Updating the Site Collection Local User Record (Account Migration)

During a user's life cycle, a number of user attributes can change in Active Directory. Some common changes are name (user has legally had their name changed), domain (the user was migrated from one Active Directory domain to another), or forest (user was migrated from one Active Directory forest to another).

Because there is no automatic way to synchronize the user information in the User Info table of the content database with the Active Directory, a MigrateUser command line option is provided. The most common use of this command is for updating the user record when the user has been migrated from one domain to another within the same forest, or from one forest to another forest.

A local user record is identified with the user SID. The command to migrate the user takes the original user account name and the new account name and indicates whether to validate the SID history.

In the case of a domain-to-domain transfer within the same forest, validation of SID history is recommended. When the MigrateUser command is issued, the Windows SharePoint Services front-end web server gets the new user SID from Active Directory using the new user account name, locates the record stored under the old user SID in the User Table, and updates that row with the new user SID. In effect, this converts the user from one SID to another. When SID history validation is turned on, the new user's token is examined to make sure that it contains the old user SID.

In the case of a forest-to-forest transfer, it is not possible to verify the SID history because the Active Directory forest is the boundary for security principals. In this case, the new SID is looked up from the new Active Directory forest, the User Table record that matches the old user SID is located, and the record is updated with the new SID.
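The following PowerShell wrapper is an added example, not part of the original documentation or the product: it performs the same SID-history check described above as a pre-flight step before issuing the migration, and skips the check for the forest-to-forest case. It assumes the ActiveDirectory module (Get-ADUser), that stsadm.exe is reachable from the front-end web server, and that the migrateuser operation takes the -oldlogin, -newlogin and -ignoresidhistory parameters; the DOMAIN\user values are placeholders.

```powershell
# Added example (not from the original documentation): pre-flight SID-history
# check, then the WSS migrateuser operation for the local user record.
# Assumptions: ActiveDirectory module available, the caller can read both
# domains, stsadm.exe is on the PATH, and migrateuser accepts
# -oldlogin, -newlogin and -ignoresidhistory.
param(
    [Parameter(Mandatory)] [string] $OldLogin,   # placeholder form: OLDDOMAIN\jdoe
    [Parameter(Mandatory)] [string] $NewLogin,   # placeholder form: NEWDOMAIN\jdoe
    [switch] $CrossForest                        # forest-to-forest: SID history cannot be checked
)

Import-Module ActiveDirectory

function Get-AccountForLogin {
    param([string] $Login)
    $domain, $sam = $Login -split '\\', 2
    if (-not $sam) { throw "Login '$Login' must be in DOMAIN\user form." }
    # -Server targets the domain named in the login so each SID is read from
    # the directory that actually issued it.
    Get-ADUser -Identity $sam -Server $domain -Properties SID, SIDHistory
}

$new = Get-AccountForLogin $NewLogin

if ($CrossForest) {
    # The forest is the boundary for security principals, so the old SID cannot
    # be validated against the new token; tell stsadm to skip that check.
    & stsadm.exe -o migrateuser -oldlogin $OldLogin -newlogin $NewLogin -ignoresidhistory
    exit $LASTEXITCODE
}

# Same-forest move: the new account's SIDHistory must carry the old SID.
# The old account must still resolve in its domain for this local check.
$old = Get-AccountForLogin $OldLogin
$history = @($new.SIDHistory | ForEach-Object { $_.Value })
if ($history -notcontains $old.SID.Value) {
    throw "SIDHistory of $NewLogin does not contain $($old.SID.Value); refusing to migrate."
}

# SID history verified locally; stsadm repeats the check because
# -ignoresidhistory is not passed.
& stsadm.exe -o migrateuser -oldlogin $OldLogin -newlogin $NewLogin
exit $LASTEXITCODE
```

Run it once per migrated account from the front-end web server; a non-zero exit from stsadm is passed through so the script can be chained in a batch migration.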