
SharePoint Blog

October 20
Move-SPUser and its Side Effects

The scenario is that we have 5 webapps.  One is moving to a new custom claim provider (webapp1).  The other four need to stay on NTLM (webapps 2-5).

We assume the following is done:

1) You have your trusted identity token issuer (SPTrustedIdentityTokenIssuer) configured and verified

2) You can log into the webapp with the new provider

3) You have put into place some people picker solution for the new claim provider

If so, then it is now time to migrate the existing users. 

Normally you use something like:

    # $user is the existing (NTLM) SPUser, $newIdentity the new claims-encoded login,
    # $url the web the user belongs to and $displayName the name to restore afterwards.
    Move-SPUser -IgnoreSID -Confirm:$false -Identity $user -NewAlias $newIdentity -ErrorAction SilentlyContinue
    # Move-SPUser does not carry the display name over, so re-read the user and set it again
    $newUser = Get-SPUser -Identity "$newIdentity" -Web $url
    Set-SPUser -Identity $newUser -DisplayName $displayName

This will move the user from, say, a Windows domain claim to your new claim provider.  But be aware that 1) all of your webapps will be affected.  This means if i:0#.w|domain\username1 has access to webapp1 and webapp2, the user name in both places will be updated.  In fact, after the migration, if username1 tries to access the webapp2 site collection he is going to get an access denied.  This occurs because webapp2 was still using NTLM, but the user's login name has changed to the new claims format.


2) The IDs of the migrated user are kept in place.  That means if you have 10 documents belonging to domain\username1, whose user ID is "15", and we migrate this user to, say, an ADFS provider as i:0ǵ.t|adfs30|username1, the ID of the newly migrated user will still be "15."  The old domain user will no longer exist in webapp1 and all his documents should belong to our ADFS user.  There can, however, be an issue with comments, Modified By, Created By etc.  That is why you should first do an audit of the original user's name along with the documents they own.  This will ensure you have a way to update these fields (comments, authors etc.) after your user migration.

Notice the IDs before and after migration are the same for user 25 even though the user login name has changed.


3) There is a way to help circumvent the unwanted side effect where all webapps are affected.  Run two User Profile Service (UPS) applications, one for NTLM and one for ADFS.  Associate your ADFS UPS with the ADFS webapp and, vice versa, the NTLM UPS with the NTLM webapps.  Take all webapps and the NTLM UPS offline before you run the Move-SPUser action.  Run the Move-SPUser.  Run any user profile jobs by force to ensure any pending job is completed.  Bring all your webapps and the NTLM UPS back online.

4) One last point: some of your comments, authors, editors etc. may also need to be updated after the migration.  Again, do an audit before running Move-SPUser so you have all of this documented and can update the property on any existing items after the migration.
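The audit that points 2) and 4) call for can be scripted. The script below is an added example, not code from the original post: it records the user's ID, login name and every item listing that user as Created By (Author) or Modified By (Editor) across one web application, so the fields can be corrected after Move-SPUser. It assumes on-premises SharePoint Server with the Microsoft.SharePoint.PowerShell snap-in; the web application URL, login and report path are placeholders.

```powershell
# Added example (not from the original post): audit a user's ID and owned items
# before running Move-SPUser. Assumes SharePoint Server and its PowerShell snap-in.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://webapp1"                 # assumption: web app being migrated
$oldLogin  = "i:0#.w|domain\username1"        # claims-encoded NTLM login, as in the post
$report    = "C:\temp\username1-audit.csv"    # assumption: where the audit is written

$rows = foreach ($site in (Get-SPWebApplication $webAppUrl).Sites) {
    foreach ($web in $site.AllWebs) {
        # A user with no entry in this web yields $null; skip the web in that case.
        $user = Get-SPUser -Identity $oldLogin -Web $web -ErrorAction SilentlyContinue
        if (-not $user) { $web.Dispose(); continue }

        foreach ($list in @($web.Lists | Where-Object { -not $_.Hidden })) {
            foreach ($item in $list.Items) {
                foreach ($field in "Author", "Editor") {
                    if (-not $item[$field]) { continue }
                    # User fields are stored as "ID;#DisplayName"; SPFieldUserValue parses that.
                    $val = New-Object Microsoft.SharePoint.SPFieldUserValue($web, [string]$item[$field])
                    if ($val.LookupId -ne $user.ID) { continue }
                    [pscustomobject]@{
                        Web       = $web.Url
                        List      = $list.Title
                        ItemId    = $item.ID
                        ItemUrl   = "$($web.Url)/$($item.Url)"
                        Field     = $field            # Author = Created By, Editor = Modified By
                        UserId    = $user.ID          # stays the same after Move-SPUser
                        LoginName = $user.LoginName   # this is what Move-SPUser rewrites
                        Display   = $user.DisplayName # Move-SPUser does not carry this over
                    }
                }
            }
        }
        $web.Dispose()
    }
    $site.Dispose()
}

$rows | Export-Csv -Path $report -NoTypeInformation
"$(@($rows).Count) item references recorded in $report"
```

Because the user ID survives the migration, the CSV lets you confirm afterwards that the same ID now carries the new login, and gives you the exact items whose Author/Editor fields still need attention.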

© Protiviti 2021. All rights reserved.