Freigeben über


How to Update a SharePoint User Account When They Leave the Company and Return

In this article, I'll show you how to handle a common scenario when a user leaves the company and returns later.  Many organizations delete user accounts after a period of time and when a user returns they often get a new Windows account with the same (or slightly different) account name.  SharePoint stores its own user information and associates it to a Windows account.  But rather than using the Windows account name to make the association, it uses a unique identifier called a SID.  The SID is guaranteed to be unique, whereas account names can be reused.

When someone first accesses a SharePoint site, their Windows information (including their SID) is recorded and copied into the SharePoint user store.  This information is used throughout SharePoint for things such as permissions, content authoring and user profiles.  When a Windows account is deleted, the information remains in SharePoint.  Because there can be significant history and permission configuration for a user, site administrators usually want to associate the "old" SharePoint user information with a new Windows account.  To accomplish this, you use the stsadm migrationuser operation.  I will demonstrate usage with the following scenario-based walkthrough:

John Doe has just joined the company, and IT creates a Windows account for him

image

A SharePoint site collection administrator grants John Doe access to the site:

image 

John Doe logs in to the SharePoint site and updates his user profile:

image

Over the next year, John is an active SharePoint contributor and has invested hours building his profile and My Site.  Unfortunately for Litware, John finds a seemingly better position at Contoso and leaves the company.  IT disables his Windows account, and after 30 days, they delete it:

image

6 months pass, and John realizes Contoso isn't everything he thought it would be.  He considered moving to Adventureworks, but wasn't passionate about their product line and decides to return to Litware.  IT creates a new account for him since the old one was deleted:

image

John tries to access the Litware site, but receives an Access Denied message:

image

John contacts the site administrator and reports the problem and being a certified SharePoint administrator, he runs the migrateuser operation to link John's new Windows account with his old SharePoint information.  Note: in this example different account names are used, but when they are the same, run this command, but migrate to a bogus account such as litware\temp and then migrate from litware\temp to the new account name as outlined in this blog post.

image

John Doe is able to access the site and when he returns to his My Site, can see all of his old information:

image

 

As you can see, with stsadm, it is quite straightforward to update the association between a Windows account and a SharePoint user.

 

References and Additional Reading

Comments

  • Anonymous
    August 14, 2008
    PingBack from http://housesfunnywallpaper.cn/?p=852

  • Anonymous
    March 09, 2009
    Does this command also update user information that is changed in active directory and not updated on sharepoint?

  • Anonymous
    March 16, 2009
    If the old user and new user is having the same LAN ID (remove from AD then create a new account with the same LAN ID, no issue at AD side) but they are actually different person, when i assign the new created AD account to sharepoint site, i got access denied page ( even i deleted the old user from the site collection ) ? any advise ? thks.

  • Anonymous
    October 13, 2009
    This was just what I was lookin for.  Thanks old friend.

  • Anonymous
    January 26, 2010
    Last time I checked Security Identifiers (SID) were only guaranteed to be unique within a single Active Directory domain.  This is why there are multiple technet articles on why you should Globally Unique Identifier (GUID) instead if you require a truly globally unique identifier.  Way to drop the ball again Microsoft.

  • Anonymous
    February 01, 2010
    Hi, We have a user that has been given a new username, and I have followed the steps specified above. When I open one of the sites the user has access to, I can see under Site Permissions that the account has successfully changed from oldusername to newusername. The permissions are also maintained (Full Control). However, when the user tries to log in to the site, he gets the Access denied page. Do you have any idea why this is so?

  • Anonymous
    August 06, 2010
    The user's dept and the designation is not showing correctly even though i modified the userprofile. Can any one help to fix this?

  • Anonymous
    October 11, 2011
    In the example of a user leaving the company. Shouldn't the Sharepoint synchronization remove the SID if it no longer sees it AD? In the company I work for we hire up to 1000 people at a time for temporary work and then they are let go, then in another 6 months we would hire another 1000 people. Some of the AD User ID's get reused but and sharepoint holds onto the old SID of that user ID. If synchronization is setup correctly in SharePoint shouldn't these olds SID's get removed ???