Renaming an AD group in SharePoint 2013

This post is part 3 of the guide to move Active Directory groups in SharePoint 2013. We obtained the identity claim in part 1 and migrated the AD group in part 2; now we want to change the name in the SharePoint User Information List.

We have seen that the Name did not change after migrating the AD group, so we have to change it afterwards with PowerShell. The command Move-SPUser affects the whole farm, but the name can only be changed per site collection.

The following posts will help you get the claim and move an AD group in SharePoint 2013:

  1. Get identity claim for AD groups in SharePoint 2013
  2. Migrating AD groups in SharePoint 2013
  3. Renaming an AD group in SharePoint 2013


Scenario

We have two AD groups and we have migrated from one to the other.

  • Domain\GroupWillBeMigrated (no entry in User Information List)
  • Domain\MigratedGroup (migrated from Domain\GroupWillBeMigrated)


The account is pointing to the correct AD group but we want to change the Name to also point to the new group.

Renaming AD group in SharePoint 2013 User Information List

We are going to run the following command for each site collection. You can extend this script to handle multiple AD group changes, but I am showing it here for a single change.

$sites = Get-SPSite -Limit All

foreach ($site in $sites)
{
    # Look the group up by its identity claim in this site collection's User Information List
    $user = Get-SPUser -Identity "c:0+.w|s-1-5-21-2519571660-2376940383-2348130139-2109" -Web $site.Url -ErrorAction SilentlyContinue

    if ($user)
    {
        # The account exists here, so set the new display name
        Set-SPUser -Identity $user -Web $site.Url -DisplayName "PEET\MigratedGroup"
        Write-Host -ForegroundColor Green "Changed the name for $($site.Url)"
    }
    else
    {
        Write-Host -ForegroundColor Red "The specified group does not exist in $($site.Url)"
    }
}
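As an added example (not code from the original post), the script above generalized to a table of several group renames, run across all site collections in one pass with a dry-run mode and a result table. It assumes the same Get-SPUser and Set-SPUser cmdlets from the SharePoint 2013 Management Shell; the entries in $Renames are constructed from the scenario in this post, and $site.Dispose() releases each site object, which the original script leaves to the garbage collector.

```powershell
# Added example (not part of the original post): rename several migrated AD groups
# in the User Information List of every site collection in one pass.
# Assumes the SharePoint 2013 Management Shell (PowerShell 3.0 with the
# Microsoft.SharePoint.PowerShell snap-in) and the claims/names from this post.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Identity claim -> new display name. One entry per migrated group; these values
# are constructed from the scenario in this post.
$Renames = @{
    'c:0+.w|s-1-5-21-2519571660-2376940383-2348130139-2109' = 'PEET\MigratedGroup'
}

function Rename-SPUserInfoListGroups {
    param(
        [Parameter(Mandatory)][hashtable]$ClaimToDisplayName,
        [switch]$DryRun   # report what would change without calling Set-SPUser
    )

    $report = @()
    foreach ($site in (Get-SPSite -Limit All)) {
        try {
            foreach ($claim in $ClaimToDisplayName.Keys) {
                $newName = $ClaimToDisplayName[$claim]
                $record  = [pscustomobject]@{ Site = $site.Url; Claim = $claim; OldName = $null; Status = $null }

                # Only site collections where the group is in the User Information
                # List return an object; elsewhere Get-SPUser returns nothing.
                $user = Get-SPUser -Identity $claim -Web $site.Url -ErrorAction SilentlyContinue
                if (-not $user) {
                    $record.Status = 'NotPresent'
                }
                elseif ($user.DisplayName -eq $newName) {
                    $record.OldName = $user.DisplayName
                    $record.Status  = 'AlreadyCorrect'
                }
                else {
                    $record.OldName = $user.DisplayName
                    if ($DryRun) {
                        $record.Status = 'WouldRename'
                    }
                    else {
                        Set-SPUser -Identity $user -Web $site.Url -DisplayName $newName
                        $record.Status = 'Renamed'
                    }
                }
                $report += $record
            }
        }
        finally {
            # SPSite objects hold unmanaged resources; release each one when done.
            $site.Dispose()
        }
    }
    return $report
}

# Dry run first, review the table, then apply for real.
Rename-SPUserInfoListGroups -ClaimToDisplayName $Renames -DryRun | Format-Table -AutoSize
Rename-SPUserInfoListGroups -ClaimToDisplayName $Renames | Format-Table -AutoSize
```

Run the dry run first and check that every site collection you expect shows WouldRename; a NotPresent row is normal for site collections where the group has never been granted anything.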



Migrating AD groups in SharePoint 2013

This post is part 2 of the guide to move Active Directory groups in SharePoint 2013. Microsoft added the PowerShell command move-spuser to migrate a user account in SharePoint 2010 and SharePoint 2013. We can leverage this command to migrate AD groups in SharePoint. We are going to need the identity claims for the groups because SharePoint 2013 uses claims authentication.

The following posts will help you get the claim and change the group name in SharePoint 2013:

  1. Get identity claim for AD groups in SharePoint 2013
  2. Migrating AD groups in SharePoint 2013
  3. Renaming an AD group in SharePoint 2013


Scenario

We have two AD groups and we want to migrate the permissions from one group to the other.

  • Domain\GroupWillBeMigrated (Full control on root site)
  • Domain\MigratedGroup (no entry in User Information List)


We first need to get the SharePoint 2013 user account and find the claims token for the group we want to migrate to.

Migrating the user

1. Get-SPUser

We are going to need the user identity from SharePoint 2013 to select the account we want to migrate from. We can use one of the following two options to get this user:

Based on displayname

$SPUser = Get-SPUser -Web https://portal.sharepointfire.com | Where-Object {$_.DisplayName -eq "peet\groupwillbemigrated"}


Based on claims token

$SPUser = Get-SPUser -Identity "c:0+.w|s-1-5-21-2519571660-2376940383-2348130139-2108" -Web https://portal.sharepointfire.com


2. Move-SPUser

The next step is to take the identity from Get-SPUser and change it to the new alias. We need the claims token for the new account because we want to migrate the group to an identity claim and not to standard NTLM encoding. See part 1 of this guide for how to get the identity claim.

We are going to use the PowerShell command Move-Spuser and we are going to use the following parameters.

Move-SPUser -Identity <String1> -NewAlias <String2> -IgnoreSID

  • String1 is the variable $SPUser from step 1
  • String2 is the identity claim for the group we want to migrate to
  • We are using -IgnoreSID because otherwise we get a message saying that SID history can only be enforced in Windows authentication mode.


Move-SPUser -Identity $SPUser -NewAlias "c:0+.w|s-1-5-21-2519571660-2376940383-2348130139-2109" -IgnoreSID
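Steps 1 and 2 combined into one function, as an added example that is not code from the original post: it resolves the source account by its claim, checks the shape of both claims before the farm-wide move (because -IgnoreSID switches off SharePoint's own SID verification), refuses to proceed if the target claim already has an account, and re-queries both claims afterwards to confirm the result. It assumes the SharePoint 2013 Management Shell; the web URL and the two claims are the ones used in this post.

```powershell
# Added example (not part of the original post): migrate one AD group to a new
# identity claim with Move-SPUser and verify the result afterwards. Assumes the
# SharePoint 2013 Management Shell; web URL and claims are the ones from this post.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Move-SPAdGroupClaim {
    param(
        [Parameter(Mandatory)][string]$WebUrl,
        [Parameter(Mandatory)][string]$FromClaim,  # group that currently holds the permissions
        [Parameter(Mandatory)][string]$ToClaim,    # group that should receive them
        [switch]$DryRun
    )

    # -IgnoreSID turns off SharePoint's own SID verification, so check the shape of
    # both values here before anything farm-wide happens.
    $groupClaim = '^c:0\+\.w\|s-1-\d+(-\d+)+$'
    foreach ($c in @($FromClaim, $ToClaim)) {
        if ($c -notmatch $groupClaim) { throw "Not an AD group identity claim: $c" }
    }
    if ($FromClaim -eq $ToClaim) { throw 'Source and target claim are the same.' }

    # Step 1 (Get-SPUser): resolve the source account by its claim.
    $user = Get-SPUser -Identity $FromClaim -Web $WebUrl -ErrorAction SilentlyContinue
    if (-not $user) { throw "Group $FromClaim is not in the User Information List of $WebUrl" }

    # Stop if the target already has an account; review it before moving anything.
    if (Get-SPUser -Identity $ToClaim -Web $WebUrl -ErrorAction SilentlyContinue) {
        throw "Target $ToClaim already exists in $WebUrl; review before migrating."
    }

    Write-Host "Source: $($user.UserLogin) ($($user.DisplayName))"
    if ($DryRun) {
        Write-Host "Dry run: would run Move-SPUser -Identity <source> -NewAlias $ToClaim -IgnoreSID"
        return
    }

    # Step 2 (Move-SPUser): this rewrites the account across the whole farm, not just $WebUrl.
    Move-SPUser -Identity $user -NewAlias $ToClaim -IgnoreSID

    # Verify: the new claim resolves and the old one no longer does. The display name
    # is still the old one at this point; part 3 of the guide fixes that.
    $moved = Get-SPUser -Identity $ToClaim   -Web $WebUrl -ErrorAction SilentlyContinue
    $old   = Get-SPUser -Identity $FromClaim -Web $WebUrl -ErrorAction SilentlyContinue
    return [pscustomobject]@{
        NewLogin     = $moved.UserLogin
        DisplayName  = $moved.DisplayName
        OldClaimGone = -not $old
    }
}

# Scenario from this post: first a dry run, then the real move.
$from = 'c:0+.w|s-1-5-21-2519571660-2376940383-2348130139-2108'
$to   = 'c:0+.w|s-1-5-21-2519571660-2376940383-2348130139-2109'
Move-SPAdGroupClaim -WebUrl 'https://portal.sharepointfire.com' -FromClaim $from -ToClaim $to -DryRun
Move-SPAdGroupClaim -WebUrl 'https://portal.sharepointfire.com' -FromClaim $from -ToClaim $to
```

The target-exists check is deliberately conservative: the scenario in this post starts with no entry for the new group in the User Information List, and if one is already there you want to look at it before merging permissions into it.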


If you receive the error 'Object reference not set to an instance of an object', grant the logged-in user Full Control on both the Permissions and the Administrators tab of the User Profile Service Application.

The SharePoint account has now been migrated to the new identity claim, and the permissions have been migrated to the new group.


We can navigate to the Home Owners group to confirm this.


The account information is pointing to the correct identity claim, but the name is not correct yet. We will set this in part 3.

Get identity claim for AD groups in SharePoint 2013

This post will show a couple of ways to get the identity claim for Active Directory groups that are being used in SharePoint 2013. We are going to need this identity claim for migrating Active Directory groups in SharePoint 2013. This makes it easy to migrate the permissions from one group to another if you change your Active Directory group structure.

I will explain how to migrate an Active Directory group account in SharePoint 2013 using the following blog posts:

  1. Get identity claim for AD groups in SharePoint 2013
  2. Migrating AD groups in SharePoint 2013
  3. Renaming an AD group in SharePoint 2013


Scenario

We have two AD groups and we want to migrate the permissions from one group to the other.

  • Domain\GroupWillBeMigrated (Full control on root site)
  • Domain\MigratedGroup (no entry in User Information List)


We are going to use the PowerShell command get-spuser to return the user account we are going to migrate. We will be needing this for the actual move of the group.

Ways to get the identity claim

1. PowerShell

We can use PowerShell to return the User Login for a specific display name.

We know that the display name is peet\groupwillbemigrated and we can use the following command:

Get-SPUser -Web https://portal.sharepointfire.com | Where-Object {$_.DisplayName -eq "peet\groupwillbemigrated"} | fl UserLogin


This will give us the identity claim for the group in SharePoint, but this can’t give us the identity claim for peet\migratedgroup because this group isn’t in the User Information List.

2. By checking effective permissions

You can do this with Check Permissions or with any other people picker. Navigate to the root site, open "Site Permissions" and click "Check Permissions".


Fill in the group account and click "Check Now".


You can now copy the claims token for this group.

3. Active Directory

The identity claim for an AD group is based on the SID of the group. The claim encoding for an Active Directory group consists of the following sections:

c:0+.w|<SID>

  • “c” for a claim other than identity
  • “+” for a group SID
  • “.” for a string
  • “w” for a Windows claim


You can get the SID using the Active Directory PowerShell commands or by using the GUI.

PowerShell

# Load the Active Directory module explicitly (the original used the wildcard ac*)
Import-Module ActiveDirectory
Get-ADGroup migratedgroup -Properties * | fl Name, ObjectSid
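To make the encoding above concrete, here is an added example (not code from the original post) that builds the group claim from an AD group's SID, decodes a claim back into a SID and resolves it to a DOMAIN\name so you can confirm the claim points at the intended group before using it in Move-SPUser. It assumes the ActiveDirectory module and uses the group name from this post's scenario; the function names are my own.

```powershell
# Added example (not part of the original post): build the SharePoint 2013 group
# claim from an AD group's SID and decode a claim back into a SID. Assumes the
# ActiveDirectory module; the group name is the one from this post's scenario.

function ConvertTo-SPGroupClaim {
    param([Parameter(Mandatory)][string]$Sid)
    # Let .NET validate the SID string; this throws on anything that is not a SID.
    $parsed = New-Object System.Security.Principal.SecurityIdentifier $Sid
    # Encoding from the post: c (non-identity claim) + (group SID) . (string) w (Windows),
    # followed by the SID; SharePoint writes the SID in lower case.
    return 'c:0+.w|' + $parsed.Value.ToLower()
}

function ConvertFrom-SPGroupClaim {
    param([Parameter(Mandatory)][string]$Claim)
    # Accept only the AD group claim shape; a user claim (i:0#.w|domain\user) or
    # anything else is rejected rather than silently mis-parsed.
    if ($Claim -notmatch '^c:0\+\.w\|(?<sid>s-1-\d+(?:-\d+)+)$') {
        throw "Not an AD group identity claim: $Claim"
    }
    return New-Object System.Security.Principal.SecurityIdentifier $Matches['sid'].ToUpper()
}

function Get-SPGroupClaimFromAD {
    param([Parameter(Mandatory)][string]$GroupName)
    Import-Module ActiveDirectory -ErrorAction Stop
    # Get-ADGroup returns the SID by default; no -Properties * is needed for it.
    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    return ConvertTo-SPGroupClaim -Sid $group.SID.Value
}

# Encode the target group of the scenario and show that the claim round-trips.
$claim = Get-SPGroupClaimFromAD -GroupName 'MigratedGroup'
$sid   = ConvertFrom-SPGroupClaim -Claim $claim
# Resolves the SID back to DOMAIN\name, confirming the claim points at the intended group.
$sid.Translate([System.Security.Principal.NTAccount]).Value
```

Because the "Migrating" post uses -IgnoreSID, SharePoint will not check the SID for you; the round trip through ConvertFrom-SPGroupClaim and Translate is the check you do yourself before the move.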


GUI

(The screenshot from the original post showed the group's SID in the Active Directory GUI; it is the same objectSid value that Get-ADGroup returns above.)