User automatically removed from SharePoint Group

During my current project we received an access request from a user. We did what we normally do, we checked the request and added the user in the appropriate SharePoint Group and notified the user.

After 15 minutes the user told us that it wasn’t working. We looked at the User Group and found out that the user was not in the group. So we added the user again because we thought that we forgot this step. After some time we received another mail from the user telling us that it still wasn’t working.

We requested the account details from the user and tried it our self, we found out that the user was missing again and added the account again. We logged in with the user opened a document with Office Web Applications and took another look at the members of the specific SharePoint group. WTF the user was gone!

After digging into the ULS files and looking in the Event log we did not found a clue of what was happening. After a small conversation with the user she told us that everything worked fine before and that she had several problems since see re-joined the company.

What happened was the following the user was removed from the active directory and when she got back a new account was created with the same login name.

When the user re-joined the account had the same login name but did not have the same SID. SharePoint saves information about an account by using the login name and the SID (Security Identifier) of a user. Because of the mismatch SharePoint was removing the applied security rights.

This issue can be fixed by using different commands:

The commands look as followed:

$user = Get-SPUser -Web [SiteUrl] -Identity [Login Name]
Move-SPUser -Identity $user -NewAlias [Login Name] -IgnoreSID

For the PowerShell commando you will first need to retrieve the specific user.When retrieving the user and setting the new alias you should always use the claim login name: “i:0#.w|Domain\user”.

stsadm -o migrateuser -oldlogin [Login Name] -newlogin [Login Name] -ignoresidhistory

The STSADM command looks almost the same as the PowerShell command if you also look at the parameters they both have something to Ignore the SID history. The parameter is included because if you do not include the parameter it will check the SID references and as we all know they do not match.

Possible Problem: When performing one of these options you can receive a “Object reference not set to an instance of an object”. The solution to this problem is pretty simple, When it happens your user does not have enough rights. Try it with another account or give your current user rights to the User Profile Service Application.”

4 Replies to “User automatically removed from SharePoint Group”

  1. Thanks for this, we spent a good 2 days of “wtf’s” on this problem before I stumbled across your article.

    1. I have the same issue, the sharepoint still remember the old SID for the same username.
      now the problem is that I have one user with one alias, and your solution said to move it to another alias how?
      user in domain\jone and i need to keep him using same username not to change his alias
      thanks

  2. We recently had a similar issue where after an audit showed we had a number of AD accounts that had expired. In order for us to stay in compliance the auditor recommended that we delete those AD accounts . However, some of those AD accounts were accounts used in by contractors who were developing a solution for us in SharePoint. With their accounts deleted we had to re-create them from scratch. This then caused the issue described above. However, in our case the old accounts wouldn’t merge with the script as written because we had also turned off claims-based authentication, I had to force new accounts be created first and then merge those accounts with the old ones. Here’s my script:
    Add-PSSnapin Microsoft.SharePoint.PowerShell
    $site = ‘[site url]’
    $kLO = ‘[NEW domain\username]’

    Get-SPWeb $site | New-SPUser -UserAlias ‘[NEW domain\username]’
    $k = Get-SPUser -Web $site -Identity [OLD domain\username’
    Move-SPUser -Identity $k -NewAlias ‘[NEW domain\username]’ -IgnoreSID
    $k = Get-SPUser -Web $site -Identity ‘[NEW domain\username]’
    $k |Select LoginName,sid

  3. Good day All,

    We have a similar scenario where an AD group just disappear from the Permissions set-up screen from the one day to the next. Any suggestions?

    Kind Regards

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.