Skip to main content
Sign In |
  Help (new window)
Trans Am

Todd Klindt's SharePoint Admin Blog

Go Search
Home
Blog
Netcast homepage
SharePoint Terminology Wiki
  

Todd Klindt's home page > Todd Klindt's SharePoint Admin Blog > Posts > A few notes about STSADM –o migrateuser

7/29/2008

A few notes about STSADM –o migrateuser

As those of you that have seen me present know, I do a lot with STSADM. I find it to be an incredibly useful tool for large deployments, and pretty handy for smaller ones too. I've seen a few questions on how the migrateuser operation works, so I thought I'd write a little something up. Its purpose is to move permissions from one account to another. One scenario would be if a domain was being split up. You would want the new accounts to have the same permission as the old accounts. Another use would be accountname changes. If someone's account is renamed you don't want to have to grant them permission to all of the same resources. The usage for migrateuser is pretty simple. Let's take a look:

You just supply it with the old account and the new account and that's it. If you're not migrating from one domain to another you can tell it to ignore SID history as well. Some of migrateuser's behavior isn't obvious, so I thought I'd spell some of it out. Here is a crude flowchart (I didn't do well in art in grade school) that shows the logic migrateuser uses:

 

Ugly, I know. The main thing I want you to take away from this is that if domain\newuser has any permissions before you run migrateuser, they will be gone and replaced with the permissions domain\olduser had. They will not be combined. To demonstrate how this works I've created a site collection and given domain\newuser and domain\olduser permissions. Domain\newuser is in the Owners group while domain\olduser is simply in the Vistors group. You can see the information in SQL in this "before" picture:

Here are the two entries for domain\newuser and domain\olduser in the UserInfo table. You can see they each have their own tp_ID and their tp_Tokens are different. This token is where their permissions are stored. In the before picture they are different. I ran this command to migrate from domain\olduser to domain\newuser:

Pretty simple, nothing too it. STSADM is finished in a flash. Now let's refresh SQL and see what changes have been made:

There are a couple of things to note here. First, note tp_ID 9 has a tp_Login value of domain\newuser instead of domain\olduser in the previous screenshot. Essentially migrateuser just changed the value. Next you'll notice the tp_Token is the same as it was before. It was not changed to domain\newuser's nor were the two combined. Finally you'll see that domain\newuser's previous tp_ID, 8, is now marked as Deleted. That's the first step in the flowchart.

Besides removing all of domain\newuser's permissions, migrateuser has another "gotcha." Since it deletes domain\newuser's permissions before it maps them to domain\olduser's permissions (even if there are no domain\olduser permissions to map) there is a split second where it's possible that no one has permission. This is the case with Site Owners. If domain\newuser is the only Site Owner (meaning a secondary wasn't defined) then after migrateuser deletes it, the Site now has no Owner and cannot be administrated. I have not seen a way to recover from that. The site still renders, and users can still use it, but no administrative tasks can be done. In both cases that I've seen this I've had to recover the site from a backup. There may be a way to fix this in SQL, but I would recommendation against editing SQL by hand.

I hope this helps you understand the migrateuser operation a little better.

tk

Posted at 12:25 AM by Todd O. Klindt | Permalink | Email this Post | Comments (46)

Comments

How about migrating groups?

Do you know if its possible to migrate a security group? I have a customer who changed some OU in their AD. This is a problem as they use these groups for filtering content.
at 7/29/2008 7:30 AM

Re: How about migrating groups?

I have not tried to migrate a group, I'm not sure if it's possible or not.

tk
Todd Klindt at 7/31/2008 10:19 PM

Re: How about migrating groups?

Ok, anyway great post! :-)
at 8/1/2008 7:35 AM

Cannot add user because user already exists error

Hi Todd,

This is Gary.  Good post.  Another place where this works well is when the active directory account has changed, and a person gets the "Cannot add user because user already exists error", but the user isn't listed on the site.  Running this tool, with the exact same value for the -olduser and -newuser refreshes the site collection, and the user can be added.  And the old permissions are not retained.  There must be another piece of logic in there that checks to see if the old and new is the same, before deciding to delete the new.
at 8/12/2008 7:08 AM

Re: Cannot add user because user already exists error

Hey Gary,
Good to see you.  When you get the "cannot add user" error have you tried going to Site Settings > Site Administration > (
Under Site Collection Administrator) > View Site Collection User Information and delete the user from there?  Like we've talked about recently there is a list of users for each web, and a list of users for the site collection.  Normally when you get this error the user does not exist in one, but does exist in the other.

tk
Todd Klindt at 8/19/2008 9:39 AM

Cannot complete this action?

Hi Todd

We are trying to use migrateuser to update a users SIP address. Her email address changed when she married and we now need to update her record in all site collections that she has visited. When we use this command we get the error Cannot complete this action. If we try the command without the -ignoresidhistory switch we get: New user account does not have valid SID history. Can you shed any light? We've had this problem for a while now. Thanks
at 8/27/2008 2:35 PM

Re: Cannot complete this action?

The migrateuser operation only adjusts permissions nothing else.  It won't fix display names or email addresses.  If you are only using WSS there is no way to do this out of the box.  In the v2/sps space you can use Keith Richie's SPUserUtil to sync SharePoint user data with Active Directory, http://blogs.msdn.com/krichie/archive/2006/02/18/534767.aspx  I don't believe that works with WSS v3.  I know the folks at Bamboo Solutions have a product that works with v3, but it costs money.  You can find more information here, http://store.bamboosolutions.com/ps-45-6-user-profile-sync-release-13.aspx 

As to the error you're getting, I assume that the user's account has never been migrated from one domain to another.  If that is the case, then it does not have any Sid History.  Did you try running the command with the -ignoresidhistory flag?  It still won't do what you're trying to do, but I would think that would keep it from throwing an error.

tk
Todd Klindt at 8/28/2008 7:09 AM

Re: Cannot complete this action?

We have tried the command with and without the ignoresidhistory. The error with the ignoresidhistory is included in my original post.

So my next question to you is, can we use Sharepoint Designer to update the userinfo table without directly modifying the database?
at 8/28/2008 9:11 AM

Re: Cannot complete this action?

I don't know of any way to fix that with SharePoint Designer.  Of course I have to mention that you should never ever alter the SharePoint databases directly, but you probably already knew that.  :)

The user could change the address herself in the UI.  She'll have to do it for each Site Collection, but it's the only free option I know of.

tk
Todd Klindt at 8/29/2008 3:36 PM

Keep getting user does not exist or is not unique.

We are currently going through a phased migration of several domains into one Company-wide domain. We have a local WSS v3 server that the migrateuser command seems to work well on. The issue I am having is that we also have an externally hosted box that is running MOSS. On the external box, I continue to get the "user does not exist, or is not unique" error on the accounts I have tried migrating. This happens whether or not I include the -ignoresidhistory parameter. Any information you can provide is greatly appreciated.
at 9/9/2008 10:52 AM

Cannot Complete this action or HResult 0x80040E09

Todd,


I am getting these errors and cannot find anything about them. Any idea where I can start for troubleshooting?

Thanks,

Ben
at 9/16/2008 3:41 PM

Re: Cannot Complete this action or HResult 0x80040E09

Hey Ben,
Normally those kinds of errors make me think your SQL server is having problems.  My first suggestion is to go over your SQL server with a fine toothed comb and see how it's doing.  Are any drives full?  Do your data and log files have some white space in them so that they can grow?  Stuff like that.  Also look through your ULS logs and see if there's anything in there.  I'd start by just searching for "error".

Let me know if you need any more help.  Good luck.

tk
Todd Klindt at 9/16/2008 8:50 PM

Cannot Complete this action or HResult 0x80040E09

Todd,


I am getting these errors and cannot find anything about them. Any idea where I can start for troubleshooting?

Thanks,

Ben
at 9/16/2008 9:51 PM

MigrateUser with Content Deployment

Hi Todd,

Some advice would be really useful if possible! I'm planning on using a Content Deployment job to migrate content from Domain A to Domain B.

Domain A was a temporary domain which users were accessing and creating content on SP. Ideally I want to be able to use Content Deployment to migrate the content to Domain B, and then map their permissions using migrateuser manually one for one, so that the content and site permissions they had in the old domain/SP environment come across to the new domain.

Is this actually possible? Will the Content Deployment allow me to bring over the user data into the new domain without crashing because the users don't exist over there?

Cheers
Gavin
at 10/7/2008 12:42 PM

Re: MigrateUser with Content Deployment

That should work. When you use CD to move the data from Domain A to Domain B, make sure you maintain permissions. If not, there will be no users to migrate once you get to Domain B.

tk
Todd Klindt at 10/7/2008 2:17 PM

Unable to connect to database when running migrateuser

Hi Todd,

Regular reader, first time commenter.

I have a user who has had a new account created (not migrated) and I need to migrate the SharePoint account.

I've tried migrateuser without ignoresidhistory and get the expected SID hostory error.

When I run;

stsadm -o migrateuser -oldlogin xxxx\GADTEST1 -newlogin xxxx\GADTest2 -ignoresidhistory

I get the following error:

"Unable to connect to database.  check database connection information and make sure the database server is running."

The database is our core business database server hosting numerous other apps including our production WSS and MOSS as well as the dev WSS I'm trialling the user migration on.

Any ideas?
at 11/21/2008 12:37 AM

Re: Unable to connect to database when running migrateuser

Weird error. I don't know the solution off the top of my head. Do you get any errors in the event log? I assume everything else in that content database is working, isn't it?

tk
Todd O. Klindt at 11/25/2008 10:08 PM

Unable to connect to database when running migrateuser

I’m having the same problem. Have you found a solution for it?

In the event viewer the error says it cant find the mysite db, but in the console it gives the same error as you got. Ideas?

PS: the mysite does work fine, and the db exists...
at 12/6/2008 7:03 AM

MigrateUser Profiles cris crossed and Page Page Cannot be displayed on Admin Page

Hello Todd,

       Very nice information about the migrateuser. We are migrating all the users from one domain to another with new ids, so I have used migrateuser to migrate permissions and was moving personal MySites exporting and importing them into their new domain user MySite. The problems that I have noticed are
Ii) if the user is logged in with their new domain id and hit "My Site" it is for some reason taking them to their old profile and they are not getting "My Home" "My Profile" buttons on their MySite to edit their profile data and in the URL it is showing both domain/users names like this
http://sharepoint.mycompany.com/users/Person.aspx?accountname=OLDDOMAIN%5COLDID&PortalUrl=http%3A%2F%2Fsharepoint%2Emycompany%2Ecom%2Fpersonal%2FNEWID%2Fdefault%2Easpx&Public=1

(ii) Cannot see the site collection from the Central Admin, when it reaches that personal site it is taking me to the error page with "User cannot be found" so literally cannot administor the site. I tried to do enum sites and I see the below message for all the sites
<Site Url="http://sharepoint.mycompany.com/personal/myuserid" Error="User cannot be found.">

Do you think there are being caused by the same glitch that you have mentioned in your article?

Work Around: I found that if I delete the whole "MySite" and re-import them back (from my old mysite backup using export site) everything is working like it should, but is there any quick fix rather than deleting 3000 odd Personal Site collections and re-import them?
at 12/16/2008 10:17 AM

MigrateUser Profiles cris crossed and Page Page Cannot be displayed on Admin Page

Hello Todd,

       Very nice information about the migrateuser. We are migrating all the users from one domain to another with new ids, so I have used migrateuser to migrate permissions and was moving personal MySites exporting and importing them into their new domain user MySite. The problems that I have noticed are
Ii) if the user is logged in with their new domain id and hit "My Site" it is for some reason taking them to their old profile and they are not getting "My Home" "My Profile" buttons on their MySite to edit their profile data and in the URL it is showing both domain/users names like this
http://sharepoint.mycompany.com/users/Person.aspx?accountname=OLDDOMAIN%5COLDID&PortalUrl=http%3A%2F%2Fsharepoint%2Emycompany%2Ecom%2Fpersonal%2FNEWID%2Fdefault%2Easpx&Public=1

(ii) Cannot see the site collection from the Central Admin, when it reaches that personal site it is taking me to the error page with "User cannot be found" so literally cannot administor the site. I tried to do enum sites and I see the below message for all the sites
<Site Url="http://sharepoint.mycompany.com/personal/myuserid" Error="User cannot be found.">

Do you think there are being caused by the same glitch that you have mentioned in your article?

Work Around: I found that if I delete the whole "MySite" and re-import them back (from my old mysite backup using export site) everything is working like it should, but is there any quick fix rather than deleting 3000 odd Personal Site collections and re-import them?
at 12/17/2008 9:17 AM

How to migrate to a new domain!!!

Hi,

We started using this migrateuser command way back from 2008. We seem to have not captured this issue and now we are left with lot of orphans.

Here is the situation.
1) The users have multiple accounts in multiple domains.
2) All the domains were allowed for access to sharepoint due to internal reasons.
3) One user can be added (and were added) with 2 different domain IDs at different places in the same site collection. (Due to users confusing which ID to pick)
4) When we run migrate user command to move Dom1\User to Dom2\User, it is removing the entries of Dom2\User which were there already and making them as Person or Just the name, clicking on which we will get user cannot be found.

Given the scenario above, we want to move to a single domain now.
--We want to restrict users from accessing the old domain accounts from people picker.
--We are using custom LDAP filter to filter out old domain accounts from AD.
--But the old accounts already added on the site collection are showing up on people picker results. According to MS, we cant restrict the accounts added on site collection from people picker.

The option I know of is:-
Remove all the old domain accounts from site collection. But the issue with this is, all the active workflows, metadata for these old domain users will be lost.

Given the scenario above, Please advise the best appoach to move to a single domain and restrict people picker to show only one domain IDs going forward.

Any advice is much appreciated.
at 1/28/2009 12:37 PM

Group got migrated/recreated - oh boy

A Universal Security was mistakenly migrated to a new child domain along with a user being migrated to it.  Rather than migrate back (which ADMT does not support IIRC), the groups was recreated and repopulated.  The original, migrated group (thenin the child domain) was deleted.

But the SIDs in the dB and on the recreated group, of course, don't match.  Can "stsadm -o migrateuser -oldlogin 'domain\lost group -newlogin 'domain\lost group' -ignoresidhistory" save our bacon?
at 2/5/2009 1:56 PM

Re: Group got migrated/recreated - oh boy

The migrateuser operation doesn't touch groups as far as I know, only users. I don't think it will help in your situation.

tk
Todd Klindt at 2/6/2009 2:24 PM

Another option for usage

For some reason that I cannot explain, this failed when I used the format of:

stsadm -o migrateuser -oldlogin domain\lostname -newlogin domain\newname -ignoresidhistory

When using that format, I would get the error message "user does not exist, or is not unique" as reported by other readers of this blog.

After experimenting a little, I stumbled upon the following, which did work for me:

stsadm -o migrateuser -oldlogin domain\lostname -newlogin newname -ignoresidhistory

By basically including the domain with the old login, but excluding it for the new login, I got the accounts to migrate successfully.
at 2/9/2009 10:17 AM

Restoring permissions to a re-created user

Hi - We deleted a bunch of users from the AD accidentally and having recreated then found that they no longer had access to the WSS 3.0 team site where they were previously 'team site visitors'.

I used the migrateuser command with new login and old login containing the same value. The ignore SID history command was included and WSS permissions seem to be restored. Before I run this on live users I am just wondering if this command affects the AD in any other way.

Please can you confirm

Thanks very much
at 4/19/2009 8:18 AM

Re: Restoring permissions to a re-created user

That's a pretty creative use for "migrateuser." I'm impressed. I'm adding that to my talks. :)

Migrateuser will not affect AD in any way. It is completely confined to SharePoint. It is only making changes on your SharePoint database. I can't think of any changes it will make to your AD.

tk
Todd O. Klindt at 4/19/2009 11:20 AM

Re: Restoring permissions to a re-created user

No effect on the AD - that certainly is good to hear.

Thanks for your input.

O
at 4/19/2009 4:24 PM

Migrateuser but with SQL auth

We are migrating just users and workstations while maintaining SID history, to a new forest.

I attempted to use the stsadm –o migrateuser command but it gave me errors indicating it could not connect to the database. This is most likely caused by the fact that we are using SQL authentication for the DBs and not Windows. Is there a way to specify SQL credentials for this command? If not, what exactly does the migrateuser command do? If it is a few simple operations in the MOSS DBs, I can work with our DBA team to run updates or queries from the SQL server itself.

Yes, I know it's highly recomended to use Windows Auth but it was not my call unfotunately, so I'm stuck with it as it is.

Have a PSS case open but they're not too helpful at this point, they don't seem to understand the issue.

Any suggestions?
at 4/21/2009 12:37 PM

Actually you can fix the "the Site now has no Owner and cannot be administrated"

With regards to the issue about migrating a user who is the sole site collection administrator.

I recently ran into this issue and fixed it by simply running the following command on the problem site collection: stsadm -o sitowner -url http://SitCollectionURL -ownerlogin domain\user
at 5/25/2009 5:48 AM

OK, so it doesn't combine permissions...then how -do- you do it?

Both oldlogin and newlogin are added to multiple, various site collections, and we want to consolidate them all to just newlogin...how do we do that without losing the permissions that newlogin currently holds?

I -really- want to just do this in SQL, because, even though M$ has this strict "don't touch our database" clause, what else are we supposed to do when they don't provide the basic functionality to do these things?

I'm nowhere near the first person that's needed this, and why they haven't added this simple task to STSADM yet is beyond me.

Ideas?

I think we'll have DocAve installed by next week, so I think I'll be able to map all of their permissions from the old user to the new user, then just delete the old user that way...but it'd probably be 1 solitary user at a time...for 3500+ users.  *sigh*  Help?

  --ANK
at 6/4/2009 1:00 PM

Re: OK, so it doesn't combine permissions...then how -do- you do it?

I've never found a way to combine the permissions of two users. I haven't ever really looked though. Hopefully someone reading these comments will have a suggestion.

tk
Todd O. Klindt at 6/4/2009 8:36 PM

Re: OK, so it doesn't combine permissions...then how -do- you do it?

To me it seems that the migrateuser command is somehow combining the two accounts.
We used:
stsadm -o migrateuser -oldlogin olddomain\oldusername -newlogin newdomain\newusername -ignoresidhistory

and we got the error: Error migrating user profile.

Bevore running the command both users where member in a site (but different ones).
Now after running the command I can find the new user in both sites and in the databases I can also just find the new users name and it is not set as deleted...

Has maybe anything changed for the command?
at 7/10/2009 2:29 AM

Re: OK, so it doesn't combine permissions...then how -do- you do it?

The functionality may have been changed in patches that have come out since I originally published this. I haven't checked lately.

tk
Todd O. Klindt at 7/10/2009 10:07 AM

migrareuser with -ignoresdihistory option worked wrong

Hi,

I executed stsadm -o migrateuser -oldlogin "domain\OLDName" -newlogin "domain\newName" -ignoresidhistory . It executed successfully . But the result it has given is opposite : i.e. newName is replaced with oldName.. can you please tell me what is wrong in the command written or how to correct this now?
at 7/27/2009 6:21 AM

AD Account was renamed

Hi,

Can we use the stsadm -migrateuser to migrate an AD user account which was renamed.

Thanks.
at 8/18/2009 1:15 AM

Re: AD Account was renamed

Yes, it will work fine for renamed accounts. That's what I've used it most for, accounts that were based on last names and people got married and changed their names. Works like a champ.

tk
Todd O. Klindt at 8/18/2009 10:59 AM

RE:Actually you can fix the "the Site now has no Owner and cannot be administrated"

This should also be fixable by going to the central administration website and updating the site collection administrator user.
-Zak
at 9/4/2009 4:36 PM

RE: Another option for usage

Excluding the new domain name seems to work.

If you receive the error message "Error migrating user profile.", just run the command again using the following syntax:

stsadm -o migrateuser -oldlogin oldDomain\name  -newlogin name -ignoresidhistory

-okan
at 9/24/2009 12:50 PM

Changed Domain

We recently had to change to our corporate domain. I have been looking at everyone great success and I can't figure out why four (4) users can access the WSS site and the other thirty (30) users can't. I will try what I have read so far. I will let you know how everything turns out. I know I got to get SQL 2005 for what was shown earlier also.
at 2/3/2010 7:22 PM

Error: stsadm migrateuser

I need to migrate users from one domain to another domain, which includes around 5000 users.. I try to run command to migrateuser to another domain with stsadm -o migrateuser, and always end with "Object reference not to set to an instance of Object". I mentioned the error message here:

http://social.msdn.microsoft.com/Forums/en-US/sharepointadmin/thread/8eb15d7c-3d17-4c05-9a00-e934f081232c

Although users have been successfully migrated, I am not sure what the future impact because of the error.

Do you have any idea, Todd?
at 3/23/2010 2:45 AM

Re: Error: stsadm migrateuser

Not sure what is causing that error. It's a pretty generic .NET error. If the users are working fine now, I wouldn't worry about it. Have you looked in SQL to verify everything looks correct? If you're worried about there being a problem, trying running "stsadm -o preupgradecheck" and see if it finds any issues.

tk
Todd O. Klindt at 3/28/2010 11:58 AM

Multiple domain users in a migrated farm

Hi Todd - I have a peculiar requirement where we have a sharepoint farm content users from two domains (A and B) and  we need to migrate this sharepoint farm which is currently hosted in B domain to A domain. We then would decommission the B domain. The problem here is we have users from both these domains added in this farm and if I run MigrateUser command, it's going to delete the A domain users with same ID and this will be a total disaster. Can you suggest the best approach to migrate users from one domain to another without deleting the existing users from target domain? 
at 5/16/2010 6:04 AM

Re: Multiple domain users in a migrated farm

There is no way to combine the permissions of two accounts, at least not with the migrateuser operation. You have to pick one to be the official one.

Migrateuser does work at the user level, so you can mix and match. domaina\john can overwrite domainb\john, but but domainb\jane might be the one you want to overwrite domaina\jane. However, there's no way to add domainb\jane's permission to the permissions domaina\jane has.

tk
Todd O. Klindt at 5/16/2010 6:46 PM

Migrate multiple source domain user account permissions into single domain user account

Based on your last reply on the multiple domain users into single user this does not look possible via stsadm. I have an internal and external SPS portal that has the same users on both and they need to be migrated into their new internal AD account.

Are there any other methodas you have found to achieve this? OOTB or 3rd party?
at 6/14/2010 2:52 PM

nice post

Nice post, I'm looking to migrate >70K users soon, looking at your explaination of the stsadm command, I'm going to encounter issues.  It looks such a crude way to do it, looking at your example, it adds a new entry into the userinfo table, with a new tp_id!!!!!!   if it uses this as the new one and marks the old one for deletion it will screw up all the lists in the site that have a people and groups column.  This is an assumption as I have not tested anything yet, but I had an issue moving a list containing a people/groups column because it uses tp_id!!!!! 

Looks like I'll have to pay someone write me an app or powershell script to do this

benjamin_davies@msn.com
at 6/25/2010 5:56 AM

OoPs !!! Tricky command.

We lost more than 20 K user permissions given manually. Was wondering why -until microsoft support pointed towards this blog..

The only way to get back close to original state was to restore the point in time backups and write a code snipet to genereate user permissions and push it to production with new login :). Only permissions are pushed not the content.
at 7/20/2010 3:04 AM

Add Comment
Items on this list require content approval. Your submission will not appear in public views until approved by someone with proper rights. More information on content approval.

Title


Body *


Today's date *

Please enter today's date so I know you are a real person
Attachments