This post will show a couple ways to get the identity claim for Active Directory groups that are being used in SharePoint 2013. We are going to need this identity claim for migrating Active Directory groups in SharePoint 2013. This makes it easy to migrate the permissions from one group to another if you change your Active Directory group structure.
I will explain how to migrate an Active Directory group account in SharePoint 2013 using the following blog posts:
- Get identity claim for AD groups in SharePoint 2013
- Migrating AD groups in SharePoint 2013
- Renaming an AD group in SharePoint 2013
Scenario
We have two AD groups and we want to migrate the permissions from one group to the other.
- Domain\GroupWillBeMigrated (Full control on root site)
- Domain\MigratedGroup (no entry in User Information List)
We are going to use the PowerShell command get-spuser to return the user account we are going to migrate. We will be needing this for the actual move of the group.
Ways to get the identity claim
1. PowerShell
We can user PowerShell to return the User Login for a specific display name.
We know that the display name is peet\groupwillbemigrated and we can use the following command:
Get-spuser –web https://portal.sharepointfire.com | Where-Object {$_.displayname -eq “peet\groupwillbemigrated”} | fl UserLogin
This will give us the identity claim for the group in SharePoint, but this can’t give us the identity claim for peet\migratedgroup because this group isn’t in the User Information List.
2. By checking effective permissions
You can do this by checking effective permissions or another people picker. Navigate to the root site and click on “check permissions” at the link “Site Permissions”
Fill in the group account and click on check now
You can now copy the claims token for this group.
3. Active Directory
The identity claim for an AD group is based on the SID of the group. The claim encoding for an Active Directory group consists of the following sections
c:0+.w|<SID>
- “c” for a claim other than identity
- “+” for a group SID
- “.” for a string
- “w” for a Windows claim
You can get the SID using the Active Directory PowerShell commands or by using the GUI.
PowerShell
import-module ac*
Get-ADGroup migratedgroup -properties * | fl name, objectsid
GUI