Using SharePoint Server 2010 with 2 WFEs, 1 app server and 1 DB server.
After migrating our web applications and users to claims (using NTLM authentication),
I am wondering what changes, if any, the migration has made to SharePoint groups.
The users in the groups have their login names changed to include the claims prefix, but are there other changes to the groups?
The reason I am asking is that I am testing a revert-back-to-Windows-based-authentication script. I have set up the code for reverting web applications and users (with the option of using Move-SPUser or $farm.MigrateUserAccount($user.LoginName, $newLogin, $false)).
In the variable $newLogin I basically just removed the claims prefix from the login name.
I have not decided how to treat the groups yet, though.
The code I am thinking about using for groups for now is: $farm.MigrateGroup($oldlogin,$newlogin).
Do I even need to make changes to the groups? As Move-SPUser changes the SharePoint user in SharePoint, the SharePoint group should adapt?
One group with a single member:
As you can see above, the only claims information I can see is the single user in the group.
Script so far:
# Script for migrating SharePoint claims to Windows-based authentication

# Set the web application back to Windows-based authentication
$Webapplication = "http://portal.com"
$Webapp = Get-SPWebApplication $Webapplication
$Webapp.UseClaimsAuthentication = $false
$Webapp.Update()

#-------------------------
# Make sure the web.config file is changed from:
#   <authentication mode="Forms">
#     <forms loginUrl="/_login/default.aspx" />
# to:
#   <authentication mode="Windows" />
#-------------------------

# All users in the content database have the claims prefix.
# Now we need to migrate users back to Windows-based authentication.

# Store the farm in a variable
$farm = Get-SPFarm

# Store all SharePoint users in the variable $allUsers
$allUsers = Get-SPUser -Web $Webapplication -Limit All

# Windows-claims prefix to strip from each login name
$claimsPrefix = "i:0#.w|"

# Migrate users back to Windows-based authentication
foreach ($user in $allUsers)
{
    # Only handle users whose login name starts with the claims prefix.
    if ($user.UserLogin.StartsWith($claimsPrefix))
    {
        # Create the new login name.
        # TrimStart() treats its argument as a set of characters and would also
        # eat leading characters of the domain (w, i, 0, ...), so cut by length.
        $newLogin = ""
        $newLogin = $user.UserLogin.Substring($claimsPrefix.Length)
        $farm.MigrateUserAccount($user.LoginName, $newLogin, $false)
        #Move-SPUser -Identity $user -NewAlias $newLogin
    }
}
I do know that this is not supported by MS. But any help would be greatly appreciated!
Other notable things I have come across are that this must be run with the farm admin account and I will have to add the cache-object accounts afterwards, in addition to some web.config differences between claims-based web applications and Windows-based authentication.
brgs
Bjørn
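
Stripping the `i:0#.w|` prefix is the step where a revert script like the one above can silently produce wrong login names, because `String.TrimStart` treats its argument as a set of characters rather than a literal prefix. The following dry run is an added example, not part of the original post; it calls no SharePoint cmdlets, and the function name `Convert-ClaimsLoginToWindows` and all sample logins are hypothetical.

```powershell
# Added example: dry-run plan for reverting claims login names.
# No SharePoint objects are touched; review the table before any real migration.
$ClaimsPrefix = 'i:0#.w|'   # Windows-claims prefix used in the post

function Convert-ClaimsLoginToWindows {
    param([string]$LoginName)
    # Only an exact leading prefix qualifies; anything else is left for manual review.
    if (-not $LoginName.StartsWith($ClaimsPrefix, [System.StringComparison]::OrdinalIgnoreCase)) {
        return $null
    }
    # Remove the prefix by length so no character of the domain is touched.
    $windowsLogin = $LoginName.Substring($ClaimsPrefix.Length)
    # Expect DOMAIN\user after the prefix; reject empty or malformed remainders.
    if ($windowsLogin -notmatch '^[^\\|]+\\[^\\|]+$') {
        return $null
    }
    return $windowsLogin
}

# Constructed sample login names (hypothetical domains and users).
$sampleLogins = @(
    'i:0#.w|contoso\alice',
    'i:0#.w|wingtip\bob',       # domain begins with characters that also occur in the prefix
    'i:0#.w|it\0wner',          # same problem for both domain and user part
    'CONTOSO\already-windows',  # no claims prefix
    'i:0#.w|'                   # prefix with nothing after it
)

# Build the plan: safe conversion next to what TrimStart would have produced.
$plan = foreach ($login in $sampleLogins) {
    $new = Convert-ClaimsLoginToWindows $login
    New-Object PSObject -Property @{
        OldLogin  = $login
        NewLogin  = $new
        TrimStart = $login.TrimStart($ClaimsPrefix)   # character-set trim, for comparison
        Action    = $(if ($new) { 'migrate' } else { 'skip' })
    }
}

$plan | Select-Object OldLogin, NewLogin, TrimStart, Action | Format-Table -AutoSize
```

Rows where the `NewLogin` and `TrimStart` columns differ are accounts that a `TrimStart`-based script would have migrated to a login name that does not exist.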









