User accounts migrated with their SID history across forests are not resolved in SharePoint

Symptoms

Consider the following scenario:

  • You have two forests, ForestA and ForestB.
  • There is a two-way forest trust between the forests.
  • You have SharePoint installed in ForestB.
  • You migrate the user accounts together with their security identifier (SID) history from ForestA to ForestB.
  • The ForestA\user1 and ForestB\user1 user accounts are both enabled.

In this scenario, when you try to add the ForestA\user1 user account to SharePoint resources, user name resolution fails. For example, the People Picker displays the following error message:

The user does not exist or is not unique.

Cause

This behavior is expected (by design).

When you migrate a user from ForestA to ForestB together with its SID history, the ForestB\user1 account receives a new SID in the new domain, and its SIDHistory attribute is populated with the SID of ForestA\user1. When SharePoint resolves ForestA\user1, a local domain controller (DC) in ForestB finds that SID in the SIDHistory of ForestB\user1 and resolves it to ForestB\user1 instead of to the ForestA account that was requested. Because the name that comes back does not match the account that was entered, People Picker reports that the user does not exist or is not unique.

For more information about mapping the SID to the user account, see LookupAccountSid function.
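The following PowerShell script is an added diagnostic, not part of the original article. It checks whether the migrated account carries the source SID in its SIDHistory and then reproduces, from the ForestB side, the SID-to-name translation that SharePoint performs. The domain names forestA.example and forestB.example, the NetBIOS name ForestA and the RSAT ActiveDirectory module are assumptions.

```powershell
# Added diagnostic for the SID-history resolution issue (not from the original article).
# Assumes: RSAT ActiveDirectory module installed; run on a machine joined to ForestB
# (for example, the SharePoint server); placeholder domain names below.
Import-Module ActiveDirectory

$SourceDomain  = 'forestA.example'   # ForestA: migration source (assumed name)
$SourceNetBios = 'ForestA'           # NetBIOS name of ForestA (assumed)
$TargetDomain  = 'forestB.example'   # ForestB: the forest that hosts SharePoint (assumed name)
$SamAccountName = 'user1'

# Read both accounts. SIDHistory is not returned by default, so request it explicitly.
$src = Get-ADUser -Identity $SamAccountName -Server $SourceDomain -Properties Enabled
$dst = Get-ADUser -Identity $SamAccountName -Server $TargetDomain -Properties SIDHistory, Enabled

"Source : {0}`n  SID={1}  Enabled={2}" -f $src.DistinguishedName, $src.SID.Value, $src.Enabled
"Target : {0}`n  SID={1}  Enabled={2}" -f $dst.DistinguishedName, $dst.SID.Value, $dst.Enabled
"Target SIDHistory: {0}" -f (($dst.SIDHistory | ForEach-Object { $_.Value }) -join ', ')

# Check 1: the migrated account carries the old SID in its SIDHistory.
$historyValues = @($dst.SIDHistory | ForEach-Object { $_.Value })
if ($historyValues -contains $src.SID.Value) {
    Write-Host "SIDHistory of $TargetDomain\$SamAccountName contains the SID of $SourceNetBios\$SamAccountName."
} else {
    Write-Host "SIDHistory does not contain the source SID; the issue in this article does not apply."
}

# Check 2: translate the source SID to a name from this (ForestB-joined) host.
# This mirrors LookupAccountSid, which is what SharePoint relies on during name resolution.
try {
    $sid      = New-Object System.Security.Principal.SecurityIdentifier($src.SID.Value)
    $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value
    "SID $($src.SID.Value) resolves on this host to: $resolved"
    if ($resolved -ne "$SourceNetBios\$SamAccountName") {
        Write-Warning "The source SID resolves to $resolved, not to $SourceNetBios\$SamAccountName. People Picker will not resolve the ForestA account."
    }
} catch {
    Write-Warning "Could not translate SID $($src.SID.Value): $($_.Exception.Message)"
}

# Check 3: both accounts enabled at the same time is the condition the article describes.
if ($src.Enabled -and $dst.Enabled) {
    Write-Warning "Both $SourceNetBios\$SamAccountName and $TargetDomain\$SamAccountName are enabled."
    # Workaround from the article: do not keep both enabled. Disabling the source
    # account is one option (assumed here); remove -WhatIf to apply it.
    Disable-ADAccount -Identity $src -Server $SourceDomain -WhatIf
}
```

Run the script from a host in ForestB so that check 2 exercises a ForestB DC, which is the lookup path SharePoint uses. The `-WhatIf` on `Disable-ADAccount` keeps the script read-only until you decide which of the two accounts to disable.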

Resolution

To work around the issue, don't have both accounts enabled at the same time. For example, after the migration is complete, disable ForestA\user1 so that only ForestB\user1 is enabled, and add ForestB\user1 to the SharePoint resources.

References

SharePoint People Picker shows old domain account during Active Directory migration

SharePoint and SID History not playing well together
