How to rename AD Group Name in Site Collection

  • Article

If you have ever tried to change an AD Group Name, you would have seen that the old name will still appear in the Site Collection.

Probably you will try to solve the problem in the SSP Profiles, or using “stsadm migrateuser”, but after some time you will understand that this won’t solve the issue (this command only works with users). The solution is to delete and re create the group in the Site Collection.

In the past, I have experienced this problem on a customer and we had to delete the group and recreate it. But what happens if you have the group assigned to documents? If you simply delete the group, you will lose these assignments.

So, the solution is to build a tool to change the security in all documents to a temporary group, so we can delete the group, and run again the tool to change the assignments to the updated group. Here is the necessary code for the tool:

First Step: Create a SPSite, SPWeb and SPFolder (The Document Library you want).

   using (SPSite objSite = new SPSite(“https://example/mySite”))

                {

                    using (SPWeb objWeb = objSite.OpenWeb())

                    {

                        SPFolder myFolderCollection = objWeb.GetFolder(“Docs”);

                        if (!myFolderCollection.Exists)

                        {

                            Console.WriteLine("\n\nERROR: The Folder doesn't exist: " + docLibPath + " \n\n");

                            return;

  }

                   // SECOND STEP HERE

                  }

           }

Second Step: Get all files SPFile (one by one) in the Folder you opened, and create the SPRoleAssignment.

SPRoleAssignment oldGroup = buildRoleAssigment(objWeb.SiteUsers[ABC\XPTO], objWeb.RoleDefinitions[“Full Control”]);

SPRoleAssignment newGroup = buildRoleAssigment(objWeb.SiteUsers[ABC\XPTO2], objWeb.RoleDefinitions[“Full Control”]);

 SPFile auxFile;

   for (int indexFile = 0; indexFile < myFolderCollection.Files.Count; indexFile++)

      {

     auxFile = myFolderCollection.Files[indexFile];

       ChangePermissions(auxFile, buildRoleAssigment (oldGroup, buildRoleAssigment newGroup)

        }

Where “BuildRoleAssigment”:

private static SPRoleAssignment buildRoleAssigment(SPUser myAdGroup, SPRoleDefinition myRoleDefinition)

        {

            SPRoleAssignment auxRoleAssgn = new SPRoleAssignment(myAdGroup);

            auxRoleAssgn.RoleDefinitionBindings.Add(myRoleDefinition);

            return auxRoleAssgn;

        }

and “ChangePermissions”:

private static void ChangePermissions(SPFile fileToProcess, SPRoleAssignment groupToDelete, SPRoleAssignment groupToAdd)

 {

      fileToProcess.Item.RoleAssignments.Remove(groupToDelete.Member);

      fileToProcess.Item.RoleAssignments.Add(groupToAdd);

  }

Note that you need to add more code (exception handling, some logging, etc..), but the main idea is here!

Note also that if you know exactly the documents (or items) you want to change (the content type, etc.), you should use the SPSiteDataQuery, and not a “for cycle”.

See you next time …

Nuno Nunes