When troubleshooting SharePoint user identity issues such as UPN and SID values, it is extremely helpful to compare the values in SharePoint with those in AD, since SharePoint synchronizes users' AD attributes through the User Profile Service (UPS). One example: some users changed their AD UPN from userid@domain.company.com to userid@company.com, and we are not sure whether this will have any impact on SharePoint. In this blog, we provide the PowerShell to query both AD and the SharePoint user profile.
You could use Active Directory Explorer to view a user's AD attributes, but for automation it is easier to use the Active Directory cmdlets in Windows PowerShell. If you have never used the Active Directory cmdlets, verify that the feature is installed with the following PowerShell.
Get-WindowsFeature | where displayname -like "*active dir*"
Get-WindowsFeature rsat-AD-powershell
You could follow the instructions here to enable the AD remote PowerShell feature, or use the following PowerShell command to enable it.
Add-WindowsFeature rsat-AD-powershell
This is a simple example that gets an AD user through the user CN. Please note, this will NOT work if you have multiple AD domains.
# Load the Active Directory module and list the modules available on this machine
Import-Module ActiveDirectory
Get-Module -ListAvailable
$wUser = "userid"
# Look the user up in the current domain
$aduser = Get-ADUser -Identity $wUser
$aduser
This is a simple example that gets an AD user through the user CN and works across multiple AD domains. It will also include deleted users.
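$usercn = "userid"
# Match user objects (excluding computer accounts) whose cn equals $usercn.
# $usercn is concatenated into the filter unescaped, so pass trusted values only.
$ldapfilter = "(&(objectclass=user)(!(objectclass=computer))(cn=" + $usercn + "))"
# Replace "ADController:portnumber" with the domain controller and port to query
$users = Get-ADObject -LDAPFilter $ldapfilter -Server "ADController:portnumber" -IncludeDeletedObjects -Properties DisplayName, userPrincipalName, cn
$users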
In order to get a SharePoint user's attributes, you need to configure the UPS and complete a full sync. You could use the following PowerShell to retrieve a user's UPN.
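# Load the SharePoint cmdlets when not running in the SharePoint Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$userID = 'domain\userid'
# Use the Central Administration site to obtain a service context for the UPS
$ca = Get-SPWebApplication -IncludeCentralAdministration | where {$_.IsAdministrationWebApplication}
$spsite = $ca.Url
$site = Get-SPSite $spsite
$context = Get-SPServiceContext $site
$upsa = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)
# Named $userProfile to avoid overwriting PowerShell's built-in $profile variable
$userProfile = $upsa.GetEnumerator() | Where-Object {$_.AccountName -eq $userID}
$userProfile["SPS-UserPrincipalName"].Value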
If you find that the UPN values are different after a change in AD, you need to run a UPS full sync to sync the changes to SharePoint.
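The side-by-side comparison described above can be scripted once both sets of values are collected. This is an added example, not code from the original post: the function name Compare-IdentityDrift, the field names Upn and Sid on the SharePoint side, and all sample records are assumptions made for illustration.

```powershell
# Added example. Compare-IdentityDrift and all sample records are constructed.
function Compare-IdentityDrift {
    param(
        [Parameter(Mandatory=$true)] [object[]] $AdUsers,    # SamAccountName, UserPrincipalName, SID
        [Parameter(Mandatory=$true)] [object[]] $SpProfiles  # AccountName (domain\userid), Upn, Sid
    )
    # Index profiles by SID (unchanged by a UPN rename) and by userid as a fallback.
    # Hashtable string keys are case-insensitive. The userid fallback can collide
    # when the same userid exists in more than one domain.
    $bySid = @{}
    $byName = @{}
    foreach ($p in $SpProfiles) {
        $sid = [string]$p.Sid
        if ($sid) { $bySid[$sid] = $p }
        $byName[$p.AccountName.Split('\')[-1]] = $p
    }
    foreach ($u in $AdUsers) {
        $key = [string]$u.SID
        $p = $bySid[$key]
        if ($p) {
            # -eq on strings ignores case, so a case-only difference is not reported
            if ($p.Upn -eq $u.UserPrincipalName) { $status = 'InSync' } else { $status = 'UpnMismatch' }
        } else {
            $p = $byName[$u.SamAccountName]
            if ($p) { $status = 'SidMismatch' } else { $status = 'MissingInSharePoint' }
        }
        $spUpn = $null
        if ($p) { $spUpn = $p.Upn }
        [pscustomobject]@{
            User = $u.SamAccountName; AdUpn = $u.UserPrincipalName; SpUpn = $spUpn; Status = $status
        }
    }
}

# Constructed sample data. On a farm, fill $ad from Get-ADUser output and $sp from the
# profile enumeration, mapping the SPS-UserPrincipalName value to Upn (assumed mapping).
$ad = @(
    [pscustomobject]@{ SamAccountName = 'alice'; UserPrincipalName = 'alice@company.com'; SID = 'S-1-5-21-1111-2222-3333-1101' },
    [pscustomobject]@{ SamAccountName = 'bob';   UserPrincipalName = 'bob@company.com';   SID = 'S-1-5-21-1111-2222-3333-1102' },
    [pscustomobject]@{ SamAccountName = 'carol'; UserPrincipalName = 'carol@company.com'; SID = 'S-1-5-21-1111-2222-3333-1203' },
    [pscustomobject]@{ SamAccountName = 'dave';  UserPrincipalName = 'dave@company.com';  SID = 'S-1-5-21-1111-2222-3333-1104' }
)
$sp = @(
    [pscustomobject]@{ AccountName = 'DOMAIN\alice'; Upn = 'alice@domain.company.com'; Sid = 'S-1-5-21-1111-2222-3333-1101' },
    [pscustomobject]@{ AccountName = 'DOMAIN\bob';   Upn = 'bob@company.com';          Sid = 'S-1-5-21-1111-2222-3333-1102' },
    [pscustomobject]@{ AccountName = 'DOMAIN\carol'; Upn = 'carol@company.com';        Sid = 'S-1-5-21-1111-2222-3333-1103' }
)
Compare-IdentityDrift -AdUsers $ad -SpProfiles $sp | Format-Table -AutoSize
```

Rows reported as UpnMismatch are the accounts that still carry the old UPN in SharePoint and are the ones a UPS full sync should correct.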