Question

If a Participant LDAP Forms user Gets Moved to a New OU, Does it Change the SID?

asked on October 27, 2015

Our Active Directory admin has been doing some adjustments with OUs and has created new OUs and moved existing users into them from other OUs. Some of these user accounts were being synched in Forms.

When one of these users is moved from one OU to another, does that change the SID that is stored in the Forms database for that user?

If so, does that mean that user loses all of their history?

2 0

Answers

APPROVED ANSWER
replied on November 30, 2015

Following is the full list of queries you need to run to migrate data to the new user:

1. view data in Tasks list/My History list/Drafts lists and perform task

update [dbo].[cf_user_snapshot] set sid=[new_user_sid],user_id=[new_user_id] where username=[old_username]

2. update process access right to be able to view process from start dialog/submit form/save draft

update [dbo].[cf_users_in_role] set user_id=[new_user_id] where user_id=[old_user_id]

3. update time zone and signature

delete [dbo].[cf_user_profile] where user_id=[new_user_id]
  
update [dbo].[cf_user_profile] set sid=[new_user_sid],user_id=[new_user_id] where user_id=[old_user_id]

For process modeler user task and email service task, you need to manually remove the old user from the dialog then add the new user, for there is no simple query to achieve this.

4 0
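
Added example, not part of the original answer and not Laserfiche's own script: the three steps above run as a single T-SQL transaction that checks the target account first and reports row counts before anything is committed. Table and column names come from the queries in this thread (user_id in cf_user_snapshot is set to the new user_id, as in the October 31 reply); the variable names, column types and placeholder values are assumptions.

```sql
-- Added example. Values below are constructed placeholders; look up the real
-- ones in cf_users first. Column types (int / nvarchar) are assumed.
SET XACT_ABORT ON;  -- any runtime error (e.g. a key conflict) rolls everything back

DECLARE @old_username nvarchar(256) = N'old.user';          -- placeholder
DECLARE @old_user_id  int           = 0;                     -- placeholder
DECLARE @new_user_id  int           = 0;                     -- placeholder
DECLARE @new_user_sid nvarchar(256) = N'S-1-9-PLACEHOLDER';  -- placeholder
DECLARE @snapshots int, @roles int, @profiles int;

-- Refuse to run unless the new user_id/SID pair exists exactly once in cf_users.
IF (SELECT COUNT(*) FROM [dbo].[cf_users]
    WHERE user_id = @new_user_id AND sid = @new_user_sid) <> 1
BEGIN
    RAISERROR('New user_id/SID pair not found in cf_users; nothing changed.', 16, 1);
    RETURN;
END;

BEGIN TRANSACTION;

-- Step 1: Tasks list / My History list / Drafts list
UPDATE [dbo].[cf_user_snapshot]
   SET sid = @new_user_sid, user_id = @new_user_id
 WHERE username = @old_username;
SET @snapshots = @@ROWCOUNT;

-- Step 2: process access rights
UPDATE [dbo].[cf_users_in_role]
   SET user_id = @new_user_id
 WHERE user_id = @old_user_id;
SET @roles = @@ROWCOUNT;

-- Step 3: time zone and signature; remove the new account's profile row
-- so the old user's row can take its place
DELETE FROM [dbo].[cf_user_profile] WHERE user_id = @new_user_id;
UPDATE [dbo].[cf_user_profile]
   SET sid = @new_user_sid, user_id = @new_user_id
 WHERE user_id = @old_user_id;
SET @profiles = @@ROWCOUNT;

-- Review the counts; change ROLLBACK to COMMIT only when they match expectations.
SELECT @snapshots AS snapshots_moved, @roles AS roles_moved, @profiles AS profiles_moved;
ROLLBACK TRANSACTION;
```

Run it against a backup or test copy of the Forms database first; as written it rolls back, so the first pass only reports how many rows each step would touch.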
SELECTED ANSWER
replied on February 18, 2022

The behavior has been changed since Forms 10.4: for an LDAP server profile configured prior to 10.4, there will be an option, "Retain Active Directory SIDs", to allow you to switch to using the SID from Active Directory instead of generating the SID based on the distinguished name, so the SID will no longer change if the LDAP participant is moved to a new OU. An LDAP server profile newly configured with Forms 10.4 or above will just use the SID from Active Directory.

2 0
replied on August 3, 2023

Hi

Can you advise if these scripts are still valid for current Laserfiche 11 releases?

We need to migrate from Repository to Directory Server users but do not want to use the Account Migration Utility as there are some net changes that occur with this tool that we do not desire.

Thanks in advance

0 0
replied on August 14, 2023

Hi William,

It's best if you reach out to Laserfiche Support with the exact scenario you have in mind and the specific changes the Account Migration Utility makes that you're concerned about. They may have the latest scripts on-hand and/or can connect with the Forms team about the best way to address the use case.

0 0
replied on April 19, 2024

Hi Xiuhong,

 

What impact will this have if enabling this option with existing users?  Do we need to run the provided script to update their SID?

0 0
replied on August 15, 2024

To clarify on this statement

"allow you switch to use the SID from Active Directory instead of generating the SID based on distinguished name"

Does it update existing users' SIDs to the one from Active Directory so that they can be moved to a new OU, or does it only apply to newly created accounts?

0 0
replied on August 15, 2024

Hey Chad, the people who know the answer to this aren't going to get a notification ping on this old thread. Please open a support case asking the question, linking to this thread, and saying that I said to have them ask the Forms team to publicly respond here. A bit roundabout, but that's going to be the best way to get an answer.

0 0

Replies

replied on October 28, 2015

Hi there,

For an LDAP participant, Forms generates its SID based on the distinguished name, as Laserfiche Server did for LDAP named users. The SID will become different if the distinguished name is changed, and the account will be recognized as a different user.

0 0
replied on October 28, 2015

How does LF Forms determine when to make a new user_id for a user in the Users table of the Forms database?

The reason I am asking is because we had 2 users that were in an OU in Active Directory and were using Forms. Someone moved them to a new OU and they were given new user_id's in the Forms database, but now all of their history is not showing up because it is linked to their old user_id value. We are trying to figure out a way to get it back for them.

0 0
replied on October 30, 2015

Yes, you can find the SID for the new user from the cf_users table and update the SIDs of the snapshots for the old users; then all the data will be linked to the new user. Use SQL as follows:

 

update [forms901migration1].[dbo].[cf_user_snapshot] set sid='S-1-9-12246189-803618998-1278549980-2955788692-861692740-6' where username='forms'

0 0
replied on October 30, 2015

I ran the update query for our users and it worked great. All history items are there and they even see a few items in their My Tasks.

The items in their My Task do not work when clicked on. It gives an error message saying Forms has encountered a problem. I'm guessing something needs to be updated with the tasks as well to get them working correctly.

Is there another query to run to fix the problem tasks?

0 0
replied on October 31, 2015

Did you get the error "You do not have permission to perform this action" when approving a task from My Task? If so, there is one more query you need to run. Find the user_id for the new user from the cf_users table, then update the user_id for the snapshots of the old user using a SQL query as follows:

update [dbo].[cf_user_snapshot] set user_id='[new_user_id]' where username='[username]'

1 0
replied on November 30, 2015

What would be the query to run in order to update drafts to the new user?

1 0
replied on August 17, 2018

Xiuhong Xiang,

Is there any update to this as I have been informed that the scheme has been changed? Does this apply to all users in the list or just for ones specified and changing them 1-by-1?

1 0
replied on October 23, 2020

Please let me know if this type of procedure can still be outlined for Forms 10.4.4.444. I believe we have a use case for migrating data from one SID to another.

0 0
replied on December 19, 2021

The scripts I provided can still work with newer versions of Forms to migrate data from one user to another user, but they will only migrate the tasks/access rights/time zone/signature data. We are evaluating making this a built-in feature to support migrating all history data/settings from one user to another; please share your use cases with us, such as:

1. What type of user do you want to migrate data from, and to what type of user?

2. How many users do you want to migrate?

3. Do you mind migrating them one by one, or do you want to bulk migrate?

0 0
replied on July 13, 2022

@████████ In response to your request for use cases:

  1. We're finding a very common need to migrate from Windows Accounts (AD users) to SAML Accounts. 
  2. Our largest thus far is 700+ users. 
  3. A phased approach is best, we currently take an approach similar to this: 
    • Phase 1: 5-10 users to test the process, iron out any wrinkles and for the client to understand the process and necessary communications and tasks. 
    • Phase 2: 25 users, getting our feet wet with performing a larger batch. 
    • Phase 3-N: 50-100 user batches until complete, just to reduce the risk of impacting all users if there's some hiccup. 
1 0