Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Tuesday, February 20, 2018 1:11 PM
I am facing this problem, that inside some site collections the user information inside the "_layouts/15/userdisp.aspx?ID=" is not correct, or represents old information. here are some cases:-
1. Inside a site collection i have a user with all his info inside the "_layouts/15/userdisp.aspx?ID=" being wrongly shown. these info include ; Account, Name & Work Email. but when i added this user inside a sharepoint group, i found that the Account for the user got correctly updated inside the "_layouts/15/userdisp.aspx?ID=" while his Name & Work Email are still showing old values.
2. on a newly added site collection i found that the info for this user is correctly showing inside the "_layouts/15/userdisp.aspx?ID=".
Now in our case we are not using any sync settings inside our User Profile service.so my question is there a fast way i can do the following using power shell:-
1. Update the Account, Name & work email for all the users on all the site collections to match what is correctly defined inside AD? as i mentioned adding a user to a sharepoint group, have automatically updated his Account info on the "_layouts/15/userdisp.aspx?ID=" but did not change the Name & Work Email, so can i automate this process for all users on all site collections for all the properties?
Thanks
All replies (4)
Tuesday, February 20, 2018 3:17 PM | 1 vote
You can use Set-SPUser -SyncFromAD on a per-Site Collection basis, but I'd just suggest implementing AD sync via the UPSA.
Trevor Seward
Office Servers and Services MVP
Author, Deploying SharePoint 2016
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
Tuesday, February 20, 2018 3:54 PM
Thanks for your email.
now i run this command, to update the users' info:-
Get-SPUser –Web "http://servername/sites/WikiSite" | Set-SPUser –SyncFromAD
Where i can see that some users got their display name and email address updated. while i got many exceptions as follow:-
Set-SPUser : Cannot get the full name or e-mail address of user "i:0#.w|ad-****\****.****".
At line:1 char:60
+ Get-SPUser –Web "http://servername/sites/WikiSite" | Set-SPUser –SyncFromA ...
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (Microsoft.Share...SPCmdletSetUser:SPCmdletSetUser) [Set-SPUser], SPException
+ FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletSetUser
on all the users who left the company but have accessed the site collection before. also in addition to the leaver users, i go the above exception on these users:-
c:0(.s|true
i:0#.w|ad-*****\fromeveryone
c:0!.s|windows
NT AUTHORITY\LOCAL SERVICE
SHAREPOINT\system
My questions are:-
First question. is there a way i can modify my power-shell script, to avoid these exceptions?
Second point. now how does the `Set-SPUser -SyncFromAD ` match users between SharePoint and Active Directory? will it base the match on Account or on the GUID ? as if the sync is based on the Account name (AD\user.name), then in our case we have some users whom account names have been updated on AD.. so does this mean that the -SyncFromAD will fail to sync these users?
Tuesday, February 20, 2018 3:57 PM | 1 vote
You can't use Set-SPUser with a user who is disabled or deleted from Active Directory. The match is based on the sAMAccountName (technically an ambiguous resolution, you can see the exact LDAP query by running a package capture on the SharePoint server where the query is performed).
The list of users you provided are not really users you cannot update. This is by design.
Trevor Seward
Office Servers and Services MVP
Author, Deploying SharePoint 2016
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
Tuesday, February 20, 2018 4:42 PM
You can't use Set-SPUser with a user who is disabled or deleted from Active Directory. The match is based on the sAMAccountName (technically an ambiguous resolution, you can see the exact LDAP query by running a package capture on the SharePoint server where the query is performed).
The list of users you provided are not really users you cannot update. This is by design.
Trevor Seward
Office Servers and Services MVP
![]()
![]()
Author, Deploying SharePoint 2016
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
Thanks for your reply and hrlp.
So you mean if I run the following command:-
Get-SPUser –Web "http://servername/sites/WikiSite" | Set-SPUser –SyncFromAD
then it is normal to get the exceptions on leaver users? so i do not have to modify the script?
second point. now let say the user's Sam Account got changed on AD, so in this case the following command will fail to sync the user:-
Get-SPUser –Web "http://servername/sites/WikiSite" | Set-SPUser –SyncFromAD
is this correct? now based on my test when i run the above command, and there is a user whose Account on SP does not match his account on AD, i got the following exception on the user:-
Set-SPUser : Cannot get the full name or e-mail address of user
so this mean that the above script will only be valuable if the Accounts inside AD and SP are the same, while if it is not the case, then the above command will fail to sync the users. so my question is if there is a way using powershell which can allow me to first update the users' account on SP to match the accounts on AD, then i can run the :-
Get-SPUser –Web "http://servername/sites/WikiSite" | Set-SPUser –SyncFromAD
to update the Display Name and work email for the user?
now i find this appraoch by chance, where i use to have a user whose Account on SP is different from AD, and when i add the user to a sharepoint security group,i noted that his Account value on the `userdisp.aspx` page got updated to match what is defined on AD. so can i benefit from this to have a wider appraoch to update the Accounts on SP to match the Accounts on AD???