Microsoft Land

SharePoint SPWeb Migrate Users from NTLM to Trusted Identity Provider (Claims) Powershell Script

Posted on: October 30, 2012

Intended for: this article assumes that the reader is already familiar with claims-based authentication, Trusted Identity Providers, ADFS and PowerShell.

Scenario: We are planning to migrate a SharePoint site from NTLM to claims-based authentication using a Trusted Identity Provider (ADFS). Once the migration is complete we are going to disable NTLM for the site, so that users are authenticated through ADFS. The Trusted Identity Token Issuer for ADFS is configured with a claims mapping on the users' e-mail address.

Problem: We have users and their roles (group memberships) configured in the current site. We want to migrate those users and roles to claims identities and remove the old NTLM users from the site.

Resolution: Before we get into the script, let's see what SPWeb.MigrateUsers() does and why it will not work in this case. For example:

If we have a user CORP\DTOM in the site and we call $objWeb.MigrateUsers($true), this user is converted to a claims-based user using the out-of-the-box Active Directory claims provider (in PowerShell, Get-SPClaimProvider lists the claim providers and Get-SPTrustedIdentityTokenIssuer lists the Trusted Identity Providers). The converted ID will be i:0#.w|CORP\DTOM. Notice the "w" in the ID, which indicates that the user is still identified as an Active Directory (Windows) user: because claims is enabled on the site, MigrateUsers only converted the LoginID into a claims-encoded LoginID. What we actually need is an ID of the form i:<<some number>>#.t|<<providername>>|<<ClaimsMappingValue>>, for example i:05#.t|myadfstrustedprovider|

Below is the PowerShell script that does this: it migrates each user's permissions to the trusted-provider claims identity and removes the old NTLM user from the site, and is meant to be run before NTLM is turned off on the site.

# Load the SharePoint cmdlets when not running inside the SharePoint Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Bind to AD so each NTLM user's e-mail address (the claim the ADFS provider maps on) can be looked up
$dn = New-Object System.DirectoryServices.DirectoryEntry("LDAP://LDAPSERVER", "LoginUsername", "LoginPassword")
$web = Get-SPWeb "https://mywebapplication"

# Copy the collection first: adding users while enumerating $web.AllUsers would change it under us
$Users = @()
foreach ($user in $web.AllUsers) {
    $Users += $user
}

foreach ($user in $Users) {
    $user2Find = $user.UserLogin
    if ($user2Find.ToUpper().Contains('CORP\')) {
        # On a claims-enabled site the login is already encoded (i:0#.w|CORP\DTOM),
        # so take everything after the last backslash as the sAMAccountName
        $samAccount = $user2Find.Substring($user2Find.LastIndexOf('\') + 1)
        $ds = New-Object System.DirectoryServices.DirectorySearcher($dn)
        $ds.Filter = "(sAMAccountName=" + $samAccount + ")"
        $ds.SearchScope = "Subtree"
        [void]$ds.PropertiesToLoad.Add("mail")
        [void]$ds.PropertiesToLoad.Add("displayname")
        $theUser = $ds.FindOne()
        if ($theUser -ne $null) {
            # Properties[...] returns a value collection, so take the first value as a string
            $email = [string]$theUser.Properties["mail"][0]
            $name  = [string]$theUser.Properties["displayname"][0]
            # Build the claims principal the trusted provider (ADFS) will present, keyed on the e-mail claim
            $claim = New-SPClaimsPrincipal -Identity $email -TrustedIdentityTokenIssuer "myadfstrustedprovider"
            # Add the claims user to every group the NTLM user belongs to (SPGroupCollection is indexed by name)
            foreach ($group in $user.Groups) {
                if ($group -ne $null) {
                    $web.Groups[$group.Name].Users.Add($claim.ToEncodedString(), $email, $name, "Migrated user for ADFS authentication")
                }
            }
            # Removal of the old NTLM account, once the claims user has been verified:
            # $web.SiteUsers.Remove($user2Find)
        } else {
            Write-Host "Not Found" $user2Find
        }
    } else {
        Write-Host "Not CORP User" $user2Find
    }
}
$web.Dispose()
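Before NTLM is turned off it is worth checking which identities on the site are still Windows (NTLM) identities, which already come from the trusted provider, and which are not user identities at all. The following is an added example, not code from the original post: it decodes the encoded login strings described above (the i:0#.w|CORP\DTOM form) and reports a migration status per login. It runs offline against constructed sample logins; the provider name myadfstrustedprovider and the CORP domain are the post's own placeholders, and the line i:05.t|myadfstrustedprovider|dtom@corp.example is the form New-SPClaimsPrincipal emits for an e-mail identity claim from a trusted provider.

```powershell
# Added example: decode SharePoint encoded claim strings and report which SPWeb
# users will stop working once NTLM is disabled. Runs offline on sample data.
#
# Encoding layout (identity claim for a Windows user shown):
#   i : 0 # . w | CORP\DTOM
#   position 1 = i (identity claim) or c (any other claim)
#   position 3 = always 0
#   position 4 = claim type: '#' user logon name, '5' e-mail address, '-' role
#   position 5 = value type: '.' string
#   position 6 = original issuer: 'w' Windows, 't' trusted identity token issuer,
#                'f' forms membership provider, 's' local STS, 'c' claim provider
#   after '|' : Windows carries only the value; other issuers carry <issuer name>|<value>

$ClaimTypes  = @{ '#' = 'UserLogonName'; '5' = 'EmailAddress'; '-' = 'Role' }
$IssuerTypes = @{ 'w' = 'Windows'; 't' = 'TrustedProvider'; 'f' = 'Forms'; 's' = 'LocalSts'; 'c' = 'ClaimProvider' }

function ConvertFrom-EncodedClaim {
    param([Parameter(Mandatory = $true)][string]$Login)

    # Classic (pre-claims) logins such as CORP\DTOM carry no "i:" header at all
    if ($Login -notmatch '^([ic]):0(.)(.)([a-z])\|(.*)$') {
        return [pscustomobject]@{ Login = $Login; IsClaim = $false; IsIdentity = $false
                                  ClaimType = $null; ValueType = $null; IssuerType = 'Classic'
                                  Issuer = $null; Value = $Login }
    }
    $claimCode  = $Matches[2]
    $valueCode  = $Matches[3]
    $issuerCode = $Matches[4]
    $rest       = $Matches[5]

    # Windows identities carry no issuer name after the pipe; every other issuer does
    if ($issuerCode -eq 'w') {
        $issuer = $null
        $value  = $rest
    } else {
        $issuer, $value = $rest -split '\|', 2
    }
    $claimType  = if ($ClaimTypes.ContainsKey($claimCode))   { $ClaimTypes[$claimCode] }   else { "Other($claimCode)" }
    $valueType  = if ($valueCode -eq '.')                     { 'String' }                  else { "Other($valueCode)" }
    $issuerType = if ($IssuerTypes.ContainsKey($issuerCode)) { $IssuerTypes[$issuerCode] } else { "Other($issuerCode)" }

    [pscustomobject]@{ Login = $Login; IsClaim = $true; IsIdentity = ($Matches[1] -eq 'i')
                       ClaimType = $claimType; ValueType = $valueType; IssuerType = $issuerType
                       Issuer = $issuer; Value = $value }
}

function Get-NtlmMigrationReport {
    # One row per login with a status a reviewer can act on:
    #   NeedsMigration  Windows/NTLM identity that stops working once NTLM is off
    #   Migrated        identity issued by the expected trusted provider
    #   NotIdentity     role or other non-identity claim (untouched by the migration)
    #   Classic         pre-claims login (the web application is not claims-enabled)
    #   Review          anything else (another provider, forms, local STS)
    param([Parameter(Mandatory = $true)][string[]]$Logins,
          [string]$TrustedProvider = 'myadfstrustedprovider')   # placeholder name from the post

    foreach ($login in $Logins) {
        $c = ConvertFrom-EncodedClaim -Login $login
        if (-not $c.IsClaim) { $status = 'Classic' }
        elseif (-not $c.IsIdentity) { $status = 'NotIdentity' }
        elseif ($c.IssuerType -eq 'Windows') { $status = 'NeedsMigration' }
        elseif ($c.IssuerType -eq 'TrustedProvider' -and $c.Issuer -eq $TrustedProvider) { $status = 'Migrated' }
        else { $status = 'Review' }
        [pscustomobject]@{ Login = $login; Status = $status; ClaimType = $c.ClaimType; Issuer = $c.Issuer; Value = $c.Value }
    }
}

# Constructed sample logins, standing in for ($web.AllUsers | ForEach-Object { $_.UserLogin })
$sampleLogins = @(
    'i:0#.w|CORP\DTOM',                                  # NTLM user, not yet migrated
    'i:05.t|myadfstrustedprovider|dtom@corp.example',    # claims user the script creates for DTOM
    'i:0#.w|CORP\JDOE',                                  # another NTLM user
    'c:0-.t|myadfstrustedprovider|SiteAdmins',           # a role claim from ADFS, not a user
    'CORP\SVCACCT'                                       # classic login, web application not claims-enabled
)

$report = Get-NtlmMigrationReport -Logins $sampleLogins
$report | Format-Table -AutoSize
# Summary: how many accounts would be locked out if NTLM were disabled today
$report | Group-Object Status | Select-Object Name, Count
```

Running the audit again after the migration script, with the real $web.AllUsers logins in place of the sample, should leave no NeedsMigration rows before NTLM is disabled; any Review rows point at identities issued by a provider other than the one being migrated to and deserve a look before access is cut.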
