Convert my sites Primary Site Collection Administrators to ADFS
07-01-2021
Question
We converted our SharePoint 2013 environment to ADFS. I forgot to copy the prod versions of the my sites content DBs to the staging before the conversion. I was able to get the DBs copied over via this post here:
However, when I access the site collections in Central Admin, they have the NTLM user account as the Primary Site Collection Administrator instead of the ADFS account. When I try to access the My Site URL, I get "user not found". When I update the Primary Site Collection Administrator to the ADFS account, I can access the My Site.
My question is, how do I change the primary site collection admins in Central Admin to the ADFS account without having to manually do each one? We have thousands. I have already converted the UPA to pull in the ADFS accounts and migrated all the users in the standard site collection to ADFS. I don't know if copying the My Site DBs over after the conversion is the issue or if I am missing a step.
Thanks.
Solution
You can either use Convert-SPWebApplication to convert from Windows Claims to SAML Claims, or you can use Move-SPUser. Convert-SPWebApplication is probably the best route.
OTHER TIPS
You can run Move-SPUser against all users. Here is a nice script which gets the users from the web application and then converts them to the required claims (please test it first before applying it directly to prod).
# Load the SharePoint cmdlets if this is not run from the SharePoint Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$groupprefix = "c:0-.t|awesome adfs|"
$userprefix = "i:05.t|awesome adfs|"
$usersuffix = "@awesomespaceships.com"

# Get all of the users in a web application
$users = Get-SPUser -Web "https://sfb-sp15-wfe1:8080/"

# Loop through each of the users in the web app
foreach ($user in $users)
{
    # Create an array that will be used to split the user name
    $a = @()
    $userlogin = $user.UserLogin
    $username = ""
    if ($userlogin.Contains("i:")) # for users: Windows claims login looks like i:0#.w|DOMAIN\user
    {
        $a = $userlogin.Split('\')
        $username = $userprefix + $a[1] + $usersuffix
    }
    elseif ($userlogin.Contains("c:")) # for groups
    {
        # Windows claims group logins carry the SID, so the DOMAIN\group name comes from DisplayName
        $a = $user.DisplayName.Split('\')
        $username = $groupprefix + $a[1]
    }
    if ($username -like ("*" + [Environment]::UserName + "*"))
    {
        Write-Host "Skipping this user '$user' so as to not lose SPA full-control rights..."
    }
    else
    {
        if ($username -ne '')
        {
            Write-Host "Moving '$user' to '$username'..."
            Move-SPUser -Identity $user -NewAlias $username -IgnoreSID -Confirm:$false
        }
    }
}
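The question is specifically about the Primary Site Collection Administrator (the site Owner) of thousands of My Sites, which the Move-SPUser script above does not touch. The following PowerShell loop is an added example, not code from either answer: it derives the SAML claims login of each site owner from its Windows claims login with New-SPClaimsPrincipal and applies it with Set-SPSite. The web application URL, the token issuer name and the UPN suffix are placeholders modelled on the prefixes used above; the dry-run switch is an assumption added so the mapping can be reviewed before anything is changed.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholders (assumptions): My Site host web application, the name of the
# SPTrustedIdentityTokenIssuer for ADFS, and the UPN suffix used in the script above.
$webAppUrl  = "https://mysites.example.com"
$issuerName = "awesome adfs"
$userSuffix = "@awesomespaceships.com"
$dryRun     = $true   # set to $false only after reviewing the logged mapping

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName

# Turn a Windows claims login (i:0#.w|DOMAIN\user) into the encoded SAML claims
# login (i:05.t|awesome adfs|user@suffix). Returns $null when the owner is
# already a SAML claim or the login does not look like a Windows account.
function Get-AdfsLogin([string]$login)
{
    if ($login -notlike "i:0#.w|*" -or -not $login.Contains('\')) { return $null }
    $sam = $login.Split('\')[1]
    $principal = New-SPClaimsPrincipal -Identity ($sam + $userSuffix) -TrustedIdentityTokenIssuer $issuer
    return $principal.ToEncodedString()
}

# -Limit All is needed: the default cap would silently stop at 200 site collections
foreach ($site in Get-SPSite -WebApplication $webAppUrl -Limit All)
{
    try
    {
        $ownerLogin = $site.Owner.UserLogin
        $newOwner = Get-AdfsLogin $ownerLogin
        if (-not $newOwner)
        {
            Write-Host "Skipping $($site.Url): owner '$ownerLogin' is not a Windows claims login"
            continue
        }
        Write-Host "$($site.Url): '$ownerLogin' -> '$newOwner'"
        if (-not $dryRun)
        {
            # Owner is what Central Admin shows as the Primary Site Collection Administrator
            Set-SPSite -Identity $site -OwnerAlias $newOwner
        }
    }
    finally
    {
        $site.Dispose()   # SPSite objects hold SQL connections; release them on a long loop
    }
}
```

The Secondary Site Collection Administrator can be handled the same way by mapping $site.SecondaryContact.UserLogin and passing it to Set-SPSite -SecondaryOwnerAlias.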