How to Migrate User Profiles in Windows XP Quickly and Easily!

One of the hardest things for an administrator has been a server installation. A user has a well-established profile with desktop settings that they do not want to lose. What do you do? Well, in the past you would have clicked on user profiles in the advanced system properties and clicked on "Copy Profile" with moderate success. Did you know that it skips the "Local Settings" folder? So much for that user's PST file! Or, god forbid, you see "Account Unknown" in there, when you know that you need that account? Perhaps the picture to the right is all too familiar... Well, when you're done reading you'll realize that hope is not lost and you might kick yourself in the butt for not thinking of this earlier (I definitely did!).

There are three key steps which I will explain momentarily. They are:

  1. Give the new SID full permissions on the target profile directory.
  2. Give the new SID full permissions on the target registry hive.
  3. Change the ProfilePath of the new SID to the target profile directory.

What the hell does all that mean? Let me explain for the purposes of this document.

This tutorial is not for anyone unfamiliar with the Windows Registry and general file permissions. If you don't understand all of the below, you really should hire a professional to do it for you.

[Screenshot: Account Unknown!]

How Profile Creation works in Windows XP/2000

Every user account in a Windows environment has something called a SID, or Security Identifier. There are only two parts of this number that we care about: the 28 (or so) digit string in the middle, and the last set of three or four digits, called the Relative ID (RID).

An example of a Windows SID is S-1-5-21-746137067-1425521274-725345543-1003. Don't let that scare you. The computer/domain identifier in this string is 746137067-1425521274-725345543, and the RID is 1003.

The domain/local string is generated when you install Windows or promote a domain controller. The RID corresponds to a user account. A RID of 500 is the built-in Administrator account, and anything above 1000 is a normal user account.

Practicalities

This process can be adapted to many situations. Here are a few that I can think of:

Our Scenario

For this tutorial, I am going to walk through converting a local account to a domain account, as it's one of the most common things I run across.

Here's our problem: I've just sold a new customer a Windows 2003 Server to replace their aging Windows 2000 Professional Workgroup Server. They have more than 10 computers now, and are getting licensing errors when connecting to their shared drives. Each user has an expansive Desktop and My Documents, and they have their desktop icons arranged in a way that they just can't part with.

When you join the computer to the domain and reboot, they need to be able to log back in and pick up where they left off as if nothing ever happened. Sound difficult? Impossible?

The old way would be to join the computer to the domain, log in as their new network user account, log out, log in as administrator, go to system properties, click advanced, click user profiles, select theirs in the list, click copy profile, select the location of their new user profile (user.DOMAIN), add them (or Everyone) to the "allowed to use" list, click "go" and pray. Wait three hours because of their iTunes collection, reboot and hope for the best. GOD FORBID one of their files has too many characters in the file name, you'll have to start all over again. For shame.

Herein, the better way.

Preparation

First things first: join the computer to the new domain and create the user's new account in Active Directory. Log into their workstation as their new user and let it generate its new profile. Log out.

This does a couple of things for us. First, you've established the new account in the domain so the user can log in. Secondly, you've established the domain account as active on that workstation, and it has generated a new profile corresponding to that user's new SID.

Step One: Profile Directory Permissions

Find the user's original profile. Look in "C:\Documents and Settings". If the user was James, it's probably called james. In that case, the new profile folder would be called james.domain. Right click the old profile folder, go to properties, and click the security tab. You should see "Administrators" "SYSTEM" and the old user account in the list. If the old user account is deleted, you'll see the SID, similar to the picture to the right.

Click the "Add" button, and add the user's new account to the list. Click the box to allow "Full Control". Click Advanced, then check the box for "Replace permission entries on all child objects with entries shown here that apply to child objects". Click Apply, then OK and OK. Don't click anything else. Seriously. You can (and should) remove the old user/SID from the list when you add the new one in. That is only semi important, but it will prevent confusion later.

[Screenshot: properties on the profile]

Step Two: User Registry Hive Permissions

The most important step to get right is this one.

Open the registry editor. You need to be able to edit permissions, so in XP run regedit.exe and in 2000 run regedt32.exe. If you're on Windows 2000 you'll have to figure out this step for yourself, as I'm only going to illustrate the XP method. Expand the HKEY_LOCAL_MACHINE key but leave it selected. Click on the File menu, then click "Load Hive".

Navigate to the old (target, the one we want to use) profile directory. Double click the NTUSER.DAT file. If you don't see it, type it in. It's hidden, but it will work. The registry editor will ask you to give it a name... I use something like "asdf" or "chickenfucker" -- be creative.

Right click our new creation, and go to Permissions. You're going to follow suit with exactly what you did earlier. Click Add, type in the new domain user name, give it full control, click advanced, and check the box for "replace" all the child permissions. Apply, OK, OK, and remove the old user.

VERY IMPORTANT: When you're done, select the hive again, click file, and then "Unload Hive". Don't forget to do this, really.

[Screenshot: expand HKLM but leave it selected]

[Screenshot: file, load hive]

[Screenshot: permissions on loaded hive]

And finally, The Last Step (can you tell I've activated windows by phone?)

Step Three: ProfileList Key

This part is so easy and it makes so much sense. Remember those SIDs I was talking about?

Navigate your registry editor to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Look at the list beneath ProfileList. Does it look familiar? Notice my list of SIDs, and you can easily divide them into two groups. One set were the local accounts, and one set are the new domain accounts. This part is tricky, but if you screw it up you can probably recover from it.

You'll want to look through each of the items in the list, but you're looking for two in particular: our old user account and our new user account. Keep in mind that we're pairing the new user account with the old profile, and we're ditching the old user account and the new profile. Get it?

Look at the value called ProfileImagePath in each of the SID keys. You'll find one matching the old profile directory and one matching the new profile directory. In our scenario, the 28ish digit number in the SID should be different for each account. Look in ProfileImagePath for username, and for username.domain. The one without the .domain is the old profile SID. Ignore it or delete it! (Microsoft recommends backing up your registry. Don't say I didn't warn you!) The one with the .domain attached is the NEW account, which we're about to point to the OLD folder. Don't delete it. Instead, modify the ProfileImagePath value and remove the .domain. So, %SystemDrive%\Documents and Settings\james.domain will become %SystemDrive%\Documents and Settings\james.

See what we did there? Now you can log in as that user and you'll see the old desktop with all the icons in the right spots. You didn't even have to reboot! (you might want to though, I've had an issue with the new account's "new" hive not unloading correctly, so it had the old path with the new registry until a reboot. Don't let that happen to you)
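A dry-run check for the ProfileList step, added here as an example and not part of the original article: given the SID-to-ProfileImagePath pairs copied out of ProfileList, it splits each SID into its identifier and RID, picks out the old and new entries for one user, and reports which key to edit and what to write. It touches no registry; the function names, the domain SID and the sample paths are constructed for illustration.

```python
import ntpath

def split_sid(sid):
    """Split an account SID into (machine/domain identifier, RID).
    Returns None for SIDs that are not S-1-5-21-... account SIDs."""
    parts = sid.split("-")
    if len(parts) < 6 or parts[:4] != ["S", "1", "5", "21"]:
        return None  # e.g. S-1-5-18 (LocalSystem) also appears in ProfileList
    if not all(p.isdigit() for p in parts[4:]):
        raise ValueError("malformed SID: %r" % sid)
    return "-".join(parts[4:-1]), int(parts[-1])

def plan_repoint(profile_list, username):
    """profile_list maps SID -> ProfileImagePath, as read from ProfileList.
    Returns the SID key to edit, the value to write, and the old SID."""
    old, new = [], []
    for sid, path in profile_list.items():
        if split_sid(sid) is None:
            continue
        leaf = ntpath.basename(path.rstrip("\\")).lower()
        if leaf == username.lower():
            old.append((sid, path))          # "james": the old profile
        elif leaf.startswith(username.lower() + "."):
            new.append((sid, path))          # "james.domain": the new profile
    if len(old) != 1 or len(new) != 1:
        # Stop instead of guessing, e.g. when james.DOMAIN.000 also exists.
        raise LookupError("expected one old and one new profile, found %d/%d"
                          % (len(old), len(new)))
    (old_sid, old_path), (new_sid, _) = old[0], new[0]
    if split_sid(old_sid)[0] == split_sid(new_sid)[0]:
        raise LookupError("both SIDs share one identifier; not a local/domain pair")
    return {"edit_sid": new_sid, "new_value": old_path, "old_sid": old_sid}

# Constructed sample: the local SID is the article's example, the domain SID is made up.
SAMPLE = {
    "S-1-5-18": r"%systemroot%\system32\config\systemprofile",
    "S-1-5-21-746137067-1425521274-725345543-500":
        r"%SystemDrive%\Documents and Settings\Administrator",
    "S-1-5-21-746137067-1425521274-725345543-1003":
        r"%SystemDrive%\Documents and Settings\james",
    "S-1-5-21-1111111111-2222222222-3333333333-1105":
        r"%SystemDrive%\Documents and Settings\james.DOMAIN",
}

if __name__ == "__main__":
    print(plan_repoint(SAMPLE, "james"))
```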

[Screenshot: ProfileList key]

Holy Hell Batman, have I just done something in 5 minutes (with practice) better than what I used to do in one to three hours?

Yes, why, yes you did.

Wrapping Up

If all went as planned, your new SID will be using the old SID's information. If you decide to do this in real life, pay attention to the SID and RID numbers. Try to understand what they mean. In reality, it's a lot simpler than you would think: we gave the new user permission to control the old user's stuff, and we told Windows that their profile was in a different spot. How hard should that be? Yet, I could not find a single web page documenting the process. This really beats the Files and Settings Transfer Wizard.

You can use this technique to recover "Account Unknown" Profiles as well. Just think about it.

ray@raygibson.net