1

I am currently working on a sharepoint migration on a test environment, and have now come to the point where I would like to map/migrate my existing Ad groups and users from SP 2010 to SP 2013. Now when researching this I find alot of vague information but nothing very solid concerning this matter. How would I best go about this.

Let's say I have following users in a csv file representing the users on the SP 2010 environment:

c:0!.s|windows
i:0#.w|domainhere\administrator i:0#.w|domainhere\apservice
i:0#.w|domainhere\koen
NT AUTHORITY\LOCAL SERVICE
SHAREPOINT\system
Domainhere\APService

Should I write a powershell script somehing which resembles the following

$csv = Import-CSV ".\sites-default.csv"

$web = Get-SPWeb = "https://mymachine.mydomain"

foreach($row in $csv)
{

#You could do this to format your account name if not already in the csv

$username = "Domain\" + $row.key

$web.EnsureUser($username)

$group = $web.SiteGroups |?{$_.name -eq "GROUPNAME"}

Set-SPUser -identity $username -web $web.url -group $group

}

Or are they better ways to do this kind of matter?

Pieter
  • 359
  • 3
  • 14

2 Answers2

0

I have some code that works in C# using CSOM. It reads the permissions from all lists (document libraries also are lists) and the site level and writes them to an excel.

Then it reads the permissions from Excel and puts them on the new SharePoint.

The Excel uses using OfficeOpenXml;

The model

public class PermissionsToExcel
{
    public string ListTitle { get; set; }
    public string Gebruikersnaam { get; set; }
    public string Rechten { get; set; }
    public string ListUrl { get; set; }
    public bool HasUniqueRoleAssignments { get; set; }
}

The code that gets the groups and their permissions from each list:

List<PermissionsToExcel> permissionsToExcelList = new List<PermissionsToExcel>();
using (ClientContext ctx = new ClientContext(@"http://yoursharepointurl.com/"))
{
    Web web = ctx.Web;
    ctx.Load(web, w => w.HasUniqueRoleAssignments, w => w.Url);
    ctx.Load(web.RoleAssignments);
    ctx.Load(web.Lists);
    ctx.Load(web.Lists, lists => lists.Include(list => list.Title, list => list.DefaultViewUrl, list => list.RoleAssignments, list => list.RoleAssignments.Groups, list => list.HasUniqueRoleAssignments));
    ctx.ExecuteQuery();
    //Get permissions on site level
    foreach (RoleAssignment webRA in web.RoleAssignments)
    {
        ctx.Load(webRA.Member);
        ctx.Load(webRA.RoleDefinitionBindings);
        ctx.ExecuteQuery();
        foreach (RoleDefinition definition in webRA.RoleDefinitionBindings)
        {
            ctx.Load(definition);
            ctx.ExecuteQuery();
            permissionsToExcelList.Add(new PermissionsToExcel() { ListTitle = "", Gebruikersnaam = webRA.Member.LoginName, Rechten = definition.Name, ListUrl = web.Url, HasUniqueRoleAssignments = web.HasUniqueRoleAssignments });
        }
    }
    //Write down each group per list and their permissions
    foreach (List list in web.Lists)
    {
        string listUrl = list.Context.Url + list.GetWebRelativeUrl();
        foreach (RoleAssignment listRA in list.RoleAssignments)
        {
            ctx.Load(listRA.Member);
            ctx.Load(listRA.RoleDefinitionBindings);
            ctx.ExecuteQuery();
            foreach (RoleDefinition definition in listRA.RoleDefinitionBindings)
            {
                ctx.Load(definition);
                ctx.ExecuteQuery();
                permissionsToExcelList.Add(new PermissionsToExcel() { ListTitle = list.Title, Gebruikersnaam = listRA.Member.LoginName, Rechten = definition.Name, ListUrl = listUrl, HasUniqueRoleAssignments = list.HasUniqueRoleAssignments });
            }
        }
    }
}

Write the permissions to Excel using EPPlus

ExcelPackage excel = new ExcelPackage();
var workSheet = excel.Workbook.Worksheets.Add("Permissions");
workSheet.Cells[1, 1].LoadFromCollection(permissionsList, true);

using (var memoryStream = new MemoryStream())
{
    Response.ContentType = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet";
    Response.AddHeader("content-disposition", "attachment;  filename=Permissions.xlsx");
    excel.SaveAs(memoryStream);
    memoryStream.WriteTo(Response.OutputStream);
    Response.Flush();
    Response.End();
 }

Read the permissions from Excel

List<PermissionsToExcel> permissionslist = new List<PermissionsToExcel>();

FileInfo existingFile = new FileInfo(@"C:\path\Permissions.xlsx");
using (ExcelPackage package = new ExcelPackage(existingFile))
{
    //Get the first worksheet in the workbook
    ExcelWorksheet excelWorksheet = package.Workbook.Worksheets["Permissions"];
    int colCount = excelWorksheet.Dimension.End.Column;  //get Column Count
    int rowCount = excelWorksheet.Dimension.End.Row;     //get row count
    for (int row = 2; row <= rowCount; row++)//Rij 1 is de titel rij, beginnen bij rij 2
    {
        PermissionsToExcel permission = new PermissionsToExcel
        {
            ListTitle = excelWorksheet.Cells[row, 1].Value.ToString().Trim(),
            Gebruikersnaam = excelWorksheet.Cells[row, 2].Value.ToString().Trim(),
            Rechten = excelWorksheet.Cells[row, 3].Value.ToString().Trim(),
            ListUrl = excelWorksheet.Cells[row, 4].Value.ToString().Trim(),
            HasUniqueRoleAssignments = excelWorksheet.Cells[row, 5].Value.ToString().Trim().ToBoolean()
        };
        permissionslist.Add(permission);
    }
    return permissionslist;
}

Put the permissions onto a new site (which has the same library setup as the old one!!

using (ClientContext ctx = new ClientContext(@"http://newSharePointSiteUrl.com/"))
{
    Web web = ctx.Web;
    ctx.Load(web.Lists);
    ctx.Load(web.RoleDefinitions);
    ctx.ExecuteQuery();
    //Ophalen rollen
    RoleDefinition roleTypeOwner = ctx.Web.RoleDefinitions.GetByType(RoleType.Administrator);
    RoleDefinition roleTypeEditor = ctx.Web.RoleDefinitions.GetByType(RoleType.Editor);
    RoleDefinition roleTypeVisitor = ctx.Web.RoleDefinitions.GetByType(RoleType.Reader);
    //RoleDefinition roleTypeNone = ctx.Web.RoleDefinitions.GetByType(RoleType.None);//Werkt niet
    ctx.ExecuteQuery();
    //Get groups
    ctx.Load(ctx.Web.SiteGroups);
    ctx.Load(ctx.Web.SiteUsers);
    ctx.ExecuteQuery();
    foreach (PermissionsToExcel pte in permissionslist)
    {
        if (pte.ListTitle == "")//If listtitle is empty, it's the site permissions
        {
            //Get site
            User user = ctx.Web.SiteUsers.GetByLoginName(pte.Gebruikersnaam);
            ctx.Load(user);
            ctx.ExecuteQuery();
            //Check if the site had unique permissions
            if (pte.HasUniqueRoleAssignments)//Site had unique permissions, break inheritance and take away the old groups
            {
                RoleDefinitionBindingCollection rdbc = new RoleDefinitionBindingCollection(ctx);
                switch (pte.Rechten)
                {
                    case "Read":
                        rdbc.Add(roleTypeVisitor);
                        break;
                    case "Edit":
                        rdbc.Add(roleTypeEditor);
                        break;
                    case "Full Control":
                        rdbc.Add(roleTypeOwner);
                        break;
                    default:
                        break;
                }
                web.BreakRoleInheritance(false, true);
                web.RoleAssignments.Add(user, rdbc);
            }
            else//Site had no unique permissions, inherit from above
            {
                //TODO: do we want that?
            }
        }
        else if (web.ListExists(pte.ListTitle))//Go over all lists
        {
            //Get List
            List list = web.Lists.First(t => t.Title == pte.ListTitle);
            //var group = ctx.Web.SiteGroups.GetByName(pte.Gebruikersnaam);
            //ctx.Load(Group);
            //ctx.ExecuteQuery();
            User user = ctx.Web.SiteUsers.GetByLoginName(pte.Gebruikersnaam);
            ctx.Load(user);
            ctx.ExecuteQuery();
            //Check if list had unique permissions
            if (pte.HasUniqueRoleAssignments)//List had unique permissions, stop inheritance and put back groups with their permissions
            {
                RoleDefinitionBindingCollection rdbc = new RoleDefinitionBindingCollection(ctx);
                switch (pte.Rechten)
                {
                    case "Read":
                        rdbc.Add(roleTypeVisitor);
                        break;
                    case "Edit":
                        rdbc.Add(roleTypeEditor);
                        break;
                    case "Full Control":
                        rdbc.Add(roleTypeOwner);
                        break;
                    default:
                        break;
                }
                list.BreakRoleInheritance(false, true);
                //list.RoleAssignments.Add(Group, rdbc);
                list.RoleAssignments.Add(user, rdbc);
            }
            else //List had no unique permissions, inherit from above
            {
                list.ResetRoleInheritance();
            }
        }
        else
        {
            Debug.WriteLine("LIST NOT FOUND: PROBLEM");
        }
    }
}
Joren Vandamme
  • 381
  • 2
  • 5
  • 17
0

The process you would follow is:

$user = Get-SPUser -Identity "DOM\john.smith" -Web https://siteCollectionUrl

Move-SPUser -Identity $user -NewAlias "i:0#.w|IDD\142909" -IgnoreSid

This will migrate the user farm-wide. You do not need to call EnsureUser.

If you're using the User Profile Service App, make sure your user account has explicit Full Control over the UPSA to migrate users. I also provided the example above if using Windows Claims auth. On the Get-SPUser, you don't have to specify it, but on the Move-SPUser, you do.

https://social.technet.microsoft.com/Forums/en-US/2703f6de-7a79-46b8-9184-01279a845c4b/migrating-all-users-to-a-new-domain?forum=sharepointadmin

Pieter
  • 359
  • 3
  • 14