

Using "stsadm -o migrateuser" After deleting and re-creating an Account in Active Directory

Hello Everyone… It's been a while since I wrote a blog. I wanted to share some good information on using "stsadm -o migrateuser" after an account has been deleted within Active Directory and then re-created with the same account name.

Consider the following Scenario:

  • We have a user that has an account in Active Directory with account name = DOMAIN\jdoe
  • This user has a SID = S-1-5-21-1461310-839809092-932994037-4144
  • User DOMAIN\jdoe has been granted permissions to some 300 site collections
  • It's determined that this user account is having some permission issues within the Domain, so the AD account is deleted. :)
  • The account is now re-created within AD and given the same account name, DOMAIN\jdoe
  • Except now a new SID is created within AD: SID = S-1-5-21-1461310-839809092-932994037-4147
  • The problem we now have is that this user already had permissions on some 300 sites, and those permissions are associated with the old SID
  • The account name may be the same, but when this user tries to access any of the sites there is a SID mismatch and the user now gets an Access Denied.

The UserInfo table is the table in each content database that holds the user's login information as well as the SID. These are stored in the following two columns within the UserInfo table:

  • LoginName
  • tp_systemID


So the question is….. How do we get the new SID from AD into the UserInfo table? While this can be done by creating a temporary account in AD and doing some "stsadm -o migrateuser" flipping from the temp account to the valid account and vice versa, I have found that we can achieve this task by passing the same value for "-oldlogin" and "-newlogin" and setting the "-ignoresidhistory" switch on our "stsadm -o migrateuser" command. So this is basically what you would do:

stsadm -o migrateuser -oldlogin DOMAIN\jdoe -newlogin DOMAIN\jdoe -ignoresidhistory

What this should do is flip the SID, i.e. the "tp_systemID" column in the UserInfo table, to the new account SID from AD, and your user should now have access to all 300+ sites again.
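As an added example (not code from the original post), here is a PowerShell script that first reports which site collections still hold a stale SID for a login, compared against what AD returns today, and only then runs the same-login migrateuser command shown above; it goes slightly beyond the post by handling a list of logins. It assumes it runs on a SharePoint server where the server object model loads and stsadm.exe is on the PATH; the site URLs and logins are placeholders.

```powershell
# Added example, not from the original post. Assumptions: SharePoint server object
# model available on this box, stsadm.exe on the PATH, placeholder URLs and logins.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$siteUrls = @("http://intranet.example.local", "http://intranet.example.local/sites/hr")  # placeholders
$logins   = @("DOMAIN\jdoe")                                                              # placeholders

function Get-AdSid([string]$login) {
    # Resolve the login to the SID that Active Directory currently holds for it.
    $acct = New-Object System.Security.Principal.NTAccount($login)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Find-StaleSids([string[]]$urls, [string]$login, [string]$currentSid) {
    # Return the site collections whose UserInfo entry (surfaced as SPUser.Sid)
    # still carries a SID different from the one AD has now.
    $stale = @()
    foreach ($url in $urls) {
        $site = New-Object Microsoft.SharePoint.SPSite($url)
        try {
            $user = $site.RootWeb.SiteUsers | Where-Object { $_.LoginName -eq $login }
            if ($user -and $user.Sid -ne $currentSid) {
                Write-Host ("{0}: stored {1}, AD has {2}" -f $url, $user.Sid, $currentSid)
                $stale += $url
            }
        } finally {
            $site.Dispose()
        }
    }
    return $stale
}

foreach ($login in $logins) {
    $adSid = Get-AdSid $login
    $stale = @(Find-StaleSids $siteUrls $login $adSid)
    if ($stale.Count -eq 0) {
        Write-Host ("{0}: SID already current, nothing to do" -f $login)
        continue
    }
    # migrateuser updates every content database in the farm, so one call per login
    # is enough no matter how many site collections reported a stale SID.
    & stsadm -o migrateuser -oldlogin $login -newlogin $login -ignoresidhistory
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("migrateuser failed for {0} (exit code {1})" -f $login, $LASTEXITCODE)
    }
}
```

Re-run the script after the migrateuser call; every site collection should then report no mismatch for that login.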

Happy Migrating!!

Comments

  • Anonymous
    January 01, 2003
    nice one

  • Anonymous
    May 18, 2011
    Thanks for your work on this Anthony. I have a peer who has been battling this issue for sometime. Great to see the fix.  The -ignoresidhistory should do the trick!

  • Anonymous
    February 11, 2013
    Great tip, Anthony! What if I need to apply this for 10,000 Active Directory users because they were migrated into a new domain?  Is there a way to do this en-masse?  Maybe a script?  Thanks!

  • Anonymous
    January 09, 2015
    Hi Anthony, I am facing an issue where the trick you have provided has worked, but somehow it rolls back and the user starts to face the problem again. What can be the cause?