Introduction
If you work in a large organization with multiple domains and/or high turnover, you may run into issues where duplicate user accounts start stacking up in your SharePoint User Information List.
Examples
- Let's say Joe Dirt works at your company and his Active Directory account is corp\joe.dirt. When Joe Dirt accesses the portal for the first time a new entry is created in the SharePoint User Information List. This entry contains things like display name, login ID and Security Identifier (SID). Joe Dirt gets fired. His Active Directory account is deleted upon termination. Time passes and Joe Dirt gets re-hired. His Active Directory account is created (again) as corp\joe.dirt. When he accesses the portal, SharePoint will notice a security identifier (SID) mismatch between his newly created Active Directory account and the existing (old) entry in the SharePoint User Information List. The old entry will be marked as deleted and a new entry created.
- You have an Active Directory Forest with multiple domains. User Billy Bob has an account at the New York office: NewYork\Billy.Bob. When Billy Bob accesses the portal for the first time a new entry is created in the SharePoint User Information List. Billy Bob goes on a trip to the San Diego office and an account is created for him there: SanDiego\Billy.Bob. Billy Bob accesses the portal for the first time and a new entry is created in the SharePoint User Information List because SharePoint sees SanDiego\Billy.Bob as a new account. Now there are two accounts for Billy Bob in SharePoint.
- You have an Active Directory Forest with multiple domains. User Billy Bob has an account at the New York office: NewYork\Billy.Bob. When Billy Bob accesses the portal for the first time a new entry is created in the SharePoint User Information List. Billy Bob goes on a trip to the San Diego office and his account is migrated to the SanDiego domain. Now his Active Directory account is SanDiego\Billy.Bob. Billy Bob accesses the corporate portal. SharePoint will treat this as a new account, because SharePoint does not support security identifier (SID) history, and will add SanDiego\Billy.Bob to the SharePoint User Information List. Now there are two accounts for Billy Bob in SharePoint.
Resulting Issues
Duplicate accounts can create various issues such as "The user does not exist or is not unique" errors, permissions applied to the wrong account, wrong person selected from the people picker, etc.
Finding Duplicate Users
The following PowerShell script queries the site users of the web application's root site collection (the SharePoint User Information List) and exports a list of duplicate accounts to DuplicateUsers.csv. Accounts are considered duplicates when they share the same email address; entries with no email address (SharePoint groups, service accounts) are skipped so they are not reported as duplicates of each other.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$ErrorActionPreference = "SilentlyContinue"
# Get the Web Application and its root URL. Get-SPWebApplication returns every
# content web application in the farm; this script assumes one and takes the first.
$WA = Get-SPWebApplication | Select-Object -First 1
$RootURL = $WA.Url
$Site = Get-SPSite $RootURL
$RootWeb = $Site.RootWeb
# Group the site collection users by email address and keep only the groups with
# two or more entries. Users without an email address are excluded first.
$RootWeb.SiteUsers |
    Where-Object { $_.Email } |
    Group-Object -Property Email |
    Where-Object { $_.Count -ge 2 } |
    Select-Object @{Name='Email';Expression={$_.Name}},
                  @{Name='Accounts';Expression={[string]::Join(",", ($_.Group | ForEach-Object { $_.UserLogin }))}} |
    Export-Csv DuplicateUsers.csv -NoTypeInformation
$Site.Dispose()
Removing Duplicate Users
Once you determine which accounts to keep and which accounts to remove, use the SharePoint Management Shell and the Remove-SPUser cmdlet to get rid of the accounts. For example, let's say we found duplicate accounts NewYork\Billy.Bob and SanDiego\Billy.Bob. Billy.Bob is in San Diego and we want to get rid of the New York account. From the SharePoint Management Shell, enter Remove-SPUser -Identity NewYork\Billy.Bob -Web http://your.portal.url and press Enter. Removing an account also removes the group memberships and permissions granted to that account, so review them first and re-grant anything that is still needed to the account you keep.
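The following script is an added example, not part of the original article: it reviews the duplicate account before removing it, so that no permission is lost by accident, and carries its SharePoint group memberships over to the account that stays. The web URL and the two login names are placeholders to fill in; the script assumes it runs in the SharePoint Management Shell on a farm server.

```powershell
# Added example (not from the original article). Placeholders: $WebUrl,
# $KeepLogin and $RemoveLogin are constructed values to replace with your own.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebUrl      = "http://your.portal.url"   # placeholder web URL
$KeepLogin   = "SanDiego\Billy.Bob"       # account that stays
$RemoveLogin = "NewYork\Billy.Bob"        # duplicate to remove

$web  = Get-SPWeb $WebUrl
$keep = Get-SPUser -Identity $KeepLogin -Web $web
$old  = Get-SPUser -Identity $RemoveLogin -Web $web

# Show what the old account carries so it can be re-granted to the kept account.
"Removing: {0} (ID {1}, SID {2})" -f $old.UserLogin, $old.ID, $old.Sid
"Groups  : {0}" -f (($old.Groups | ForEach-Object { $_.Name }) -join ", ")
# Direct role assignments on this web only; subsites with unique permissions
# would need the same check on their own SPWeb objects.
"Direct role assignments on $($web.Url):"
foreach ($assignment in $web.RoleAssignments) {
    if ($assignment.Member.ID -eq $old.ID) {
        $assignment.RoleDefinitionBindings | ForEach-Object { "  " + $_.Name }
    }
}

# Dry run first: -WhatIf reports what would happen without deleting anything.
Remove-SPUser -Identity $old -Web $web -WhatIf

# Carry the old account's group memberships over to the kept account, then remove.
foreach ($group in $old.Groups) { $group.AddUser($keep) }
Remove-SPUser -Identity $old -Web $web -Confirm:$false
$web.Dispose()
```

Run the script once with the final Remove-SPUser line commented out, compare the printed groups and role assignments against what the kept account should have, and only then run the removal.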