This post is part 2 of the guide to moving Active Directory groups in SharePoint 2013. Microsoft added the PowerShell cmdlet Move-SPUser to migrate a user account in SharePoint 2010 and SharePoint 2013. We can leverage this cmdlet to migrate AD groups in SharePoint as well. Because SharePoint 2013 uses claims authentication, we are going to need the identity claims for the groups.
The following posts will help you get the claim and change the group name in SharePoint 2013:
- Get identity claim for AD groups in SharePoint 2013
- Migrating AD groups in SharePoint 2013
- Renaming an AD group in SharePoint 2013
Scenario
We have two AD groups and we want to migrate the permissions from one group to the other.
- Domain\GroupWillBeMigrated (Full control on root site)
- Domain\MigratedGroup (no entry in User Information List)
We first need to get the SharePoint 2013 user account and find the claims token for the group we want to migrate to.
Migrating the user
1. Get-spuser
We are going to need the user identity from SharePoint 2013 to select the account we want to migrate from. We can use either of the following two options to get this user:
Based on displayname
$SPUser = Get-SPUser -Web https://portal.sharepointfire.com | Where-Object {$_.DisplayName -eq "peet\groupwillbemigrated"}
Based on claims token
$SPUser = Get-SPUser -Identity "c:0+.w|s-1-5-21-2519571660-2376940383-2348130139-2108" -Web https://portal.sharepointfire.com
2. Move-spuser
The next step is to take the identity from Get-SPUser and change it to the new alias. We will need the claims token for the new account because we want to migrate the group to an identity claim and not to standard NTLM encoding. View my post about getting the identity claim for this.
We are going to use the PowerShell cmdlet Move-SPUser with the following parameters.
Move-SPUser -Identity <String1> -NewAlias <String2> -IgnoreSID
- String1 is the variable $SPUser from step 1
- String2 is the identity claim for the group we want to migrate to
- We are using -IgnoreSID because otherwise we get a message saying that SID history can only be enforced in Windows authentication mode.
Move-SPUser -Identity $SPUser -NewAlias "c:0+.w|s-1-5-21-2519571660-2376940383-2348130139-2109" -IgnoreSID
If you receive the error 'Object reference not set to an instance of an object', you will need to grant the logged-in user Full Control on both the Permissions and the Administrators tab of the User Profile Service Application.
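The two steps above combined into one script, as an added example that is not part of the original post: it checks that the target value really is a Windows group claim before anything is moved, records the role assignments of the source account, runs Move-SPUser with -IgnoreSID, and then verifies that the permissions sit on the new claim and nothing is left on the old one. The web URL and both claims are taken from this post and are placeholders for your own environment; the helper function names are my own.

```powershell
# Added example (not from the original post): migrate an AD group's SharePoint
# identity to a new claims token, with a format check on the claim, a record of
# the permissions before the move and a verification afterwards.
# The URL and claim values are placeholders; replace them with your own.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl   = "https://portal.sharepointfire.com"
$oldClaim = "c:0+.w|s-1-5-21-2519571660-2376940383-2348130139-2108"   # group to migrate from
$newClaim = "c:0+.w|s-1-5-21-2519571660-2376940383-2348130139-2109"   # group to migrate to

# A Windows group claim is "c:0+.w|" followed by a SID; refuse anything else so a
# typo cannot hand the permissions to an unintended (or non-existent) identity.
function Test-GroupSidClaim([string]$Claim) {
    return $Claim -match '^c:0\+\.w\|s-1-5(-\d+)+$'
}

# Names of the permission levels directly assigned to a login on this web.
function Get-RoleAssignmentsFor([Microsoft.SharePoint.SPWeb]$Web, [string]$Login) {
    $Web.RoleAssignments |
        Where-Object { $_.Member.LoginName -eq $Login } |
        ForEach-Object { $_.RoleDefinitionBindings | ForEach-Object { $_.Name } }
}

if (-not (Test-GroupSidClaim $newClaim)) { throw "Not a Windows group claim: $newClaim" }

$web    = Get-SPWeb $webUrl
$SPUser = Get-SPUser -Identity $oldClaim -Web $web -ErrorAction SilentlyContinue   # step 1
if (-not $SPUser) { throw "Source account $oldClaim not found in $webUrl" }

$before = Get-RoleAssignmentsFor $web $SPUser.UserLogin
Write-Host "Before: $($SPUser.UserLogin) has [$($before -join ', ')]"

# Step 2. -IgnoreSID avoids the "SID history can only be enforced in Windows
# authentication mode" error on a claims-based web application.
Move-SPUser -Identity $SPUser -NewAlias $newClaim -IgnoreSID -Confirm:$false

# Re-open the web so the cached user collection is refreshed, then check that the
# role assignments now belong to the new claim and none remain on the old one.
$web.Dispose()
$web   = Get-SPWeb $webUrl
$after = Get-RoleAssignmentsFor $web $newClaim
$left  = Get-RoleAssignmentsFor $web $oldClaim
Write-Host "After:  $newClaim has [$($after -join ', ')]"
if ($left) { Write-Warning "Old claim still holds: $($left -join ', ')" }
$web.Dispose()
```

Run it from the SharePoint Management Shell with an account that has the User Profile Service Application rights mentioned above; the Before/After lines give you a record to compare against the expected Full Control on the root site.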
The SharePoint account has now been migrated to the new identity claim, and its permissions have been moved to the new group.
We can now navigate to the Home Owners group.
The account information points to the correct identity claim, but the displayed name is still the old one. We will set this in part 3.