Thursday, October 7, 2010

A primary AD group should not be added to a SharePoint Site Group

Hi

As per http://msdn.microsoft.com/en-us/library/bb975136%28office.12%29.aspx, and the problem we are facing:

Primary group membership In Active Directory, each user has a primary group. When the LDAP Role provider is used with Active Directory, a user's primary group is not included in the list of roles for the user. By default, a user's primary group is the Domain Users group. As a result, the Domain Users group is not a good choice to add to a SharePoint group when you are provisioning permissions because unless the user's primary group is changed, no user is returned in the membership of that role. For more information, see the primaryGroupID attribute in User Security Attributes.

 

My requirement is:

I have added user 'us1' to an AD group 'ADG1'. The AD group (via FBA) is added to the SharePoint site group "SiteGroup1". The SharePoint site group "SiteGroup1" has 'view only' rights on a subsite in my SharePoint portal, "Mysite1".

Problem:

When user 'us1' tries to access my subsite "Mysite1" on my FBA portal, he is not authorized to access it.

Any clues how to get it working?

Reply 1

Hi,

Please grant SiteGroup1 ‘full control’ and try again.

If you get the same result, please check your FBA configuration settings.

Here is a useful article:

http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx

Hope it is helpful!




Seven

Reply 1.1

Hi

It's not about giving Full Control or view only.

Suppose a user has rights on the site by being part of an AD group, and this AD group is its primary group.

The AD group is added to the SharePoint site group.

But as per the link I had given, the user does not have the rights given by the SharePoint site group, since LDAP does not retrieve this user under the given role, because it is through the primary group as membership group in AD.

Reply 1.1.1

Hi,

From the link you have given, the thing is that only the Domain Users group will be unavailable to the SharePoint site, since it is the default primary group. If you add this group to the SharePoint site, only the users who have changed the primary list will receive the role from this group in the SharePoint site. For other primary groups you have set for some users, there is no such limitation.

If the need in your post is still not met, please check your FBA configuration settings as I have mentioned.

Hope it is helpful!




Seven

Reply 1.1.1.1

Hey Seven, you could replicate the exact scenario and verify what I meant here. I am not pointing out the specific group that is the primary group for all users by default.

It's like primary AD groups should not be used for providing rights, from what I have understood till now. The reason being, if a user is a member of a group and this group is also the primary AD group for this user, and we add this primary group to a SharePoint site group, that's not done; the user still does not have the intended rights!
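Added example, not part of the original thread or of Microsoft's documentation: a Python sketch of the primary-group behaviour described in the MSDN passage quoted in the question, comparing the roles seen through `memberOf` alone with the roles once `primaryGroupID` is resolved against the user's `objectSid`. It assumes a role lookup that reads only `memberOf`; the directory entries, DNs, domain SID and all RIDs except 513 (Domain Users) are constructed sample data.

```python
import struct

def pack_sid(*subs, authority=5, rev=1):
    """Build a binary objectSid (used only to construct the sample data)."""
    return (bytes([rev, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def sid_to_str(raw):
    """Decode objectSid: revision, count, 48-bit authority, little-endian sub-authorities."""
    rev, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

# Constructed sample directory: made-up domain SID and RIDs (513 = Domain Users).
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
ADG1 = "CN=ADG1,CN=Users,DC=example,DC=test"
GROUPS = {
    "CN=Domain Users,CN=Users,DC=example,DC=test": pack_sid(*DOMAIN, 513),
    ADG1: pack_sid(*DOMAIN, 1105),
}
USERS = {
    # us1: ADG1 is the primary group, so it does not appear in memberOf.
    "us1": {"objectSid": pack_sid(*DOMAIN, 1201), "primaryGroupID": 1105, "memberOf": []},
    # us2: ordinary member of ADG1, primary group left at Domain Users.
    "us2": {"objectSid": pack_sid(*DOMAIN, 1202), "primaryGroupID": 513, "memberOf": [ADG1]},
}

def cn(dn):
    """Return the CN value of a DN's first component."""
    return dn.split(",")[0][3:]

def roles_from_memberof(name):
    """Roles seen by a lookup that reads only memberOf (assumed behaviour)."""
    return sorted(cn(dn) for dn in USERS[name]["memberOf"])

def primary_group_sid(name):
    """Domain part of the user's SID with the RID replaced by primaryGroupID."""
    user = USERS[name]
    domain_part = sid_to_str(user["objectSid"]).rsplit("-", 1)[0]
    return "%s-%d" % (domain_part, user["primaryGroupID"])

def effective_roles(name):
    """memberOf roles plus the group whose objectSid matches the primary group SID."""
    target = primary_group_sid(name)
    primary = [cn(dn) for dn, sid in GROUPS.items() if sid_to_str(sid) == target]
    return sorted(set(roles_from_memberof(name)) | set(primary))

if __name__ == "__main__":
    for u in USERS:
        print(u, roles_from_memberof(u), effective_roles(u))
```

A permissions audit can run the same comparison over real directory data to find accounts whose access depends on a primary group that a `memberOf`-only lookup will never report.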
