This project has moved and is read-only. For the latest updates, please go here.

Ad groups not resolve anymore

Nov 27, 2014 at 3:28 PM
Edited Nov 27, 2014 at 3:29 PM
Hi all, i read the article of the discussion list but i cannot fix my problem,

yesterday i was able to pickup Ad groups from otherdomain throw people picker but today i cannot anymore the user are correctly resolved but group no.

i check the (Get-SPTrustedIdentityTokenIssuer).ClaimTypeInformation,

DisplayName : Role
InputClaimType :
MappedClaimType :
IsIdentityClaim : False
AcceptOnlyKnownClaimValues : False
ClaimValueModificationAction : None
ClaimValueModificationArgument :
KnownClaimValues : {}
UpgradedPersistedProperties :

my other claims are email adress UPN and SID

The only difference beetwen today and yesterday is the user used in the ldapcp configuration. it seems an error occured with the password after reseting the password and reconfigure the ldap entry, i was able to query again but only user.

my claims mapping are


i check ULS log and found something interesting,


it seems that ldacp found my 11 domain users group but getback only one (the adfs main domain group).

thanks in advance for helping me.

best regards
Nov 27, 2014 at 4:47 PM
Hello, the screenshot doesn't show the whole LDAP query (1st line in the SharePoint log).
Can you copy it?
And just in case, SharePoint never queries groups in site collection administrators page, you have to test in a normal web application to be sure to request a group.
Nov 28, 2014 at 8:25 AM
hi yvan,

here is the complete query

[LDAPCP] Got 11 result(s) from all LDAP server(s) with query "(| (&(objectclass=user)(mail=domain users*)) (&(objectclass=user)(userPrincipalName=domain users*)) (&(objectclass=group)(sAMAccountName=domain users*)) (&(objectclass=user)(displayName=domain users*)) (&(objectclass=user)(cn=domain users*)(!(objectClass=computer))) (&(objectclass=user)(sn=domain users*)) )"

I try to add my groups in the default Visitors group of my site collection

best regards
Nov 28, 2014 at 12:42 PM

Configuration looks correct as LDAPCP actually queries groups:
(&(objectclass=group)(sAMAccountName=domain users*))
But it seems to be removed by filtering (which looks unexpected) as it goes from 11 results to 1.

Is there any chance that you can run this query with ldifde.exe command line tool, to confirm that group is returned?
can you also try with another group that has a completely different name (like "ImAUniqueGroup")?

Nov 28, 2014 at 2:01 PM
Hello Yvan,

I got more information, we discover that if the group (whatether the name) have a space in, people picker is not able to display it.

We try with a group : domain guests

in ULS log, the group is found but not displayed on peoplepicker.

we modify the group for domain_guests

in ULS log the group was found and displayed on people picker

he appear as (Role)Domain_guests.

How can we replace the (role) prefix for the domain and how display the groups with space in ?

Kind regards
Dec 1, 2014 at 12:28 PM
to be sure I tried your scenario, and I can confirm that this works fine with groups that have a space in their name.
Just to tet, can you try in another web application (or at least in a new content database in same web application) and let me know if you reproduce the issue?
Dec 2, 2014 at 12:48 PM
hi Yvand,

I test yesterday a lot of thing and here is my results.

I got 5 different DB on the same web app and all get me the same results.

I enable Both NTLM and my custom claims provider.

Results : i can resolve "domain users group" (but the authentication is still not possible) because the group appear like this :


as we can see there is not my authenticated provider in the prefixe,

here is a group from the same domain who is working when i add it on the people picker.


I try on a new web app

When i first attemp to search my group,

i got this


So exact same result of the previous web app, the other group were correctly resolve (Global_KOL_list)

Best regards
Dec 3, 2014 at 12:10 PM
from the logging message in the last screenshot, LDAPCP appears to work fine: it found "Domain Users" and addeed it to the list of results.
If it doesn't appear in the people picker, it looks like a SharePoint issue...
Could you use a HTTP debugger (like Fiddler) and check if the permission is present in the response to the query submitted by the people picker?