Migrating AD groups in SharePoint 2013

This post is part 2 of the guide to moving Active Directory groups in SharePoint 2013. Microsoft added the PowerShell cmdlet Move-SPUser to migrate a user account in SharePoint 2010 and SharePoint 2013. We can use the same cmdlet to migrate AD groups in SharePoint. Because SharePoint 2013 uses claims authentication, we need the identity claims for the groups involved.

The following posts will help you get the claim and change the group name in SharePoint 2013:

  1. Get identity claim for AD groups in SharePoint 2013
  2. Migrating AD groups in SharePoint 2013
  3. Renaming an AD group in SharePoint 2013


Scenario

We have two AD groups and we want to migrate the permissions from one group to the other.

  • Domain\GroupWillBeMigrated (Full control on root site)
  • Domain\MigratedGroup (no entry in User Information List)


We first need to get the SharePoint 2013 user account and find the claims token for the group we want to migrate to.

Migrating the user

1. Get-SPUser

We need the user identity from SharePoint 2013 to select the account we want to migrate from. Either of the following two options returns this user.

Based on displayname

$SPUser = Get-SPUser -Web https://portal.sharepointfire.com | Where-Object {$_.DisplayName -eq "peet\groupwillbemigrated"}


Based on claims token

$SPUser = Get-SPUser -Identity "c:0+.w|s-1-5-21-2519571660-2376940383-2348130139-2108" -Web https://portal.sharepointfire.com


2. Move-SPUser

The next step is to take the identity from Get-SPUser and change it to the new alias. We need the claims token for the new account because we want to migrate the group to an identity claim, not to a standard NTLM login. See part 1 of this guide, Get identity claim for AD groups in SharePoint 2013, for how to obtain it.

We use the PowerShell cmdlet Move-SPUser with the following parameters.

Move-SPUser -Identity <String1> -NewAlias <String2> -IgnoreSID

  • String1 is the variable $SPUser from step 1
  • String2 is the identity claim for the group we want to migrate to
  • We use -IgnoreSID because without it the cmdlet reports that SID history can only be enforced in Windows authentication mode.


Move-SPUser -Identity $SPUser -NewAlias "c:0+.w|s-1-5-21-2519571660-2376940383-2348130139-2109" -IgnoreSID
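The two steps above as one end-to-end script. This is an added example, not the post's own script: it uses the web application URL and group names from the post as constructed values, looks up the target group's identity claim with New-SPClaimsPrincipal instead of pasting the SID claim by hand (the claim it encodes has the same c:0+.w|<SID> format as the values in the post), refuses to run when the source group has no entry in the User Information List, and verifies afterwards that the new claim holds the permissions. It assumes the shell runs as an account that already has Full Control on the Permissions and Administrators lists of the User Profile Service Application.

```powershell
# Added example (not the post's own script): migrate the permissions held by one
# Windows security group to another in a claims-based SharePoint 2013 web application.
# Constructed values: web application URL and group names are taken from the post.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebUrl   = "https://portal.sharepointfire.com"   # web application from the post
$OldGroup = "peet\GroupWillBeMigrated"            # group that currently holds the permissions
$NewGroup = "peet\MigratedGroup"                  # group that should take them over

# Step 1: locate the SharePoint user object for the old group.
# -eq on strings is case-insensitive in PowerShell, so the casing of the name does not matter.
$SPUser = Get-SPUser -Web $WebUrl | Where-Object { $_.DisplayName -eq $OldGroup }
if ($null -eq $SPUser) {
    throw "Group '$OldGroup' has no entry in the User Information List of $WebUrl"
}
Write-Host "Source : $($SPUser.UserLogin)"       # e.g. c:0+.w|s-1-5-21-...-2108

# Resolve the identity claim of the target group. New-SPClaimsPrincipal encodes a
# Windows security group as c:0+.w|<SID>, which is the format Move-SPUser expects
# in claims mode. A sanity check guards against accidentally passing a user claim.
$NewClaim = (New-SPClaimsPrincipal -Identity $NewGroup -IdentityType WindowsSecurityGroupName).ToEncodedString()
if ($NewClaim -notmatch '^c:0\+\.w\|S-1-5-') {
    throw "Unexpected claim format for '$NewGroup': $NewClaim"
}
Write-Host "Target : $NewClaim"

# Step 2: migrate. -IgnoreSID is required in claims mode; without it the cmdlet reports
# that SID history can only be enforced in Windows authentication mode.
Move-SPUser -Identity $SPUser -NewAlias $NewClaim -IgnoreSID -Confirm:$false

# Verify: the new claim must now exist on the site and carry the migrated role assignments.
$Web = Get-SPWeb $WebUrl
try {
    $Migrated = $Web.SiteUsers | Where-Object { $_.UserLogin -eq $NewClaim }
    if ($null -eq $Migrated) {
        throw "Migration finished but '$NewClaim' was not found in $WebUrl"
    }
    $Roles = ($Web.RoleAssignments | Where-Object { $_.Member.LoginName -eq $NewClaim }).RoleDefinitionBindings.Name
    Write-Host "Permissions now held by $($Migrated.DisplayName): $($Roles -join ', ')"
}
finally {
    $Web.Dispose()
}
```

Run the script from the SharePoint 2013 Management Shell on a farm server. The final block only confirms that the login was rewritten; as the post notes, the display name still shows the old group until it is corrected in part 3.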


If you receive the error 'Object reference not set to an instance of an object', grant the logged-in user Full Control on both the Permissions and Administrators tabs of the User Profile Service Application.

The SharePoint account has now been migrated to the new identity claim, and its permissions are migrated to the new group.


We can navigate to the Home Owners group to check the result.


The account information now points to the correct identity claim, but the display name is still the old one. We will fix this in part 3.

7 thoughts on "Migrating AD groups in SharePoint 2013"

  1. Hey,

    You get the “Object reference not set to an instance of an object” because you didn’t add your account on the UserProfile Service Application. You need to highlight it, click on permissions on the top bar, add your account (running powershell) with Full Control. Then go in “Administrators” and add your account there as well!

  2. Hello,

    I followed your steps and I got an error:
    Move-SPUser : Operation is not valid due to the current state of the object.
    Any help?

    Thanks.

    • Hello Sarah,

      I am not able to reproduce this error at the moment.

      Is this a domain migration or a standard group migration in the same domain?
      What information do you get from the ULS logging?
      What version is your SharePoint farm at, and does the content database need an update?

      Kind regards,
      Maarten

  3. Hi Maarten,
    Here is all the info you asked for:
    ———————————-
    It is a domain migration.
    ———————————-
    ULS Logging: 2 High Level Issues:
    1:
    System.InvalidOperationException: Operation is not valid due to the current state of the object. at Microsoft.SharePoint.Administration.SPFarm.MigrateUserOrGroup(Guid subscriptionId, String oldLogin, String newLogin, Boolean usersOnly, Boolean enforceSidHistory) at Microsoft.SharePoint.Administration.SPFarm.MigrateUserAccount(Guid subscriptionId, String oldLogin, String newLogin, Boolean enforceSidHistory) at Microsoft.SharePoint.Administration.SPFarm.MigrateUserAccount(String oldLogin, String newLogin, Boolean enforceSidHistory) at Microsoft.SharePoint.PowerShell.SPCmdletMoveUser.InternalProcessRecord() at Microsoft.SharePoint.PowerShell.SPCmdlet.ProcessRecord()
    2:
    Error Category: InvalidData Target Object Microsoft.SharePoint.PowerShell.SPCmdletMoveUser Details NULL RecommendedAction NULL
    ———————————-
    Content database is updated
    ———————————-
    Thank you

    • Hello Sarah,

      I am currently not able to test this scenario.
      But it's maybe occurring because of the User Profile Service Application; are you able to re-create this Service Application?

      Kind regards,
      Maarten
