Domain User Migration: SharePoint and SIDHistory

One of the basic principles of an Active Directory domain migration is the access to resources in the source domain based on SIDHistory information of the migrated user-account or group. The SID of the object in the source domain is written into the SIDHistory attribute of the object in the target domain. This enables the access to resources in the source domain during the migration process.

Unfortunately, Microsoft breaks with this principle here. SharePoint and SIDHistory.

Index

The SharePoint and SIDHistory problem

Microsoft Sharepoint 2007, 2010 and 2013 do not support the access to SharePoint content based on authorizations given by the SIDHistory. In case user accounts are migrated into another Active Directory domain and the SharePoint farm remains in the source domain for the time being, the migrated user account cannot access SharePoint contents.

The user can still access SharePoint manually with their account from the source domain, but this can only serve as a workaround.

Solution 1 – STSADM

A solution could be the exchange of the user accounts within the SharePoint authorizations. Before there were the new possibilities via Powershell, we could use the command line tool STSADM:

<span style="color: #0000ff;">stsadm</span> <span style="color: #ff6600;">-o migrateuser</span> <span style="color: #ff6600;">-oldlogin</span> <span style="color: #008000;">Domain\olduser</span><span style="color: #ff6600;"> -newlogin</span> <span style="color: #008000;">Domain\newuser</span> <span style="color: #ff6600;">-ignoresidhistory</span>

stsadm -o migrateuser -oldlogin Domain\olduser -newlogin Domain\newuser -ignoresidhistory

An important note is that the user accounts are exchanged resulting in the source domain account not having access to the SharePoint contents anymore. This has notable influence on the implementation planning and has to be considered at any rate.

Solution 2 – PowerShell (recommended for SharePoint 2010 and higher)

Since SharePoint 2010 Microsoft recommends the usage of PowerShell cmdLets for SharePoint. STSADM can still be used but will not be updated. It will probably be discontinued with one of the next SharePoint versions. Thus I recommend becoming familiar with alternatives of PowerShell.

The cmdLet “Move-SPUser” widely replaces the functions of “stsadm -o migrateuser“.

<span style="color: #0000ff;">Move-SPUser </span><span style="color: #ff6600;">-Identity </span><span style="color: #008000;">domain\olduser </span><span style="color: #ff6600;">-NewAlias</span> <span style="color: #008000;">domain\newuser </span><span style="color: #ff6600;">-IgnoreSID</span>

1	<span style="color: #0000ff;">Move-SPUser </span><span style="color: #ff6600;">-Identity </span><span style="color: #008000;">domain\olduser </span><span style="color: #ff6600;">-NewAlias</span> <span style="color: #008000;">domain\newuser </span><span style="color: #ff6600;">-IgnoreSID</span>

It you work with the cmdLet “Move-SPUser“, you quickly become aware of other similar cmdLets: get-SPUser and set-SPUser. The cmdLet get-SPUser displays a list of the authorizations of one site collection. With a little fantasy you can turn it into a little script reading the authorized user accounts of a site collection, swapping the domain name “old” against “new” and set the new authorizations with move-SPUser.

<span style="color: #0000ff;">get-SPUser</span><span style="color: #ff6600;"> -web</span> <span style="color: #008000;"><a href="https://webapplication/sites/sitecollection"><span style="color: #008000;">https://webapplication/sites/sitecollection</span></a> </span>|<span style="color: #0000ff;"> select</span> <span style="color: #ff6600;">userlogin</span>

get-SPUser -web <a href="https://webapplication/sites/sitecollection">https://webapplication/sites/sitecollection</a> | select userlogin

Depending on whether the Claims Based Authentication of the Web App was activated or not, the output looks as follows:

UserLogin
---------
Domain\username <em>(NTLM)
</em>i:0#.w|Domain\username <em>(Claims Based)</em>

UserLogin

---------

Domain\username (NTLM)

i:0#.w|Domain\username (Claims Based)

The following script lines are to be an inspiration for a migration script.

Add-PSSnapin Microsoft.SharePoint.PowerShell
$users = get-SPUser -web “https://webapplication/sites/sitecollection“
foreach ($oldUser in $users)
{
$oldUserSTR = $oldUser.userlogin
$newUser = $oldUserSTR.replace(“oldDomain“, “newDomain“)
move-SPUser -Identity $oldUser -NewAlias $newUser -IgnoreSID
}

Link to the Microsoft Technet website about “Move-SPUser“

Did this help you? Share it or leave a comment:

Artikel erstellt am: 04.09.2014

Stewart Beel

· Reply

February 25, 2015 at 9:38 AM

Hi,

I hope you can offer some advice. I am currently in the process of performing an Active Directory migration between two forests. We have a SharePoint 2010 farm and I want to migrate the SharePoint users between domains. I have tested your Powershell commands and they work for me, but I have also seen other posts suggesting to use SPFarm.MigrateUserAccount method as is shown in this post
http://blogs.msdn.com/b/sowmyancs/archive/2012/01/07/migrate-users-groups-powershell-script.aspx

I’m a little confused as to which would be the preferred method and if either option offers any benefits. Could you shed any light on this for me?

Many thanks,
Stewart

Matthias Rudolph
· Reply

March 4, 2015 at 4:31 PM

Hi Stewart,

Jens said there are 3 ways:
1. stsadm -o migrateuser (SharePoint 2007)
2. Move-SPUser (SharePoint 2010 / 2013)
3. SPFarm.MigrateUserAccount

But so far he doesn’t have any experience with SPFarm.MigrateUserAccount. I am sorry, that we currently can’t tell you what the advantages and disadvantages are.
We might come back to the issue later.

I hope that someone who already has experience with SPFarm.MigrateUserAccount reads this – We would appreciate your commment to help!
Matthias

Scott Maurer

December 15, 2015 at 8:39 PM

Hello,

I am also hoping for some advice about a migration.

We are currently using SP2013 with Claims Based Authentication and NTLM. We have the server in Domain “Dest” already and the Users in Domain “Original”. We are currently in the process of move all Users to Domain “Dest” but none of the solutions above are working in SharePoint.

After the user account has been moved from Domain “Original” to Domain “Dest” I run the command on SharePoint and I get the following result:

Move-SPUser : The parameterless Read method can only be used when this
instance was initialized with an SPUser object.

Since the account has moved domains and we are not using new accounts, could this be causing the problem? Does an account have to exist in both domains at the same time in order for SharePoint to perform this command?

Jens
· Reply

Author

January 19, 2016 at 3:20 PM

Hi Scott,

I’m not 100% sure (I have currently no test environment to check it).
When you move the user accounts to the new Domain it sounds like a intra-forest-Migration?
So you move the accounts with ADMT?

The SharePoint User Profile Service will remove the user account from the profie database in SharePoint. So the pointer in Move-SPUser is invalid:

Move-SPUser -Identity ORIGINAL\old_user

Try to bind the “original user object” into a variable:
$oldUser= Get-SPuser -Identity ORIGINAL\old_user
Move-SPUser -Identity $oldUser -NewAlias DEST\new_user

Regards,
Jens

mike_pal

May 5, 2017 at 6:33 PM

I’m kinda confused,
Our environment doesn’t give access to specific users, it gives access to Global Domain groups and then we set the permissions

now we are doing a Users/groups migration using SID History.

Non of the New Domain have been given access to Our SharePoint sites or haven’t done any move-spuser scripting. but the users from the New Domain can login in our SharePoint Environment.

If the new account of the new AD is a member of an AD Group that is synchronized with one of the old AD groups that is added to our SharePoint site, then the new account have the same permission level as the one from the Old AD group…. How is this possible? is sharepoint using SIDHistory or not ?

Raghav

June 1, 2017 at 3:10 PM

Hi, Apart from migrating the user in AD and in SP (Move-SPUser), do we need to execute any other scripts to take care of other services like InfoPath forms, workflows, BCS etc? Thank you.

Was

December 11, 2017 at 7:28 PM

Please have a look at the following article which also describes the SharePoint user migration:
https://medium.com/@huptdawas/migrate-sharepoint-userprofiles-from-one-domain-to-another-4b2e45e3ccdb

Domain User Migration: SharePoint and SIDHistory

The SharePoint and SIDHistory problem

Solution 1 – STSADM

Solution 2 – PowerShell (recommended for SharePoint 2010 and higher)

7 Comments

Leave your reply.

Leave a Reply

<p>Your email is safe with us.<br/>Information about our <a href="https://activedirectoryfaq.com/contact-us/">data protection policies</a></p>

Dynamic AD Groups

Links

Social Icons Widget

Dynamic Entra ID Groups

Recent Articles

Categories

Domain User Migration: SharePoint and SIDHistory

The SharePoint and SIDHistory problem

Solution 1 – STSADM

Solution 2 – PowerShell (recommended for SharePoint 2010 and higher)

You also might be interested in

Import PowerShell sessions from computers in another domain

Authentication for MS Teams in hybrid networks

Dynamic OU Groups – Assign Permissions to OUs

7 Comments

Leave your reply.

Leave a Reply

<p>Your email is safe with us.<br/>Information about our <a href="https://activedirectoryfaq.com/contact-us/">data protection policies</a></p>

Dynamic AD Groups

Links

Social Icons Widget

Dynamic Entra ID Groups

Recent Articles

Categories