Hello Everyone… Its been a while since I wrote a blog. I wanted to share some good information on using stsadm -o migrateuser after an Account has been deleted within Active Directory and then re-created with the same Account Name.
Consider the following Scenario:
- We have a user that has an account in Active Directory with account name = DOMAIN\jdoe
- This user has a SID = S-1-5-21-1461310-839809092-932994037-4144
- User, DOMAIN\jdoe, has been granted permissions to some 300 site collections
- Its determined that this user account is having some permission issues within the Domain so the AD account is deleted. 🙂
- The account is now re-created again within AD and given the same account name, DOMAIN\jdoe
- Except now a new SID is created within AD
- SID = S-1-5-21-1461310-839809092-932994037-4147
- The problem we now have is that because this user already had permissions on some 300 sites that are associated with the Old SID
- The account name may be the same but when this user tries to Access Any of the Sites, there is a SID mismatch and the user now gets an Access Denied:
- The UserInfo table is the table on Each Content Database that holds the users login information as well as the SID. These are stored in the following two columns within the UserInfo Table
So the question is….. How do we get the new SID from AD into the UserInfo table. While this can be done with creating a temporary account in AD and doing some “stsadm -o migrateuser” flipping from Temp Account to Valid Account and vise versa, I have found that we can achieve this task by passing the same value for the “-oldlogin” & “-newlogin” and setting the “-ignoresidhistory” switch on our “stsadm -o migrateuser” command. So this is basically what you would do:
stsadm –o migrateuser –oldlogin DOMAIN\jdoe –newlogin DOMAIN\jdoe –ignoresidhistory
What this should do is flip the SID, or “tp_SystemId” in the UserInfo table to be the new account SID from AD and your user should now have access to all 300+ sites again.