When attempting to view members of an Active Directory group from permissions analysis results, an error window displays which includes the following message:
System.Exception: Cannot get the members of the group [domain\group] possibly because of network or permissions problems
The ControlPoint Service Account does not have permissions to read all users within the Active Directory group.
Make sure the ControlPoint Service Account has at least Read Permissions for the Active Directory record of every SharePoint user. Consult your Microsoft Active Directory documentation for details.
When attempting to view membership in an Active Directory group from Permissions analysis results, the following message displays:
Group: [group-name] Cannot connect to the domain controller for domain
A trust relationship between the domain or forest that hosts the Active Directory group and the domain or forest in which ControlPoint is installed
·does not exist
·requires additional authentication.
See Accessing Members of Active Directory Groups in Different Domains or Forests (on page 78).
After clicking [Calculate Totals] On the ControlPoint Properties dialog, the number of Total Users with Permissions is followed by (Incomplete).
An exception was encountered when Active Directory users were being counted. Possible reasons include:
·The ControlPoint Service Account does not have access to an entire Active Directory group or one or more accounts within an Active Directory group.
·Networking problems have been encountered.
Review the ControlPoint Administration log (xcadmin) to determine the cause of the exception.
One or more users who have permissions to SharePoint objects through a claim are not being included in permissions analysis results.
If your SharePoint farm includes claims-based authentication, permissions granted through a claim may not be reliably reported because SharePoint only retains permissions information for an augmentation claims-based user for a limited time after the user logs in.
The same behavior can be observed in SharePoint. For example, the SharePoint Site Permissions > Check Permissions feature may or may not show permissions granted through an augmentation claim, depending on when the user last logged in.