Saturday, May 14, 2016

Active Directory Group Policies for SharePoint farm and SharePoint Installation.

As SharePoint consultants, we rarely check the AD GPOs that are essential for SharePoint services to function. In my earlier blog post, I described how you can clear the SharePoint cache for the timer service or the search service, or for fixing SharePoint Designer.


We are implementing a new SharePoint farm and following a typical SharePoint farm setup. We noticed that the timer service kept stopping every day. The SharePoint logs and Event Viewer showed errors but not much information. Our frustration peaked as we checked everything related to the SharePoint farm. We found that there was no problem with the SharePoint setup.

Solution and Fix:

A small primer about Active Directory Group Policy.

Group Policy: It is basically a feature of Windows (2008, 2008R2, 2012, 2012R2 etc.) and Active Directory. It allows us to centrally manage all the configuration for users and computers, so settings are defined once, centrally, for the whole farm. You can define multiple group policy settings, as required, in a Group Policy Object.

Group Policy Object (GPO): You can apply a GPO to a specific scope of servers, such as the SharePoint servers.


a) Note that any change you make to the settings will cascade down to all the servers defined in your group policy.
b) A GPO is pushed out on a regular basis (e.g. every 1 hour), and therefore it may overwrite any settings changes. That was exactly what was happening to us. The SharePoint timer service kept stopping every day, primarily due to the GPO.
c) This is not well documented in SharePoint literature; please refer to this for more information.

After troubleshooting the failure for more than four weeks, we checked with our AD team. The investigation showed that an SP_Group group exists in Active Directory.

1.      All SharePoint service accounts (sp_farm, sp_admin, sp_userprofile, sp_crawl, sp_sql) have to be added to this AD SP_Group group.

2.      When you add all service accounts to the SP_Group, the AD GPO settings are applied automatically.

3.      Verify that SP_Group has the following security settings applied on the Windows Servers (for SharePoint) under Local Policies / User Rights Assignment:
a.      Log on as a batch job
b.      Log on as a service
c.      Replace a process level token

4.      The next step is to run GPUPDATE on all the SharePoint servers, including SQL Server (just to be safe). GPUpdate refreshes local and Active Directory-based group policy settings.

5.      Restart the SharePoint timer service on all SharePoint servers.

6.      You can also get all the Group Policy information as a report. Run the following command from a command prompt opened with Run as administrator, using the SP_FARM account:

C:\Temp\sp_farm> gpresult /h C:\temp\ADReport.html
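
The verification, refresh and restart steps above can be scripted per server. The following is an added example, not code from the original post: it refreshes computer policy, exports the User Rights Assignment area with secedit, and checks that SP_Group holds the three rights. The domain name CONTOSO is a placeholder, and SPTimerV4 is the service name of the SharePoint Timer Service.

```powershell
# Added example. Run in an elevated PowerShell session on each SharePoint server.
# Assumption: CONTOSO is a placeholder for your AD domain.
$Group = 'CONTOSO\SP_Group'

# The three user rights from the post, keyed by the constant names secedit uses.
$Required = [ordered]@{
    SeBatchLogonRight             = 'Log on as a batch job'
    SeServiceLogonRight           = 'Log on as a service'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
}

# Refresh computer policy first so the export reflects what the GPO applies now.
gpupdate /target:computer /force | Out-Null

# secedit lists domain principals as *S-1-5-..., so resolve the group to its SID.
$Account = [System.Security.Principal.NTAccount]$Group
$Sid = $Account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the User Rights Assignment area of the effective local policy.
$Cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $Cfg /areas USER_RIGHTS | Out-Null
$Lines = Get-Content $Cfg
Remove-Item $Cfg

$Report = foreach ($Right in $Required.Keys) {
    # Lines look like: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...
    $Line = $Lines | Where-Object { $_ -match "^$($Right)\s*=" } | Select-Object -First 1
    $Holders = @()
    if ($Line) {
        $Holders = ($Line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
    [pscustomobject]@{
        Right   = $Required[$Right]
        Granted = ($Holders -contains $Sid) -or ($Holders -contains $Group)
    }
}
$Report | Format-Table -AutoSize

# Restart the timer service only when all three rights are in place;
# otherwise the GPO scope or the group membership needs fixing first.
if ($Report.Granted -contains $false) {
    Write-Warning "$Group is missing user rights on $env:COMPUTERNAME; check the GPO scope."
} else {
    Restart-Service -Name SPTimerV4
}
```

A right reported as not granted right after a policy refresh means the GPO that assigns it is not reaching this server, which `gpresult /h` will confirm.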

I hope this blog post is useful for you.

Please comment if this blog post is helpful.

--aaroh :) 

1.      Social MSDN Wiki
Use Group Policy to Control SharePoint Installations


Harini R said...

I will bookmark your blog and take the feeds additionally? I’m satisfied to find so many helpful information here within the put up, we want work out extra strategies in this regard, thanks for sharing..

Aroh Shukla said...

Thanks Harini for feedback!
