SharePoint doesn't delete leavers from site collection

  • Question

  • Hi

    I have been facing this problem for quite some time with my SharePoint 2007 environment, where any leaver is not dealt with by SharePoint and the user stays in the site collection whereas it is deleted from AD. If a new user is created in AD using the same user name (which is technically fine with AD, as the user name is not taken), then, as the site collection still keeps the old user, this new user (having the same user name) starts causing the problem. SharePoint gets confused with this as soon as the user tries to log in.

    For example, there was a user called JMurphy who left the company and was deleted from AD but stayed in the site collection. A new user recently joined, and her user name was created as 'JMurphy' in AD. Now when this new user logs on to the intranet, SharePoint for some reason gets confused and it blocks the intranet completely.

    Can anyone please let me know why this is happening and how this can be fixed?

    This is very urgent!!

    Thanks

    • Moved by Xue-Mei Chang-MSFT (Moderator), Monday, October 8, 2012 2:58 AM: sharepoint 2007 issue (From: SharePoint 2010 - General Questions and Answers)
    Monday, October 1, 2012 12:26 PM

All replies

  • What do you mean it blocks the intranet?

    SharePoint doesn't use the user name ("JMurphy") to distinguish between two accounts; rather, it uses the account's AD security identifier (SID). In this case you can technically have one or more users with the same username and they will all be able to use SharePoint. Technically the only way to do this is as you've described -- the original account is deleted in AD and a new account is created with the same name.

    To be certain that the account has been deleted, you can use the Remove-SPUser cmdlet (for best results, run this after the user has been deleted in SharePoint and before you have created a new user with the same name):

    # Resolve the SPUser object for the stale account in the target site
    $deleteduser = Get-SPUser -Identity "DOMAIN\deleteduser" -Web "http://path/to/site"
    # Remove-SPUser also requires -Web (the site the user is being removed from)
    Remove-SPUser -Identity $deleteduser -Web "http://path/to/site"


    Jason Warren
    Infrastructure Architect

    Monday, October 1, 2012 12:47 PM
  • Hi Jason

    Thanks for your reply. What I meant to say by 'blocks the intranet' is that, in the situation explained above, when the user tries to log on to the intranet the following SQL query runs, which blocks other SQL queries, and that's how the intranet hangs completely and is not accessible at all.

    (@P1 uniqueidentifier,@P2 int,@P3 int,@P4 int,@P5 varbinary(19),@P6 bit,@P7 bit,@P8 bit,@P9 nvarchar(6),@P10 int,@P11 varbinary(19),@P12 nvarchar(11),@P13 nvarchar(11),@P14 nvarchar(24),@P15 nvarchar(1),@P16 nvarchar(1),@P17 nvarchar(1),@P18 nvarchar(1),@P19 nvarchar(1),@P20 nvarchar(1),@P21 nvarchar(1),@P22 nvarchar(1),@P23 nvarchar(1),@P24 nvarchar(1),@P25 nvarchar(1),@P26 bit,@P27 bit,@P28 nvarchar(35),@P29 bit,@P30 nvarchar(1),@P31 nvarchar(1),@P32 nvarchar(1),@P33 nvarchar(1),@P34 nvarchar(1),@P35 nvarchar(1),@P36 nvarchar(1),@P37 nvarchar(1),@P38 nvarchar(6),@P39 int,@P40 int OUTPUT)
    SET NOCOUNT ON;
    DECLARE @DN nvarchar(256),@LN nvarchar(128),@@DocUIVersion int,@@S uniqueidentifier,@@Level tinyint;
    DECLARE @ItemId int;
    DECLARE @@iRet int;
    DECLARE @ExtraItemSize int;
    SET @@Level = 1;
    SET @@S=@P1;
    BEGIN TRAN
    EXEC @@iRet = proc_SecRemoveUserFromSite @@S, @P2, @P3
    SELECT @ItemId = @P4
    IF @@iRet <> 0 BEGIN ROLLBACK TRAN; GOTO DONE; END
    IF NOT EXISTS( SELECT tp_ID FROM UserData WHERE tp_ListId = 'E477331C-C6C9-46C9-8907-7A91D1CF425D' AND tp_ID = @ItemId AND tp_Level = 1 AND tp_RowOrdinal =0)
    BEGIN
        SELECT @ExtraItemSize = 0
        EXEC @@iRet = proc_AddListItem @SiteId = 'CA4D17A9-D2E0-4314-95D9-CE9DD82A2ED1', @WebId='407AFC22-532C-4ABC-A87B-5CFB2ECA9A23', @ListID = 'E477331C-C6C9-46C9-8907-7A91D1CF425D', @RowOrdinal = 0, @ItemId = @ItemId OUTPUT, @ItemDirName=@DN OUTPUT, @ItemLeafName=@LN OUTPUT, @UserID = 1, @TimeNow = '20121001 12:11:38', @ServerTemplate = 112, @Basetype= 0, @Level= 1, @tp_GUID =NULL, @AddNamespace=1, @CheckDiskQuota=1, @tp_ContentTypeId = @P5, @bit2 = @P6, @bit3 = @P7, @bit4 = @P8, @tp_ContentType = @P9, @tp_ModerationStatus = @P10, @Size = 16, @ExtraItemSize = @ExtraItemSize, @acl=0xF3FE0000010000000000000000000000;
        IF @@iRet <> 0 BEGIN ROLLBACK TRAN; GOTO DONE; END
    END
    ELSE
    BEGIN
        SET @@Level=1;
        SELECT @ExtraItemSize = 0
        EXEC @@iRet = proc_UpdateListItem @SiteId='CA4D17A9-D2E0-4314-95D9-CE9DD82A2ED1', @WebId='407AFC22-532C-4ABC-A87B-5CFB2ECA9A23', @ListID = 'E477331C-C6C9-46C9-8907-7A91D1CF425D', @ItemID=999, @RowOrdinal = 0, @ReturnRowset = 1, @ItemDirName=@DN OUTPUT, @ItemLeafName=@LN OUTPUT, @UserId=1, @TimeNow = '20121001 12:11:38', @SystemUpdate=1, @MajorVersionsLimit=0, @MajorMinorVersionsLimit=0, @NewUIVersion = @@DocUIVersion OUTPUT, @Level=@@Level OUTPUT, @IsDocLib=0, @tp_ContentTypeId = @P11, @nvarchar1 = @P12, @nvarchar3 = @P13, @nvarchar4 = @P14, @ntext2 = @P15, @int1 = @P16, @int2 = @P17, @int3 = @P18, @int4 = @P19, @bit1 = @P20, @int5 = @P21, @int6 = @P22, @int7 = @P23, @int8 = @P24, @int9 = @P25, @bit2 = @P26, @bit3 = @P27, @nvarchar9 = @P28, @bit4 = @P29, @nvarchar10 = @P30, @nvarchar11 = @P31, @nvarchar12 = @P32, @nvarchar13 = @P33, @nvarchar14 = @P34, @nvarchar15 = @P35, @ntext3 = @P36, @nvarchar17 = @P37, @tp_ContentType = @P38, @tp_ModerationStatus = @P39, @tp_ItemOrder = 99900.0000000000, @Size = 186, @ExtraItemSize = @ExtraItemSize, @acl=0xF3FE0000010000000000000000000000;
        IF @@iRet <> 0 BEGIN ROLLBACK TRAN; GOTO DONE; END
        EXEC proc_ClearLinks @@S,@DN,@LN,@@Level,'E241F186-9B94-415C-9F66-255CE7F86235';
        EXEC proc_ClearLinks @@S,@DN,@LN,@@Level,'82B26987-3381-4B90-9FE8-5630C8ACA7FA';
        EXEC proc_ClearLinks @@S,@DN,@LN,@@Level,'A49AE959-3D4E-477B-AB68-5ED6705AEAA9';
    END;
    COMMIT TRAN;
    DONE: SELECT @P40 = @@iRet

    You said it uses the SID and not the user name to distinguish between two users, but it does cause the problem in this situation (I have faced this 3 times so far), which sounds like it does get confused with the user name.

    Anyways, I have tried the above command that you mentioned to delete the user, but it doesn't recognize the Get-SPUser command.

    Atif

    Monday, October 1, 2012 1:45 PM
  • Anyways, I have tried the above command that you mentioned to delete the user, but it doesn't recognize the Get-SPUser command.

    Can you provide the command and output from your attempt?

    Jason Warren
    Infrastructure Architect

    Monday, October 1, 2012 1:54 PM
  • Monday, October 1, 2012 2:26 PM
  • agsiddiqui

    You seem to be running Windows PowerShell. You need to run the SharePoint 2010 Management Shell, which has the SharePoint PowerShell modules, or run Add-PSSnapin Microsoft.SharePoint.PowerShell in Windows PowerShell, which adds the SharePoint 2010 modules to Windows PowerShell, though you need to do this every time you use Windows PowerShell to manage SharePoint 2010.

    Hope this helps

    Kevin

    Monday, October 1, 2012 2:45 PM
  • Hi,

    I believe the reason the command is not running is:

    a) The SharePoint PowerShell snap-in is not registered. To do that, run the following command first:

     Add-PSSnapin Microsoft.Sharepoint.Powershell

    b) If this command also does not run, make sure you use a 64-bit PowerShell window.

    For your previous query, check the command which Jason provided and see if it works; else we can look into it.

    Monday, October 1, 2012 2:50 PM
  • When I run this 'Add-PSSnapin' command it says:

    "Add-PSSnapin : Windows PowerShell snap-in Microsoft.SharePoint.Powershell is not installed on the machine"

    Monday, October 1, 2012 3:05 PM
  • You'll need to run this on one of the SharePoint servers in the farm.

    Jason Warren
    Infrastructure Architect

    Monday, October 1, 2012 3:19 PM
  • Hi,

    See the screenshot below and use either of the options 1 and 2 below, and of those use the underlined one.

    Note: don't use the x86 one. The 1st option can be found under Accessories: Start >> All Programs >> Accessories >> Windows PowerShell. The 2nd option: Start >> All Programs >> Microsoft SharePoint 2010 Products.

    Monday, October 1, 2012 3:36 PM
  • Hi 

    Please have a look at the screenshot below. The one highlighted in yellow is what I am using, and it is still not working. Just to let you know, I am using SharePoint 2007 on Server 2003.

    Thanks

    Atif

    Monday, October 1, 2012 3:58 PM
  • Forgive me for misunderstanding; SharePoint 2007 does not have the SharePoint Management Shell, and the PowerShell script I posted above will not work.

    I've flagged this thread to have it moved to the pre-2010 forum.


    Jason Warren
    Infrastructure Architect

    Monday, October 1, 2012 4:09 PM
  • Hi Jason

    Is there a way to delete a user from a site collection in SharePoint 2007? I have tried the code below and it didn't work. The user is still appearing in the site collection.

    using Microsoft.SharePoint; // reference Microsoft.SharePoint.dll; build x64 and run on a farm server
    class RemoveStaleUser
    {
        static void Main()
        {
            using (SPSite sps = new SPSite("http://yourSite"))
            {
                using (SPWeb spw = sps.OpenWeb())
                {
                    spw.AllUsers.Remove("domain\\user"); // drop the login from this web's user collection
                }
            }
        }
    }

    I have also tried deleting it using STSADM command but no joy.

    Thanks

    Atif

    Wednesday, October 3, 2012 9:00 AM
  • How did you use that code? It looks like C# and would need to be compiled into an application and run on one of the servers in the farm.

    Jason Warren
    Infrastructure Architect

    Wednesday, October 3, 2012 12:04 PM
  • Thanks for the post. I'd just like to mention that this exact same issue was experienced by one of our customers as well, on SharePoint 2010. The query isn't failing, but there are too many records to update (caused by too many unique permissions within the site collection) and it keeps spinning for hours, not able to finish, blocking other users' requests in the meantime. We ended up creating a new AD account for the returned user, as some other attempts failed to remedy the situation. Things we've tried:

    1. Using a script to remove this particular user's unique permissions from all individual libraries didn't speed up the procedure.

    2. Using a script to synchronize the user's SID to the AD one; we encountered an error with that process.

    We did not have enough time to fully investigate why the above approaches didn't succeed.

    Another approach others reported working, but not feasible due to security implications, is to remove unique permissions from all sites by resetting them to inheriting permissions, using scripts.

    Sunday, September 18, 2016 11:55 PM
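The check a practitioner would want before a login name is reused, as an added example that is not code from this thread or from Microsoft: compare the SID SharePoint stored for the account with the SID AD now holds for that name, and if they differ either re-point the stored user at the new account (the SID synchronization the last reply describes, via Move-SPUser -IgnoreSID) or remove it (Jason's Remove-SPUser). It assumes the SharePoint 2010 Management Shell cmdlets on a farm server (as Jason notes, they do not exist on 2007); $siteUrl and $login are placeholders.

```powershell
# Added example: report (and optionally fix) a site-collection user whose stored SID
# no longer matches the AD account that currently owns the same login name.
param(
    [string]$siteUrl = "http://intranet.example.local",  # placeholder site collection URL
    [string]$login   = "DOMAIN\jmurphy",                  # placeholder login name being reused
    [switch]$Fix                                          # without -Fix the script only reports
)

# Load the SharePoint snap-in when running from plain (64-bit) Windows PowerShell
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Translate the login name to the SID AD holds for it *now*
$adSid = ([System.Security.Principal.NTAccount]$login).Translate(
             [System.Security.Principal.SecurityIdentifier]).Value

$web = Get-SPWeb $siteUrl
try {
    # Site-collection users are held in the root web's SiteUsers collection
    $spUser = $web.Site.RootWeb.SiteUsers | Where-Object { $_.LoginName -eq $login }
    if (-not $spUser) {
        Write-Host "$login is not present in $siteUrl"
        return
    }

    $storedSid = $spUser.Sid   # SID recorded when the original account was added
    if ($storedSid -eq $adSid) {
        Write-Host "OK: stored SID matches AD for $login"
        return
    }

    # Mismatch: the old account was deleted and the name re-created with a new SID
    Write-Warning "STALE: $login stored SID $storedSid, current AD SID $adSid"
    if ($Fix) {
        # Re-point the existing SharePoint identity at the new AD account, keeping its permissions
        Move-SPUser -Identity $spUser -NewAlias $login -IgnoreSID -Confirm:$false
        # Alternative: remove it so the new account is added fresh on first login
        # Remove-SPUser -Identity $spUser -Web $web -Confirm:$false
    }
}
finally {
    $web.Dispose()   # always release the SPWeb object
}
```

Run it once without -Fix per site collection after a leaver's account is deleted, and you will see the stale entry before the re-created account ever logs in and triggers the proc_SecRemoveUserFromSite transaction shown above.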