Microsoft KB Archive/896593

= After you migrate a user from a different Active Directory domain, the user can no longer access Windows SharePoint Services =

Article ID: 896593

Article Last Modified on 4/7/2006


APPLIES TO


 * Microsoft Windows SharePoint Services






SYMPTOMS
After you migrate a user from one Active Directory domain to another Active Directory domain, the user experiences one of the following symptoms:
 * The user can no longer access Microsoft Windows SharePoint Services.
 * The user can access Windows SharePoint Services, but the user's settings are no longer the same as they were before the migration.



CAUSE
When a user is migrated in Active Directory, the Security Identifier (SID) changes for the user. Additionally, the logon information for the user might be changed. Windows SharePoint Services and Microsoft SharePoint Portal Server 2003 store user information based on both the user SID and the user logon information. When the user SID or the user logon information changes in Active Directory, Windows SharePoint Services must be updated with the new user information before the user can access Windows SharePoint Services successfully.



How to obtain the hotfix
This issue is fixed in the Microsoft Windows SharePoint Services post-Service Pack 1 Hotfix Package that is dated March 29, 2005. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

896349 Description of the Windows SharePoint Services post-Service Pack 1 hotfix package: March 29, 2005

API information
The Windows SharePoint Services post-Service Pack 1 hotfix package that is dated March 29, 2005 contains an API that you can use to update Windows SharePoint Services with the migrated user information. This new API is made up of the following data:
 * Namespace: Microsoft.SharePoint.Administration
 * Class: SPGlobalAdmin
 * Method: MigrateUserAccount

Method usage
/// <summary>
/// Migrate a WSS user to a new login name.
/// </summary>
/// <param name="oldLogin">Old login name</param>
/// <param name="newLogin">New login name</param>
/// <param name="enforceSidHistory">If true, Active Directory will be
/// queried to ensure that the specified old login name is contained
/// within the new login name's SID history.</param>
public void MigrateUserAccount(string oldLogin,
                               string newLogin,
                               bool enforceSidHistory);

Example
SPGlobalAdmin g = new SPGlobalAdmin();
string oldLogin = @"DOMAIN\user";      // pre-migration login name
string newLogin = @"DOMAIN\user2";     // post-migration login name
bool enforceSidHistory = true;         // verify SID history in Active Directory

g.MigrateUserAccount(oldLogin, newLogin, enforceSidHistory);

Parameters

 * oldLogin: Replace this value with the original pre-migration user name of the migrated user. This user name must be in the domain\username format.
 * newLogin: Replace this value with the new post-migration user name of the migrated user. This user name must be in the domain\username format.
 * enforceSidHistory: Set this value to True to require that the SID History attribute of the user name that you specified in the newLogin value contains the SID of the user name that you specified in the oldLogin value. Alternatively, if you do not want the SID History attribute to be verified, set the enforceSidHistory value to False.

Additionally, the following new command is added to the Stsadm.exe command-line tool:

stsadm -o migrateuser -oldlogin <domain\username> -newlogin <domain\username> [-ignoresidhistory]

If you do not specify the -ignoresidhistory parameter in this command line, the command queries Active Directory for the SID History attribute. This attribute is automatically populated by Microsoft Windows when you migrate a user to another domain.

Error messages
The following error messages are available:
 * You receive a "The user does not exist" error message if either of the following conditions is true:
 ** The user information that you specify in the  value is a domain group.
 ** The records have not been updated because the original user logon information or the original user SID was not found in the content database.
 * If the new user account does not have an SID History field, or if none of the SIDs in that field match an SID in the content database, you receive the following error message:

Cannot complete this action. Please try again

Note You also receive this error message if the user information that you specify in the  value is corrupted.
 * If the user information that you specify in the  value is corrupted, you receive the following error message:

The user or group ' ' is unknown.


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


MORE INFORMATION
Important If you want to migrate a user to SharePoint Portal Server 2003 by using the procedure that is described in the following Microsoft Knowledge Base article, you must first migrate the user to Windows SharePoint Services by using the hotfix that is mentioned in this article:

896161 A user can no longer access SharePoint Portal Server 2003 after you migrate that user from one Active Directory domain to another Active Directory domain

Additional query words: SPS, WSS, sidhist

Keywords: kbbug kbfix kbqfe kbwsspresp2fix kbhotfixserver KB896593
