Sharepoint - Nested AD Groups not propagating permissions
Answer: One of the groups is not set up as a security group in Active Directory.
This still applies to all versions of SharePoint and is most common for nested sub-groups.
To verify: Contact the team which maintains AD, or check yourself using a tool like ldp (see Ldp Overview).
Then, change the group to be a security group!
Other issues:
If you cannot find the group in the people picker at all
- Check it is a security group
- Check that you can find a different group in the same domain
- If not able to do #1 and #2 above, you will need to verify you have configured the server to search the domain you are expecting. See Configure People Picker in SharePoint 2013.
If your AD group is a security group and you are using SharePoint 2013, the way that AD groups work is a little different. Each time a user logs into SharePoint, they receive a token that is their identity for the AD groups they are a member of. There is a property of the Security Token Service called Windows Token Lifetime, which is the expiration of the token; when it expires, a new token is grabbed with any changes to their membership. The default time is 10 hours. You can check this using:
# Read the current token lifetime from the Security Token Service configuration
$sts = Get-SPSecurityTokenServiceConfig
$sts.WindowsTokenLifetime
The LogonTokenCacheExpirationWindow is the amount of time that SharePoint will allow as a buffer for that token. To make it check/expire more quickly, use the following PowerShell.
$sts = Get-SPSecurityTokenServiceConfig
# Shorten the lifetime so group membership changes are picked up sooner
$sts.WindowsTokenLifetime = (New-TimeSpan -Minutes 15)
# The cache expiration window must be shorter than WindowsTokenLifetime;
# if the two are equal, the token is always treated as expired and users
# get re-prompted continuously, so keep this value below the lifetime.
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 10)
$sts.Update()
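To do the "is every nested group a security group" check from the answer without ldp, here is an added example (not from the original post) that walks a SharePoint-permissioned AD group and reports every nested group whose GroupCategory is not Security. It assumes the ActiveDirectory PowerShell module (RSAT) is installed on the machine; the group name is a placeholder.

```powershell
# Added example, not part of the original answer.
# Assumes the ActiveDirectory module (RSAT); 'SP-Site-Contributors' is a placeholder.
Import-Module ActiveDirectory

function Find-NonSecurityNestedGroups {
    param(
        [Parameter(Mandatory)] [string] $GroupName
    )
    # Track visited groups so circular nesting does not loop forever
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($GroupName)
    $results = @()

    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        if (-not $seen.Add($name)) { continue }   # already inspected

        $group = Get-ADGroup -Identity $name -Properties GroupCategory, GroupScope
        $results += [pscustomobject]@{
            Group      = $group.SamAccountName
            Category   = $group.GroupCategory            # Security or Distribution
            Scope      = $group.GroupScope               # DomainLocal / Global / Universal
            IsSecurity = ($group.GroupCategory -eq 'Security')
        }

        # Only direct members that are themselves groups; leaf users are irrelevant here
        Get-ADGroupMember -Identity $name |
            Where-Object { $_.objectClass -eq 'group' } |
            ForEach-Object { $queue.Enqueue($_.SamAccountName) }
    }
    $results
}

$report = Find-NonSecurityNestedGroups -GroupName 'SP-Site-Contributors'
$report | Format-Table -AutoSize

# Any distribution group in the chain is where SharePoint stops propagating permissions
$bad = $report | Where-Object { -not $_.IsSecurity }
if ($bad) {
    Write-Warning 'Nested groups SharePoint will not honour (not security groups):'
    $bad | Select-Object Group, Category, Scope | Format-Table -AutoSize
} else {
    Write-Host 'All nested groups are security groups.'
}
```

Run it on the top-level group granted in SharePoint; any row with Category = Distribution is the group to convert (or replace) before re-testing the people picker.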