SharePoint SPWeb Migrate Users from NTLM to Trusted Identity Provider (Claims) Powershell Script
Posted October 30, 2012on:
Inteded to: I am writing this article assuming that the reader is already aware of Claims based authentication, Trusted Identity Providers, ADFS and PowerShell.
Scenario: We are planning to Migrate a SharePoint site from NTLM to Claims based authentication using a Trusted Identity Provider (ADFS). So once the Migration is complete we are going to disable NTLM for the site so that the Users get’s authenticated using ADFS. The Trusted Identity Token Issuer for ADFS is configured with the Claims mapping using the Email Address of the users.
Problem: We have users their roles configured in the current site and we want to migrate those users and roles to Claims and remove the old NTLM users from the Site.
Resolution: Before we get into script let’s see what SPWeb.MigrateUsers (http://technet.microsoft.com/en-us/library/gg251985.aspx) does, and why it will not work in this case, for example
If we have a user CORP\DTOM in the Site once we say $objWeb.MigrateUsers($true) this user will be converted to Claims based user using the OOB Active Directory claims Provider (to see the list of Providers In PowerShell use the Command Get-SPClaimProvider. Get-SPTrustedIdentityTokenIssuer for the list of Trusted Identity Providers). So the converted ID will be i:0#.w|CORP\DTOM. Notice the “w” in the ID which indicates that it’s still being identified as a Active Directory user. Because claims is enabled on the website MigrateUsers converted the LoginID to Claims based LoginID. It actually has to be converted to i:<<some number>>#.t|<<providername>>|<<ClaimsMappingValue>> for example i:email@example.com
Below is the Powershell script to do the same, migrate the user permissions and remove the old user from the site before we turn off NTLM on the site.
$dn = New-Object System.DirectoryServices.DirectoryEntry (“LDAP://LDAPSERVER”,”LoginUsername”,”LoginPassword“)
$web = Get-SPWeb “https://mywebapplication”
$Users = @()
foreach ($user in $web.AllUsers)
$users += $user
foreach ($user in $Users)
$user2Find = $user.userlogin
$ds = new-object System.DirectoryServices.DirectorySearcher($dn)
$rnull = $ds.filter = “(sAMAccountName=” + $user2Find.ToUpper().Replace(CORP\’,”) + “)”
$rnull= $ds.SearchScope = “subtree”
$theUser = $ds.FindOne()
if ($theUser -ne $null)
$email = $theUser.Properties[“mail”]
$name = $theUser.Properties[“displayname”]
$claim = New-SPClaimsPrincipal -Identity $email -TrustedIdentityTokenIssuer “myadfstrustedprovider”
foreach ($group in $user.Groups)
if (!($group.ID -eq $null))
$web.Groups[$group].Users.Add($claim.ToEncodedString(),$email,$name,”Migrated user for ADFS authentication”)
Write-Host “Not Found” $user2Find
Write-Host “Not CORP User”