SharePoint Arsenal

The official blog of Anthony Casillas, Microsoft SharePoint Sr. Support Escalation Engineer
Options
Search Blogs
Tags
Archive
Archives

Using "stsadm -o migrateuser" After deleting and re-creating an Account in Active Directory

TechNet Blogs » SharePoint Arsenal » Using "stsadm -o migrateuser" After deleting and re-creating an Account in Active Directory

Using "stsadm -o migrateuser" After deleting and re-creating an Account in Active Directory

Anthony Casillas Anthony Casillas
13 May 2011 3:14 PM
  • Comments 3
  • Likes

Hello Everyone… Its been a while since I wrote a blog. I wanted to share some good information on using stsadm -o migrateuser after an Account has been deleted within Active Directory and then re-created with the same Account Name.

 

Consider the following Scenario:

 

  • We have a user that has an account in Active Directory with account name = DOMAIN\jdoe
  • This user has a SID = S-1-5-21-1461310-839809092-932994037-4144
  • User, DOMAIN\jdoe, has been granted permissions to some 300 site collections
  • Its determined that this user account is having some permission issues within the Domain so the AD account is deleted. :)
  • The account is now re-created again within AD and given the same account name, DOMAIN\jdoe
  • Except now a new SID is created within AD
  • SID = S-1-5-21-1461310-839809092-932994037-4147
  • The problem we now have is that because this user already had permissions on some 300 sites that are associated with the Old SID
  • The account name may be the same but when this user tries to Access Any of the Sites, there is a SID mismatch and the user now gets an Access Denied:

  

     

  • The UserInfo table is the table on Each Content Database that holds the users login information as well as the SID. These are stored in the following two columns within the UserInfo Table

 

LoginName

tp_systemID

 

So the question is….. How do we get the new SID from AD into the UserInfo table. While this can be done with creating a  temporary account in AD and doing some  "stsadm -o migrateuser" flipping from Temp Account to Valid Account and vise versa,  I have found that we can achieve this task by passing the same value for the "-oldlogin" & "-newlogin" and setting the "-ignoresidhistory" switch on our "stsadm -o migrateuser" command. So this is basically what you would do:

 

stsadm –o migrateuser –oldlogin DOMAIN\jdoe –newlogin DOMAIN\jdoe –ignoresidhistory

 

What this should do is flip the SID, or "tp_SystemId" in the UserInfo table to be the new account SID from AD and your user should now have access to all 300+ sites again.

 

Happy Migrating!!

 

Comments
Comments
  • Anonymous ScotyB
    18 May 2011 9:19 PM

    Thanks for your work on this Anthony. I have a peer who has been battling this issue for sometime. Great to see the fix.  The -ignoresidhistory should do the trick!

  • Anonymous Shola Salako
    11 Feb 2013 2:31 PM

    Great tip, Anthony! What if I need to apply this for 10,000 Active Directory users because they were migrated into a new domain?  Is there a way to do this en-masse?  Maybe a script?  Thanks!

  • harsh damania harsh damania
    15 Jan 2014 6:27 AM

    nice one

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment