User Migration & People Picker issue

  • Question

  • Hi,

    I'm consulting at a client which is in the middle of an AD migration project and we're having a problem with the SharePoint people picker not picking up the migrated users.

    SharePoint 2016 on premise.

    User Profile Service has an Active Directory Import connection to OLDad only (I can't add a connection to NEWad at present as NEWad contains accounts for everybody, even though only a small number of test users are actively using their NEWad accounts).

    I've run Move-SPUser for the users testing the NEWad accounts, and this has correctly migrated their permissions and they can access the same resources as previously. The problem is that if I want to give them permissions to something else the people picker only returns the OLDad account and so I can't give them permissions to anything.

    I've checked Central Admin and only the NEWad account is listed, and I've also checked the relevant Site Collections' UserList and confirmed that only the NEWad account is listed, so it looks like People Picker isn't looking at these which seems odd. How can I get People Picker to include SharePoint user profiles in its lookup options?

    NOTE: I can't add a User Profile connection for NEWad as a) it would mean everybody having 2 accounts in SharePoint and appearing twice in People Picker (admin nightmare) and b) it would screw the Move-SPUser migration if the NEWad account already existed as its permissions would be removed.

    Thanks

    Martin

    Monday, October 30, 2017 4:06 PM

Answers

  • UPSA has nothing to do with the People Picker. If using sidHistory, you should only ever have one account enabled at a time; enabling both breaks the Microsoft security model. In addition, it will cause loops whereby the account will be migrated back and forth automatically due to having AD Import enabled (on one or both forests). If you enable the disabled account filter, disabled accounts will not be added to the UPSA, so it should be safe to create a connection to both the old and new domain (note that AD Import will not remove accounts if they become disabled; use MIM if you need that functionality).

    But in order to enable SharePoint to see both accounts, you need to configure the People Picker. Fill out the variables and this will enable it on both domains (note this assumes a full two-way transitive trust is in place; one-way trust requires additional parameters).

    # Domain 1 (old forest) and domain 2 (new forest): NetBIOS name and FQDN
    $d1NetBIOS = "AD"
    $d1FQDN = "AD.DOMAIN.COM"
    $d2NetBIOS = "CORP"
    $d2FQDN = "CORP.EXAMPLE.COM"
    
    # All content web applications (Central Administration is not included by default)
    $was = Get-SPWebApplication
    
    foreach($wa in $was)
    {
        # Register the first forest with the People Picker
        $adsearchobj = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
        $adsearchobj.DomainName = $d1FQDN
        $adsearchobj.ShortDomainName = $d1NetBIOS
        $adsearchobj.IsForest = $true
        $wa.PeoplePickerSettings.SearchActiveDirectoryDomains.Add($adsearchobj)
        # Register the second forest
        $adsearchobj = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
        $adsearchobj.DomainName = $d2FQDN
        $adsearchobj.ShortDomainName = $d2NetBIOS
        $adsearchobj.IsForest = $true
        $wa.PeoplePickerSettings.SearchActiveDirectoryDomains.Add($adsearchobj)
        # Persist the setting for this web application
        $wa.Update()
    }


    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Marked as answer by mmc071dotnet Friday, November 3, 2017 3:58 PM
    Monday, October 30, 2017 4:12 PM
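    An added example, not part of Trevor's answer: the script above appends a new entry every time it is run, so re-running it leaves duplicate domain entries on each web application. This version adds each forest only if it is not already configured and prints the resulting search list for verification; the domain names are assumed placeholders, and the function name is hypothetical.

```powershell
# Added example (not from the original post): idempotent People Picker forest
# configuration for SharePoint 2016. Skips forests already present and reports
# what each web application will search afterwards.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed placeholder values; replace with the real old and new forest names.
$domains = @(
    @{ FQDN = "AD.DOMAIN.COM";    NetBIOS = "AD"   },
    @{ FQDN = "CORP.EXAMPLE.COM"; NetBIOS = "CORP" }
)

function Add-PeoplePickerForest {
    param(
        [Microsoft.SharePoint.Administration.SPWebApplication]$WebApp,
        [string]$FQDN,
        [string]$NetBIOS
    )
    $existing = $WebApp.PeoplePickerSettings.SearchActiveDirectoryDomains |
        Where-Object { $_.DomainName -ieq $FQDN }
    if ($existing) {
        Write-Host "  $FQDN already configured on $($WebApp.Url); skipping"
        return $false
    }
    $entry = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
    $entry.DomainName      = $FQDN
    $entry.ShortDomainName = $NetBIOS
    $entry.IsForest        = $true   # search the whole forest, as in the answer
    # For a one-way trust the entry also needs LoginName and SetPassword(), after
    # the farm application password has been set; not shown here.
    $WebApp.PeoplePickerSettings.SearchActiveDirectoryDomains.Add($entry)
    return $true
}

foreach ($wa in Get-SPWebApplication) {
    Write-Host "Web application: $($wa.Url)"
    $changed = $false
    foreach ($d in $domains) {
        if (Add-PeoplePickerForest -WebApp $wa -FQDN $d.FQDN -NetBIOS $d.NetBIOS) {
            $changed = $true
        }
    }
    if ($changed) { $wa.Update() }   # persist only when something was added

    # Verification: list the forests the People Picker will now search.
    $wa.PeoplePickerSettings.SearchActiveDirectoryDomains |
        Select-Object DomainName, ShortDomainName, IsForest |
        Format-Table -AutoSize
}
```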

All replies

  • If your SharePoint Server is hosted on OLDad it will pull users from OLDad, and if it is hosted on NEWad it will pull users from NEWad.

    As Trevor suggested, you can also filter the People Picker to pull users from NEWad.

    Hope it clears your question.



    • Proposed as answer by Amol Pawar Monday, October 30, 2017 4:13 PM
    • Unproposed as answer by Trevor SewardMVP Monday, October 30, 2017 4:13 PM
    • Edited by Amol Pawar Monday, October 30, 2017 4:16 PM
    Monday, October 30, 2017 4:13 PM
  • Thanks Trevor, that works as far as getting the people picker to look at both domains.

    I've since been told that all users will have 2 active AD accounts for the duration of the 4 month project due to the number of systems that need updating (i.e., can't disable the old accounts post migration, or the new accounts pre migration). So users will have to put up with 2 accounts being returned per user in the people picker dialog and be relied upon to select the correct one. Going to be an administrative headache - but at least it's not one that I'll have to deal with!

    Regards
    Martin


    Friday, November 3, 2017 4:03 PM