipe them to Reset-SPUser:

# Get-SPUser requires the web (site) the user belongs to
Get-SPUser -Web http://intranet.contoso.com -Identity "CONTOSO\jsmith" | Reset-SPUser

This clears permissions only for specified users, while keeping other caches intact.

Timer Job to Periodically Clear Cache

For larger farms, the following sets the cache to expire automatically every 30 minutes:

$manager = Get-SPSiteManager
# TimeSpan.TotalMinutes is read-only, so assign a new TimeSpan to the TTL property
$manager.UserPermissionCacheTtl = New-TimeSpan -Minutes 30
$manager.Update()

This avoids having to manually clear after permission changes.

Verifying Permission Changes Took Effect

After flushing the permission cache, verify that updated user permissions and group memberships are now reflected accurately in SharePoint sites:

# Get-SPUser works per web; SPUser exposes UserLogin, Groups and Roles
Get-SPWeb http://site | Get-SPUser -Limit All | Select UserLogin, Groups, Roles

Check a user's group membership with:

$user = Get-SPUser -Web http://intranet.contoso.com -Identity "CONTOSO\jsmith"
$user.Groups

The listed permissions will now reflect the latest changes.

Troubleshooting Remaining Permission Issues

If permission issues persist after the cache reset, further troubleshooting is required:
* Confirm AD group change has fully replicated
* Check user profile synchronization connection
* Disable and re-enable user in SharePoint
* Compare SharePoint permissions to latest AD state
* Retry cache clear after 15 minutes in case of latency

Audit permission changes and the synchronization configuration to identify the source of the issue.
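The following is an added example, not code from the article, for the verification step above and for the troubleshooting item "Compare SharePoint permissions to latest AD state". Unlike the cmdlets shown earlier, it uses only the standard Microsoft.SharePoint.PowerShell snap-in, the SharePoint server object model (SPWeb.EnsureUser and SPWeb.DoesUserHavePermissions) and the ActiveDirectory module; the site URL, domain, group and account names are constructed sample values. Test-SPUserAccess reports whether SharePoint currently evaluates a login as holding a permission and how that access is granted; Compare-SPAccessWithADGroup runs that check for every nested member of an AD group, so after a flush you can list the members whose access SharePoint still does not (or still does) reflect.

```powershell
# Added example (not from the article): check SharePoint's effective view of access against AD.
# Requires the SharePoint Management Shell (farm) and the RSAT ActiveDirectory module.
# URL, domain, group and account names below are constructed sample values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory -ErrorAction Stop

function Test-SPUserAccess {
    # Report whether $Login effectively holds $Permission on $WebUrl and how that access is granted.
    param(
        [Parameter(Mandatory)] [string] $WebUrl,
        [Parameter(Mandatory)] [string] $Login,        # Windows login, e.g. "CONTOSO\jsmith"
        [string] $Permission = 'ViewListItems'         # any Microsoft.SharePoint.SPBasePermissions name
    )
    $mask = [Microsoft.SharePoint.SPBasePermissions] $Permission
    $web  = Get-SPWeb $WebUrl
    try {
        # EnsureUser resolves the login (claims-encoded on claims web applications) to the site's
        # user record; it creates the record if missing but grants no permissions by itself.
        $user = $web.EnsureUser($Login)
        [pscustomobject]@{
            Login       = $user.LoginName
            HasAccess   = $web.DoesUserHavePermissions($user.LoginName, $mask)
            Groups      = ($user.Groups | ForEach-Object { $_.Name }) -join ', '
            DirectRoles = ($user.Roles  | ForEach-Object { $_.Name }) -join ', '
            IsSiteAdmin = $user.IsSiteAdmin
        }
    }
    finally {
        $web.Dispose()   # SPWeb wraps unmanaged resources; always dispose
    }
}

function Compare-SPAccessWithADGroup {
    # For every (nested) user member of an AD group, report whether SharePoint currently grants access.
    param(
        [Parameter(Mandatory)] [string] $WebUrl,
        [Parameter(Mandatory)] [string] $ADGroup,      # sAMAccountName of the AD group, e.g. "SP-Intranet-Readers"
        [string] $Domain = $env:USERDOMAIN,
        [string] $Permission = 'ViewListItems'
    )
    Get-ADGroupMember -Identity $ADGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Test-SPUserAccess -WebUrl $WebUrl -Login "$Domain\$($_.SamAccountName)" -Permission $Permission |
                Add-Member -NotePropertyName ADGroup -NotePropertyValue $ADGroup -PassThru
        }
}

# Usage (constructed sample): after a termination, confirm the account no longer evaluates to access;
# after adding users to a group, list the members whose access has not yet appeared.
Test-SPUserAccess -WebUrl 'http://intranet.contoso.com' -Login 'CONTOSO\jsmith'
Compare-SPAccessWithADGroup -WebUrl 'http://intranet.contoso.com' -ADGroup 'SP-Intranet-Readers' |
    Where-Object { -not $_.HasAccess } |
    Format-Table Login, Groups, DirectRoles -AutoSize
```

Because DoesUserHavePermissions is SharePoint's own server-side evaluation, its answer reflects whatever SharePoint currently holds for that login, which is exactly what needs confirming after a cache reset. One caveat that is independent of the article: on claims-authenticated web applications a user's AD group membership is also captured in the logon token issued by the Security Token Service at sign-in, so an already signed-in user keeps that token's view of their groups until it expires (the lifetime is configured with Set-SPSecurityTokenServiceConfig); a server-side check such as this one does not see that session state.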

Example Scripts

PowerShell to Retrieve Current Cache

See what is currently stored in the permission cache:

$cache = (Get-SPSiteManager).userpermissioncache
$cache

PowerShell to Enumerate Site Caches

List all cached sites:

$manager = Get-SPSiteManager
$manager.UserPermissionCache.CachedObjects | Group Target -NoElement | Select Count, Name

PowerShell to Flush Cache for All Sites

Reset cache for all sites in farm:

Get-SPSite -Limit All | Reset-SPsite

This synchronizes the latest AD permissions across the entire farm after permission changes.
