Optimizing Active Directory Integration in SharePoint for Faster Permission Updates

The Problem: Slow Permission Updates in Large SharePoint Farms

As SharePoint farms grow to accommodate more users, sites, libraries, and permission levels, applying permission changes can take an increasingly long time. Each permission change requires SharePoint to query Active Directory to verify access levels for each affected user. With thousands of permission entries, this can translate to tens of thousands of individual AD checks.

Symptoms of overly slow permission updates include:

  • New users not having access to sites/libraries for hours after being granted access
  • Users retaining access through cached credentials after their permissions have been revoked
  • Administrators unable to make emergency permission changes quickly
  • Lengthy delays when applying permission levels or breaking inheritance

By optimizing components that interface between SharePoint and Active Directory, administrators can achieve faster verification for permission changes in large SharePoint deployments.

How SharePoint Checks Permissions Against Active Directory

When applying permission changes in SharePoint, the User Profile Service Application plays a key role in synchronizing identity information from Active Directory. The single sign-on and authentication process validates user credentials against AD, while user profile properties supply additional metadata to enhance the user experience.

Behind the scenes, SharePoint stores a mapping between usernames (SIDs) and credentials (permission groups) in the site collection policy cache. Before displaying any site content or data to a user, SharePoint checks the cache to determine if that user has rights to access the resource. If a match exists in the cache, access is quickly granted or denied. If no match is found, SharePoint initiates a real-time query to Active Directory to validate credentials and cache the result for faster verification next time.

As site collections grow exponentially through collaboration and document storage, the policy cache also scales up substantially. With overextended caches, real-time calls to Active Directory can impose significant latency while SharePoint loads sites and communicates access rights to users.

Optimizing the User Profile Service Application

The primary technique for reducing AD permission checks is to optimize profile synchronization between SharePoint and Active Directory. This provides SharePoint with enhanced metadata in the policy cache to match user credentials against permission sets without contacting AD directly. Fully synchronizing all user properties also offloads authentication burden away from domain controllers.

Follow these steps for optimal User Profile configuration:

  1. Provision a dedicated User Profile Service Application for the SharePoint farm using a fast SQL Server instance with 150-200 GB or more of storage.
  2. Configure full user profile synchronization instead of minimum mandatory properties only.
  3. Schedule synchronization to run hourly instead of daily to capture AD changes more rapidly.
  4. Perform frequent full synchronization runs rather than incremental updates to keep cache mappings current.
  5. Consider enforcing profile photos and other user properties to personalize SharePoint and populate AD data.
  6. Redirect the My Site host and other components that consume profile data to the local environment rather than to AD.

With enriched and frequent profile synchronization, permission checks can be handled almost entirely within SharePoint rather than incurring Active Directory latency. Further optimization around reducing policy cache size and integrating authentication protocols can build on this enhanced platform.

Configuring Fast Permission Updates with AD Import

The AD import method bypasses SharePoint’s built-in synchronization channel and directly transmits Active Directory permissions into the SharePoint cache. A service account fetches access control lists from AD domain controllers on a scheduled basis and pushes SID-credential mappings through the SharePoint API.

Setting up the Active Directory import requires several preliminary steps:

  1. Provision a separate Web Application under its own application pool and service account permissions.
  2. Enable the Membership Provider feature via PowerShell to activate the permissions integration components.
  3. Create an access control list mapping AD groups to SharePoint roles and permission levels.
  4. Configure the AD Import timer job under Central Admin > Manage Service Applications.

Once configured, the import component will run on a regular interval to query AD security descriptors and update the SharePoint permission cache. Reducing the synchronization period can help pick up AD permission changes faster. Because access lists are transmitted directly, rather than checking each user, the overall verification process is streamlined.
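The group-to-permission-level mapping from step 3 can be applied and audited with the stock SharePoint Management Shell and RSAT cmdlets. This is an added example, not code from the article; the site URL, domain name and group names are constructed placeholders, and the audit at the end reports direct assignments outside the mapping so that revoked access does not linger unnoticed.

```powershell
# Added example, not from the article. Assumes the SharePoint Management Shell
# (Microsoft.SharePoint.PowerShell) and the RSAT ActiveDirectory module.
# $siteUrl, $domain and the group names are constructed placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory
$siteUrl = "http://sharepoint.example.local/sites/finance"   # placeholder
$domain  = "CONTOSO"                                        # placeholder
# Desired state: AD group -> SharePoint permission level (constructed sample).
$mapping = @{
    "SP-Finance-Owners"  = "Full Control"
    "SP-Finance-Members" = "Contribute"
    "SP-Finance-Readers" = "Read"
}
$web = Get-SPWeb $siteUrl
try {
    # Role assignments can only be edited on a web that has its own permissions.
    if (-not $web.HasUniqueRoleAssignments) { $web.BreakRoleInheritance($true) }
    $managed = @{}
    foreach ($groupName in $mapping.Keys) {
        # Fail closed: never grant a level to a group that does not exist in AD.
        if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
            Write-Warning "AD group $groupName not found; skipping"
            continue
        }
        $level = $mapping[$groupName]
        # EnsureUser resolves DOMAIN\group in both classic and claims mode.
        $principal = $web.EnsureUser("$domain\$groupName")
        $managed[$principal.ID] = $true
        $ra  = $web.RoleAssignments | Where-Object { $_.Member.ID -eq $principal.ID }
        $has = $ra -and ($ra.RoleDefinitionBindings | Where-Object { $_.Name -eq $level })
        if (-not $has) {
            # Grant the level to the AD group itself, not to individual users.
            Set-SPUser -Identity $principal -Web $web -AddPermissionLevel $level
            Write-Output "Granted $level to $domain\$groupName"
        }
    }
    # Audit: direct assignments to principals outside the mapping are where
    # revoked or stale access lingers, so report them rather than trusting the cache.
    foreach ($ra in $web.RoleAssignments) {
        if ($ra.Member -is [Microsoft.SharePoint.SPUser] -and -not $managed.ContainsKey($ra.Member.ID)) {
            $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
            Write-Warning "Unmapped assignment: $($ra.Member.LoginName) -> $roles"
        }
    }
}
finally {
    $web.Dispose()
}
```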

Example PowerShell Script for Automated AD Import

This PowerShell script illustrates fetching Active Directory group membership information to synchronize with SharePoint permission levels programmatically every minute:

# Run in the SharePoint Management Shell on a farm server with the RSAT
# ActiveDirectory module installed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

# Schedule: every minute, starting at minute 0 of the hour.
$schedule = New-Object Microsoft.SharePoint.Administration.SPMinuteSchedule
$schedule.BeginMinute = 0
$schedule.Interval = 1

# Attach the import job to the farm's User Profile Service Application.
# Note: New-SPTimerJobDefinition and Update-SPProfileSync are not stock
# SharePoint cmdlets; this script assumes custom wrapper cmdlets with these names.
$upa = Get-SPServiceApplication | Where-Object { $_.TypeName -eq 'User Profile Service Application' }
$jobdef = New-SPTimerJobDefinition -ServiceApplication $upa -Name "Active Directory Group Import" -Schedule $schedule
$jobdef.Update()

# Enumerates every group in the domain; scope with -SearchBase in large forests.
$groupNames = (Get-ADGroup -Filter *).Name

Write-Host "Updating permissions for user groups: " $groupNames

foreach ($groupName in $groupNames) {
    Update-SPProfileSync -Identity $groupName
    Write-Host "Permissions updated for: " $groupName
}

This forced synchronization can be added to the full sync runs for validating all users against the latest AD changes without waiting on incremental cycles.

Verifying Faster Permission Update Performance

With Active Directory import components and user profile optimization, administrators should see notable gains in permission change speeds. Some metrics to monitor and log for comparison include:

  • Time to run incremental profile synchronization passes
  • Duration for applying permission levels to large collections of sites
  • Time to activate new sites and libraries after creation
  • Responsiveness of authentication calls against AD domain controllers
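The first metric, the duration of profile synchronization passes, can be pulled from the timer job history that SharePoint already keeps. This is an added example, not code from the article; it uses the stock Get-SPTimerJob cmdlet, and the display-name filter is an assumption about how the sync job is named in the farm.

```powershell
# Added example, not from the article. Assumes the SharePoint Management Shell;
# the default -NameFilter is an assumption about the farm's job display names.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-TimerJobDurationStats {
    param(
        [string]$NameFilter = "*Incremental Synchronization*",  # assumption
        [int]$LastN = 20
    )
    foreach ($job in Get-SPTimerJob | Where-Object { $_.DisplayName -like $NameFilter }) {
        # HistoryEntries holds recent runs with start/end times and a status.
        $runs = @($job.HistoryEntries |
            Where-Object { $_.Status -eq 'Succeeded' } |
            Sort-Object StartTime -Descending |
            Select-Object -First $LastN)
        if ($runs.Count -eq 0) { continue }
        $durations = $runs | ForEach-Object { ($_.EndTime - $_.StartTime).TotalSeconds }
        # Failed runs matter as much as slow ones: a silently failing sync
        # leaves revoked AD access in place until the next successful pass.
        $failed = @($job.HistoryEntries | Where-Object { $_.Status -eq 'Failed' }).Count
        [pscustomobject]@{
            Job        = $job.DisplayName
            Runs       = $runs.Count
            AvgSeconds = [math]::Round(($durations | Measure-Object -Average).Average, 1)
            MaxSeconds = [math]::Round(($durations | Measure-Object -Maximum).Maximum, 1)
            LastRun    = $runs[0].EndTime
            Failed     = $failed
        }
    }
}

# Record this before and after tuning so the comparison is on real run times.
Get-TimerJobDurationStats | Format-Table -AutoSize
```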

If delays are still noticeable even after tuning, further profiling around policy cache tuning, reverse proxies for authentication, and horizontally scaling service applications can uncover additional bottlenecks. Fast permission updates ensure users access the right resources at the right time.
