SP 2010 - replicating permissions for users in a different AD forest, while retaining existing permissions

  • Question

  • Hi there!

    We have a SP 2010 single-server farm with around 2500 public sector users authenticated through on-premises AD. The AD is used in coexistence with another public sector body, and we need to split away from them.

    We are setting up an AD forest which will use a totally different domain. What we need to do is

    a) find a way to allow all migrating users to access SharePoint 2010 with their new AD login, with the exact same permissions on all SharePoint objects that they currently have (sites, lists, libraries, docs, etc).

    b) continue to allow these users to access SharePoint 2010 in the meantime with their existing AD login.

    (Later on next year we will be setting up a new SharePoint Online structure and migrating over the 2010 content, and the users will use their new logins to access this.)

    We therefore need a way of exporting the AD login for each user, as well as all of the SharePoint permissions each user has for each SharePoint object (I think these are stored in the SharePoint 2010 content database and they authenticate against the Active Directory user?).

    We then need a way of mapping and assigning those exported SharePoint permissions against the new AD user, presumably by creating those user permissions in the SharePoint content database alongside their new AD username.

    I am struggling to find a way to do this. I did look into the possibility of using STSADM and the migrateuser command, but this won't cut it since it removes their old account access at the same time as it creates the new access.

    I have limited knowledge of AD / scripting / PowerShell commands for SharePoint – especially on-premises – to know what is and isn’t possible. There may be a better way of getting the same result, but those requirements above are key.

    Are there any PowerShell commands or other tools which will allow us to achieve this? Any assistance you can provide would be really appreciated!

    Thanks :)

    Friday, November 15, 2019 11:44 AM

All replies

  • Hi sparkyrob.

    I think you should write a PowerShell script that extracts a list of all the users and the corresponding permissions, saves them to a file, and then uses that file to add the users again with the new domain prefix and grant them the necessary permissions.
    You could take a look at the thread at https://social.msdn.microsoft.com/Forums/sqlserver/en-US/e8462d3c-0a52-4f58-bdfb-bbbfb9f2027b/powershell-script-to-get-all-users-permissions?forum=sharepointgeneralprevious to know how to get all the users' permissions in your SharePoint environment.

    Bye.


    Luigi Bruno
    MCP, MOS, MTA, MCTS, MCSA, MCSE

    Friday, November 15, 2019 4:26 PM
  • Thanks - that script is useful.

    With regard to adding permissions, is it just a case of adding the users with the New-SPUser command, and passing through the new domain/username and permissions?

    Is something else required with regards to authentication given that the users are on a completely different domain? Or will SP 2010 just authenticate with the logged in Windows user regardless?

    Monday, November 18, 2019 11:19 AM
  • Thanks - that script is useful.

    With regard to adding permissions, is it just a case of adding the users with the New-SPUser command, and passing through the new domain/username and permissions?

    Is something else required with regards to authentication given that the users are on a completely different domain? Or will SP 2010 just authenticate with the logged in Windows user regardless?

    SharePoint must be able to see the new domain: maybe you've already configured a trust relationship or anything else; provided that, you have to add the users to SharePoint either directly or into a SharePoint group (you could refer to the example at https://www.sharepointdiary.com/2016/04/add-user-to-sharepoint-group-with-powershell.html).

    Bye.


    Luigi Bruno
    MCP, MOS, MTA, MCTS, MCSA, MCSE

    Monday, November 18, 2019 4:52 PM
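
    The approach described in the replies above, as an added example that is not code from this thread or from the linked posts: it copies SharePoint group memberships and direct permission levels from each old login to its mapped new login and leaves the old account's access in place. Assumptions: the site URL and CSV path are placeholders, the CSV columns `OldLogin` and `NewLogin` are hypothetical and hold login names exactly as SharePoint stores them, and the farm can already resolve accounts in the new domain.

```powershell
# Added example, not from the thread. Placeholders: $SiteUrl, $MapCsv (columns OldLogin,NewLogin).
param(
    [string]$SiteUrl = "http://sharepoint.example.local",
    [string]$MapCsv  = "C:\temp\usermap.csv",
    [switch]$Apply   # without -Apply the script only reports what it would grant
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Explicit old -> new mapping; accounts missing from the CSV are never touched.
$map = @{}
Import-Csv $MapCsv | ForEach-Object { $map[$_.OldLogin] = $_.NewLogin }

# Copies direct user assignments on one securable object (web or list).
function Copy-Assignments($obj, $web, $label) {
    foreach ($ra in @($obj.RoleAssignments)) {
        if ($ra.Member -isnot [Microsoft.SharePoint.SPUser]) { continue }  # SharePoint groups: handled below
        $new = $map[$ra.Member.LoginName]
        if (-not $new) { continue }
        # Limited Access (role type Guest) is granted implicitly and cannot be assigned directly.
        $roles = @($ra.RoleDefinitionBindings |
                   Where-Object { $_.Type -ne [Microsoft.SharePoint.SPRoleType]::Guest })
        if ($roles.Count -eq 0) { continue }
        $names = ($roles | ForEach-Object { $_.Name }) -join ", "
        "{0}`t{1}`t{2} -> {3}`t{4}" -f "DIRECT", $label, $ra.Member.LoginName, $new, $names
        if ($Apply) {
            $newRa = New-Object Microsoft.SharePoint.SPRoleAssignment($web.EnsureUser($new))
            foreach ($rd in $roles) { $newRa.RoleDefinitionBindings.Add($rd) }
            $obj.RoleAssignments.Add($newRa)   # the old account's assignment is left in place
        }
    }
}

$site = Get-SPSite $SiteUrl
try {
    # Group memberships are scoped to the site collection.
    foreach ($group in $site.RootWeb.SiteGroups) {
        foreach ($u in @($group.Users)) {
            $new = $map[$u.LoginName]
            if (-not $new) { continue }
            "{0}`t{1}`t{2} -> {3}" -f "GROUP", $group.Name, $u.LoginName, $new
            if ($Apply) { $group.AddUser($site.RootWeb.EnsureUser($new)) }
        }
    }
    # Direct assignments exist only where inheritance is broken.
    foreach ($web in $site.AllWebs) {
        if ($web.HasUniqueRoleAssignments) { Copy-Assignments $web $web $web.Url }
        foreach ($list in @($web.Lists)) {
            if ($list.HasUniqueRoleAssignments) { Copy-Assignments $list $web "$($web.Url) [$($list.Title)]" }
        }
        $web.Dispose()
    }
} finally { $site.Dispose() }
```

    Run it once without `-Apply` and keep the tab-separated output as the record of what will be granted. Folders and documents with their own unique permissions are not covered here and need the same check at item level.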
  • Hi,

    If you find any replies helpful to you, please remember to mark them as answers. 

    Thank you for your understanding.

    Best regards,

    Chelsea Wu


    Tuesday, November 19, 2019 11:00 AM