How to remove “orphaned” users from a site collection?

Question

We recently performed a domain migration where we migrated several forests and domains into a single domain. From speaking to the AD admins, this was done using a tool from Quest and it maintained SID history or something to that effect. The old domains and forests still exist (there are still other systems that have not yet migrated) and everything has a full trust.

We migrated our users and service accounts within SharePoint without a problem. This also worked well.

The issue we have now is with the People Picker. It is returning users from the old domains. Since there is a full trust between forests, people picker by default will search all domains. We solved this by using the stsadm operation setsiteuserdirectorypath, though there are still some users who appear from other domains. Upon inspection of the dbo.UserInfo table in the content database, there are entries for the old users that are not deleted (tp_Deleted = 0) and most of them are inactive (tp_IsActive = 0).

Attempting to list users in the site collection through the object model only displays active users though the people picker will still display these inactive users. We would like to stop this from happening, as this is confusing to the end users ("Which account do I select?")

Obviously direct modification of the content database is not supported. Is there a tool/API call that will delete these inactive users?

Answer 1

I have been through the same scenario as you described (also with the Quest tool). We cleaned it up by running the stsadm -o migrateuser command. This will migrate all of the content associated with the old account to the new account and remove any references of the old account in the site collection. It needs to be run once per user, per farm.