SharePoint User Permissions mapping after AD migration
Hi,

I'm currently working in a situation where an AD migration took place. The users were successfully migrated from one AD to another AD, and were told to use the new domain to log on to SharePoint sites.

Here comes the problem, they are receiving an access denied message whenever they are trying to login using their new domain account details. I know this is due to not running SharePoint migration for mapping user permissions.

So, I tried to run the STSADM migrateuser command. The message shows 'operation successful', but when I cross-checked the user profile, the email is still pointing to the old domain. And also, is there any PowerShell script to run the command for many users at a time in bulk?

July 21st, 2015 6:43pm

Here is the general process you would use:

$user = Get-SPUser -Identity "olddomain\username" -Web http://webUrl
Move-SPUser -Identity $user -NewAlias "newdomain\username" -IgnoreSid

Only use -IgnoreSid if SID History was not enabled during migration (ask the individuals who performed the migration), or if using Windows Claims identities (where the username starts with "i:0#.w|").

Next, you'll need to recreate your UPS synchronization connection, pointing to the new domain instead of the old domain. Perform a Full Synchronization, and this should update the user's profile in the UPA. The profile changes should get pushed out to each Site Collection within a day via another timer job.

July 21st, 2015 7:56pm
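A bulk version of the two commands in the answer above, added here as an example and not code from the thread or from Microsoft. It assumes a CSV file (path and column names OldLogin,NewLogin are assumptions) and one site collection URL where the old accounts are members; it keeps SID checking on by default and only passes -IgnoreSid when you set the switch or when the web application uses Windows claims, since skipping the SID check removes the only verification that the new alias really is the same person.

```powershell
# Added example: migrate many SharePoint user accounts from an old domain to a new one.
# Run from the SharePoint Management Shell on a farm server (snap-in loaded below otherwise).
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$CsvPath   = "C:\temp\usermap.csv"   # assumed path; CSV columns: OldLogin,NewLogin (domain\user form)
$SiteUrl   = "http://webUrl"         # a site collection where the old accounts are members
$IgnoreSid = $false                  # set $true ONLY if SID History was not carried over in the migration

# Get-SPUser needs the claims-encoded login (i:0#.w|domain\user) on a Windows-claims web application.
$web      = Get-SPWeb $SiteUrl
$isClaims = $web.Site.WebApplication.UseClaimsAuthentication

function ConvertTo-LoginName([string]$Account) {
    if ($isClaims -and -not $Account.StartsWith("i:0#.w|")) { return "i:0#.w|$Account" }
    return $Account
}

$results = foreach ($row in Import-Csv $CsvPath) {
    $old  = ConvertTo-LoginName $row.OldLogin
    $new  = ConvertTo-LoginName $row.NewLogin
    $user = Get-SPUser -Identity $old -Web $web -ErrorAction SilentlyContinue
    if ($null -eq $user) {
        # Same condition that produces "You must specify a valid user object or user identity":
        # the old login is not a member of this site collection, so there is nothing to move.
        [pscustomobject]@{ Old = $old; New = $new; Status = "NotFoundInSiteCollection" }
        continue
    }
    try {
        # Claims identities carry no SID, so -IgnoreSid is required there; otherwise keep the SID check.
        if ($IgnoreSid -or $isClaims) {
            Move-SPUser -Identity $user -NewAlias $new -IgnoreSid -Confirm:$false
        } else {
            Move-SPUser -Identity $user -NewAlias $new -Confirm:$false
        }
        [pscustomobject]@{ Old = $old; New = $new; Status = "Migrated" }
    } catch {
        [pscustomobject]@{ Old = $old; New = $new; Status = "Failed: $($_.Exception.Message)" }
    }
}
$web.Dispose()

# One row per account so the migration can be reviewed and re-run for the failures only.
$results | Format-Table -AutoSize
```

Move-SPUser changes the login farm-wide even though Get-SPUser is scoped to one site collection, so the status list is the record of what was moved; the profile email and UPN are not touched by this script and only change after the UPA synchronization connection points at the new forest, as described in the reply above.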

Hello Trevor,

I tried to run this command in dev environment, and I get the following error message.

"Get-SPUser : You must specify a valid user object or user identity",

"Move-SPUser : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try command again."

Here is the exact scenario where I'm stuck.

Before running stsadm migrateuser command:

  old login   abc\alpha   alpha@abc.com   1234567890   finance
  new login   def\alpha   alpha@def.com   1234567890   finance

After running migrateuser command:

  old login   abc\alpha   alpha@abc.com   1234567890   finance
  new login   def\alpha   alpha@abc.com   1234567890   finance

If you can notice the email for new login after running stsadm changed to @abc.

July 22nd, 2015 10:39am

That is likely the UPN and not email address. Where are you seeing this value?

When you use Get-SPUser, you must specify a valid Site Collection where the user exists. It will still migrate it farm wide.

July 22nd, 2015 12:13pm

I'm seeing this in the people picker and User Profile Properties (Central Admin) as well.

And also I'm providing a valid site collection address, but still seeing the same error while running the commands you've provided.

July 22nd, 2015 4:30pm

Is the Web Application using Claims?

Have you updated the UPA Sync Connection to point to the new forest?

July 22nd, 2015 4:51pm

It is using the default/Windows authentication.

Actually I'm kinda new to SharePoint, I do see two forests/connections in my 'Synchronization connections' (in Central Admin).

How can I update the UP Sync Application to point to exactly one forest as I will be having two forests in my connections ?

Please correct me if I'm wrong.

July 22nd, 2015 5:13pm

Delete the Sync Connection that points to the old forest. That way the UPA will only update from the new forest.

July 22nd, 2015 5:14pm

I just deleted the connection (old AD connection) and tried to run the UPA.

But this time in the find profiles search box those users are not being returned anymore.

I can only find the users that were in the domain (2nd forest) from the beginning.

July 22nd, 2015 6:19pm

You probably need to check the permission for the user account that is used for the sync connection in Active Directory. You may also want to check the miisclient application to see the status of the sync and check for errors.