Channel: SharePoint 2010 - Setup, Upgrade, Administration and Operations forum

migrated users lose permissions after User Profile Synchronisation


Hi there,

I have a customer who decided to work with a 2nd Active Directory (AD) domain. We have a SP2010 Farm running for years using User Profile Service (UPS) in domain-A. Step by step, user accounts were copied (cloned, duplicated) from domain-A to domain-B on the AD side. As we now have to deal with two domains, we added the new domain-B connection to the User Profile Service Application (UPSA) "Configure Synchronization Settings".

On the SharePoint side we migrate users using the "$Farm.MigrateUserAccount( $oldLogin, $newLogin, $false )" cmdlet (which is part of the "migrate-users-groups-powershell-script" PowerShell script, see: http://blogs.msdn.com/b/sowmyancs/archive/2012/01/07/migrate-users-groups-powershell-script.aspx). For some internal reasons we clone the access rights from the domain-B user back to the domain-A user using the "Clone SharePoint User Permissions using PowerShell" script (see: https://gallery.technet.microsoft.com/office/Clone-SharePoint-User-3632f7dc). At this moment everything seems to be okay: the user has access rights (can work fine) with both accounts, and because we used the "MigrateUserAccount" cmdlet the user has his "mySite" in place with his migrated domain-B account.

But if something changes in the Active Directory (AD) for a specific user, all access rights switch back to his domain-A account after the (nightly) incremental user profile synchronization. We see the same behavior after a full synchronization for all users.

In "Resolve accounts across multiple forests (SharePoint Server 2010)" (see: https://technet.microsoft.com/en-us/library/dd279546(v=office.14).aspx) we read that we'd have to "use the distinguished name (ms-ds-Source-Object-DN) attribute in the user object to create an association between the user’s accounts" and that there is a "relationship between multiple accounts that belong to a single user, one account is considered the primary account, and all other accounts are considered alternates of the primary".

Can someone give us hints, please? What could be wrong in that configuration? What should we check and/or change?

Thanks in advance, Jens
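One check that makes the described flip-back measurable, as an added example that is not part of the original post nor of the two linked scripts: a PowerShell snapshot of which domain's login holds each explicit permission grant on each web, taken once before and once after the nightly synchronization so the two CSV files can be diffed. It assumes the SharePoint 2010 Management Shell run as a farm administrator; "DOMAIN-A" and "DOMAIN-B" are placeholders for the real NetBIOS domain names.

```powershell
# Added example (not from the thread): snapshot explicit permission grants per domain.
# Assumption: run in the SharePoint 2010 Management Shell on a farm server as a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$domainA = "DOMAIN-A"   # placeholder for the original domain's NetBIOS name
$domainB = "DOMAIN-B"   # placeholder for the new domain's NetBIOS name
$report  = @()

foreach ($site in Get-SPSite -Limit All) {
    foreach ($web in $site.AllWebs) {
        # Webs that inherit permissions would only repeat their parent's grants.
        if (-not $web.HasUniqueRoleAssignments) { $web.Dispose(); continue }

        foreach ($ra in $web.RoleAssignments) {
            $member = $ra.Member
            # Only user principals; SharePoint groups and AD groups are not migrated per user.
            if ($member -isnot [Microsoft.SharePoint.SPUser]) { continue }
            if ($member.IsDomainGroup) { continue }

            # Claims logins look like i:0#.w|domain\user, classic logins like domain\user;
            # strip the Windows claims prefix and keep the NetBIOS domain part.
            $login  = $member.LoginName -replace '^i:0#\.w\|', ''
            $domain = ($login -split '\\')[0]
            $roles  = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';'

            $report += New-Object PSObject -Property @{
                Web    = $web.Url
                Login  = $login
                Domain = $domain
                Roles  = $roles
            }
        }
        $web.Dispose()
    }
    $site.Dispose()
}

# Write the snapshot; a second run after the sync gives the file to compare against.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$report | Export-Csv -Path ".\perm-snapshot-$stamp.csv" -NoTypeInformation

# Quick summary: number of explicit grants held by each domain's accounts.
$report | Where-Object { $_.Domain -eq $domainA -or $_.Domain -eq $domainB } |
    Group-Object Domain | Select-Object Name, Count | Format-Table -AutoSize
```

Comparing the two CSV files with Compare-Object on the Web and Login columns lists exactly which grants moved from a domain-B login back to a domain-A login during the synchronization.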
