关于Move-SPUser的清晰度 [英] Clarity around Move-SPUser
问题描述
希望进一步了解Move-SPUser的确切更新.显然,它会更新用户信息列表"中的用户帐户名称,但是SID如何更新?是用户首次以新域用户身份登录
Looking for a deeper dive on what exactly Move-SPUser updates. It obviously updates the account name of users in the User Information List, but how does the SID get updated? Is that upon the user first logging in as the new domain user
我们已使用Move-SPUser Commandlet将一部分用户从DomainA迁移到DomainB.目前,我们只有与DomainA的UPSA同步连接.我们注意到, UPSA配置文件数据库已更改为DomainB \ user.第一个问题是,因为我们不与DomainB同步并且当前不存在DomainB配置文件,是否应该这样?
We have migrated a block of users from DomainA to DomainB using the Move-SPUser commandlet. Currently we only have UPSA Sync Connection to DomainA. We've noticed that the Account Name property of the users in the UPSA profile database has changed to DomainB\user. First question is, should that be expected since we aren't syncing with DomainB and no DomainB profiles currently exist?
第二天,一些迁移的用户使用其旧的DomainA帐户登录.这是可能的,因为该网站向所有经过身份验证的用户开放(读取访问权限).他们发现自己犯了一个错误,然后注销,然后以 DomainB帐户.反过来,这又将其帐户从其所属的任何SharePoint组中删除.当我们查看UIL时,原来的用户已经走了,并创建了一个新用户.为什么会这样?
The following day some of the migrated users logged in with their old DomainA account. This was possible because the site was open to all authenticated users (read access). They noticed they made a mistake, logged out, then logged back in as DomainB account. This in turn caused their account to be removed from any SharePoint group they were a member of. When we looked at the UIL, the original user was gone and a new one had been created. Why is that?
非常感谢!
推荐答案
这里的几个问题...
Few questions here...
这是林间迁移,我愿意吗?拥有全程双向信任吗?启用了SIDHistory吗?
This is an inter-forest migration, I take it? With full-two way trust? SIDHistory enabled?
如果上述全部是,如果您尚未禁用一个或另一个帐户,则说明您正在破坏Microsoft安全模型(即,一个启用的对象具有特定的SID).
If the above is all yes, if you haven't disabled one or the other account, you're breaking the Microsoft security model (that is, a single enabled object has a particular SID).
是的,如果UPSA看到用户正在访问SharePoint,或者您通过UPSA与SharePoint同步,则SharePoint当然可以自动迁移用户(您可以在ULS中搜索"MigrateAccount").
Yes, if the UPSA sees a user access SharePoint or you synchronize with SharePoint via UPSA, it is certainly possible for SharePoint to auto-migrate the user (you can search for 'MigrateAccount' in ULS).
这篇关于关于Move-SPUser的清晰度的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
