Domain change, and all users get an access denied error

  • Question

  • I installed SharePoint 2010 on a server whose name is BPMS-SERVER. My domain and Active Directory are on another server named PA-SERVER. On PA-SERVER, Active Directory was refreshed and renewed, but with the same domain name and the same user names. But SharePoint tells all users access denied. I can't access SharePoint Central Administration, I can't access SharePoint sites; anything I try returns access denied for me and my users. I ran the following script in PowerShell:

    # Load the SharePoint cmdlets when not running in the SharePoint Management Shell
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    # SET ACCOUNT NAMES (replace domain and user name)
    # SUPER USER ACCOUNT - use your own account (NB: NOT A SHAREPOINT ADMIN)
    $sOrigUser = "blue\SP_SuperUser"
    $sUserName = "SP_SuperUser"
    # SUPER READER ACCOUNT - use your own account (NB: NOT A SHAREPOINT ADMIN)
    $sOrigRead = "blue\SP_SuperRead"
    $sReadName = "SP_SuperRead"

    $apps = Get-SPWebApplication
    foreach ($app in $apps) {
        # DISPLAY THE URL IT IS BUSY WITH
        $app.Url
        if ($app.UseClaimsAuthentication -eq $true) {
            # IF CLAIMS THEN SET THE IDENTIFIER
            $sUser = "i:0#.w|" + $sOrigUser
            $sRead = "i:0#.w|" + $sOrigRead
        }
        else {
            # CLASSIC AUTH USED
            $sUser = $sOrigUser
            $sRead = $sOrigRead
        }

        # ADD THE SUPER USER ACC - FULL CONTROL (required for writing the cache)
        $policy = $app.Policies.Add($sUser, $sUserName)
        $policyRole = $app.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
        $policy.PolicyRoleBindings.Add($policyRole)
        $app.Properties["portalsuperuseraccount"] = $sUser
        $app.Update()

        # ADD THE SUPER READER ACC - READ ONLY
        $policy = $app.Policies.Add($sRead, $sReadName)
        $policyRole = $app.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
        $policy.PolicyRoleBindings.Add($policyRole)
        $app.Properties["portalsuperreaderaccount"] = $sRead
        $app.Update()
    }

    With this script I get access to the site for the one user that I entered in the script, but I can't access Central Administration. I can't set permissions for other users (I set the permissions but they have no effect; all users still get access denied).

    Monday, February 9, 2015 5:57 AM

Answers

  • Hi,

    As I understand, you encountered the issue after you changed the domain.

    1. After you change the domain, you should create a new SharePoint account and then add the account to the Local Administrator, WSS_WPG, WSS_ADMIN & IIS_WPG groups for the SharePoint farm.

    2. Set up appropriate permissions for the new account created in step 1 in the SQL Server databases.

    3. Update the account for SharePoint. After the update, you can check in IIS and Service Manager that the Central Administration pool and SharePoint service account have changed.

    The commands are below:

    Open CMD and navigate to cd %commonprogramfiles%\Microsoft Shared\Web server extensions\14\Bin

        1. stsadm -o updatefarmcredentials -userlogin CONTOSO\ServiceAccount -password NewPassword

        2. stsadm -o updateaccountpassword -userlogin CONTOSO\ServiceAccount -password NewPassword -noadmin

        3. stsadm.exe -o spsearch -farmserviceaccount CONTOSO\ServiceAccount -farmservicepassword NewPassword

        4. stsadm.exe -o spsearch -farmcontentaccessaccount CONTOSO\ServiceAccount -farmcontentaccesspassword NewPassword

        5. stsadm.exe -o editssp -title SharedServicesProviderName -ssplogin CONTOSO\ServiceAccount -ssppassword NewPassword

        6. stsadm.exe -o osearch -farmserviceaccount CONTOSO\ServiceAccount -farmservicepassword NewPassword

    4. Migrate the old domain users to new domain accounts using the stsadm command below:

    stsadm.exe -o migrateusers -oldlogin mumbai\testuser -newlogin chennai\testuser -ignoresidhistory

    The article below is about how to change the domain of a SharePoint farm step by step.

    http://aurramu.blogspot.in/2011/06/move-sharepoint-from-domain-to-another.html

    Best regards

    Sara Fan
    TechNet Community Support

    Friday, February 13, 2015 4:24 AM
    Moderator

All replies

  • So the end users' usernames are the same, but the domain is different (or was rebuilt)? If that is the case, you need to migrate users within SharePoint as the users' SIDs have changed:

    $user = Get-SPUser -Identity "domain\username" -Web http://webUrl #where the user exists in SharePoint
    Move-SPUser -Identity $user -NewAlias "domain2\username" -IgnoreSID


    Trevor Seward

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Monday, February 9, 2015 4:20 PM
    Moderator
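
The SID mismatch described in the reply above can be confirmed before any account is migrated. The following is an added example, not code from the thread: it compares the SID SharePoint stored for each user with the SID Active Directory returns for the same login now, and only then re-binds the changed accounts with `Move-SPUser`. `http://webUrl` is the thread's placeholder; `$WebAppUrl`, `$Fix` and `Get-CurrentSid` are names assumed here, and the shell must run as an account that still has farm administrator rights.

```powershell
# Added example (not from the thread). Run in the SharePoint 2010 Management
# Shell as a farm administrator. $WebAppUrl, $Fix and Get-CurrentSid are
# assumed names; replace the placeholder URL with a real web application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl = "http://webUrl"   # placeholder, as in the thread
$Fix       = $false            # $false = Move-SPUser runs with -WhatIf only

function Get-CurrentSid([string]$Login) {
    # Drop the Windows-claims prefix if present, then ask the directory for the SID.
    $account = $Login -replace '^i:0#\.w\|', ''
    try {
        $nt = New-Object System.Security.Principal.NTAccount($account)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null   # login no longer resolves (deleted account, SharePoint-internal name)
    }
}

Start-SPAssignment -Global     # SPSite/SPWeb objects are disposed at Stop-SPAssignment
$report = foreach ($site in Get-SPSite -WebApplication $WebAppUrl -Limit All) {
    Get-SPUser -Web $site.RootWeb -Limit All |
        Where-Object { -not $_.IsDomainGroup } |
        ForEach-Object {
            $current = Get-CurrentSid $_.LoginName
            if (-not $current)           { $status = 'Unresolved' }
            elseif ($current -eq $_.Sid) { $status = 'Match' }
            else                         { $status = 'SidChanged' }
            New-Object PSObject -Property @{
                Site = $site.Url; Login = $_.LoginName
                StoredSid = $_.Sid; CurrentSid = $current; Status = $status
            }
        }
}
$report | Where-Object { $_.Status -ne 'Match' } |
    Format-Table Status, Login, StoredSid, CurrentSid, Site -AutoSize

# Re-bind each changed login once; the alias stays the same, only the SID changes.
$changed = @($report | Where-Object { $_.Status -eq 'SidChanged' } |
    Sort-Object Login -Unique)
foreach ($row in $changed) {
    $user = Get-SPUser -Identity $row.Login -Web $row.Site
    Move-SPUser -Identity $user -NewAlias $row.Login -IgnoreSID -WhatIf:(-not $Fix)
}
Stop-SPAssignment -Global
```
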
  • By doing so, the SIDs for all the users are changed?
    Monday, February 9, 2015 6:25 PM
  • Yes, by either recreating the user in AD or recreating the domain, you effectively have created a new user.

    Trevor Seward

    Monday, February 9, 2015 6:47 PM
    Moderator
  • Hello, thanks for helping me... what do I have to do?

    What do I have to write in PowerShell?

    My old domain name is PARS.COM

    and my new domain name is PARS.COM

    My domain name didn't change.
    Tuesday, February 10, 2015 11:09 AM
  • Can you screenshot any errors you have?

    If this is helpful please mark it so. Also if this solved your problem mark as answer.

    Tuesday, February 10, 2015 11:58 AM
  • You need to use the script provided by Trevor to match your current SharePoint users to Active Directory.

    Something like this:

    $user = Get-SPUser -Identity "PARS\username" -Web http://webUrl #where the user exists in SharePoint
    Move-SPUser -Identity $user -NewAlias "PARS\username" -IgnoreSID

    The first line gets the user from your SharePoint (information stored in the DB); the second line will do the matching with Active Directory.


    Best regards, Christopher.

    Tuesday, February 10, 2015 12:14 PM
  • SharePoint saves a GUID for a user who is added by an admin to a certain group. Now SharePoint is matching details against the GUID and is unable to match successfully. A name is not enough for SharePoint to trust.

    I don't know the exact issue unless I know the sequence in which you made the changes to AD.

    Apparently you need to rerun the configuration wizard.

    The other way around is to roll back the DB changes, then allow access to a local user, then redo the changes. Then you can change the site admins from the new AD.

    Make sure you get a backup first.

    Tuesday, February 10, 2015 1:04 PM
  • This script returns access denied for me.
    Tuesday, February 10, 2015 3:11 PM
  • Like in the example I posted above, you need to appropriately change the parameters. In addition, you'll need to be a Farm Admin, of course, and if you have a User Profile Service, the user you're running the SharePoint Management Shell as will need Admin access over that.

    Trevor Seward

    Tuesday, February 10, 2015 3:13 PM
    Moderator
  • This script returns access denied for the administrator center.
    Thursday, February 12, 2015 6:47 AM
  • I log in as the new administrator of the site, but it seems that the SharePoint administrator center doesn't let me change permissions and keeps the SID of the previous administrator. You know, the new farm administrator has the same name but a different SID.
    Thursday, February 12, 2015 6:51 AM