Cause of Orphaned Users in Sharepoint

This isn't really a problem. More of a question for best practices.
We have a number of orphaned users in our SharePoint environment. We have a way to remove orphaned users already. However, we want to prevent so many orphaned users from occurring again.
I know accounts become orphaned when the user has been disabled or removed from Active Directory. Will we always have orphaned accounts, or is there a best practice to prevent this?
I ask because we inherited a bad security practice. Many users were given access to sites directly, or they were added to multiple SharePoint groups. We are changing this to have Active Directory security groups inside of SharePoint groups. We set all permissions via Active Directory groups. When a user is disabled or deleted, their user account is removed from the AD group, thus updating the SharePoint permissions. Will this prevent the orphaned account problems?
I think it would, but then I wonder about sites or items created by the deleted user. Will this cause the orphaned account in SharePoint? I hope I am making sense. Ultimately, I would like to know what exactly causes an account to become orphaned and how to best prevent it.
Thanks for any input.
LSTalbot

Items in SharePoint would not get affected when you remove the users.
However, make sure that orphan users are older than 30 days, as per your AD policy, before removing them, because after removing an orphan from a site, in case you require them in the future, it is not possible to add them back with the exact same permissions.
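An added example (not from the thread, and not code from either poster) for auditing the practice the question describes: it walks a site collection and classifies every grant as a direct user, an AD security group, or a SharePoint group, so the direct grants that will turn into orphans can be migrated to AD groups inside SharePoint groups before the accounts are disabled. It assumes SharePoint Server 2010/2013 on-premises and the SharePoint Management Shell; the site URL is a placeholder.

```powershell
# Added example (not from the thread): audit how access is granted in a site
# collection so direct user grants can be found and migrated to AD security
# groups nested in SharePoint groups. Assumes SharePoint Server 2010/2013
# on-premises and the SharePoint Management Shell; the URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Classify a principal: a SharePoint group, an AD security group, or a user
# added directly. Direct users are the ones that become orphans when the
# account is later disabled or deleted in AD.
function Get-PrincipalKind($principal) {
    if ($principal -is [Microsoft.SharePoint.SPGroup]) { return "SharePointGroup" }
    if ($principal.IsDomainGroup) { return "ADGroup" }
    return "DirectUser"
}

# One report row per grant or group membership.
function New-AuditRow($web, $scope, $container, $principal, $roles) {
    New-Object PSObject -Property @{
        Web       = $web
        Scope     = $scope
        Container = $container
        Principal = $principal.LoginName
        Kind      = (Get-PrincipalKind $principal)
        Roles     = $roles
    }
}

function Get-PermissionAudit([string]$SiteUrl) {
    $site = Get-SPSite $SiteUrl
    try {
        # SharePoint groups are site-collection scoped: list their members once.
        foreach ($group in $site.RootWeb.SiteGroups) {
            foreach ($user in $group.Users) {
                New-AuditRow $site.RootWeb.Url "GroupMember" $group.Name $user ""
            }
        }
        # Role assignments are per web; only webs with unique permissions
        # (not inheriting from the parent) hold their own.
        foreach ($web in $site.AllWebs) {
            try {
                if ($web.HasUniqueRoleAssignments) {
                    foreach ($ra in $web.RoleAssignments) {
                        $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ","
                        New-AuditRow $web.Url "WebGrant" "" $ra.Member $roles
                    }
                }
            } finally {
                $web.Dispose()
            }
        }
    } finally {
        $site.Dispose()
    }
}

# Report: every DirectUser row is a future orphan once the account goes away
# in AD; the target state is no DirectUser rows and only ADGroup members
# inside the SharePoint groups.
$audit = Get-PermissionAudit "http://portal"   # placeholder site collection URL
$audit | Group-Object Kind | Select-Object Name, Count | Format-Table -AutoSize
$audit | Where-Object { $_.Kind -eq "DirectUser" } |
    Sort-Object Web, Container |
    Format-Table Web, Scope, Container, Principal, Roles -AutoSize
```

Re-run the report after each migration to measure how many direct grants remain.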

Similar Messages

  • Powershell Script to find out Orphan Users ( Who are no longer available in AD but SharePoint) in SharePoint 2013

    Hi,
    Can you please help with the above issue? I have one script which works fine for SP2010 but not SP2013, below:
    Script
    function Check_User_In_ActiveDirectory([string]$LoginName, [string]$domaincnx)
    {
        $returnValue = $false
        #Filter on User which exists and activated
        #$strFilter = "(&(objectCategory=user)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(samAccountName=$LoginName))"
        #Filter on User which only exists
        #$strFilter = "(&(objectCategory=user)(objectClass=user)(samAccountName=$LoginName))"
        #Filter on User and NTgroups which only exists
        $strFilter = "(&(|(objectCategory=user)(objectCategory=group))(samAccountName=$LoginName))"
        $objDomain = New-Object System.DirectoryServices.DirectoryEntry($domaincnx)
        $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
        $objSearcher.SearchRoot = $objDomain
        $objSearcher.PageSize = 1000
        $objSearcher.Filter = $strFilter
        $objSearcher.SearchScope = "Subtree"
        #$objSearcher.PropertiesToLoad.Add("name")
        $colResults = $objSearcher.FindAll()
        if($colResults.Count -gt 0)
        {
            #Write-Host "Account exists and Active: ", $LoginName
            $returnValue = $true
        }
        return $returnValue
    }

    function ListOrphanedUsers([string]$SiteCollectionURL, [string]$mydomaincnx)
    {
        [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") > $null
        $site = new-object Microsoft.SharePoint.SPSite($SiteCollectionURL)
        $web = $site.openweb()
        #Debugging - show SiteCollectionURL
        write-host "SiteCollectionURL: ", $SiteCollectionURL
        Write-Output "SiteCollectionURL - $SiteCollectionURL"
        $siteCollUsers = $web.SiteUsers
        write-host "Users Items: ", $siteCollUsers.Count
        foreach($MyUser in $siteCollUsers)
        {
            if(($MyUser.LoginName.ToLower() -ne "sharepoint\system") -and ($MyUser.LoginName.ToLower() -ne "nt authority\authenticated users") -and ($MyUser.LoginName.ToLower() -ne "nt authority\local service"))
            {
                #Write-Host "  USER: ", $MyUser.LoginName
                $UserName = $MyUser.LoginName.ToLower()
                $Tablename = $UserName.split("\")
                Write-Host "User Login: ", $MyUser.LoginName
                $returncheck = Check_User_In_ActiveDirectory $Tablename[1] $mydomaincnx
                if($returncheck -eq $False)
                {
                    #Write-Host "User not exist: ",  $MyUser.LoginName, "on domain", $mydomaincnx
                    Write-Output $MyUser.LoginName
                }
            }
        }
        $web.Dispose()
        $site.Dispose()
    }

    function ListOrphanedUsersForAllColl([string]$WebAppURL, [string]$DomainCNX)
    {
        [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") > $null
        $Thesite = new-object Microsoft.SharePoint.SPSite($WebAppURL)
        $oApp = $Thesite.WebApplication
        write-host "Total of Site Collections: ", $oApp.Sites.Count
        $i = 0
        foreach ($Sites in $oApp.Sites)
        {
            $i = $i + 1
            write-host "Collection N° ", $i, "on ", $oApp.Sites.Count
            if($i -gt 0)
            {
                $mySubweb = $Sites.RootWeb
                $TempRelativeURL = $mySubweb.Url
                ListOrphanedUsers $TempRelativeURL $DomainCNX
            }
        }
    }

    function StartProcess()
    {
        # Create the stopwatch
        [System.Diagnostics.Stopwatch] $sw;
        $sw = New-Object System.Diagnostics.StopWatch
        $sw.Start()
        #cls
        ListOrphanedUsersForAllColl "http://portal" "LDAP://DC=Srabon,DC=com"
        ListOrphanedUsersForAllColl "http://portal/sites/Test" "LDAP://DC=Srabon,DC=com"
        $sw.Stop()
        # Write the compact output to the screen
        write-host "Time: ", $sw.Elapsed.ToString()
    }

    StartProcess
    # Can be executed with that command : "Check-SharePoint-Orphaned-Users.ps1 > orphaned_users.txt"
    srabon

    Hi Srabon,
    Try this; it works in SP2007, SP2010, and SP2013.
    Modify line 70, $WebAppURL="http://intranet.contoso.com", to your own "http://WebApp".
    [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

    #Functions to Imitate SharePoint 2007, 2010, 2013
    function global:Get-SPWebApplication($WebAppURL)
    {
        return [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup($WebAppURL)
    }
    function global:Get-SPSite($url)
    {
        return new-Object Microsoft.SharePoint.SPSite($url)
    }
    function global:Get-SPWeb($url)
    {
        $site= New-Object Microsoft.SharePoint.SPSite($url)
        if ($site -ne $null)
        {
            $web=$site.OpenWeb();
        }
        return $web
    }

    #Check if User exists in ActiveDirectory
    function CheckUserExistsInAD
    {
        Param( [Parameter(Mandatory=$true)] [string]$UserLoginID )
        #Search the User in ActiveDirectory
        $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
        foreach ($Domain in $forest.Domains)
        {
            $context = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $Domain.Name)
            $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($context)
            $root = $domain.GetDirectoryEntry()
            $search = [System.DirectoryServices.DirectorySearcher]$root
            $search.Filter = "(&(objectCategory=User)(samAccountName=$UserLoginID))"
            $result = $search.FindOne()
            if ($result -ne $null)
            {
                return $true
            }
        }
        return $false
    }

    $WebAppURL="http://intranet.contoso.com"
    #Get all Site Collections of the web application
    $WebApp = Get-SPWebApplication $WebAppURL
    #Iterate through all Site Collections
    foreach($site in $WebApp.Sites)
    {
        #Get all Webs with Unique Permissions - Which includes Root Webs
        $WebsColl = $site.AllWebs | Where {$_.HasUniqueRoleAssignments -eq $True} | ForEach-Object {
            $OrphanedUsers = @()
            #Iterate through the users collection
            foreach($User in $_.SiteUsers)
            {
                #Exclude Built-in User Accounts , Security Groups & an external domain "corporate"
                if (($User.LoginName.ToLower() -ne "nt authority\authenticated users") -and
                    ($User.LoginName.ToLower() -ne "sharepoint\system") -and
                    ($User.LoginName.ToLower() -ne "nt authority\local service") -and
                    ($user.IsDomainGroup -eq $false ) -and
                    ($User.LoginName.ToLower().StartsWith("corporate") -ne $true) )
                {
                    $UserName = $User.LoginName.split("\") #Domain\UserName
                    $AccountName = $UserName[1] #UserName
                    if ( ( CheckUserExistsInAD $AccountName) -eq $false )
                    {
                        Write-Host "$($User.Name)($($User.LoginName)) from $($_.URL) doesn't Exists in AD!"
                        #Display Orphaned users
                        $OrphanedUsers+=$User.LoginName
                    }
                }
            }
            # <<<UNCOMMENT to Remove Users#
            # Remove the Orphaned Users from the site
            # foreach($OrpUser in $OrphanedUsers)
            # {
            #     $_.SiteUsers.Remove($OrpUser)
            #     Write-host "Removed the Orphaned user $($OrpUser) from $($_.URL) "
            # }
            # The current web is $_ inside ForEach-Object; dispose it, not an undefined $web
            $_.Dispose()
        }
        $site.Dispose()
    }
    -Ivan

  • We have a long list of disabled/deleted users in AD Somehow, they are still appeared as active user in Sharepoint Online. How do we get rid of those list? Hope you can advice. Thanks.

    we have a long list of disabled/deleted users in AD
    Somehow, they are still appeared as active user in Sharepoint Online.
    How do we get rid of those list?
    Hope you can advice. Thanks.

    SharePoint does not remove users from SharePoint permissions just because they were deleted/disabled in AD. This is to maintain referential integrity. In fact, when you delete a user from SharePoint, that user remains in the SharePoint content database, just marked as deleted.
    They do not have access to SharePoint given their account is deleted/disabled. But as far as automatically managing this, I'm not aware of a tool. On-prem there is Metalogix ControlPoint which does a great job of this; I haven't explored the O365 options.
    Trevor Seward
    Follow or contact me at...
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • How to resolve a windows authenticated orphaned user in Sql Server 2008 R2?

    Hi,
    We have some orphaned Windows-authenticated (domain) users in the database after it was migrated from SQL Server 2005 to SQL Server 2008 R2, because there are no corresponding logins for the users. Would just adding the logins be sufficient, or after adding the logins should we also run sp_change_users_login @Action='update_one' to resolve any SID conflict? Thanking you in advance,
    With regards
    Binny Mathew

    Binny
    You have an issue with orphaned users if you use Mixed Authentication. If you use Windows and move the DB to the new server, the Windows login should already exist on the new server.
    Best Regards,Uri Dimant SQL Server MVP,
    http://sqlblog.com/blogs/uri_dimant/

  • Automatically create users in SharePoint based on Active Directory OU

    Hi,
    This is one of our client's requirements.
    Is it possible to automatically create a user in SharePoint and assign him/her read privileges on the portal when ever a new user is created in Active Directory?
    To re-iterate the above question in a different way; when a new employee joins the organization, a user is created in the Active Directory OU. Is it possible to automatically create this user in SharePoint without any manual intervention?
    If yes, how? Is it a third-party synchronization tool, or does SharePoint have a sync feature / service?
    Thank you,
    Regards,
    Gagandeep Singh
    My CRM blog |
    My SharePoint blog

    Hi,
    User Profile Synchronization is responsible for that. Once users are created in Active Directory, you have the sync service running on a certain schedule and all users are grabbed; the only step left is either to grant permission in SharePoint, or you have generic access granted to all authenticated users or to certain Active Directory groups that the user is assigned to.
    More about user profile :
    https://technet.microsoft.com/en-us/library/ee721049.aspx
    http://social.technet.microsoft.com/wiki/contents/articles/12545.sharepoint-2013-setting-up-user-profile-synchronization-12.aspx
    https://technet.microsoft.com/en-us/library/ff382639.aspx
    http://blog.sharedove.com/adisjugo/index.php/2012/07/23/setting-user-profile-synchronization-service-in-sharepoint-2013/
    Kind Regards,
    John Naguib
    Senior Consultant
    John Naguib Blog
    John Naguib Twitter
    Please remember to mark this as answered if it helped you

  • Add user to sharepoint group using REST API

    I am trying to add a user to sharepoint group with following code
    serviceUrl = Appweb + "/_api/SP.AppContextSite(@target)/web/sitegroups(" + GroupId + ")/users?@target='host web'";
    $.ajax({
        url: serviceUrl,
        type: "POST",
        contentType: "application/json; charset=utf-8",
        dataType: 'json',
        body: "{'__metadata': { 'type': 'SP.User' },'LoginName':'i:0#.f|membership|'+email }",
        headers: {
            "accept": "application/json;odata=verbose",
            "content-type": "application/json;odata=verbose",
            "X-RequestDigest": $("#__REQUESTDIGEST").val()
        },
        async: false,
        success: function (data) {
            alert('success');
        },
        error: function (data) {
            alert('fail');
        }
    });
    The request goes to the error function. The response of the request is Microsoft.SharePoint.Client.InvalidClientQueryException and the message is "A node of type 'EndOfInput' was read from the JSON reader when trying to read the start of an entry. A 'StartObject' node was expected".
    I tried the sample from the following link but it failed too:
    https://msdn.microsoft.com/en-us/library/office/dn531432.aspx

    Hi,
    Per my understanding, you might want to add a user to a SharePoint group in the host web from a SharePoint-hosted app using the REST API.
    Here is a working demo for your reference:
    var hostweburl;
    var appweburl;
    $(document).ready(function () {
        //Get the URI decoded URLs.
        hostweburl = decodeURIComponent(getQueryStringParameter("SPHostUrl"));
        appweburl = decodeURIComponent(getQueryStringParameter("SPAppWebUrl"));
        // Resources are in URLs in the form:
        // web_url/_layouts/15/resource
        var scriptbase = hostweburl + "/_layouts/15/";
        // SP.RequestExecutor.js to make cross-domain requests
        $.getScript(scriptbase + "SP.RequestExecutor.js", loadPage);
    });
    // Entry point once SP.RequestExecutor.js is available
    function loadPage() {
        addUsersInGroup();
    }
    // Utilities
    // Retrieve a query string value.
    // For production purposes you may want to use a library to handle the query string.
    function getQueryStringParameter(paramToRetrieve) {
        var params = document.URL.split("?")[1].split("&");
        for (var i = 0; i < params.length; i = i + 1) {
            var singleParam = params[i].split("=");
            if (singleParam[0] == paramToRetrieve) return singleParam[1];
        }
    }
    function addUsersInGroup() {
        var executor;
        // Initialize the RequestExecutor with the app web URL.
        executor = new SP.RequestExecutor(appweburl);
        executor.executeAsync({
            url: appweburl + "/_api/SP.AppContextSite(@target)/web/sitegroups(8)/users?@target='" + hostweburl + "'",
            method: "POST",
            contentType: "application/json; charset=utf-8",
            dataType: 'json',
            body: "{'__metadata': { 'type': 'SP.User' },'LoginName':'i:0#.f|membership|[email protected]'}",
            headers: {
                "Accept": "application/json; odata=verbose",
                "content-type": "application/json;odata=verbose",
                "X-RequestDigest": $("#__REQUESTDIGEST").val()
            },
            success: addUsersInGroupSuccessHandler,
            error: addUsersInGroupErrorHandler
        });
    }
    function addUsersInGroupSuccessHandler(data) {
        console.log(data);
        var jsonObject = JSON.parse(data.body);
        console.log(jsonObject);
    }
    function addUsersInGroupErrorHandler(data) {
        console.log(data);
        var jsonObject = JSON.parse(data.body);
        console.log(jsonObject);
    }
    Thanks 
    Patrick Liang
    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
    [email protected].

  • Search suggestion not working for anonymous user in sharepoint 2013

    Hi ,
    Please help with this: search suggestions are not working for an anonymous user in SharePoint 2013.
    shaik

    You can create a search center site, and set the search center site to allow anonymous access.
    Also see this link - http://blog.mastykarz.nl/search-query-suggestions-anonymous-users-sharepoint-2013-mavention-query-suggestions/
    (As this is regarding a 3rd party tool, I suggest that you direct it to the provider support.)
    Please 'propose as answer' if it helped you, also 'vote helpful' if you like this reply.

  • How to hide the Columns and Views for Login user in SharePoint 2013

    Hi Friends,
    How can we hide columns and views for a logged-in user in SharePoint 2013? Is it possible using OOB features? If not, how can we hide the columns and views for a logged-in user?
    Could you please help on this.
    Thanks,
    Tiru
    Tiru

    Hello Tirupal,
    There is no OOB way to do this.
    Please check this codeplex solution to achieve the same.
    https://sp2013columnpermission.codeplex.com/
    My Blog- http://www.sharepoint-journey.com|
    If a post answers your question, please click Mark As Answer on that post and Vote as Helpful

  • Asking authentication window for anonymous users on an anonymous-enabled BI site when viewing dashboards (or: deploy dashboards to be viewed by anonymous users in SharePoint 2013)

    Hi
    In SharePoint 2013 I created a BI center site.
    1) I followed best practices from TechNet for how to create the Secure Store Service and PerformancePoint service applications,
    2) added Unattended Service Account permissions in the SSAS data sources,
    3) gave db_owner permissions for the PerformancePoint service application pool account in the content database.
    4) My requirement is that deployed dashboards and pointers can be viewable by any users without logging in to the SharePoint web application, so I enabled anonymous access for the whole web application and the BI site.
    But even when I open BI dashboards without login as a view-permission user, it asks for an authentication window.
    I opened Dashboard Designer and deployed using the SPFarm user on the SharePoint web front end server.
    adil

    PerformancePoint generally does not support Anonymous access, as is the case when using Excel Services data connections:
    https://technet.microsoft.com/en-us/library/ff191193.aspx
    Trevor Seward
    Follow or contact me at...
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • How to get spuserid of login user in sharepoint 2013

    I want to retrieve the SPUser ID of the logged-in user in SharePoint 2013 using SPServices.

    Hello,
    Here is the code to get current user id:
    var curUserId, curUserName;
    $().SPServices({
        operation: "GetUserInfo",
        async: false,
        userLoginName: $().SPServices.SPGetCurrentUser(),
        completefunc: function (xData, Status) {
            $(xData.responseXML).find("User").each(function () {
                curUserId = $(this).attr("ID");
                curUserName = $(this).attr("Name");
            });
        }
    });
    http://yalla.itgroove.net/2011/12/sharepoint-2010-get-current-username-logged-in-user/
    Hope it could help
    Hemendra:Yesterday is just a memory,Tomorrow we may never see
    Please remember to mark the replies as answers if they help and unmark them if they provide no help

  • Import AD users to SharePoint online

    Hi, I need help importing Active Directory users into SharePoint Online, so that authentication will be done with the imported users on SharePoint Online. Please help me with the procedure to integrate/import on-premises AD to SharePoint Online.
    Thanks in advance,
    Sai

    Hi Sai,
    I understand that you want to import local AD users to SharePoint Online.
    Please download DirSync from the Office 365 admin center.
    It will sync all users from AD to Office 365; then you need to assign licences.
    Please have a look at the blog below.
    Mukesh

  • Apple cause the disabled user identity?

    apple cause the disabled user identity?

    If your account is disabled then depending on the reason why, you might be able to re-enable it via this page : http://appleid.apple.com, then 'reset your password'
    Or you might need to contact Apple : http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page
    If it then works on your computer's iTunes but not your iPad then try logging out of your account on the iPad by tapping on the id in Settings > Store and then log back in and see if that 'refreshes' the account on it

  • Remove SP User from SharePoint subsite

    Hello All,
    I am trying to remove a user account from all sub sites except a few.
    I am making use of the following command.
    Remove-SPUser "Contoso\jdoe" -web http://webapp/sites/site1/web1/
    But this command is removing the user from all the sub sites, including the site collection.
    Can anybody please help to delete the user from a specific subsite only?
    Thanks & Regards
    MD Liakath Ali
    MD.Liakath ali

    Hi,
    You can try to delete the user from a specific SharePoint group at the sub site level using a PowerShell script as below.
    $web = Get-SPWeb "http://webapp/sites/site1/web1/"   # the sub site from your question
    $theGroup = $web.SiteGroups["<group name>"]          # placeholder: the SharePoint group that holds the user
    $theUser = $web.SiteUsers["Contoso\jdoe"]
    #Remove user from SP Group
    $theGroup.RemoveUser($theUser);
    $web.Dispose()
    Find more details on the blog below:
    http://markimarta.com/sharepoint/add-remove-user-to-sharepoint-groups-with-powershell/
    Regards
    Soni K

  • Orphan users and deleting logins but not users

    Hello there,
    First off I'm sorry if this was already posted. I've researched for the last two hours and can't seem to find the answer I'm looking for.
    So it's my understanding that when you delete a server login, if you have a user that uses that login and THAT LOGIN only, once you delete the login the user is now an orphan user.
    I've been running the orphan user sp (
    USE <database_name>;
    GO
    sp_change_users_login @Action='Report';
    GO
    ) but recently I've deleted a login, the user still exists in the database, but it should now be an orphan user, right? I know for a fact this user is not in any other group, and it should be an orphan user. So why isn't it? :(

    Hi Krystina,
    Your question may be that sp_change_users_login didn't detect an orphan user scenario? If so, I would recommend checking sys.server_principals and sys.database_principals to verify for certain (and if you have a reproduction of the exact issue, please post here).
    Here is a demo that walks through the by-design behavior (dropping login will not equate to dropping a user, and that user will be an orphaned user).  
    USE [master]
    GO
    -- Create the login
    CREATE LOGIN [TestUser] WITH PASSWORD=N'Test!!1234',
    DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF;
    GO
    -- Create a database
    CREATE DATABASE [Test];
    GO
    -- Create the user in that database
    USE [Test]
    GO
    CREATE USER [TestUser] FOR LOGIN [TestUser] WITH DEFAULT_SCHEMA=[dbo];
    GO
    -- Drop the * login * (not user)
    DROP LOGIN [TestUser];
    -- You should no longer see this login at the SQL Server instance (server) scope
    SELECT [SP].[name], [SP].[principal_id], [SP].[sid], [SP].[type],
           [SP].[type_desc], [SP].[is_disabled], [SP].[create_date],
           [SP].[modify_date], [SP].[default_database_name],
           [SP].[default_language_name], [SP].[credential_id]
    FROM sys.[server_principals] AS [SP]
    WHERE name = 'TestUser';
    -- But we didn't drop the user, so you * should * still see it within the database (by-design)
    USE [Test];
    GO
    SELECT [DP].[name], [DP].[principal_id], [DP].[type], [DP].[type_desc],
           [DP].[default_schema_name], [DP].[create_date], [DP].[modify_date],
           [DP].[owning_principal_id], [DP].[sid], [DP].[is_fixed_role]
    FROM sys.[database_principals] AS [DP]
    WHERE name = 'TestUser';
    -- And your orphan proc call will report it as well
    EXEC sp_change_users_login @Action='Report';
    Best Regards, Joe Sack, MVP, SQL MCM | SackHQ.com

  • Access denied error for Read user in sharepoint 2010

    Hello,
    In a SharePoint 2010 subsite, a user with Read permission is getting an Access Denied error at login.
    A few points:
       1. Master pages are approved, not in pending status.
       2. Site permissions are not inherited.
    Please suggest the way to resolve it.
    Thank You,
    Santosh_09

    Check the threads below for troubleshooting the access denied issue. You can use Fiddler to trace what is causing the access denied.
    http://sharepoint.stackexchange.com/questions/75263/user-has-correct-permissions-for-subsite-but-access-is-denied
    http://sharepoint.stackexchange.com/questions/41225/user-permissions-access-denied-sharepoint-2010
    My Blog- http://www.sharepoint-journey.com|
    If a post answers your question, please click Mark As Answer on that post and Vote as Helpful
