SharePoint – Managing the Security Model

January 26, 2014

SharePoint delivers a security model that combines AD and SharePoint users and groups.

This allows a granular approach to setting up security on SharePoint objects.

But the downside is that it gets misty after a while when you want to control security farm-wide 😦

Therefore I tried to introduce this simplified approach.

I created 4 OUs in AD:

– Department Groups

– Distribution Groups

– Security Groups

– User Structure


In the User Structure OU I have one OU per subsidiary.

Each of those OUs holds just the list of all individual users in that subsidiary.


The Security Groups OU is used to add AD users to specific groups, to be used in SharePoint or for access to other applications, like MS SQL access etc.


In Distribution Groups are the AD groups used in Exchange as e-mail groups, one per department per subsidiary.


In Department Groups are the AD groups per department, containing users across the subsidiaries.


Coming back to the SharePoint security settings.

Here is an example of how you can keep an overview of the site or site collection access permissions.

An extra benefit is that when new users come in, you just add them to the proper AD groups and they automatically get access to the correct site collections / sites in SharePoint, without much IT involvement.


The Members SharePoint group is left empty.


The Owners SharePoint group contains the administrator.


The Visitors SharePoint group contains all AD Department Groups.


And last we added a domain group, domain\all in Pxx, which has all subsidiary AD users in it.

One downside of adding AD groups is that SharePoint can't immediately see who is in the AD group as a user; it depends on your token timeout settings. The default is 24 hrs 😦
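The group wiring described above, written as an added example for the SharePoint 2010 PowerShell snap-in (this is not code from the original post). The site URL, the administrator account, the department group names and the domain-wide group name are placeholders; replace them with your own values.

```powershell
# Added example: populate the three default SharePoint groups of a site the way the post
# describes: Owners = administrator only, Members = empty, Visitors = AD Department Groups
# plus the domain-wide group. All names below are placeholders.
if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$siteUrl          = "http://intranet.example.local/sites/finance"   # placeholder
$adminAccount     = "DOMAIN\spadmin"                                 # placeholder
$departmentGroups = @("DOMAIN\Dept-Finance", "DOMAIN\Dept-HR")       # placeholder AD Department Groups
$allUsersGroup    = "DOMAIN\all in Pxx"                              # placeholder domain-wide group

$web = Get-SPWeb $siteUrl
try {
    $owners   = $web.AssociatedOwnerGroup
    $members  = $web.AssociatedMemberGroup
    $visitors = $web.AssociatedVisitorGroup

    # Owners: only the administrator account
    New-SPUser -UserAlias $adminAccount -Web $web -Group $owners.Name | Out-Null

    # Members: deliberately left empty, so remove anyone who was added by hand.
    # @() takes a snapshot so the collection is not modified while enumerating it.
    foreach ($u in @($members.Users)) {
        $members.RemoveUser($u)
    }

    # Visitors: every AD Department Group plus the domain-wide group
    foreach ($g in ($departmentGroups + $allUsersGroup)) {
        New-SPUser -UserAlias $g -Web $web -Group $visitors.Name | Out-Null
    }

    # Print the resulting membership so the overview stays visible
    foreach ($grp in @($owners, $members, $visitors)) {
        $names = @($grp.Users | ForEach-Object { $_.LoginName }) -join ", "
        Write-Host ("{0}: {1}" -f $grp.Name, $names)
    }
}
finally {
    $web.Dispose()
}
```

New-SPUser on an account or group that already exists in the site collection simply returns it, so the script can be re-run to bring the three groups back to the intended state.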


Also, try to create special SharePoint permission levels on top of the standard ones.

Like Contribute_MinDelete or Contribute_MinEdit etc.

Go to Site Actions -> Site Permissions -> Permission Levels.
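The same thing done by script instead of through Site Actions, as an added example that is not part of the original post: a helper that copies a built-in permission level and strips the named rights from it, used here to create both Contribute_MinDelete (Contribute without "Delete Items") and Contribute_MinEdit (Contribute without "Edit Items"). The site URL is a placeholder; the helper name is my own.

```powershell
# Added example: create restricted permission levels by copying a built-in one and
# removing individual SPBasePermissions bits. Site URL is a placeholder.
if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$siteUrl = "http://intranet.example.local/sites/finance"   # placeholder

function New-RestrictedPermissionLevel {
    # Hypothetical helper name (not a SharePoint cmdlet).
    # $RootWeb        : root web of the site collection (permission levels live there)
    # $BaseName       : built-in level to copy, e.g. "Contribute"
    # $NewName        : name of the new level
    # $RightsToRemove : SPBasePermissions names to clear, e.g. "DeleteListItems"
    param($RootWeb, [string] $BaseName, [string] $NewName, [string[]] $RightsToRemove)

    $existing = $RootWeb.RoleDefinitions | Where-Object { $_.Name -eq $NewName }
    if ($existing -ne $null) {
        Write-Host "$NewName already exists, skipping"
        return $existing
    }

    $base = $RootWeb.RoleDefinitions | Where-Object { $_.Name -eq $BaseName }
    if ($base -eq $null) { throw "Base permission level '$BaseName' not found" }

    # Copy constructor keeps the base level's description and permission mask
    $new = New-Object Microsoft.SharePoint.SPRoleDefinition($base)
    $new.Name = $NewName
    $new.Description = "$BaseName without: " + ($RightsToRemove -join ", ")

    foreach ($rightName in $RightsToRemove) {
        $right = [Microsoft.SharePoint.SPBasePermissions]$rightName
        # Only flip the bit if it is actually set, so -bxor never adds a right by mistake
        if (($new.BasePermissions -band $right) -eq $right) {
            $new.BasePermissions = $new.BasePermissions -bxor $right
        }
    }

    $RootWeb.RoleDefinitions.Add($new)
    return ($RootWeb.RoleDefinitions | Where-Object { $_.Name -eq $NewName })
}

$site = Get-SPSite $siteUrl
try {
    $root = $site.RootWeb
    New-RestrictedPermissionLevel -RootWeb $root -BaseName "Contribute" -NewName "Contribute_MinDelete" -RightsToRemove @("DeleteListItems") | Out-Null
    New-RestrictedPermissionLevel -RootWeb $root -BaseName "Contribute" -NewName "Contribute_MinEdit"   -RightsToRemove @("EditListItems")   | Out-Null

    # Show the resulting masks next to the original for comparison
    $root.RoleDefinitions | Where-Object { $_.Name -like "Contribute*" } |
        ForEach-Object { Write-Host ("{0,-22} {1}" -f $_.Name, $_.BasePermissions) }
}
finally {
    $site.Dispose()
}
```

Permission levels are defined on the root web of the site collection; subsites that inherit permissions pick them up automatically, and they then appear in the Permission Levels page the post points to.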



Tips using AD groups

Adding AD users to the AD group is not immediately reflected in the Check Permissions box?

The solution is to set the token refresh timer to a more reasonable frequency; by default it is set at 10 hours.

cls
if ((Get-PSSnapin | Where-Object { $_.Name -eq "Microsoft.SharePoint.PowerShell" }) -eq $null) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$sts = Get-SPSecurityTokenServiceConfig

$sts.FormsTokenLifetime = (New-TimeSpan -Minutes 60)              # <- default 10 hours
Write-Host $sts.FormsTokenLifetime

$sts.WindowsTokenLifetime = (New-TimeSpan -Minutes 5)             # <- default 10 hours
Write-Host $sts.WindowsTokenLifetime

# Must stay shorter than WindowsTokenLifetime, otherwise Update() rejects the change
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 2)  # <- default 10 mins
Write-Host $sts.LogonTokenCacheExpirationWindow

# Persist the new values to the farm configuration; without this nothing changes
$sts.Update()

# Do a reset on every WFE !
# iisreset

If the PS script does not work, use the stsadm.exe tool instead. I had to use this method too.

The default is 1440 min or 24 hrs!

"%CommonProgramFiles%\Microsoft Shared\web server extensions\14\BIN\stsadm.exe" -o getproperty -propertyname token-timeout

"%CommonProgramFiles%\Microsoft Shared\web server extensions\14\BIN\stsadm.exe" -o setproperty -propertyname token-timeout -propertyvalue 30

# Do a reset on WFE !


A second problem that may occur is that the security group scope was not set correctly when the AD group was created. Don't use Distribution Groups!

Change it from UNIVERSAL to GLOBAL.
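A check for exactly this problem, as an added example that is not part of the original post: it lists every group under the Security Groups and Department Groups OUs that is not a Global security group (Distribution groups, Universal or Domain Local scope) and can convert them with Set-ADGroup. It needs the ActiveDirectory module from RSAT; the OU distinguished names and the function names are placeholders of mine.

```powershell
# Added example: audit (and optionally fix) AD groups that SharePoint should receive
# as Global security groups. OU paths are placeholders.
Import-Module ActiveDirectory

$groupOUs = @(
    "OU=Security Groups,DC=example,DC=local",     # placeholder
    "OU=Department Groups,DC=example,DC=local"    # placeholder
)

function Get-NonCompliantAdGroups {
    # Hypothetical helper: returns groups that are not Security + Global
    param([string[]] $SearchBases)
    foreach ($base in $SearchBases) {
        Get-ADGroup -Filter * -SearchBase $base |
            Where-Object { $_.GroupCategory -ne "Security" -or $_.GroupScope -ne "Global" }
    }
}

function Repair-AdGroupScope {
    # Hypothetical helper: report, and with -Fix convert, the non-compliant groups
    param([string[]] $SearchBases, [switch] $Fix)
    $found = @(Get-NonCompliantAdGroups -SearchBases $SearchBases)
    foreach ($g in $found) {
        Write-Host ("{0,-40} category={1,-12} scope={2}" -f $g.Name, $g.GroupCategory, $g.GroupScope)
        if ($Fix) {
            # A Global group can only contain accounts from its own domain, so the
            # conversion fails for a Universal group that still holds foreign-domain
            # members; AD reports that as an error on this call.
            Set-ADGroup -Identity $g -GroupCategory Security -GroupScope Global
        }
    }
    Write-Host ("{0} non-compliant group(s) found" -f $found.Count)
}

Repair-AdGroupScope -SearchBases $groupOUs          # report only
# Repair-AdGroupScope -SearchBases $groupOUs -Fix   # convert them
```

Run the report first; converting a Distribution group to a Security group gives it a usable SID, but converting scope can fail when the group nests other Universal groups or contains users from another domain, and those groups need to be cleaned up by hand.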


Bottom line:

As you can see, by combining the SharePoint groups with AD groups you can stay in control.

Rule number one is to limit individual access permissions in SharePoint as much as possible.
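To see where that rule is being broken, here is an added example (not from the original post) that walks a site collection and reports every permission granted directly to an individual user, on webs and lists with unique permissions, ignoring the automatic "Limited Access" grants. The site URL and the function name are placeholders of mine.

```powershell
# Added example: find direct user permissions (not via a SharePoint or AD group) in a
# SharePoint 2010 site collection. Site URL is a placeholder.
if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$siteUrl = "http://intranet.example.local/sites/finance"   # placeholder

function Get-DirectUserPermissions {
    # Hypothetical helper: emits one object per (scope, user, roles) found
    param([string] $SiteUrl)
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Webs and lists that inherit permissions carry no assignments of their own
                $scopes = @()
                if ($web.HasUniqueRoleAssignments) { $scopes += $web }
                $scopes += @($web.Lists | Where-Object { $_.HasUniqueRoleAssignments })

                foreach ($scope in $scopes) {
                    if ($scope -is [Microsoft.SharePoint.SPWeb]) { $label = $scope.Url }
                    else { $label = $scope.RootFolder.ServerRelativeUrl }

                    foreach ($ra in $scope.RoleAssignments) {
                        $member = $ra.Member
                        # SPUser with IsDomainGroup = false is an individual account;
                        # SPGroup members and AD groups are what the post recommends
                        if (($member -is [Microsoft.SharePoint.SPUser]) -and -not $member.IsDomainGroup) {
                            $roles = @($ra.RoleDefinitionBindings |
                                Where-Object { $_.Name -ne "Limited Access" } |
                                ForEach-Object { $_.Name })
                            if ($roles.Count -gt 0) {
                                New-Object PSObject -Property @{
                                    Scope = $label
                                    User  = $member.LoginName
                                    Roles = ($roles -join ", ")
                                }
                            }
                        }
                    }
                }
            }
            finally {
                $web.Dispose()
            }
        }
    }
    finally {
        $site.Dispose()
    }
}

Get-DirectUserPermissions -SiteUrl $siteUrl | Format-Table Scope, User, Roles -AutoSize
```

Site collection administrators do not show up here because they are not role assignments; check them separately with Get-SPSite and the site's administrators list. Folder and item level permissions are also left out to keep the run short on large libraries.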