Access denied to a site despite permissions are granted
Recently I faced an odd situation, that user was complaining that they have access denied to the site, even though when I was checking their permissions, SharePoint was displaying, that they do have “Contribute” access level granted.
However, what made me concerned, was the fact, that apart from displaying “Contribute” access, user also was granted, separately, “Limited Access” permissions:
Moreover, that Limited Access was given directly, without information, on what item/ list/ library it was actually granted. And that lead me to thinking, that maybe this is the reason of access denial.
User information list
Touched by the feeling, I decided to open hidden user information list in the site (it is available under: https://<your-tenant>.sharepoint.com/sites/…/_catalogs/users/simple.aspx) to discover, user’s entry is present there twice:
There is a numerous reasons why this situation occurs. In this specific case, user was working for the company, than moved to another one and after some time was re-hired again. That caused SharePoint to think, those are actually two different accounts since they had different SIDs (Security Identifiers, coming from AD). So when user entered SharePoint after they were re-hired, SharePoint created second entry on the list.
Finally, because user picker in the grant permissions form was considering these two entries as one, admin was only able to grant permissions to one account, whereas the other one still didn’t have permissions. What resulted in constant access denied, despite the fact user was granted right permissions. SharePoint we love you <3 🙂
How to resolve it?
Go to “All People” page (it is available under: https://<your-tenant>.sharepoint.com/sites/…/ _layouts/15/people.aspx?MembershipGroupId=0) and remove both entries or specific entry.
Important! You have to open “All People” in the top site collection. When you remove both entries, user will loose existing permissions, so they must be re-set afterwards. Optionally, you can only remove the obsolete entry, but you have to identify which one is that (possibly the one created earlier or the one that will display errors in Delve).
After you select entry you want to delete, under “Actions” select “Delete Users from Site Collection”:
Once that is done, simply grant them permissions again. Issue solved!
You may as well find useful this post: Find Duplicate Users in SharePoint User Information List – The Lazy SharePoint Admin (thelazyspadmin.com), where James describes a PowerShell script that will help you to find all duplicated entries, so that you can fix it before your users start complaining 🙂