SharePoint User Permissions mapping after AD migration
Hi,

I'm currently working on a situation in which an AD migration took place. The users were successfully migrated from one AD to another AD, and were told to use the new domain to log on to SharePoint sites.

Here comes the problem: they are receiving an access denied message whenever they try to log in using their new domain account details. I know this is due to not running the SharePoint migration for mapping user permissions.

So, I tried to run the STSADM migrateuser command. The message shows 'operation successful', but when I cross-checked the user profile, the email is still pointing to the old domain. Also, is there any PowerShell script to run the command for many users at a time, in bulk?

Can someone please help me on this ?

Thanks in advance.
July 21st, 2015 6:43pm

Here is the general process you would use:

# Look the user up in one Site Collection where they already exist; Move-SPUser then migrates them farm-wide.
$user = Get-SPUser -Identity "olddomain\username" -Web http://webUrl
Move-SPUser -Identity $user -NewAlias "newdomain\username" -IgnoreSid

Only use -IgnoreSid if SID History was not enabled during migration (ask the individuals who performed the migration), or if using Windows Claims identities (where the username starts with "i:0#.w|").

Next, you'll need to recreate your UPS synchronization connection, pointing to the new domain instead of the old one. Perform a Full Synchronization, and this should update the users' profiles in the UPA. The profile changes should get pushed out to each Site Collection within a day via another timer job.

July 21st, 2015 7:56pm
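The bulk version of the Get-SPUser / Move-SPUser procedure above, as an added example that is not part of the original thread. It assumes a hypothetical CSV at C:\migration\users.csv with OldLogin and NewLogin columns (e.g. abc\alpha,def\alpha), a hypothetical Web Application at http://intranet, and that you know from the AD migration team whether SID History was preserved. It probes each Site Collection for the old login (a user who has never been added to a site cannot be found there, which produces exactly the "You must specify a valid user object or user identity" error) and applies -IgnoreSid only where the reply above says to: claims identities, or migrations done without SID History.

```powershell
# Added example, not from the original post. Run in the SharePoint Management Shell
# as a farm administrator. Paths, URL and column names below are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl           = "http://intranet"              # assumed Web Application
$CsvPath             = "C:\migration\users.csv"       # assumed CSV: OldLogin,NewLogin
$SidHistoryPreserved = $false                         # confirm with the AD migration team

$webApp = Get-SPWebApplication $WebAppUrl

# Windows Claims web applications store logins as "i:0#.w|domain\user";
# classic-mode (plain Windows authentication) web applications store "domain\user".
$useClaims = $webApp.UseClaimsAuthentication
$prefix    = if ($useClaims) { "i:0#.w|" } else { "" }

# -IgnoreSid is required for claims identities and when SID History was not carried over.
$ignoreSid = $useClaims -or (-not $SidHistoryPreserved)

$report = @()
foreach ($row in Import-Csv $CsvPath) {
    $oldAlias = $prefix + $row.OldLogin
    $newAlias = $prefix + $row.NewLogin
    $migrated = $false
    $detail   = "old login not found in any Site Collection"

    # Move-SPUser is farm-wide, so one Site Collection containing the user is enough.
    foreach ($site in $webApp.Sites) {
        try {
            $user = Get-SPUser -Identity $oldAlias -Web $site.RootWeb -ErrorAction Stop
        } catch {
            $site.Dispose()
            continue            # user has never been added to this Site Collection
        }

        try {
            if ($ignoreSid) {
                Move-SPUser -Identity $user -NewAlias $newAlias -IgnoreSid -Confirm:$false
            } else {
                Move-SPUser -Identity $user -NewAlias $newAlias -Confirm:$false
            }
            $migrated = $true
            $detail   = "migrated via $($site.Url)"
        } catch {
            $detail = "Move-SPUser failed: $($_.Exception.Message)"
        } finally {
            $site.Dispose()
        }
        break
    }

    $report += [pscustomobject]@{
        OldLogin = $row.OldLogin
        NewLogin = $row.NewLogin
        Migrated = $migrated
        Detail   = $detail
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path "C:\migration\migrate-report.csv" -NoTypeInformation
```

The report is the check worth keeping: a row marked not migrated means the old login was never granted access anywhere in that Web Application, so there is nothing for Move-SPUser to rename and the user simply needs to be added under the new account. This script only fixes the site permissions and login names; the profile properties (email, UPN) come from the UPA sync connection, which still has to be repointed at the new forest and fully synchronized as the reply describes.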

Hello Trevor,

Thanks for your reply.

I tried to run this command in dev environment, and I get the following error message.

"Get-SPUser : You must specify a valid user object or user identity", 

"Move-SPUser : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try command again."

Here is the exact scenario where I'm stuck.

Before running stsadm migrate user command    
old login abc\alpha alpha@abc.com 1234567890 finance
new login def\alpha alpha@def.com 1234567890 finance
   
After running migrate user command  
old login abc\alpha alpha@abc.com 1234567890 finance
new login def\alpha alpha@abc.com 1234567890 finance

If you notice, the email for the new login changed to @abc after running stsadm.

July 22nd, 2015 10:39am

That is likely the UPN and not email address. Where are you seeing this value?

When you use Get-SPUser, you must specify a valid Site Collection where the user exists. It will still migrate it farm wide.

July 22nd, 2015 12:13pm

I'm seeing this in the People Picker and in User Profile Properties (Central Admin) as well.

I'm also providing a valid site collection address, but I'm still seeing the same error while running the commands you've provided.

July 22nd, 2015 4:30pm

Is the Web Application using Claims?

Have you updated the UPA Sync Connection to point to the new forest?

July 22nd, 2015 4:51pm

It is using the default Windows authentication.

Actually, I'm kind of new to SharePoint. I do see two forests/connections in my 'Synchronization connections' (in Central Admin).

How can I update the UP Sync Application to point to exactly one forest, as I will have two forests in my connections?

Please correct me if I'm wrong.

July 22nd, 2015 5:13pm

Delete the Sync Connection that points to the old forest. That way the UPA will only update from the new forest.
July 22nd, 2015 5:14pm

I just deleted the connection (old AD connection) and tried to run the UPA.

But this time, in the Find Profiles search box, those users are not being returned anymore.

I can only find the users that were in the domain (2nd forest) from the beginning.

July 22nd, 2015 6:19pm

You probably need to check the permission for the user account that is used for the sync connection in Active Directory. You may also want to check the miisclient application to see the status of the sync and check for errors.
July 22nd, 2015 8:45pm

I was using sp.farm (system account) while running the UPS, and when I checked the miisclient, no errors were found.
July 22nd, 2015 10:22pm
