I worked this through with a co-worker yesterday and thought I would share the solution.

The Problem:

  • You have set up the SharePoint Hybrid Search Connector using SharePoint 2013 or 2016.
  • You have configured your content sources and crawled your content.
  • Some of those local content sources are on file shares.
  • You are not getting search results for all of the content.

There is a search command that you use to determine whether your external content is showing up.  You use IsCriticalSecurityObject=true in the search query and you will get all of your external content.  What we saw was that while we had crawled over 100K items we were seeing only about 12K results.

The issue is that some local security groups are not replicated to Azure AD.  So while you have rights to the file and should see it, the group that grants you that access doesn’t exist in O365, and the result is security trimmed out.  Any group that has the IsCriticalSecurityObject attribute set to true will not replicate.  The Domain Users group is one of those objects.  Thus anything that you have rights to only via Domain Users you won’t see in the search results, because it is security trimmed.

The Solution:

You need to go to the items that have Domain Users as the security group granting access and use another group to allow users to see the file, one that will replicate to Azure AD.  The suggestion is “Everyone”, though that may not be optimal.

We are thinking of writing a PowerShell script that would walk the file shares, look for any item that has Domain Users in its ACL, and add either Everyone or another AD group with the same permissions.
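Here is a sketch of what that script could look like. This is an added example, not a script from the original post; it assumes the share path, the domain name CONTOSO and the replacement group name Synced-All-Users are placeholders you change, and that it runs under an account that can read and modify the ACLs. It first reports every item whose own (non-inherited) ACL grants Domain Users access, and only changes anything when you pass -Remediate, so run it with -WhatIf first and review the list.

```powershell
<#
  Added example (not part of the original post): walk a file share, list every
  item whose explicit ACL grants access to "Domain Users", and, with -Remediate,
  add a matching ACE for a group that does replicate to Azure AD.
  Assumptions: CONTOSO and Synced-All-Users are placeholders; the caller can
  read and write the ACLs under $Path.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $Path,                   # e.g. \\fileserver\share
    [string] $SourceGroup      = 'CONTOSO\Domain Users',     # the group that does not sync
    [string] $ReplacementGroup = 'CONTOSO\Synced-All-Users', # placeholder: a group that syncs
    [switch] $Remediate
)

$findings = New-Object System.Collections.Generic.List[object]

# Include the share root itself; Get-ChildItem -Recurse only returns its descendants.
$items = @(Get-Item -LiteralPath $Path) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    try { $acl = Get-Acl -LiteralPath $item.FullName } catch { continue }

    # Only explicit ACEs need a new entry: inherited ones are fixed at the parent
    # that defines them, and the new ACE inherits down the same way.
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $SourceGroup -and -not $_.IsInherited
    })
    if ($aces.Count -eq 0) { continue }

    foreach ($ace in $aces) {
        $findings.Add([pscustomobject]@{
            Path   = $item.FullName
            Rights = $ace.FileSystemRights
            Type   = $ace.AccessControlType   # Allow or Deny; both are mirrored
        })
        if ($Remediate) {
            # Same rights, inheritance and propagation as the original ACE, new principal.
            $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $ReplacementGroup, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            $acl.AddAccessRule($newAce)
        }
    }

    # One Set-Acl per item, honouring -WhatIf / -Confirm through ShouldProcess.
    if ($Remediate -and $PSCmdlet.ShouldProcess($item.FullName, "Add ACE for $ReplacementGroup")) {
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}

# Emit the report; pipe to Export-Csv to keep a record of what was touched.
$findings
```

Two design points. The script mirrors each Domain Users ACE onto the replacement group rather than replacing it, so on-premises access is unchanged and only the cloud-visible grant is added. And it defaults to a dedicated group instead of Everyone: Everyone is broader than Domain Users (it also covers local and guest accounts), whereas a group whose membership you control keeps the effective permissions the same as before. After the ACLs change, re-crawl the content source so the new security descriptors reach the index.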

Hope that helps debug this odd issue.

Here is the TechNet article that finally resolved the issue.  Look at the Decide how to synchronize Active Directories section and the expanded Why can’t users get hybrid results…