Occasionally I run into issues where an employee leaves a company and then comes back. This is especially true of companies that use a lot of contractors who come and go. There are times when a user exists in the User Information List and not the User Profile, and then when they come back the SIDs for their accounts are different. This usually happens either due to timing issues on when the AD/UPS was set up or when the User Profile/AD sync has broken at some point and needed to be recreated. The end result is that we’re stuck with an account that looks like it has the right permissions, but when the user tries to access a site they have permissions for, they keep getting access denied.
Normally this synchronization happens with the “User Profile to SharePoint Full Synchronization” timer job, defined as:
“Synchronizes user information from the user profile application to SharePoint users and synchronizes site memberships from SharePoint to the user profile application.”
However, even though the NT ID was the same, the SIDs were different because a new account was created instead of the old one being disabled and re-enabled, so SharePoint did not recognize the account as having access to any of the sites it had been added to. This is normal, secure behavior: we don’t want people to be able to recreate admin accounts and get into places they shouldn’t without really being the person they are supposed to be. It does, however, lead to some awkward permission issues when an employee rejoins a company after they’ve left.
So the fix is to delete their record from the User Information List. This removes all their permissions from the site collection and they’ll need to be provisioned, but sometimes you need to nuke them from orbit because it’s the only way to be sure…
From the UI
Generally, the User Information List can be seen using this page:
http://[site collection]/_catalogs/users/simple.aspx
However, there’s no delete function there. Instead you’ll want to use the following:
http://[site collection]/_layouts/people.aspx?MembershipGroupId=0
Since this is a tabular view, we can now go to the appropriate account, select the checkbox next to their name and use the “Delete Users from Site” option in the Actions menu.
From PowerShell
If you want to get fancy with PowerShell, here is how you would remove the user from the User Information List for a site collection:
    # Load the SharePoint snap-in (continue past the error if it is already loaded)
    Add-PSSnapin microsoft.sharepoint.powershell -ea continue
    $site = Get-SPSite "http://[site collection]"
    $web = $site.RootWeb
    $list = $web.Lists["User Information List"]
    # Find the stale entry by account name
    $i = $list.Items | where {$_["Account"] -eq "<Account You Want To Delete>"}
    # Only delete when a matching entry was found
    if ($i) { $i.Delete() }
    $web.Dispose()
    $site.Dispose()

And now you can go back into all the sites and re-add the user, and the correct information and SID should come over. An added bonus is that the User Information List and User Profile Service should now be synchronizing again for this account and everyone is happy.
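To check which accounts actually carry a stale SID before removing anything, the SID SharePoint has stored for each user can be compared with the SID that AD returns for the same login today. This is an added example, not code from the original post; it assumes the server can resolve the accounts against AD, and the function names Resolve-CurrentSid and Find-StaleSid are hypothetical.

```powershell
# Added example, not from the original post. Read-only: it deletes nothing.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: look up the SID the directory returns for a login right now.
function Resolve-CurrentSid {
    param([string]$LoginName)
    # Claims-mode logins look like "i:0#.w|DOMAIN\user"; keep the part after the last pipe.
    $account = ($LoginName -split '\|')[-1]
    try {
        $nt = New-Object System.Security.Principal.NTAccount($account)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null   # the account name no longer resolves
    }
}

# Hypothetical helper: emit one row per user whose stored SID differs from the current one.
function Find-StaleSid {
    param([Parameter(ValueFromPipeline = $true)]$User)
    process {
        # Skip groups and entries that have no SID recorded.
        if ($User.IsDomainGroup -or -not $User.Sid) { return }
        $current = Resolve-CurrentSid $User.LoginName
        if ($current -ne $User.Sid) {
            New-Object PSObject -Property @{
                LoginName  = $User.LoginName
                StoredSid  = $User.Sid
                CurrentSid = $current
            }
        }
    }
}

# SPUser objects expose LoginName, Sid and IsDomainGroup.
Get-SPUser -Web "http://[site collection]" -Limit All | Find-StaleSid |
    Format-Table LoginName, StoredSid, CurrentSid -AutoSize
```

A row with both SIDs filled in is the rejoined-employee case described above. A row with an empty CurrentSid is a login that no longer resolves at all.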
EDIT [2/29/2012]: If you want to perform regular maintenance on orphaned accounts and don’t mind the tactical nuke approach, -PurgeNonImportedObjects may also be for you. Check out http://iedaddy.com/2012/02/sharepoint-2010user-information-lists-and-user-profile-cleanup/ for details.
Thanks for your blog post. This was really helpful.
Thanks! I’m glad to see that some of these older posts are still useful!