Moving users between domains in BPOS

You can attach several domains to your BPOS account. For example, if you’re running a corporation called Contoso, you might want contoso.com and contoso.net. Your user accounts would then be created under one of these domains, e.g. joe@contoso.com. But what if you need to move users between domains?

The unfortunate fact is that you can’t do that. Once you’ve created joe@contoso.com, you cannot change it to joe@contoso.net. You don’t necessarily care either – you can certainly set up aliases to make both email addresses work. The user will, however, use his real credentials to log in.

If you really need to move users, there are a few things you need to work on. The only approach to this is to delete/recreate the accounts. Most importantly, all Exchange data will be nuked, and you should use appropriate backups to handle the move.

Fixing everything in SharePoint

Also, your SharePoint identity will change. There are two key things you need to look into:

First, making permissions right again. If you’re using SharePoint groups (see the fine intro for on-premise SharePoint security in SharePoint Blues), assigning the proper permissions isn’t usually a big task; if you have assigned permissions directly into user accounts, you may be in for lots of checking and clicking.image

Second, references to users (typically, in list columns with the type of user/group) stop working correctly; even though joe@contoso.com and joe@contoso.net indicate the same person, they are two very separate users. You could end up in a situation where you have two user identities with imagethe same name, but only the active one shows e.g. presence status.

You can fix this by manually resetting the user references in each of the list items. Of course, this is more than a little cumbersome, and you probably end up in a scenario pictured to the left: The same user name appears twice, and it’s really hard to tell which one to pick.

So yeah, the next step is to remove the superfluous user accounts from SharePoint.

Getting rid of your ghosts

image Go to the People and Groups view in your site collection root. You will likely see something like the adjacent image, with dual copies of your user accounts. As long as these duplicates exist, your user selectors keep showing dual copies of all the users – and deleting users from the BPOS admin does not remove them from SharePoint.

imageYou can clean up the ghosts manually by checking the users related to old domain accounts and then choosing Actions > Delete users from Site Collection. If your users are online, you can usually spot the entries to be removed by the presence status. For non-online users, click the user name and check the domain name the user is associated to.

What if you have lost your adminhood?

image What if you don’t have the Delete users from Site Collection option available in the Actions menu? This is probably because you are not the site collection admin. This could happen reasonably easily if you also moved the administrator account between domains.

BPOS sets you as the site collection administrator when you create the collection. You can also change it later from the administrative portal at admin.microsoftonline.com. Pick Service Settings / SharePoint Online and click the name of your Site collection (note: not the Site Settings link). Select the Site collection permissions tab and use the provided tools to make yourself the owner. After that, you should have the Delete option available.

Avoid the whole trouble if you can

Perhaps the most obvious scenario where you can hit this is if you use the default domain created with the BPOS account. The default domain is of the format accountname.region.microsoftonline.com. The moment you start your BPOS trial you may be inclined to start working with the default domain, but do realize that getting rid of it later on isn’t exactly trivial.

I would recommend registering your production domain with BPOS right from the start. Registering a domain only requires setting up a CName in the DNS records. It takes more work to configure email to work, but you don’t have to do that immediately. However, having the domain registered enables you to create the user accounts into it, avoiding much of the hassle involved with “moving” them later on.

September 18, 2010 · Jouni Heikniemi · No Comments
Tags:  · Posted in: Cloud, Windows IT

Leave a Reply