Migrate users from forms based authentication to SharePoint 2010 claim based

During a migration from SharePoint 2007 to 2010 you will need to migrate the users as well. The most “unclear” part is how to migrate forms-based users to claims-based authentication. The internal names stored in SharePoint are different, so you will be unable to use the old names and passwords to log in unless you migrate. ASP.NET users use the format “providername:username”, while claims-based authentication uses the format “i:0#.f|providername|username”.

After setting up your web application and finalizing the configuration, run the following PowerShell script. I highlighted where you will need to change certain strings for it to work correctly in your environment…

# Change the URL to that of the new portal, and set the old and new provider names
$url = "http://myformsbasedportal.com"

$oldprovidername = "myoldprovidername"

$newprovidername = "mynewprovidername"

# Get all users in the site; this includes Windows users
$users = Get-SPUser -Web $url -Limit ALL

foreach ($useriteration in $users)
{
    $userlogin = $useriteration.UserLogin

    # Skip Windows users (login contains "\") and logins that start with "i:0#.f|", which are either new users or already migrated
    if ($userlogin.StartsWith("i:0#.f|") -or $userlogin.Contains("\") -or $userlogin.Contains("|"))
    {
        continue
    }

    # Get the user login name
    $a = $userlogin.Split(":")
    $username = $a[1]

    # Perform the actual migration: get the user, then move the user
    # (${oldprovidername} is braced so PowerShell does not read "$oldprovidername:" as a scope-qualified variable)
    $user = Get-SPUser -Web $url -Identity "${oldprovidername}:$username"
    Move-SPUser -IgnoreSID -Confirm:$false -Identity $user -NewAlias "i:0#.f|$newprovidername|$username"

    # Log
    Write-Host "converted user ${oldprovidername}:$username to i:0#.f|$newprovidername|$username"
}
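
A dry run of the login mapping, as an added example that is not part of the original post: it applies the same skip rules as the script above, but also checks that the prefix matches the old provider and splits on the first ":" only, so the plan can be reviewed before anything is passed to Move-SPUser. The function name Convert-FbaLoginToClaim and the sample logins are assumptions constructed for illustration; no SharePoint cmdlets are needed to run it.

```powershell
# Added example (not from the original post): plan the FBA -> claims login mapping
# without touching SharePoint. The function name and sample logins are hypothetical.
function Convert-FbaLoginToClaim {
    param(
        [Parameter(Mandatory = $true)][string]$UserLogin,
        [Parameter(Mandatory = $true)][string]$OldProviderName,
        [Parameter(Mandatory = $true)][string]$NewProviderName
    )
    $result = New-Object PSObject -Property @{
        OldLogin = $UserLogin; NewLogin = $null; Action = 'Skip'; Reason = ''
    }
    # Same skip rules as the migration script: Windows accounts and claims-encoded logins
    if ($UserLogin.Contains('\')) { $result.Reason = 'Windows account'; return $result }
    if ($UserLogin.Contains('|')) { $result.Reason = 'already claims-encoded'; return $result }

    # Split on the first ":" only, so a user name that contains ":" is not truncated
    $parts = $UserLogin -split ':', 2
    if ($parts.Count -ne 2 -or $parts[1] -eq '') {
        $result.Reason = 'no provider prefix'; return $result
    }
    # Only rewrite logins that really belong to the provider being migrated
    if ($parts[0] -ne $OldProviderName) {
        $result.Reason = "belongs to provider '$($parts[0])'"; return $result
    }
    $result.Action = 'Move'
    $result.NewLogin = "i:0#.f|$NewProviderName|$($parts[1])"
    return $result
}

# Constructed sample logins covering each branch
$sampleLogins = @(
    'myoldprovidername:alice',
    'myoldprovidername:svc:reports',
    'otherprovider:bob',
    'CONTOSO\carol',
    'i:0#.f|mynewprovidername|dave',
    'orphan'
)
$plan = foreach ($login in $sampleLogins) {
    Convert-FbaLoginToClaim -UserLogin $login -OldProviderName 'myoldprovidername' -NewProviderName 'mynewprovidername'
}
# Review this table before running Move-SPUser for the rows marked Move
$plan | Format-Table OldLogin, Action, NewLogin, Reason -AutoSize
```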




Comments (8)

  1. Ahmed Nagy says:

    Hi Krishh, this is because each provider has its own format for user login names. So, if you are using AD for example, the names should change from "OldDomainUserLogin" to "NewDomainUserLogin". You need to know the format of the login names and change the lines in the script to use such formats.

  2. Anonymous says:

    I ran the script and changed the values as suggested and still my user names show with the old membership provider name in sites.

  3. Ahmed Nagy says:

    This does work for ASP.NET membership users only; you will need to change it if your users are Active Directory based.

  4. shobs says:

    I ran the script and changed the values as suggested and still my user names show with the old membership provider name in sites.

  5. Krishh Koilada says:

    Hi Ahmed,

    Thank you very much for your blog post. We are using AD LDS as our membership provider and we were planning to use this script to migrate users from FBA to CBA. However we were stuck by some other problems.

    Meanwhile, I found your comment about changing the script for non ASP.NET membership providers. Could you please tell me why and what kind of changes I should make?

  6. shilezi says:

    Very useful script. I edited it to suit my needs though here


  7. shilezi says:

    This might work for LDAP users

    # FileName: spMigrateUser.ps1
    # Name: spMigrateUser.ps1
    # Version: 1.0
    # Author: Lognoul Marc (lognoulm@hotmail.com)
    # Description: Reproduces the behavior of the command STSADM -o migrateuser. More added value to come (batch migration and subsequent updates).
    # Tested with: Windows 2003 SP3, Windows 2008 SP2, WSS SP2, MOSS SP2
    # Dependencies: Assemblies Microsoft.SharePoint and Microsoft.SharePoint.Administration

    # Load the SharePoint assembly so the SPFarm type resolves in a plain PowerShell session
    [void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

    $OldLogin = "DOMAINUSER"
    $NewLogin = "DOMAINUSER"
    $EnforceSidHistory = $False

    $spFarm = [Microsoft.SharePoint.Administration.SPFarm]::Local
    $spFarm.MigrateUserAccount($OldLogin, $NewLogin, $EnforceSidHistory)

  8. Siddiqali says:

    Hi Ahmed,

    I have been working on this for a couple of days. Please view the link and, if possible, contact me on siddiqali87@gmail.com. Hope you reply to me.

