1

We're converting all SP permissions into ActiveDirectory groups (one per uninherited object, per role level). I wanted the group names to reflect where the permissions were/are, so I assigned each group with a name that matched the site structure:

`sitecollection|site|list|Full Control`

Active Directory had issues with the pipes and the potential length, so I reconfigured everything to use the description of the Active Directory object instead. The actual CN of the group is -someNumber- (-1-, -2-, etc.).

I ran across an interesting phenomenon while adding the groups into SharePoint under the same role level; I had to start the groups at 1000, else the `EnsureUser` couldn't find the group no matter what.

`$web.EnsureUser('c:0-.f|myprovider|-1-')` says it doesn't exist, whereas `$web.EnsureUser('c:0-.f|myprovider|-1000-')` does just fine.

Is there some sort of limitation to the number of characters a SAM Account Name / Principal Name must be when being searched by SharePoint?

Christopher

1 Answer

-2

You need to include the Domain name in `EnsureUser` - `Domain\Username`

Or you can just add `i:0#.f|myprovider|` to the username so it looks like `i:0#.f|myprovider|myuser` and pass the result into `EnsureUser`. In my case "myprovider" is the name of my custom membership provider.

Luke
  • We're moving all of our permissions to ActiveDirectory - completely separate from SharePoint (since SP groups can't cross site collections). So, we can't use the user qualified name since we're not adding individual users. And `c:0-.f|myprovider|-1000-` works fine, so I'm not sure it's an issue with the format that I'm passing in. – Christopher May 12 '15 at 17:39