Problem: Migrated an Extranet site with a large user base in which multiple users have the same name. When a user has been removed from AD and the migration to the new farm is run, the AD automatically picks a different user and gives them the permissions of the user that left.
Example:
John Smith (john.smith@contoso.com) has been added to a site collection.
John Smith (@contoso) is removed from AD but still exists in the site collection permissions.
Ran Sharegate to move the content including user permissions to a new farm.
John Smith is added to the same SharePoint groups; however, it has added john_smith@clientA.com
Initial Hypothesis: Sharegate tries to resolve the user and is incorrectly resolving the user's name and not the name in AD. As the user has left the firm, the other user is being resolved and we end up with permission inconsistency.
I got this reply from Sharegate and can see that my issue happens at step 8.
"How Sharegate resolves users from the source to the destination"
"We look at the whole account name available, for matches to users at the destination through the SharePoint people picker. Once we have a list of potential matches for your user, we go through the list of values below (in the specified order). We consider the account a match when we find the same values for one of these properties:
1. Exact same account name
2. Same normalized account name (without claims header)
3. Same login and domain
4. Same login
5. Same login and domain (source login read from display name - this can happen when importing from file system because the account name is set as the display name)
6. Same login (source login read from display name - this can happen when importing from file system because the account name is set as the display name)
7. Same email address
8. Same display name
9. PrincipalType is not set or is a Security Group and same display name without domain"
Somewhat related:
https://sharegate.com/blog/unresolved-user-when-preserving-created-modified-sharepoint-migration
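
A simplified model of the match order quoted above, added here as an example (it is not Sharegate's code), which flags source accounts that reach a destination account only through step 8 so they can be reviewed before permissions are copied. Steps 5, 6 and 9 are left out; the account-name format, the case-insensitive comparisons and all function names are assumptions, and the sample users are constructed around the two addresses in the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    account: str        # account name, may carry a claims header (assumed format)
    email: str
    display_name: str

def normalize(account):
    """Strip a claims header such as 'i:0#.w|' and lowercase the rest."""
    return account.rsplit("|", 1)[-1].lower()

def login_parts(account):
    """Return (domain, login) for DOMAIN\\login or login@domain."""
    acc = normalize(account)
    if "\\" in acc:
        return tuple(acc.split("\\", 1))
    login, _, domain = acc.partition("@")
    return (domain, login)

# (step in the quoted list, property, predicate). Steps 5, 6 and 9 are not modelled.
RULES = [
    (1, "account name", lambda s, d: s.account == d.account),
    (2, "normalized account name", lambda s, d: normalize(s.account) == normalize(d.account)),
    (3, "login and domain", lambda s, d: login_parts(s.account) == login_parts(d.account)),
    (4, "login", lambda s, d: login_parts(s.account)[1] == login_parts(d.account)[1]),
    (7, "email address", lambda s, d: bool(s.email) and s.email.lower() == d.email.lower()),
    (8, "display name", lambda s, d: s.display_name.lower() == d.display_name.lower()),
]

def resolve(src, candidates):
    """First (step, property, destination user) that matches, in rule order."""
    for step, prop, same in RULES:
        for dest in candidates:
            if same(src, dest):
                return step, prop, dest
    return None

def display_name_only(source_users, dest_users):
    """Source accounts that reach the destination only through step 8."""
    hits = ((s, resolve(s, dest_users)) for s in source_users)
    return [(s.account, h[2].account) for s, h in hits if h and h[0] == 8]

# Constructed sample data; only the two e-mail addresses come from the post.
SOURCE = [User("i:0#.w|contoso\\john.smith", "john.smith@contoso.com", "John Smith"),
          User("i:0#.w|contoso\\jane.doe", "jane.doe@contoso.com", "Jane Doe")]
DEST = [User("i:0#.w|clienta\\john_smith", "john_smith@clientA.com", "John Smith"),
        User("i:0#.w|contoso\\jane.doe", "jane.doe@contoso.com", "Jane Doe")]
print(display_name_only(SOURCE, DEST))
```

Any pair this returns is a candidate for an explicit user mapping or for removing the stale account from the source permissions before the copy.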