Syncing ADFS accounts to SharePoint
After a long march over mountains and rivers, the ADFS-to-SharePoint configuration finally succeeded. There is still a lot of work to do. Microsoft feels like the Tathagata Buddha: it insists you go through all eighty-one tribulations before anything counts as finished. The next problem to deal with is what happens to the accounts once users can log in to SharePoint through ADFS: the existing Windows accounts in SharePoint have to be moved over to their ADFS claims identities.
Reference links: https://blogs.msdn.microsoft.com/sambetts/2014/09/03/how-to-migrate-sharepoint-users-to-adfs/
https://blogs.msdn.microsoft.com/pranab/2012/06/27/sharepoint-user-migration-ad-to-adfs/
Check users
Get-SPUser -web "https://xxx.xxx.com.cn" | ?{$_.userlogin -like "*test*"}

- Migration
Single-user migration example
$groupprefix = "c:0-.t|awesome adfs|"   # this is the sample code from the reference; the value I actually ran with successfully is below
# $groupprefix = "c:0-.t|adfs|awesome"
$userprefix = "i:05.t|awesome adfs|"    # $userprefix = "i:05.t|adfs|awesome"
$usersuffix = "@awesomespaceships.com"
(Example screenshot)
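The block above sets the prefixes but does not show the move itself. As an added example (my own code, not from this post, the referenced MSDN posts or Microsoft), here is a mapping function for one classic Windows principal plus a dry run with -WhatIf before the real Move-SPUser. It assumes the trusted provider is registered in SharePoint under the post's sample name "awesome adfs" with the sample e-mail suffix; the site URL and the test login are placeholders.

```powershell
# Added example, not from the original post: map one classic Windows principal to its
# ADFS claims login, preview the move, then commit it.
# Assumptions: the trusted provider is registered in SharePoint as "awesome adfs" and
# the e-mail suffix is "@awesomespaceships.com" (both are the post's sample values);
# the site URL and the test login are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl     = "https://sharepoint.example.com"          # placeholder
$provider    = "awesome adfs"
$userPrefix  = "i:05.t|$provider|"    # i = identity claim, 5 = e-mail claim type, t = trusted provider
$groupPrefix = "c:0-.t|$provider|"    # c = non-identity claim, - = role claim type
$userSuffix  = "@awesomespaceships.com"

# Build the new login from an SPUser object. Returns $null when the principal is not a
# classic Windows user or group, so the caller skips it instead of guessing.
function ConvertTo-AdfsLogin($SPUser)
{
    $login = $SPUser.UserLogin
    if ($login -like "i:0#.w|*")
    {
        # classic user "i:0#.w|DOMAIN\sam": keep the account name, add the e-mail suffix
        $sam = $login.Split("\")[-1]
        return $userPrefix + $sam + $userSuffix
    }
    if ($login -like "c:0+.w|*")
    {
        # classic AD group: UserLogin holds the SID, DisplayName holds "DOMAIN\group"
        $group = $SPUser.DisplayName.Split("\")[-1]
        return $groupPrefix + $group
    }
    return $null
}

# Move one principal. Without -Commit only a -WhatIf preview runs.
function Move-SingleUser
{
    param(
        [string] $Web,
        [string] $OldLogin,
        [switch] $Commit
    )
    $user = Get-SPUser -Web $Web -Identity $OldLogin -ErrorAction Stop
    $new  = ConvertTo-AdfsLogin $user
    if (-not $new) { throw "No ADFS mapping for '$OldLogin'" }

    # Refuse to move the account running the script: moving it is how site-collection
    # admin rights get lost half way through a migration.
    if ($user.UserLogin -like "*\$([Environment]::UserName)")
    {
        throw "Refusing to move the current account '$OldLogin'"
    }

    Write-Host "$($user.UserLogin) -> $new"
    if ($Commit)
    {
        Move-SPUser -Identity $user -NewAlias $new -IgnoreSID -Confirm:$false
    }
    else
    {
        Move-SPUser -Identity $user -NewAlias $new -IgnoreSID -WhatIf
    }
    return $new
}

# Preview first; commit only once the printed mapping looks right.
Move-SingleUser -Web $siteUrl -OldLogin 'i:0#.w|DOMAIN\test'
# Move-SingleUser -Web $siteUrl -OldLogin 'i:0#.w|DOMAIN\test' -Commit
```

Run it from the SharePoint Management Shell as a farm administrator. The -WhatIf pass costs nothing and catches the two mistakes that hurt most: a wrong provider name (the new login then belongs to nobody) and accidentally moving the account you are logged in with.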
- Iterate and replace all users
Reference one. It kept throwing errors and I could not be bothered to debug it.
# $userprefix, $groupprefix and $usersuffix come from the single-user example above
$users = Get-SPUser -web "https://xxx.xx.com.cn"
foreach($user in $users)
{
    $a = @()
    $userlogin = $user.UserLogin
    $displayname = $user.DisplayName   # for classic AD groups the login holds the SID, the display name holds DOMAIN\group
    $username = ""
    if($userlogin.Contains("i:"))
    {
        # classic user "i:0#.w|DOMAIN\user": keep the account name, add the e-mail suffix
        $a = $userlogin.split('\')
        $username = $userprefix + $a[1] + $usersuffix
    }
    elseif($userlogin.Contains("c:"))   # PowerShell has no "else if"; it must be "elseif"
    {
        $a = $displayname.split('\')
        $username = $groupprefix + $a[1]
    }
    if ($username -like ("*" + [Environment]::UserName + "*"))
    {
        Write-Host "Skipping this user '$user' so as to not lose SPA full-control rights..."
    }
    else
    {
        if ($username -ne "")
        {
            Write-Host "Moving '$user' to '$username'..."
            Move-SPUser -Identity $user -NewAlias $username -IgnoreSID -Confirm:$false
        }
    }
}
- Reference two. This one ran successfully.
Reference: https://social.technet.microsoft.com/Forums/en-US/d6c31ee4-c341-4ebd-b5b1-20b8fb918659/ad-to-adfs-user-migration-movespuser-error?forum=sharepointadmin
$srvr = 'https://xxx.xxx.com.cn'
# classic Windows claims: "i:0#.w|" = user identity, "c:0+.w|" = AD group (stored by SID)
$users  = Get-SPUser -Web $srvr -Limit ALL | where {$_.UserLogin -like "i:0#.w|*"}
$groups = Get-SPUser -Web $srvr -Limit ALL | where {$_.UserLogin -like "c:0+.w|*"}

# look up the mail attribute of an AD account by sAMAccountName
function getMemberMail($strName)
{
    $strFilter = "(&(objectCategory=User)(samaccountname=$strName))"
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry   # no path: binds to the current domain
    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.PageSize = 1000
    $objSearcher.Filter = $strFilter
    $objSearcher.SearchScope = "Subtree"
    $result = $objSearcher.FindOne()
    if ($result -eq $null) { return $null }   # account not found in AD
    return $result.Properties["mail"][0]
}

function ProcessItems($items)
{
    foreach($item in $items)
    {
        $alias = $null
        # check for groups ("domain" is a placeholder for the NetBIOS domain name)
        if ( $item.UserLogin -like "c:0+.w|*" )
        {
            if ( $item.Name -like "domain\*" )
            {
                $login = $item.Name.Split("\")[1]
            }
            else { $login = $item.Name }
            $alias = "c:0-.f|role|$login"
        }
        # check for users
        if ( $item.UserLogin -like "i:0#.w|domain\*" )
        {
            $login = $item.UserLogin.Split("\")[1]
            $login = getMemberMail $login
            if (-not $login)
            {
                Write-Warning "No mail attribute in AD for $($item.UserLogin), skipping"
                continue
            }
            $alias = "i:0#.f|member|$login"
        }
        if (-not $alias) { continue }   # neither pattern matched: leave the principal alone
        Write-Host "Moving: $item"
        Move-SPUser -Identity $item -NewAlias $alias -IgnoreSID -Confirm:$false
        Write-Host "Moved: $alias"
    }
}

ProcessItems $groups
ProcessItems $users
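Move-SPUser rewrites permissions, and what you most want to know afterwards is whether anyone lost access. As an added example (my own code, not part of this post or of the TechNet thread), here is a snapshot-and-verify pair: export every role assignment on the web to CSV before the migration, then compare afterwards and list any classic Windows logins left behind. The site URL, the CSV path and the old-to-new login map are placeholders or constructed values.

```powershell
# Added example, not from the original post or the TechNet thread: snapshot role
# assignments before Move-SPUser runs, then verify nobody lost access afterwards.
# Assumptions: placeholder site URL and CSV path; the old-to-new login map is constructed
# here and in practice comes from whatever loop you use to build the aliases.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# One row per principal with a role assignment on the web: the login plus the
# role definition names it holds, joined with ';'.
function Export-RoleSnapshot($Web, $Path)
{
    $w = Get-SPWeb $Web
    $rows = @()
    foreach ($ra in $w.RoleAssignments)
    {
        $rows += New-Object PSObject -Property @{
            Login = $ra.Member.LoginName        # Member is an SPUser or an SPGroup
            Roles = (($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';')
        }
    }
    $w.Dispose()
    $rows | Export-Csv -Path $Path -NoTypeInformation
    return $rows
}

# Compare a pre-migration snapshot with the current state. $Map is old login -> new login.
# Returns a list of problem strings; an empty list means the move looks clean.
function Test-Migration($Web, $SnapshotPath, [hashtable] $Map)
{
    $before = Import-Csv $SnapshotPath
    $after  = Export-RoleSnapshot $Web "$SnapshotPath.after.csv"
    $problems = @()

    foreach ($row in $before)
    {
        if (-not $Map.ContainsKey($row.Login)) { continue }   # not part of this migration
        $new = $Map[$row.Login]

        if ($after | Where-Object { $_.Login -eq $row.Login })
        {
            $problems += "old login still present: $($row.Login)"
        }
        $match = $after | Where-Object { $_.Login -eq $new }
        if (-not $match)
        {
            $problems += "new login missing after move: $new"
            continue
        }
        if ($match.Roles -ne $row.Roles)
        {
            $problems += "roles changed for $new : '$($row.Roles)' -> '$($match.Roles)'"
        }
    }

    # Any classic Windows principal left behind means the migration loop skipped it.
    $leftover = Get-SPUser -Web $Web -Limit ALL |
        Where-Object { $_.UserLogin -like "i:0#.w|*" -or $_.UserLogin -like "c:0+.w|*" }
    foreach ($u in $leftover) { $problems += "not migrated: $($u.UserLogin)" }

    return $problems
}

# Usage (placeholder URL and path, constructed mapping):
$siteUrl  = "https://sharepoint.example.com"
$snapshot = "C:\temp\roles-before.csv"
Export-RoleSnapshot $siteUrl $snapshot | Out-Null
# ... run Move-SPUser for every principal here ...
$map = @{ 'i:0#.w|domain\alice' = 'i:0#.f|member|alice@awesomespaceships.com' }
Test-Migration $siteUrl $snapshot $map | ForEach-Object { Write-Warning $_ }
```

The snapshot covers only the web you pass in; subsites, lists and items with unique permissions need their own pass over their RoleAssignments. Keep the "before" CSV: if a user reports lost access weeks later, it tells you exactly what they had.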