SharePoint: Display Name does not update when NT Authority\Authenticated Users are added to Site's Visitors Group
To give read access on a SharePoint site to all the users within a domain, we generally add NT Authority\Authenticated Users to the site’s Visitors group.
However, we have identified situations where some attributes of a user are updated in Active Directory but the changes are not reflected in SharePoint sites, even after a Profile Import.
For example, take a user “Lisa Costar” who gets married, and her name changes to “Lisa Rao”.
Within SharePoint 2010 we import all the users through the User Profile Service Application, and in SharePoint 2007 we import them using the Shared Services Provider.
After a Full \ Incremental import we see the following information is being imported for a user
Within SharePoint 2010 we can find following jobs which are responsible for syncing the information from user profile service application to the SharePoint site.
Timer Job: User Profile Service Application - User Profile to SharePoint Full Synchronization
Schedule: Hourly
Description: Synchronizes user information from the user profile application to SharePoint users and synchronizes site memberships from SharePoint to the user profile application
Timer Job: User Profile Service Application - User Profile to SharePoint Quick Synchronization
Schedule: Every 5 Minutes
Description: Synchronizes user information from the user profile application to SharePoint users recently added to a site
Modifying last name of user:
Perform a Profile Import:
Navigate to Application Management within SharePoint Central Administration –> Manage Service Application and then Click on the User Profile Service Application
Under Synchronization Click on Start Profile Synchronization
Note: We can perform an Incremental Profile import as we already have the user imported.
After the profile import we noticed that the information was changed within Manage User Profiles.
As mentioned earlier, we would have to wait an hour for the sync to happen, which would update the user information on the SharePoint site.
Note: We can change the schedule of the full synchronization to happen every 5 minutes if we don’t want to wait an hour while troubleshooting; however, revert it back to an hour afterwards.
Open command prompt and navigate to following location:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\Bin
Execute:
stsadm.exe -o sync -synctiming M:5
Even after waiting for an hour, we would notice that the display name of that user does not change on the site.
Behind the Scene:
When the User Profile Service Application - User Profile to SharePoint Full Synchronization job executes, it updates the user attributes (information) in the dbo.userinfo table within the content database of the site.
We would notice that tp_IgnoreIsActive is set to 0 for a user who is not added to the site explicitly.
0 stands for false and 1 stands for true.
Note: Directly modifying any information within the content database would make the environment unsupported.
Ref: https://support.microsoft.com/kb/841057
1st Workaround:
1. Navigate to the SharePoint Site
2. Click on Site Actions –> Site Settings
3. Under Users and Permission click on People and Groups
4. Click on New and then add user
Note: At this point we can add the specific user who is not getting updated, or add NT Authority\Authenticated Users to the Site Members group (Contribute rights).
5. Wait for the sync, which we have scheduled to happen every 5 minutes.
Result: After a successful sync we will notice that the attribute gets changed.
Note: The above workaround would not be acceptable, as we would have to add each affected user manually and wait for it to get synced. Also, adding NT Authority\Authenticated Users with contributor access would elevate permissions for each user on the site, which can have drastic effects.
2nd Workaround:
1. Navigate to the SharePoint Site
2. Create a Test Document Library name it something like “Do not delete” and hide it from Quick launch
3. Create a folder within that library and then break the inheritance by clicking on Manage Permissions on the folder
4. Click on Stop Inheriting and then add NT Authority\Authenticated Users with contributor access.
Or
We can simply break the inheritance of Home.aspx hosted under the Site Pages Library and then add NT Authority\Authenticated Users with contributor rights.
Note: Users get the ability to edit the page, but this can be controlled by enabling versioning on the Site Library.
5. Wait for the sync, which we have scheduled to happen every 5 minutes.
Result: After a successful sync we will notice that the attributes of the users get changed.
Note: This can be acceptable, as all the users would have read access to the entire site but contributor access only on that folder, which should not create an issue with security as users would not be able to delete or modify any information on the site.
Also, behind the scenes, we would notice that tp_IgnoreIsActive is set to 1 for the user even though it is not added explicitly to the site.
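Both workarounds leave NT Authority\Authenticated Users holding contributor rights somewhere in the site, so it is worth being able to list exactly where that principal has been granted access. The following PowerShell is an added example, not part of the original post; it assumes classic-mode Windows authentication (login name 'NT AUTHORITY\authenticated users'), the SharePoint 2010 Management Shell on a farm server, and a placeholder site URL.

```powershell
# Added example (not from the original post). Run in the SharePoint 2010
# Management Shell on a farm server. Assumes classic-mode authentication,
# where the login name is 'NT AUTHORITY\authenticated users'.
param([string]$WebUrl = 'http://sharepoint.example/sites/team')  # placeholder URL

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$AuthUsers = 'NT AUTHORITY\authenticated users'

# Emit one row per role assignment on $Securable that reaches Authenticated
# Users, either directly or through membership of a SharePoint group.
function Get-AuthUsersGrant($Securable, [string]$Scope, [string]$Url) {
    foreach ($ra in $Securable.RoleAssignments) {
        $member = $ra.Member
        $via = $null
        if ($member.LoginName -ieq $AuthUsers) {
            $via = 'direct'
        } elseif ($member -is [Microsoft.SharePoint.SPGroup]) {
            $hit = $member.Users | Where-Object { $_.LoginName -ieq $AuthUsers }
            if ($hit) { $via = "group: $($member.Name)" }
        }
        if ($via) {
            $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
            New-Object PSObject -Property @{
                Scope = $Scope; Url = $Url; Via = $via; Roles = $roles
            }
        }
    }
}

$web = Get-SPWeb $WebUrl
try {
    $rows = @(Get-AuthUsersGrant $web 'Web' $web.Url)
    foreach ($list in $web.Lists) {
        if ($list.HasUniqueRoleAssignments) {
            $rows += @(Get-AuthUsersGrant $list 'List' $list.RootFolder.ServerRelativeUrl)
        }
        # Folders and files with broken inheritance, as created by the 2nd
        # workaround. Enumerating every item is slow on very large lists.
        foreach ($item in @($list.Folders) + @($list.Items)) {
            if ($item.HasUniqueRoleAssignments) {
                $rows += @(Get-AuthUsersGrant $item 'Item' $item.Url)
            }
        }
    }
    $rows | Sort-Object Scope, Url | Format-Table Scope, Url, Via, Roles -AutoSize
} finally {
    $web.Dispose()
}
```

After the 2nd workaround, the expected output is a Read-level row for the web (through the Visitors group) plus a single Item row with Contribute on the hidden folder or on Home.aspx; any other Contribute row is a grant to review.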
Comments
- Anonymous
October 24, 2014
Interesting article. I know I looked at it once before to resolve an issue and since another person got married, this has come about again. Surprised Microsoft have not already provided a patch for this as it is obviously a bug.
I have tried to follow the steps but still not having any luck. SharePoint 2010 platform. Wondered whether step "1." in both "1st Workaround" and "2nd Workaround" above means navigating to the MySite or the TopLevel site.