Article ID: 896593
Article Last Modified on 4/7/2006
APPLIES TO
- Microsoft Windows SharePoint Services
SYMPTOMS
After you migrate a user from one Active Directory domain to another Active Directory domain, the user experiences one of the following symptoms:
- The user can no longer access Microsoft Windows SharePoint Services.
- The user can access Windows SharePoint Services, but the user's settings are no longer the same as they were before the migration.
CAUSE
When a user is migrated in Active Directory, the Security Identifier (SID) changes for the user. Additionally, the logon information for the user might be changed. Windows SharePoint Services and Microsoft SharePoint Portal Server 2003 store user information based on both the user SID and the user logon information. When the user SID or the user logon information changes in Active Directory, Windows SharePoint Services must be updated with the new user information before the user can access Windows SharePoint Services successfully.
RESOLUTION
How to obtain the hotfix
This issue is fixed in the Microsoft Windows SharePoint Services post-Service Pack 1 Hotfix Package that is dated March 29, 2005. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
896349 Description of the Windows SharePoint Services post-Service Pack 1 hotfix package: March 29, 2005
API information
The Windows SharePoint Services post-Service Pack 1 hotfix package that is dated March 29, 2005 contains an API that you can use to update Windows SharePoint Services with the migrated user information. This new API is made up of the following data:
- Namespace: Microsoft.SharePoint.Administration
- Class: SPGlobalAdmin
- Method: MigrateUserAccount
Method usage
/// <summary>
/// Migrate a WSS user to a new login name.
/// </summary>
/// <param name="oldLogin">Old login name</param>
/// <param name="newLogin">New login name</param>
/// <param name="enforceSidHistory">If true, Active Directory will be
/// queried to ensure that the specified old login name is contained
/// within the new login name's SID history.</param>
public void MigrateUserAccount(string oldLogin, string newLogin, bool enforceSidHistory);
Example
SPGlobalAdmin g = new SPGlobalAdmin();
string oldLogin = @"DOMAIN\user";
string newLogin = @"DOMAIN\user2";
bool enforceSidHistory = true;
g.MigrateUserAccount(oldLogin, newLogin, enforceSidHistory);
Parameters
Old login name
Replace this value with the original pre-migration user name of the migrated user. This user name must be in the domain\username format.
New login name
Replace this value with the new post-migration user name of the migrated user. This user name must be in the domain\username format.
enforceSidHistory
Set this value to True to require that the SID History attribute of the user name that you specified in the New login name value contains the SID of the user name that you specified in the Old login name value. Alternatively, if you do not want the SID History attribute to be verified, set the enforceSidHistory value to False.
Additionally, the following new command is added to the Stsadm.exe command-line tool:
stsadm -o migrateuser -oldlogin DOMAIN\user -newlogin DOMAIN\user [-ignoresidhistory]
If you do not specify the -ignoresidhistory parameter in this command line, the command queries Active Directory for the SID History attribute. This attribute is automatically populated by Microsoft Windows when you migrate a user to another domain.
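The comparison that SID History enforcement relies on, shown as an added example (not Microsoft's code and not part of the hotfix): decode the binary SIDs held in the objectSid and sIDHistory attributes and list the login pairs that would only migrate with -ignoresidhistory. It assumes the attribute values were already exported from Active Directory; the logins, SIDs and function names below are constructed for illustration.

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID (objectSid / sIDHistory value) to its S-1-... form."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])    # 32-bit, little-endian
    return "-".join(["S", "1", str(authority)] + [str(s) for s in subs])

def string_to_sid(text: str) -> bytes:
    """Encode S-1-... text as a binary SID (used here to build sample data)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision 1 SID string")
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def sid_history_matches(old_sid: bytes, new_sid_history) -> bool:
    """True only if the old account's SID is listed in the new account's sIDHistory."""
    old = sid_to_string(old_sid)
    return any(sid_to_string(entry) == old for entry in new_sid_history)

def needs_review(migrations):
    """Return (old_login, new_login) pairs that would only succeed with
    -ignoresidhistory, i.e. where nothing ties the new account to the old one."""
    return [(m["old_login"], m["new_login"]) for m in migrations
            if not sid_history_matches(m["old_sid"], m["new_sid_history"])]

# Constructed sample data: logins and SIDs are invented for this example.
ALICE_OLD = string_to_sid("S-1-5-21-1111111111-2222222222-3333333333-1105")
CAROL_OLD = string_to_sid("S-1-5-21-1111111111-2222222222-3333333333-1190")
SAMPLE = [
    {"old_login": r"OLDDOM\alice", "new_login": r"NEWDOM\alice",
     "old_sid": ALICE_OLD, "new_sid_history": [ALICE_OLD]},
    {"old_login": r"OLDDOM\bob", "new_login": r"NEWDOM\bob",
     "old_sid": string_to_sid("S-1-5-21-1111111111-2222222222-3333333333-1106"),
     "new_sid_history": []},                  # migrated without SID history
    {"old_login": r"OLDDOM\carol", "new_login": r"NEWDOM\dave",
     "old_sid": CAROL_OLD, "new_sid_history": [ALICE_OLD]},  # wrong account
]

if __name__ == "__main__":
    for old, new in needs_review(SAMPLE):
        print("review before migrating:", old, "->", new)
```

Pairs returned by needs_review are the ones where skipping the SID History check would move one account's SharePoint permissions and settings to an account that Active Directory does not link to it.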
Error messages
The following error messages are available:
- You receive a "The user does not exist" error message if either of the following conditions is true:
  - The user information that you specify in the new login name value is a domain group.
  - The records have not been updated because the original user logon information or the original user SID was not found in the content database.
- If the new user account does not have an SID History field, or if none of the SIDs in that field match an SID in the content database, you receive the following error message:
  Note You also receive this error message if the user information that you specify in the old login name value is corrupted.
- If the user information that you specify in the new login name value is corrupted, you receive the following error message:
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
MORE INFORMATION
Important If you want to migrate a user to SharePoint Portal Server 2003 by using the procedure that is described in the following Microsoft Knowledge Base article, you must first migrate the user to Windows SharePoint Services by using the hotfix that is mentioned in this article:
896161 A user can no longer access SharePoint Portal Server 2003 after you migrate that user from one Active Directory domain to another Active Directory domain