Get identity claim for AD groups in SharePoint 2013

This post shows a couple of ways to get the identity claim for Active Directory groups that are used in SharePoint 2013. We need this identity claim to migrate Active Directory groups in SharePoint 2013, which makes it easy to move the permissions from one group to another when you change your Active Directory group structure.

I will explain how to migrate an Active Directory group account in SharePoint 2013 in the following blog posts:

  1. Get identity claim for AD groups in SharePoint 2013
  2. Migrating AD groups in SharePoint 2013
  3. Renaming an AD group in SharePoint 2013

 

Scenario

We have two AD groups and we want to migrate the permissions from one group to the other.

  • Domain\GroupWillBeMigrated (Full control on root site)
  • Domain\MigratedGroup (no entry in User Information List)

 

We are going to use the PowerShell cmdlet Get-SPUser to return the account we are going to migrate. We will need this for the actual move of the group.

Ways to get the identity claim

1. PowerShell

We can use PowerShell to return the UserLogin for a specific display name.

We know that the display name is peet\groupwillbemigrated, so we can use the following command:

Get-SPUser -Web https://portal.sharepointfire.com | Where-Object {$_.DisplayName -eq "peet\groupwillbemigrated"} | Format-List UserLogin


This gives us the identity claim for the group in SharePoint, but it can't give us the identity claim for peet\migratedgroup, because that group is not yet in the User Information List: Get-SPUser only returns accounts that already have an entry there.

2. By checking effective permissions

Checking effective permissions (or any other people picker) resolves the group even when it is not yet in the User Information List. Navigate to the root site, open Site Settings > Site Permissions and click "Check Permissions" in the ribbon.


Fill in the group account and click "Check Now".


The result shows the encoded identity claim for the group, which you can copy from there.

3. Active Directory

The identity claim for an AD group is built from the SID of the group. The claim encoding for an Active Directory group has the following form:

c:0+.w|<SID>

  • "c" for a claim other than an identity claim (a user's own identity claim starts with "i")
  • "0" is reserved and is always 0
  • "+" for the claim type group SID
  • "." for a string claim value
  • "w" for a claim issued by Windows authentication
  • "|" separates the encoded prefix from the claim value, which is the SID of the group (S-1-5-21-...)

 

You can get the SID using the Active Directory PowerShell commands or by using the GUI.

PowerShell

Import-Module ActiveDirectory
Get-ADGroup migratedgroup | Format-List Name, SID

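As an added example that is not part of the original post, the script below ties the PowerShell method and the SID method together: it builds the claim from the SID returned by Get-ADGroup, asks SharePoint to encode the same claim with New-SPClaimsPrincipal (which, unlike Get-SPUser, does not need an entry in the User Information List), checks that both agree, and then looks the claim up in the site. The function names are my own; the domain "peet", the group names and the portal URL are taken from the scenario above.

```powershell
# Added example, not code from the original post. Assumes the SharePoint
# snap-in and the ActiveDirectory module are installed on the server you run
# it on. Function names are my own; group names and the URL come from the post.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

function Get-ADGroupIdentityClaim {
    # Build the SharePoint identity claim for an AD group from its SID,
    # using the encoding described above: c:0+.w|<SID>
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    # SID is in Get-ADGroup's default property set, so -Properties * is not needed
    $group = Get-ADGroup -Identity $SamAccountName
    return "c:0+.w|$($group.SID.Value)"
}

function Get-SPGroupIdentityClaim {
    # Let SharePoint encode the claim itself. This works whether or not the
    # group already has an entry in the User Information List.
    param([Parameter(Mandatory = $true)][string]$DomainGroupName)   # e.g. "peet\migratedgroup"

    $principal = New-SPClaimsPrincipal -Identity $DomainGroupName -IdentityType WindowsSecurityGroupName
    return $principal.ToEncodedString()
}

function Test-GroupInSite {
    # Returns the SPUser for the claim if the group is already in the site's
    # User Information List, or $null if it is not (the peet\migratedgroup case).
    param(
        [Parameter(Mandatory = $true)][string]$WebUrl,
        [Parameter(Mandatory = $true)][string]$EncodedClaim
    )
    $web = Get-SPWeb $WebUrl
    try {
        return Get-SPUser -Web $web -Identity $EncodedClaim -ErrorAction Stop
    } catch {
        return $null
    } finally {
        $web.Dispose()
    }
}

# Usage: derive the claim both ways and make sure they agree before using it
# for the migration in the next post.
$fromAd = Get-ADGroupIdentityClaim -SamAccountName 'migratedgroup'
$fromSp = Get-SPGroupIdentityClaim -DomainGroupName 'peet\migratedgroup'

if ($fromAd -ne $fromSp) {
    throw "Claim mismatch: AD says '$fromAd', SharePoint says '$fromSp'"
}

# Sanity check on the shape of the claim: the prefix followed by a domain SID
if ($fromSp -notmatch '^c:0\+\.w\|S-1-5-21-\d+-\d+-\d+-\d+$') {
    throw "Unexpected claim format: $fromSp"
}

$existing = Test-GroupInSite -WebUrl 'https://portal.sharepointfire.com' -EncodedClaim $fromSp
if ($existing) {
    "{0} is already in the site as {1}" -f $fromSp, $existing.DisplayName
} else {
    "$fromSp has no entry in the User Information List yet"
}
```

The c:0+.w| prefix only applies to web applications that use Windows claims authentication; a classic-mode web application stores the plain domain\group login instead, so check the authentication mode of the web application before relying on the SID-derived claim.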

GUI

In Active Directory Users and Computers, enable View > Advanced Features, open the properties of the group and read the objectSid value on the Attribute Editor tab.
