We have been having an issue with a couple of users in which a site admin would grant them access to either a subsite or a document library, but when the user tried to access the location they would receive the standard SharePoint page stating that the current user does not have access. So what was going on, if we had just granted them access?
It turned out that the users who were having problems were all contractors, summer students or interns: people who have been here in the past but had their Active Directory accounts temporarily disabled. This in turn must have set a flag, on the SharePoint sites to which the users previously had access from past positions, that their accounts were disabled.
The fix was to go through the site collection and remove the user from all locations to which they had had access. Once they were fully removed everywhere on the site collection, we had to go back through and re-add them. Once they had been re-added to the site collection they still retained the incorrect user information, i.e. Title, Name, etc. This information is stored in a hidden User Information List on site collections: http://<SiteCollectionUrl>/_catalogs/users/detail.aspx. The User Information List needs to be synced up by running the appropriate User Profile Service Application Proxy timer jobs:
“User Profile Service Application Proxy – User Profile to SharePoint Full”
“User Profile Service Application Proxy – User Profile to SharePoint Quick”
Generally these jobs are scheduled to run every hour and every couple of minutes respectively, so you may not need to run them immediately and could just wait for the next run time. Once they have run you should see the user information updated and the users should be able to access the sites now.
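The remove, re-add and sync procedure above can be scripted so that the access a user held before removal is recorded and the same access is granted again afterwards. The following is an added example, not part of the original post: the site URL and login are placeholders, it assumes the SharePoint 2010 Management Shell run by a farm administrator, and it records only group memberships and web-level direct grants (unique permissions on individual lists and libraries are not enumerated).

```powershell
# Added example, not from the original post. URL and login are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://sharepoint.example.local/sites/team"  # placeholder
$login   = "EXAMPLE\bdole"                               # placeholder
$apply   = $false   # $false only reports; $true removes, re-adds and syncs

$site = Get-SPSite $siteUrl
try {
    $root = $site.RootWeb
    # Match on the tail so claims-prefixed logins (i:0#.w|...) are found too.
    $entry = $root.SiteUsers | Where-Object { $_.LoginName -like "*$login" } |
        Select-Object -First 1
    if (-not $entry) { Write-Host "No entry for $login in $siteUrl"; return }

    # What the hidden User Information List currently holds for this login.
    Write-Host ("Current entry: ID={0} Name='{1}' Email='{2}'" -f `
        $entry.ID, $entry.Name, $entry.Email)

    # Record current access so that exactly the same access is granted again.
    $loginName = $entry.LoginName
    $userId    = $entry.ID
    $groups    = @($entry.Groups | ForEach-Object { $_.Name })
    Write-Host "Group memberships: $($groups -join '; ')"
    foreach ($web in $site.AllWebs) {
        if ($web.HasUniqueRoleAssignments) {
            foreach ($ra in $web.RoleAssignments) {
                if ($ra.Member.ID -ne $userId) { continue }
                $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
                Write-Host "Direct grant on $($web.Url): $roles (re-grant manually)"
            }
        }
        $web.Dispose()
    }

    if ($apply) {
        # Removing from SiteUsers removes the user from the whole site collection.
        $root.SiteUsers.Remove($loginName)
        # EnsureUser resolves the login again and creates a fresh entry.
        $fresh = $root.EnsureUser($loginName)
        foreach ($g in $groups) { $root.SiteGroups[$g].AddUser($fresh) }

        # Start the sync jobs named above instead of waiting for the schedule.
        Get-SPTimerJob |
            Where-Object { $_.DisplayName -like "*User Profile to SharePoint*" } |
            Start-SPTimerJob
    }
}
finally { $site.Dispose() }
```

Run it once with `$apply = $false` and keep the output as the record of what the user held before the removal.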
A really handy tool was the Check Permissions tab in the permissions ribbon, as well as the PowerShell script developed by Aptillon: http://blog.falchionconsulting.com/index.php/2010/04/discovering-who-has-access-to-sharepoint-2010-securable-objects/
*Update: It appears this fix also works for the case of past users with the same username as new hires. i.e. Bob Dole (username: Bdole) leaves the company and Bill Dole (username: Bdole) joins the company. Bill would run into problems when trying to access a site as it would resolve him as Bob. The fix above resolves this.
Hope you found this helpful