Migrate Users / Groups – PowerShell Script


You may have seen similar scripts on other blogs for migrating users and groups; here is my contribution for the same requirement. You can use this script to migrate AD users and AD groups in bulk in a single shot. The script reads its input from a CSV file. You can find the script and two sample CSV files at the end of this post. My customer's scenario: they upgraded from SharePoint 2007 to SharePoint Server 2010, but their domain changed in the SharePoint Server 2010 environment, so they had to update the AD user and group information in the SharePoint databases by running the MigrateUserAccount and MigrateGroup methods.

SPFarm.MigrateUserAccount is the same as the STSADM migrateuser command that we are all familiar with. This method migrates a user account in SharePoint Foundation to a new login name and binary ID. If an entry for the new login name already exists, it is deleted to allow this change. The following entities are updated across the entire server farm: site collection users in the UserInfo tables, people lists, and security policies.

Add-PSSnapin Microsoft.SharePoint.PowerShell

function MigrateUserOrGroups($migrationType, $csvFile)
{
    # Getting the SPFarm object
    $farm = Get-SPFarm

    Write-Host $migrationType

    # Checking whether the user input the type of migration as Group
    if ($migrationType -eq "Group")
    {
        Import-Csv $csvFile | ForEach-Object {
            Write-Host "Migrating Group" $_.oldlogin "to" $_.newlogin -ForegroundColor Green
            $farm.MigrateGroup($_.oldlogin, $_.newlogin)
        }
    }
    # Checking whether the user input the type of migration as User
    elseif ($migrationType -eq "User")
    {
        Import-Csv $csvFile | ForEach-Object {
            Write-Host "Migrating User" $_.oldlogin "to" $_.newlogin -ForegroundColor Green
            # Third argument is enforceSidHistory; $false skips the SID history check
            $farm.MigrateUserAccount($_.oldlogin, $_.newlogin, $false)
        }
    }
    else
    {
        # Without a valid migration type nothing is migrated, so do not report success
        Write-Host "Migration type must be User or Group; nothing was migrated" -ForegroundColor Red
        return
    }

    Write-Host "Migration Completed" -ForegroundColor Cyan
}

# First argument: migration type (User or Group). Second argument: path to the CSV file.
MigrateUserOrGroups $args[0] $args[1]
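
A pre-flight check for the CSV that the script reads, as an added example that is not part of the original script: because an existing entry for the new login is deleted during migration, a mapping mistake in the file can merge two identities' permissions, so the file is validated before anything is migrated. `Test-MigrationCsv`, its `-OldDomain` and `-NewDomain` parameters, and the OLDDOM/NEWDOM sample data are hypothetical and constructed for illustration.

```powershell
# Added example (not the author's script). Test-MigrationCsv and its
# -OldDomain / -NewDomain parameters are hypothetical names.
function Test-MigrationCsv {
    param(
        [Parameter(Mandatory = $true)][string]$CsvFile,
        [Parameter(Mandatory = $true)][string]$OldDomain,
        [Parameter(Mandatory = $true)][string]$NewDomain
    )
    $issues = @()
    $rows = @(Import-Csv $CsvFile)
    if ($rows.Count -eq 0) { return @('CSV contains no data rows') }

    # The migration script reads exactly these two columns.
    $columns = @($rows[0].PSObject.Properties | ForEach-Object { $_.Name })
    foreach ($required in 'oldlogin', 'newlogin') {
        if ($columns -notcontains $required) { $issues += "Missing column '$required'" }
    }
    if ($issues.Count -gt 0) { return $issues }

    $line = 1    # the header is line 1 of the file
    foreach ($row in $rows) {
        $line++
        $old = "$($row.oldlogin)".Trim()
        $new = "$($row.newlogin)".Trim()
        if (-not $old -or -not $new) { $issues += "Line ${line}: empty login"; continue }
        if ($old -notlike "$OldDomain\*") { $issues += "Line ${line}: '$old' is not in $OldDomain" }
        if ($new -notlike "$NewDomain\*") { $issues += "Line ${line}: '$new' is not in $NewDomain" }
    }

    # An existing entry for the new login is deleted by the migration, so two
    # old logins pointing at one new login would merge two identities.
    foreach ($g in @($rows | Group-Object { "$($_.newlogin)".Trim() })) {
        if ($g.Name -and $g.Count -gt 1) {
            $issues += "newlogin '$($g.Name)' is the target of $($g.Count) rows"
        }
    }
    foreach ($g in @($rows | Group-Object { "$($_.oldlogin)".Trim() })) {
        if ($g.Name -and $g.Count -gt 1) {
            $issues += "oldlogin '$($g.Name)' appears $($g.Count) times"
        }
    }
    return $issues
}

# Constructed sample input; OLDDOM and NEWDOM are placeholder domain names.
$csv = [System.IO.Path]::GetTempFileName()
@'
oldlogin,newlogin
OLDDOM\alice,NEWDOM\alice
OLDDOM\bob,NEWDOM\alice
OLDDOM\carol,
OTHER\dave,NEWDOM\dave
'@ | Set-Content $csv

$problems = @(Test-MigrationCsv -CsvFile $csv -OldDomain 'OLDDOM' -NewDomain 'NEWDOM')
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Host "CSV rejected: $($problems.Count) problem(s); nothing was migrated" -ForegroundColor Red
} else {
    Write-Host 'CSV looks consistent; safe to pass to the migration script' -ForegroundColor Green
}
Remove-Item $csv
```
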
 
You can download the above PowerShell script and sample test CSV files from the link below.
 

Comments (31)

  1. Gab says:

    I am having the same problems, can you tell me how it was done?

    I found links that moved only the ContentDB from moss2007 to SP2010, then run the "stsadm migrateuser" (and groups) command, one by one.

    Do I have to move more DBs from the old server? I am trying to migrate the administrator too initially using this command:

    stsadm -o migrateuser -oldlogin olddomainsharepointadmin -newlogin newdomain_SPAdmin

    should I do that or just run the

    stsadm -o siteowner -url http://portal -ownerlogin newdomain_SPAdmin ??

    When I run the migrateuser command I get this error now:

    "Value cannot be null. Parameter name: userProfileApplicationProxy"

    What am I doing wrong?

    If I use your script, how do I use it? Do I just run the ps1 without parameters?

  2. Gab says:

    is that it?

    PS S:toolsMigrationScript> .MigrateUserOrGroupInBulk.ps1

    Migration Completed

    do I have to do anything else after? restart a service or iisreset?

    my new users get immediately access denied, do I have to force the user profile sync or something?

    please help me out? I know I am so close…

    thanks

  3. sowmyancs says:

    What is the authentication type that you are using for your 2010 web application ?

    Make sure that the content database "dbo.UserInfo" table got updated with the new domain details. Also, hope in your domain migration SID history was the same.

  4. sowmyancs says:

    Also make sure that you test your upgrade in a test environment. Do not try anything in production. Also keep a working backup copy of the DB.

  5. Gab says:

    I am using NTLM (the default), I get prompted for a password all the times, it's the one for the new domain.

    I am using a sandbox with snapshots I can revert to.

    This domain move is kicking my butt and I am contemplating the idea of putting this new server in the same domain first, install 2007, move the DB over and THEN do an upgrade to SP2010 (still in the old domain).

    And next time I have a maintenance window, I can do the domain move, but at least I can take time.

    I am willing to use the "migrateuser" command for all my users and groups, it's not a lot, but when I get the message "Value cannot be null. Parameter name: userProfileApplicationProxy" , I think it stopped and missed something.

    Can I query the DB Content to see where I left behind the old domain references?

    Also I am willing to edit tables or run queries to replace the user logins/permissions, but I am not sure how to search.

  6. Gab says:

    Another problem I have is to migrate the "MySite", I noticed in the new SP2010, it's only "/My/", in the URL and it gets page not found. During this process I also see that there are some old MySites pages from users that are no longer here but cannot delete them, how do I take permission? My _SPAdmin doesn't reach there…

  7. sowmyancs says:

    Hi Gab,

    Make sure that the authentication prompt is not a loopback check issue.

    support.microsoft.com/…/896861

    For Mysite migration, if you are using explicit inclusion managed path it has to be created in the SharePoint 2010 prior to the upgrade. Please look at the below article for getting more information about how to do a user profile migration :

    spmike.com/…/migrating-moss-2007-sspmysites-to-sharepoint-2010-in-a-database-attach-scenario

    Direct modification of SharePoint DBs is not supported. In a test environment you can look at the table values if you want. The table you will be looking at is dbo.UserInfo.

  8. Gab says:

    I've been using the SPMike site, I found it before, I just have been misunderstanding which database to migrate, I've only done the WSS_Content DB but I think I have to do the SharedService as well. In my SP site I have to migrate from, I have 1 managed app mounted under SharedServices, the DB is called SharedServicesContent_somerandomUIDm, though I also have another one called SharedServices1_DB. Which one is the one to backup and mount on the new DB? Is it the one with the UID (the one that I see on my collection sites)?

    I will try this tomorrow…

  9. sowmyancs says:

    OK, you have to take the SSP configuration DB, which contains the Userprofiles table and other details. In your case, from the name it looks like SharedServices1_DB. Please double check it.

  10. Gab says:

    weird, my comments don't go thru, I have to enter them twice…

    Anyway, I have 2 DBs in there, but the one attached to the WebApplication under Central Administration is the SharedServices_randomGUID one, NOT the other one named "…_DB", I am not sure which one I should migrate over of the two.

  11. sowmyancs says:

    You can't upgrade those two DBs, you have to leave it in 2007. Once you setup a new SharePoint 2010 environment it will be creating it for you. Just migrate only the content databases, SSP profiles, My Sites. Please read the below technet for getting more information : technet.microsoft.com/…/ee517214

  12. Gab says:

    I am not worried about the MySites, they don't need to be converted. I think I am at a good point right now, I've migrated to a new domain the 2 DBS (WSS_Content and SPP), I've upgraded and they are running in my webapplications.

    However on steps 16 and under of the SPMike page, I cannot start the FIM, and I cannot create the Sync Connection b/c the service is not running.

    Also I can't search anything in the current state.

    These are some of the errors I get related to FIM and User Profile Synchronization:

    The Execute method of job definition Microsoft.Office.Server.UserProfiles.UserProfileImportJob (ID 45690568-c3e9-4257-9a3b-afb709002afa) threw an exception. More information is included below.

    Operation is not valid due to the current state of the object.

    ——-

    System.Configuration: System.Configuration.ConfigurationErrorsException: Required attribute 'externalHostName' not found. (C:\Program Files\Microsoft Office Servers\14.0\Service\Microsoft.ResourceManagement.Service.exe.Config line 29)

    —–

    The Forefront Identity Manager Service could not bind to its endpoints.  This failure prevents clients from communicating with the Web services.

    A most likely cause for the failure is another service, possibly another instance of Forefront Identity Manager Service, has already bound to the endpoint.  Another, less likely cause, is that the account under which the service runs does not have permission to bind to endpoints.

    Ensure that no other processes have bound to that endpoint and that the service account has permission to bind endpoints.  Further, check the application configuration file to ensure the Forefront Identity Manager Service is binding to the correct endpoints.

    —-

    Microsoft.ResourceManagement.Service: System.TypeInitializationException: The type initializer for 'Microsoft.ResourceManagement.WebServices.ResourceManagementServiceHostFactory' threw an exception. —> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. —> System.TypeInitializationException: The type initializer for 'Microsoft.ResourceManagement.WebServices.ResourceManagementServiceSection' threw an exception. —> System.Configuration.ConfigurationErrorsException: Required attribute 'externalHostName' not found. (C:\Program Files\Microsoft Office Servers\14.0\Service\Microsoft.ResourceManagement.Service.exe.Config line 29)

    ——

    Service cannot be started. System.TypeInitializationException: The type initializer for 'Microsoft.ResourceManagement.WebServices.ResourceManagementServiceHostFactory' threw an exception. —> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. —> System.TypeInitializationException: The type initializer for 'Microsoft.ResourceManagement.WebServices.ResourceManagementServiceSection' threw an exception. —> System.Configuration.ConfigurationErrorsException: Required attribute 'externalHostName' not found. (C:\Program Files\Microsoft Office Servers\14.0\Service\Microsoft.ResourceManagement.Service.exe.Config line 29)

    ———

    The server encountered an unexpected error and stopped.

    ———-

  13. Gab says:

    Let me also mention that I've followed this page as well on creating new "MySites": sharepointgeorge.com/…/configuring-my-site-sharepoint-2010

    and I don't see MySites Template, is there an explanation for that ?

  14. sowmyancs says:

    If you are using enterprise edition of SharePoint 2010 you should see that template. Here is reference for troubleshooting UPA Synch service issue : technet.microsoft.com/…/gg750257.aspx

  15. Gab says:

    current license is: SharePoint Server with Standard Client Access License

    it seems it should have it, no?

    sharepoint.microsoft.com/…/editions-comparison.aspx

  16. sowmyancs says:

    Yes, it should be. Can you check following location in your SharePoint Server file system, C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\SiteTemplates\SPSMSITEHOST. This is the site template for My Site Host.

  17. Not Gab says:

    You should charge GAB for posting so many comments 🙂

  18. sowmyancs says:

    "I like it" not Gab LOL 🙂

  19. MaTee says:

    I have 10 web applications in my test environment (SharePoint Foundation 2010). Two of the web applications are on a different domain and now being migrated to sync with the 8 web applications. I downloaded your PS script and sample csv files and changed the content of the csv, both user and group with only one item each. Ran the MigrateUserorGroupBulk.ps1 as administrator in the test environment…message came up “Migration Completed”. When I checked the site permissions, nothing changed. The group and the user still contained the old domain. Can you please tell me what am I missing? Do I need to reboot my server or do an IISreset? Surely appreciate the help.

  20. sowmyancs says:

    Can you check the userinfo table in the database and see the status ?

  21. Wizzie says:

    Hi,

    We are migrating to another domain, users will go first and then SharePoint.

    I checked the command move-spuser and there you can add -ignoreSID, is there an option here too?

    Thnx

  22. ram says:

    will this same script work in moss 2007?

  23. Steven says:

    Hi,

    So how do I run it?? I am having a similar issue as MaTee. I run it and nothing happens..

    This script is awesome, but can you explain how to run it properly, step by step? Where do you point the csv file.. how do you give values to the variables you use at the time of running?

  24. CB says:

    Will this work with SP 2007?

    All I'm trying to do is migrate user credentials/permissions from one domain to another.

    We have a one way trust from another domain we added in SP. Now everyone is moving over to the new domain and I need to copy/migrate the existing user names/credentials/permissions to the new domain accounts which are already created in AD – just need to add them to SP

  25. helen says:

    Hi,

    Your script assumes that you don't use claims authentication. With claims authentication, the tp_login for a group contains the 'c:0+|' chain followed by the object SID…. How do you migrate groups in this case ?

    Thanks.

  26. Mustafa says:

    Can I use this script for SharePoint 2007? My client is migrating his SharePoint 2007 solution from one machine to a new machine. For this I need to migrate the user accounts from the old AD domain to the new domain for SharePoint 2007. If not, please suggest the best way to do this migration.

  27. Kuldeep says:

    This works fine for me!! Thank you for real help.

  28. SBeel says:

    Hi,

    I'm doing an ADMT between two forests, and I have to migrate the SharePoint users.  I have tested your script and it works well, but I have also seen references on other sites that suggest using the Move-SPUser command.  What is the difference and which one should I use?

    Thanks,

  29. Moreno says:

    Hi, I have a query about migrating AD groups to a new domain. Can we use the stsadm -o migrategroup command to migrate the permissions given via AD groups? I have a SharePoint 2010 farm.

    I have migrated all the users using the stsadm -o migrateuser command successfully. A large number of users have been given permissions via AD groups, so I need to migrate these AD groups also.

    any suggestion on this would be greatly appreciated.

  30. conversion of users says:

    What would be the script if I want to convert the NT token user to split up into two claims (windows claims + adfs claims)?

    lets say domainuser = i:0#w|domainuser + i:0#e| domainuser?

  31. Brian says:

    Do you have an updated version of this for 2013?
