SharePoint Active Directory Group Membership Sync Problem and Solution

Problem: SharePoint AD group membership permission changes are not reflected immediately. Active directory group users get access denied in SharePoint!

In a SharePoint site where users are managed from AD security groups, newly added members to Active Directory security groups couldn’t access SharePoint sites immediately. But the next day, they are able to log in without any issues. Same way, users removed from an AD security group that is granted access to SharePoint sites can still access!


So, the catch here is: SharePoint AD group permissions appear not to work because AD group membership changes are not reflected in SharePoint immediately. For example, if you remove a user from the AD security group, the user can still access the site. If you add a new user to the AD security group, the user still receives an access denied error in SharePoint.

The root cause of the SharePoint 2010 AD group membership not updating issue:
In SharePoint Web Applications configured to use Claims-Based Authentication, when a user hits a SharePoint site, SharePoint checks the security token cache for the user’s claims. If claims are found in the cache, SharePoint uses them to authorize the user. If not, SharePoint queries AD for the claims again.

Since SharePoint has no way of knowing that an AD group’s membership has changed, it periodically expires the claims token so that the cached claims get re-synced with AD group membership. By default, this token expiry happens once every 10 hours! Until then, a user removed from a group keeps the access their cached claims grant, and a newly added user keeps getting access denied.


Let’s use PowerShell to set the token lifetime and expiration schedules (run this in the SharePoint Management Shell as a farm administrator; the change applies farm-wide):

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Get Security Token Service Configuration
$STSConfig = Get-SPSecurityTokenServiceConfig

#Default value: 10 Hours - how long a Windows (AD) claims token stays valid
$STSConfig.WindowsTokenLifetime = (New-TimeSpan -Minutes 2)

#Default value: 10 Minutes - how long before expiry the cached token is refreshed
$STSConfig.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)

#Persist the changes to the farm - without Update() the new values are discarded
$STSConfig.Update()

Important: If you set the token lifetime to a value smaller than the token cache expiration window, you’ll start seeing the message “The context has expired and can no longer be used. Exception from HRESULT: 0x80090317”, so don’t do it!
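The following script is an added example, not the original post’s code, covering both the claims-cache behaviour explained above and the lifetime-versus-expiration-window caveat: it wraps the change in a function that refuses the invalid combination, records the current values so they can be restored, and calls Update() so the new values are actually persisted. The function name Set-STSTokenLifetime and the 15-minute / 5-minute values are assumptions chosen for illustration; it assumes the SharePoint Management Shell on an on-premises farm, run as a farm administrator.

```powershell
# Added example (not the original post's script). Assumes the SharePoint
# Management Shell on an on-premises farm, run as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-STSTokenLifetime {
    param(
        [Parameter(Mandatory)][TimeSpan]$WindowsTokenLifetime,
        [Parameter(Mandatory)][TimeSpan]$LogonTokenCacheExpirationWindow
    )

    # Guard against the combination the post warns about: the token lifetime
    # must stay longer than the cache expiration window, otherwise users see
    # "The context has expired and can no longer be used" (0x80090317).
    if ($WindowsTokenLifetime -le $LogonTokenCacheExpirationWindow) {
        throw "WindowsTokenLifetime ($WindowsTokenLifetime) must be greater than LogonTokenCacheExpirationWindow ($LogonTokenCacheExpirationWindow)."
    }

    $sts = Get-SPSecurityTokenServiceConfig

    # Keep the current values so the change can be reverted if needed.
    $before = [PSCustomObject]@{
        WindowsTokenLifetime            = $sts.WindowsTokenLifetime
        LogonTokenCacheExpirationWindow = $sts.LogonTokenCacheExpirationWindow
    }
    Write-Host "Before:"
    $before | Format-List

    $sts.WindowsTokenLifetime            = $WindowsTokenLifetime
    $sts.LogonTokenCacheExpirationWindow = $LogonTokenCacheExpirationWindow

    # Without Update() nothing is written back to the farm configuration.
    $sts.Update()

    Write-Host "After:"
    Get-SPSecurityTokenServiceConfig |
        Format-List WindowsTokenLifetime, LogonTokenCacheExpirationWindow

    return $before
}

# Usage (assumed values): AD group membership changes take effect within 15
# minutes, and cached tokens are refreshed 5 minutes before they expire.
$previous = Set-STSTokenLifetime -WindowsTokenLifetime (New-TimeSpan -Minutes 15) `
                                 -LogonTokenCacheExpirationWindow (New-TimeSpan -Minutes 5)

# To roll back later:
# Set-STSTokenLifetime -WindowsTokenLifetime $previous.WindowsTokenLifetime `
#                      -LogonTokenCacheExpirationWindow $previous.LogonTokenCacheExpirationWindow
```

Pick the lifetime based on how quickly revoked access must stop working: a shorter WindowsTokenLifetime means a user removed from an AD group loses access sooner, at the cost of more frequent re-authentication and more queries against AD.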

SharePoint AD group new members get access denied – permission problem in Classic Mode?
In classic mode authentication, this behavior is controlled by the token-timeout property. By default, it’s set to 24 hours (the value is given in minutes)! You can adjust it accordingly.

To check the current timeout value: stsadm -o getproperty -propertyname token-timeout

To set it, e.g. to 5 minutes: stsadm -o setproperty -pn token-timeout -pv 5


This fixes the SharePoint 2010 AD group membership not updating issue!

Salaudeen Rajack

Salaudeen Rajack - Information Technology Expert with two decades of hands-on experience, specializing in SharePoint, PowerShell, Microsoft 365, and related products. He has held various positions including SharePoint Architect, Administrator, Developer and Consultant, and has helped many organizations implement and optimize SharePoint solutions. Known for his deep technical expertise, he’s passionate about sharing knowledge and insights to help others through real-world articles!

3 thoughts on “SharePoint Active Directory Group Membership Sync Problem and Solution”

  • Hello,

    I tested this script on SharePoint 2019 and it does not seem to work. Values are changed but the replication times for permissions are the same ~ 10 hours or so.

    Any ideas on this?

  • Hi,
    Do you know how to shorten the time for SharePoint Online?

  • This solution will continue to expire my access to SharePoint, won’t it? After every minute the page will expire and I won’t have access to it.

