Most of you probably know that SharePoint (MOSS 2007 and SP 2010) provides an stsadm command, "stsadm -o migrateuser", to migrate a user from an old domain account to a new domain account. While the command is a blessing, it also comes with a curse.

The stsadm -o migrateuser command does the following things (in the order specified below) when executed.

  • Marks the “new login id” for deletion (if the “new login id” already has some permissions set)
  • Replaces the “old login id” with the “new login id” (when the “old login id” already has some permissions set)

Consider the following example.

The following records are pulled from the UserInfo table, where a duplicate NTID is present for a particular user. The actual NTID (73263) has the user ID 427, while the duplicate ID (i:0#-73263) has the user ID 1719.

After running stsadm -o migrateuser on the above-mentioned user, below is the status of the UserInfo table for the same records.

So what does this mean?

Let's say, for example, that the actual NTID is associated with a group that has Full Control permission and the duplicate NTID is associated with a group that has Limited Access. After running stsadm -o migrateuser on the user NTID, the actual NTID is removed from the group with Full Control permission, and the duplicate NTID is replaced with the actual NTID in the group with Limited Access permission, thereby causing access-related issues for the user.

Bottom line: be wary of the above before running the stsadm -o migrateuser command :)
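One way to spot this situation before running the command is sketched below. It is an added example, not part of the original post, and it applies to SP 2010 only, since it relies on the SharePoint Management Shell. The script name `Test-MigrateUserCollision.ps1`, its parameters and the output column names are assumptions chosen for illustration. It reports every site collection where both logins already exist and lists the groups that only the new login belongs to, which are the memberships the behaviour described above would drop.

```powershell
# Test-MigrateUserCollision.ps1 (hypothetical name) - added example, not from the original post.
# Run in the SharePoint 2010 Management Shell before "stsadm -o migrateuser".
# Pass the logins exactly as they are stored in the site collection's user list.
param(
    [Parameter(Mandatory = $true)][string]$WebAppUrl,  # web application to scan
    [Parameter(Mandatory = $true)][string]$OldLogin,   # value you would pass as -oldlogin
    [Parameter(Mandatory = $true)][string]$NewLogin    # value you would pass as -newlogin
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Return the SharePoint group names a user belongs to (empty array if none).
function Get-GroupNames($user) {
    if ($user -eq $null) { return @() }
    return @($user.Groups | ForEach-Object { $_.Name })
}

foreach ($site in Get-SPSite -WebApplication $WebAppUrl -Limit All) {
    try {
        # SiteUsers is the per-site-collection user list (the rows seen in UserInfo).
        $users = $site.RootWeb.SiteUsers
        $old = $users | Where-Object { $_.LoginName -eq $OldLogin } | Select-Object -First 1
        $new = $users | Where-Object { $_.LoginName -eq $NewLogin } | Select-Object -First 1

        # Only a site collection holding BOTH records is affected: the existing
        # "new login" record is the one that gets marked for deletion.
        if ($old -and $new) {
            $oldGroups = Get-GroupNames $old
            $newGroups = Get-GroupNames $new
            # Groups held only by the new login's record are not carried over.
            $atRisk = @($newGroups | Where-Object { $oldGroups -notcontains $_ })

            New-Object PSObject -Property @{
                Site               = $site.Url
                OldLoginUserId     = $old.ID
                NewLoginUserId     = $new.ID
                OldLoginGroups     = ($oldGroups -join '; ')
                NewLoginGroups     = ($newGroups -join '; ')
                GroupsOnlyOnNewLogin = ($atRisk -join '; ')
            }
        }
    }
    finally {
        $site.Dispose()   # release the SPSite object
    }
}
```

The script compares group membership only; permissions granted directly to either login on a site, list or item need a separate review. Any group listed under `GroupsOnlyOnNewLogin` can be granted to the old login first, so the membership survives the migration.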