How Does Renaming an Active Directory Group Impact User Access, People Picker, and Audience Targeting in SharePoint 2010?

I've done some research and testing to determine how the rename of a group in Active Directory impacts SharePoint 2010, and my best understanding is provided below.  I believe much of this would be applicable to SharePoint 2013, too.

About Active Directory (AD) Groups

Groups are used to collect user accounts, computer accounts, and other groups into manageable units. Working with groups instead of with individual users helps simplify network maintenance and administration.

There are two types of groups in Active Directory:

  • Distribution groups: Used to create email distribution lists (DLs).  Distribution groups are not security enabled, which means that they cannot be listed in discretionary access control lists (DACLs).  Distribution groups cannot be used to secure access to SharePoint.
  • Security groups: Used to assign permissions to shared resources.   A security group can also be used as an e-mail entity.

From: Overview of security groups in SharePoint 2013

What is Meant by "Rename" an Active Directory Group?

AD groups have many "name" attributes.  A Distinguished Name (DN) is used to uniquely name an Active Directory object. All objects can be referenced using a Distinguished Name. A DN has the following components:

  • DC - Domain Component
  • O - Organization
  • OU - Organizational Unit
  • CN - Common Name

Changing the CN (common name) of a group in AD effectively renames it. That same name change also appears to be reflected in both the “name” and “samAccountName” properties of the AD group.  The membership property (i.e., user account members) of the group is unaffected by rename.  By renaming an AD group you are actually giving it a new ADsPath, and effectively changing the Distinguished Name (DN).

In addition to Common Name (CN), an AD group object will also have additional “name” properties which typically reflect the same value as CN after a rename:

  • name   (a.k.a., Display Name)
  • samAccountName    (a.k.a., login name)
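The following PowerShell, written for this page as an added example (it is not part of the original post), reads the name attributes just listed for one group and reports whether cn, name and sAMAccountName still agree; a second function reproduces in a lab what the Active Directory Users and Computers Rename action does. It goes slightly beyond the text in one respect: Rename-ADObject changes only the RDN (cn), which also updates name and the DN, so the pre-Windows 2000 name (sAMAccountName) is set separately, and the group is tracked by its objectGUID because the old DN no longer exists after the rename. The group names are the post's own lab values; the function names are mine.

```powershell
Import-Module ActiveDirectory

# Read the name attributes of one AD group and flag whether cn, name and sAMAccountName still agree.
# $Identity may be a sAMAccountName, a distinguished name, a SID or an objectGUID.
function Test-ADGroupNameConsistency {
    param([Parameter(Mandatory = $true)][string]$Identity)
    $g = Get-ADGroup -Identity $Identity -Properties cn, name, sAMAccountName, distinguishedName, member
    New-Object PSObject -Property @{
        ObjectGuid        = $g.ObjectGUID          # stable across renames
        SID               = $g.SID.Value           # stable across renames; what DACLs actually store
        CN                = $g.cn
        Name              = $g.name
        SamAccountName    = $g.sAMAccountName
        DistinguishedName = $g.distinguishedName   # changes together with the CN
        MemberCount       = @($g.member).Count     # membership is unaffected by a rename
        NamesAgree        = ($g.cn -eq $g.name) -and ($g.cn -eq $g.sAMAccountName)
    }
}

# Lab helper (hypothetical name): rename a group the way the ADUC Rename dialog does.
# Rename-ADObject changes the RDN (cn), which also updates name and the DN; the pre-Windows 2000
# name (sAMAccountName) is a separate attribute and is set explicitly so the three names stay in step.
# After the rename the group is addressed by objectGUID, because the old DN no longer exists.
function Rename-LabADGroup {
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string]$NewName
    )
    $before = Test-ADGroupNameConsistency -Identity $Identity
    Rename-ADObject -Identity $before.DistinguishedName -NewName $NewName
    Set-ADGroup -Identity $before.ObjectGuid -SamAccountName $NewName
    $after = Test-ADGroupNameConsistency -Identity $before.ObjectGuid
    New-Object PSObject -Property @{
        Before          = $before
        After           = $after
        SameSid         = ($before.SID -eq $after.SID)                  # expected: True
        SameMemberCount = ($before.MemberCount -eq $after.MemberCount)  # expected: True
    }
}

# Usage with the post's lab values:
# Rename-LabADGroup -Identity 'MarjGroupABC' -NewName 'MarjGroupDEF'
# Test-ADGroupNameConsistency -Identity 'MarjGroupDEF' | Format-List
```

Running Test-ADGroupNameConsistency after a rename done by some other tool is the quick way to spot a half-finished rename (cn and name changed, sAMAccountName not), which is exactly the case where the "dev\OldName" login name would keep resolving in SharePoint.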

How Are AD Security Groups Used Within SharePoint 2010?

  • People Picker:   The People Picker control is used to search for and select groups (as well as people and claims) when a site, list, or library owner assigns permissions in SharePoint.
  • Authorization/Permissions:  You can use security groups to control permissions for your site by adding AD security groups to SharePoint groups and granting permissions to the SharePoint groups.  An AD security group can be listed in the DACLs for securable objects within a SharePoint site.
  • Email Entity:   An AD security group (or a distribution list) can be used as an email entity.
  • Group Profile Synchronization:  By default, SharePoint’s User Profile Services Application synchronizes groups (security groups & distribution lists) when it synchronizes user profiles.
    • SharePoint does not import AD security groups. It imports AD group memberships only. This is by design.
    • Imported groups are only used to create audiences and to display which memberships a visitor has in common with the person whose My Site the visitor is viewing.
    • SharePoint’s sync database uses the DN (Distinguished Name) as the unique key for finding objects when storing them in its database. That key is not updated afterwards, even when the attributes that make up the key change (the attribute values themselves are updated).

What is the User Information List in SharePoint?

The User Information List (“/_catalogs/users/simple.aspx” or “_catalogs/users/detail.aspx”) is a hidden list in each site collection that is only visible and accessible to Site Collection Administrators.  The User Information List stores metadata about each user. Examples of that metadata are Display Name (name), Login Name (samAccountName), Picture, Email, and SID (which determines authorization rights).

When an AD Security Group is granted access to a site, a new item will be created in the User Information List storing some metadata information about that AD group.

How Does AD Security Group Rename Affect People Picker & Permissions in SharePoint 2010?

LAB TEST SCENARIO:  Rename AD Security group “MarjGroupABC” to “MarjGroupDEF”

1) Created a new AD security group in Active Directory.

cn:   MarjGroupABC
distinguishedName:   CN=MarjGroupABC,CN=Users,DC=dev,DC=sp14a,DC=mapalm,DC=com
name:   MarjGroupABC
samAccountName:   MarjGroupABC

2) Using People Picker, searched for “MarjGroup” and saw the “dev\MarjGroupABC” AD security group.  Selected and added the AD security group “dev\MarjGroupABC” to the “Members” SharePoint group in the root site of a site collection.

3) Existing domain user account “dev\TestUser1” has not been granted access to that root site of the site collection.  Therefore, the user gets Access Denied when trying to log in to the site.

4) In Active Directory, added existing domain user account “dev\TestUser1” to the membership of “dev\MarjGroupABC”.

5) Now in SharePoint, that user “dev\TestUser1” is able to successfully log in to that root site of the site collection.  The user’s membership in AD group “dev\MarjGroupABC” caused it to inherit Contribute permissions for the site, because the AD group was mapped to the Members group in SharePoint.

6) The “dev\MarjGroupABC” group appears as an item in the hidden User Information List of the site collection (/_catalogs/users/simple.aspx).

7) Using the Active Directory Users and Computers application, right-click the security group “MarjGroupABC” and select the Rename action.  Change the group name to “MarjGroupDEF”. After this change the security group’s “name” properties reflect the following values:

cn:   MarjGroupDEF
distinguishedName:   CN=MarjGroupDEF,CN=Users,DC=dev,DC=sp14a,DC=mapalm,DC=com
name:   MarjGroupDEF
samAccountName:   MarjGroupDEF

8)  In the User Information List of the site collection (/_catalogs/users/simple.aspx) in SharePoint, the AD group still appears with the old name “dev\MarjGroupABC”.

9)  In the SharePoint group “Members” the AD group still appears with the old name “dev\MarjGroupABC”.

10)  Can the user “dev\TestUser1” still successfully log in to the SharePoint site, even though the AD group was renamed in Active Directory?  YES!  The SharePoint permissions authorization for the user was apparently unaffected by the rename of the AD group.

11)  Looking at the User Information List of the site collection (/_catalogs/users/simple.aspx) in SharePoint again, the AD group still appears with the old name “dev\MarjGroupABC”.  The new “dev\MarjGroupDEF” name does NOT appear in the list.

12) Using People Picker in SharePoint, searched for “MarjGroup” and now saw both the old and the new AD security group names, “dev\MarjGroupABC” and “dev\MarjGroupDEF”.

SHAREPOINT ISSUES OBSERVED AFTER AD GROUP RENAME:

1) ISSUE: Both the old and the new AD group names show in SharePoint People Picker.
2) ISSUE: Only the old AD group name displays as an item in the hidden User Information List in SharePoint.  The reason is that the Name (Display Name) field still reflects the old AD group name.  However, if you view the associated Login Name property for that item, it does reflect the new AD group name.
3) ISSUE: Only the old AD group name displays as the mapped member of the SharePoint group.

Note:  SharePoint permissions authorization for the user appears to be unaffected by the rename of the AD group.

DESIRED OUTCOME:

1) Only the new AD group name should show in SharePoint People Picker.  
2) The new AD group name should display for the item in the hidden User Information List in SharePoint.
3) The new AD group name should display for the mapped member in the SharePoint group.

POSSIBLE WORKAROUND FOR DESIRED OUTCOME?

From my research and testing in my own SharePoint 2010 lab environment, the following steps seem to fix SharePoint to produce the desired outcome. I would expect the same outcome for SharePoint 2013.  If you plan to use this possible fix, you should fully test it in your own SharePoint test environment to ensure it fully works with no unexpected side effects and meets your expectations.

Step 1) If the CN is changed for an AD security group, then you would have to run the stsadm -o migrategroup command in SharePoint.  This seems to fix the People Picker issue and fixes the Login Name property.  For example,

stsadm -o migrategroup -oldlogin "dev\MarjGroupABC" -newlogin "dev\MarjGroupDEF"

Note: The above command seems to work OK, even though it displays an error “value cannot be null parameter name: userprofileapplicationproxy.”  Not sure why the error displays.

Step 2) Write and execute a PowerShell script to change the “Display Name” in all SharePoint site collections to match the new display name (name) attribute in AD.

$login = "dev\MarjGroupDEF" # new login name (samAccountName) of the renamed AD group
$title = "dev\MarjGroupDEF" # new display name to write into each site collection's User Information List
Get-SPSite -Limit All | ForEach-Object {
    $domainGroup = $_.RootWeb.SiteUsers | Where-Object { $_.LoginName -eq $login }  # absent in site collections the group was never granted access to
    if ($domainGroup -ne $null) { $domainGroup.DisplayName = $title; $domainGroup.Update() }
    $_.Dispose() }
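As an added example (not code from the original post), here is a read-only check that covers both the lab observations in steps 8 to 11 and the workaround above: it walks every site collection and classifies the User Information List entry for the renamed group, so you can see what is stale before running the two steps and confirm afterwards that only OK remains. It uses the post's lab login names; the function name and the status labels are my own.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Walk every site collection and classify the User Information List entry for a renamed AD group:
#   NeedsMigrateGroup      - entry still carries the old login name (stsadm -o migrategroup not run yet)
#   NeedsDisplayNameUpdate - login name is new but the display name (Name column) is still stale
#   OK                     - both login name and display name reflect the rename
function Get-RenamedGroupEntryStatus {
    param(
        [Parameter(Mandatory = $true)][string]$OldLogin,       # e.g. "dev\MarjGroupABC"
        [Parameter(Mandatory = $true)][string]$NewLogin,       # e.g. "dev\MarjGroupDEF"
        [Parameter(Mandatory = $true)][string]$NewDisplayName  # value expected in the Name column
    )
    Get-SPSite -Limit All | ForEach-Object {
        $site = $_
        try {
            # SiteUsers is the site collection's User Information List; keep only domain group entries
            $entries = $site.RootWeb.SiteUsers | Where-Object {
                $_.IsDomainGroup -and (($_.LoginName -ieq $OldLogin) -or ($_.LoginName -ieq $NewLogin))
            }
            foreach ($e in @($entries)) {
                if ($e -eq $null) { continue }   # @() of a null pipeline result contains one null
                if ($e.LoginName -ieq $OldLogin) { $status = 'NeedsMigrateGroup' }
                elseif ($e.Name -ine $NewDisplayName) { $status = 'NeedsDisplayNameUpdate' }
                else { $status = 'OK' }
                New-Object PSObject -Property @{
                    SiteUrl     = $site.Url
                    LoginName   = $e.LoginName
                    DisplayName = $e.Name
                    Status      = $status
                }
            }
        } finally { $site.Dispose() }
    }
}

# Usage: run before the workaround to see what is stale, and again afterwards to confirm the fix.
# Get-RenamedGroupEntryStatus -OldLogin 'dev\MarjGroupABC' -NewLogin 'dev\MarjGroupDEF' -NewDisplayName 'dev\MarjGroupDEF' |
#     Format-Table SiteUrl, LoginName, DisplayName, Status -AutoSize
```

Because the check only reads SPUser properties and never calls Update(), it is safe to run against a farm you have not finished testing the workaround on; any site collection reported as NeedsMigrateGroup is one where People Picker will keep offering the old name.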

How Does AD Group Rename Affect Audience Targeting in SharePoint 2010?

The impact of renaming a group (either a Distribution Group or an email-enabled Security Group) in Active Directory will depend upon how the group is being used within SharePoint.

SCENARIO #1:  Group used in an audience definition within SharePoint Central Administration

• Issue:  Once an audience has been defined, it must be compiled on a regular basis because the underlying user profile properties and membership in directory services and groups can frequently change.

• Fix: An administrator schedules the timer job that controls when audiences are compiled.

SCENARIO #2: When you target a web part or a list item, you don’t *have* to use an audience; you can select an AD group directly.

• Issue:  Web parts/documents that had audience targets for the renamed group will become broken (e.g., the group name is underlined with a red squiggly line).

• Fix: You will need to manually (or programmatically, through PowerShell or a standalone application) identify and re-assign the audience to the web part/document in the sites.
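One programmatic way to do the identify-and-reassign step for Scenario #2, added here as an example and not taken from the original post: SharePoint stores a target audience as a single string of three ";;"-separated segments (audience GUIDs, distribution list DNs, security group names, for example ";;;;dev\MarjGroupABC"); that format is stated from the product's documented AuthorizationFilter layout, not from this page. The functions below rewrite the group segment on the web parts of one page and on the "Target Audiences" column of one list, reporting each change and applying it only when -Fix is given. Function names are mine; group names are the post's lab values.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Audience string format: "<audience GUIDs>;;<distribution list DNs>;;<security group names>"
# Replace the old group name in the third segment (comma-separated); anything else is left untouched.
function Update-AudienceString {
    param([string]$Filter, [string]$OldGroup, [string]$NewGroup)
    if ([string]::IsNullOrEmpty($Filter)) { return $Filter }
    $parts = [regex]::Split($Filter, ';;')
    if ($parts.Length -ne 3) { return $Filter }   # not the expected three-segment format: leave alone
    $groups  = @($parts[2] -split ',' | Where-Object { $_ -ne '' })
    $renamed = @($groups | ForEach-Object { if ($_ -ieq $OldGroup) { $NewGroup } else { $_ } })
    $parts[2] = ($renamed -join ',')
    return ($parts -join ';;')
}

# Report (and with -Fix, repair) web parts on one page whose AuthorizationFilter targets the old group.
function Repair-WebPartAudience {
    param([string]$WebUrl, [string]$PageUrl, [string]$OldGroup, [string]$NewGroup, [switch]$Fix)
    $web = Get-SPWeb $WebUrl
    try {
        $scope = [System.Web.UI.WebControls.WebParts.PersonalizationScope]::Shared
        $manager = $web.GetLimitedWebPartManager($PageUrl, $scope)
        try {
            foreach ($wp in @($manager.WebParts)) {
                $before = $wp.AuthorizationFilter
                $after  = Update-AudienceString -Filter $before -OldGroup $OldGroup -NewGroup $NewGroup
                if ($before -ne $after) {
                    New-Object PSObject -Property @{ Page = $PageUrl; WebPart = $wp.Title; Before = $before; After = $after }
                    if ($Fix) { $wp.AuthorizationFilter = $after; $manager.SaveChanges($wp) }
                }
            }
        } finally { $manager.Dispose() }
    } finally { $web.Dispose() }
}

# Same check for list items: the "Target Audiences" column (added when audience targeting is enabled
# on the list) carries the same string format. SystemUpdate keeps the item's modified date and version.
function Repair-ListItemAudience {
    param([string]$WebUrl, [string]$ListTitle, [string]$OldGroup, [string]$NewGroup, [switch]$Fix)
    $web = Get-SPWeb $WebUrl
    try {
        $list = $web.Lists[$ListTitle]
        if (-not $list.Fields.ContainsField('Target Audiences')) { return }   # targeting not enabled here
        foreach ($item in @($list.Items)) {
            $before = [string]$item['Target Audiences']
            $after  = Update-AudienceString -Filter $before -OldGroup $OldGroup -NewGroup $NewGroup
            if ($before -ne $after) {
                New-Object PSObject -Property @{ List = $ListTitle; Item = $item.Name; Before = $before; After = $after }
                if ($Fix) { $item['Target Audiences'] = $after; $item.SystemUpdate($false) }
            }
        }
    } finally { $web.Dispose() }
}

# Usage (report only; add -Fix to write the changes):
# Repair-WebPartAudience  -WebUrl 'http://sp/sites/lab' -PageUrl 'default.aspx' -OldGroup 'dev\MarjGroupABC' -NewGroup 'dev\MarjGroupDEF'
# Repair-ListItemAudience -WebUrl 'http://sp/sites/lab' -ListTitle 'Documents' -OldGroup 'dev\MarjGroupABC' -NewGroup 'dev\MarjGroupDEF'
```

Run both functions without -Fix first and keep the Before/After output; it doubles as the inventory of which pages and documents were targeted at the old group name, which is the part of the manual fix that is hardest to do reliably by hand.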

About Audiences in SharePoint

Audiences can be defined by one or a combination of the following items:

  • Membership in a distribution list
  • Membership in a Windows security group
  • Location in organizational reporting structure
  • Public properties in user profiles

Audiences Defined by Windows security groups and distribution lists:  

  • The Windows security groups that are available when you are creating audiences are those that are imported when user profiles are synchronized with the User Profile service application.
  • The distribution lists that are available when you are creating audiences are those that are imported when user profiles are imported into the User Profile service application.

Compiling Audiences

Once an audience has been defined, it must be compiled on a regular basis because the underlying user profile properties and membership in directory services and groups can frequently change. An administrator schedules the timer job that controls when audiences are compiled.