SharePoint 2013 Active Directory Group not working


Just set up a new 2013 SharePoint… Put a handful of users in an AD group that was then put in the SP site members group. Works perfectly for most people, but some are getting access denied messages to the site even though they are in the AD group. If we give the people access explicitly in the SharePoint members group they have no troubles. What am I missing?

Update: When I go to the permissions page and select Check Permissions… The people that are having trouble show a permission level of None even though they are in the AD group!?!

Best Answer

SharePoint caches your AD Group Membership. So if the user already exists and had logged into SharePoint recently, their group membership change won't take effect until the cached values expire.

This means that adding a user to a group might not take effect until tomorrow, and removing a user from a group won't take effect immediately either.

The parts you're looking for are found by running Get-SPSecurityTokenServiceConfig and the WindowsTokenLifetime and LogonTokenCacheExpirationWindow settings. You can either ask the users to wait, or alter these settings to something shorter.
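
The settings named in the answer above can be inspected and shortened as follows; this is an added example, not part of the original answer. The function name Set-StsTokenLifetime and the 60-minute and 10-minute values are assumptions chosen for illustration.

```powershell
# Added example: run in the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper (not a SharePoint cmdlet): reports the current token
# settings and, with -Apply, writes shorter ones to the farm's STS config.
function Set-StsTokenLifetime {
    param(
        [Parameter(Mandatory = $true)][TimeSpan]$TokenLifetime,
        [Parameter(Mandatory = $true)][TimeSpan]$CacheExpirationWindow,
        [switch]$Apply
    )

    # The expiration window is subtracted from the token lifetime. If it is
    # not strictly smaller, every cached token counts as already expired and
    # users get stuck re-authenticating.
    if ($CacheExpirationWindow -ge $TokenLifetime) {
        throw "LogonTokenCacheExpirationWindow must be shorter than WindowsTokenLifetime."
    }

    $sts = Get-SPSecurityTokenServiceConfig
    $before = New-Object PSObject -Property @{
        WindowsTokenLifetime            = $sts.WindowsTokenLifetime
        LogonTokenCacheExpirationWindow = $sts.LogonTokenCacheExpirationWindow
        # Roughly how long a cached AD group membership stays in use
        EffectiveCacheTime              = $sts.WindowsTokenLifetime - $sts.LogonTokenCacheExpirationWindow
    }

    if ($Apply) {
        $sts.WindowsTokenLifetime            = $TokenLifetime
        $sts.LogonTokenCacheExpirationWindow = $CacheExpirationWindow
        $sts.Update()   # persists the change to the farm configuration
    }
    return $before      # values as they were before any change
}

# Dry run: show current values only (constructed sample values).
Set-StsTokenLifetime -TokenLifetime (New-TimeSpan -Minutes 60) `
                     -CacheExpirationWindow (New-TimeSpan -Minutes 10)

# Apply: AD group changes, including removals, are then picked up after
# about 50 minutes at the cost of more frequent membership lookups.
# Set-StsTokenLifetime -TokenLifetime (New-TimeSpan -Minutes 60) `
#                      -CacheExpirationWindow (New-TimeSpan -Minutes 10) -Apply
```

Tokens already issued keep the lifetime they were created with, so a user removed from an AD group can retain access until their existing token expires.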