Microsoft KB Archive/938110

= Site groups are not maintained, and users are assigned to roles after you upgrade from SharePoint Portal Server 2003 to SharePoint Server 2007 =

Article ID: 938110

Article Last Modified on 6/26/2007

-

APPLIES TO


 * Microsoft Office SharePoint Server 2007

-



SYMPTOMS
After you upgrade from Microsoft Office SharePoint Portal Server 2003 to Microsoft Office SharePoint Server 2007, site groups that were present in SharePoint Portal Server 2003 are not maintained in SharePoint Server 2007. Instead, individual users are assigned to roles (also known as permission levels). For example, when you view the Site Permissions list, you see a list of users and the roles to which the users are assigned. You do not see site groups. This can sometimes clutter the Site Permissions list.



CAUSE
By design, SharePoint Server 2007 works in this manner. When you upgrade to SharePoint Server 2007, SharePoint Portal Server 2003 site groups are converted to SharePoint Server 2007 roles. Additionally, SharePoint Portal Server 2003 cross-site groups are converted to SharePoint Server 2007 groups.



WORKAROUND
Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

To work around this behavior, modify the structure of groups in SharePoint Portal Server 2003 so that the upgrade operation creates site groups instead of roles in SharePoint Server 2007. To do this, populate SharePoint Portal Server 2003 cross-site groups based on existing SharePoint Portal Server 2003 site groups. Do this in a way that site groups are created in SharePoint Server 2007 during the upgrade operation.

The following is an example of code that performs these actions. using System; using System.Collections; using System.Collections.Generic; using System.Text; using Microsoft.SharePoint; using Microsoft.SharePoint.Administration;

/* * * Usage * * Role2Group.exe -url foo -url bar [-fix] * * Parameters * *   1. A list of urls that specifies which SharePoint *     virtual server to process. *  2. An optional flag (fix) to indicate whether *     we should execute the code to move members that are *     assigned to SPRoles or that are assigned to SPGroup. *     By default, this is off to prevent any accidental updates to the database. * * Details * *  The program will examine each Web that has unique permissions within each site *  collection on each virtual server. It will examine each Role *  and each site group within those Webs. This program will do the following: *  1. Create a new cross-site group. *  2. Assign the new group to the role that is to be processed. *  3. Move all the users who are assigned to the Role into the newly created group. * *      The following are the exceptions: * *         - If no user is assigned to that role, no action is taken. *         - If only one user is assigned to the admin role, no action is taken. *         - If groups are assigned to that role, those groups will be warned *           because those groups cannot be assigned to another cross-site group. *         - If domain groups are assigned to that role, the domain groups will *           be warned because domain groups cannot be assigned to a cross-site group. */ namespace ConsoleApplication1 {   static class Program {       static int cWarning = 0; static int cError = 0;

static void Main(string[] args) {           if ((args.Length == 0) ||                (args.Length == 1 && (args[0] == &quot;-?&quot; || args[0] == &quot;-help&quot;))) {               Console.WriteLine(&quot;&quot;); Console.WriteLine(&quot;Role2Group -url foo -url bar [-fix]&quot;); Console.WriteLine(&quot;&quot;); return; }

ArrayList urls = new ArrayList; bool fix = false;

for (int i = 0; i < args.Length; i++) {               if (args[i] == &quot;-url&quot; && i + 1 < args.Length) {                   urls.Add(args[i + 1]); i++; continue; }               else if (args[i] == &quot;-fix&quot;) {                   fix = true; continue; }               else {                   Console.WriteLine(String.Format(&quot;Unrecognized switch {0}&quot;, args[i])); return; }           }

if (fix) {               Console.WriteLine(&quot;You have specified the -fix option. This &quot; +                     &quot;will cause updates to your database&quot;); Console.WriteLine(&quot;Press [Enter] to continue, or [Ctrl+C] to exit...&quot;); Console.ReadLine; }

SPGlobalAdmin globalAdmin = new SPGlobalAdmin;

foreach (string url in urls) {               Uri uri = new Uri(url); SPVirtualServer vs = globalAdmin.OpenVirtualServer(uri);

if (vs == null) {                   Console.WriteLine(String.Format( &quot;Cannot process virtual server at {0}.&quot;, url)); return; }

if (vs.State != SPVirtualServerState.Ready) {                   Console.WriteLine(String.Format( &quot;Skipping virtual server: {0}. Server state = {1}. &quot; + &quot;Cannot process this virtual server.&quot;, url, vs.State)); return; }

try {                   Console.WriteLine(String.Format(&quot;Processing virtual server {0}...&quot;, url)); ProcessOneVirtualServer(vs, fix); }               catch (Exception e)                { cError++; Console.WriteLine(String.Format(&quot;Error occured while &quot; + &quot;processing virtual server {0}&quot;, url)); Console.WriteLine(e); }

Console.WriteLine; Console.WriteLine(&quot;Finished. {0} Errors, {1} Warnings encountered&quot;, cError, cWarning); }       }

static private void WarnAboutDomainGroup(SPSite site, SPWeb web, SPRole role, SPUser user) {           cWarning++; Console.WriteLine(&quot;WARNING: {0} is a domain group, which cannot &quot; +               &quot;be assigned to a group&quot;, user, role.Name); }

static private void WarnAboutGroup(SPSite site, SPWeb web, SPRole role, SPGroup group) {           cWarning++; Console.WriteLine(&quot;WARNING: {0} is a cross site group, which &quot; +               &quot;cannot be assigned to another cross site group &quot;,                 group.Name, role.Name); }

static private SPGroup EnsureGroup(SPSite site, SPWeb web, SPUser user,           string name, string description) {           SPGroupCollection groups = web.SiteGroups; SPGroup group = null; int cTry = 0; string groupname = name;

while (true) {               try {                   // if the group already exists, then modify // the original name with a number appendix group = groups[groupname]; cTry++; groupname = String.Format(&quot;{0}_{1}&quot;, name, cTry); }               catch {                   // break, if we have found a unique group name break; }           }

groups.Add(groupname, user, user, description); group = groups[groupname]; return group; }

static private void ProcessOneWeb(SPSite site, SPWeb web, bool fix) {           Console.WriteLine(string.Format(&quot;Processing web {0} ...&quot;, web.Url));

StringBuilder sbGroupId = new StringBuilder(&quot;&quot;); SPRoleCollection roles = web.Roles;

foreach (SPRole role in roles) {               Console.WriteLine(string.Format(&quot;Processing role {0} ...&quot;, role.Name));

SPGroup newgroup = null; string groupname = String.Format(&quot;{0} Group from {1}&quot;, role.Name, web.Title);

// Get rid the following invalid chars from group // name: / \ [ ] : | < > + = ;, ? * ' @                 groupname = groupname.Replace('/', '_'); groupname = groupname.Replace('\\', '_'); groupname = groupname.Replace('[', '_'); groupname = groupname.Replace(']', '_'); groupname = groupname.Replace(':', '_'); groupname = groupname.Replace('|', '_'); groupname = groupname.Replace('<', '_'); groupname = groupname.Replace('>', '_'); groupname = groupname.Replace('+', '_'); groupname = groupname.Replace('=', '_'); groupname = groupname.Replace(';', '_'); groupname = groupname.Replace(',', '_'); groupname = groupname.Replace('?', '_'); groupname = groupname.Replace('*', '_'); groupname = groupname.Replace('\'', '_'); groupname = groupname.Replace('@', '_');

string groupdesc = String.Format(&quot;{0} Group from {1}. This &quot; +                   &quot;group is automatically generated.&quot;, role.Name, web.Title);

// there is nothing to do, if there is no individual user if (role.Type == SPRoleType.Guest || role.Users == null || role.Users.Count == 0) continue;

foreach (SPGroup group in role.Groups) {                   WarnAboutGroup(site, web, role, group); }

foreach (SPUser user in role.Users) {                   if (user.IsDomainGroup) {                       WarnAboutDomainGroup(site, web, role, user); }                   else if (fix) {                       if (newgroup == null) {                           newgroup = EnsureGroup(site, web, user, groupname, groupdesc); role.AddGroup(newgroup);

if (sbGroupId.Length == 0) {                               sbGroupId.Append(String.Format(&quot;{0}&quot;, newgroup.ID)); }                           else {                               sbGroupId.Append(String.Format(&quot;;{0}&quot;, newgroup.ID)); }

}

newgroup.AddUser(user); }               }

if (newgroup != null && fix) {                   foreach (SPUser user in newgroup.Users) {                       try {                           role.RemoveUser(user); }                       catch {                           // We sometimes will fail, because we cannot remove // all users from the administrator role. }                   }                }            }

if (fix && sbGroupId.Length > 0) {               web.Properties[&quot;vti_associategroups&quot;] = sbGroupId.ToString; web.Properties.Update; }

return; }

static private void ProcessOneVirtualServer(SPVirtualServer curVS, bool fix) {           SPSiteCollection sites = curVS.Sites;

if (sites != null) {               foreach (SPSite site in sites) {                   if (site != null) {                       try {                           foreach (SPWeb web in site.AllWebs) {                               int template = web.WebTemplateId;

// If we have a Web with a template ID that is                               //      20, 21, 22, 30, 31, 32, 33, 34, 35, or 36, //  this is an area Web or a bucket Web from //  an SPS 2003 instalation. // We will be unable to process these Webs because they use // an external security provider. The external // security provider will deliberately return // ACCESS_DENIED to the WSS security object model. // However, it is also unnecessary to process these Webs because // the SPS 2003 upgrade logic already does the role-to-group conversion. if ((template >= 20 && template <= 22) ||                                   (template >= 30 && template <= 36)) {                                   Console.WriteLine(string.Format(&quot;Skipping SPS2003 web {0} ...&quot;, web.Url)); continue; }

if (web.HasUniquePerm) ProcessOneWeb(site, web, fix); }                       }                        finally {                           site.Close; }                   }                }            }        }    } }



MORE INFORMATION
For more information about how to upgrade to SharePoint Server 2007, visit the following Microsoft Web site:

http://technet2.microsoft.com/Office/en-us/library/396c85d9-4b86-484e-9cc5-f6c4d725c5781033.mspx?mfr=true

Additional query words: permissions administrative crosssite

Keywords: kbtshoot kbexpertiseinter kbprb KB938110

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.