One of the hardest things about a server installation, as an administrator, has been this: a user has a well-established profile with desktop settings that they do not want to lose. What do you do? Well, in the past you would have clicked on User Profiles in the advanced system properties and clicked "Copy Profile" with moderate success. Did you know that it skips the "Local Settings" folder? So much for that user's PST file! Or, god forbid, you see "Account Unknown" in there, when you know that you need that account? Perhaps the picture to the right is all too familiar... Well, when you're done reading you'll realize that hope is not lost, and you might kick yourself in the butt for not thinking of this earlier (I definitely did!)
There are three key steps which I will explain momentarily. They are:
What the hell does all that mean? Let me explain for the purposes of this document.
This tutorial is not for anyone unfamiliar with the Windows Registry and general file permissions. If you don't understand all of the below, you really should hire a professional to do it for you.
Every user account in a Windows environment has something called a SID, or Security Identifier. There are only two parts of this number that we care about: the 28-or-so-digit string in the middle, and the last group of three or four digits, called the Relative ID (RID).
An example of a Windows SID is S-1-5-21-746137067-1425521274-725345543-1003. Don't let that scare you. The computer/domain identifier in this string is 746137067-1425521274-725345543, and the RID is 1003.
The domain/local string is generated when you install Windows or promote a domain controller. The RID corresponds to a user account. A RID of 500 is the built-in Administrator account, and anything 1000 or above is a normal user account.
This process can be adapted to many situations. Here are a few that I can think of:
For this tutorial, I am going to walk through converting a local account to a domain account, as it's one of the most common things I run across.
Here's our problem: I've just sold a new customer a Windows 2003 Server to replace their aging Windows 2000 Professional Workgroup Server. They have more than 10 computers now, and are getting licensing errors when connecting to their shared drives. Each user has an expansive Desktop and My Documents, and they have their desktop icons arranged in a way that they just can't part with.
When you join the computer to the domain and reboot, they need to be able to log back in and pick up where they left off as if nothing ever happened. Sound difficult? Impossible?
The old way would be to join the computer to the domain, log in as their new network user account, log out, log in as administrator, go to system properties, click advanced, click user profiles, select theirs in the list, click copy profile, select the location of their new user profile (user.DOMAIN), add them (or Everyone) to the "allowed to use" list, click "go" and pray. Wait three hours because of their iTunes collection, reboot and hope for the best. GOD FORBID one of their files has too many characters in the file name, you'll have to start all over again. For shame.
Herein, the better way.
First things first: join the computer to the new domain and create the user's new account in Active Directory. Log into their workstation as their new user and let it generate its new profile. Log out.
This does a couple of things for us. First, you've established the new account in the domain so the user can log in. Secondly, you've established the domain account as active on that workstation, and it has generated a new profile corresponding to that user's new SID.
Find the user's original profile. Look in "C:\Documents and Settings". If the user was James, it's probably called james. In that case, the new profile folder would be called james.domain. Right click the old profile folder, go to properties, and click the security tab. You should see "Administrators" "SYSTEM" and the old user account in the list. If the old user account is deleted, you'll see the SID, similar to the picture to the right.
Click the "Add" button, and add the user's new account to the list. Click the box to allow "Full Control". Click Advanced, then check the box for "Replace permission entries on all child objects with entries shown here that apply to child objects". Click Apply, then OK and OK. Don't click anything else. Seriously. You can (and should) remove the old user/SID from the list when you add the new one. That is only semi-important, but it will prevent confusion later.
The most important step to get right is this one.
Open the registry editor. You need to be able to edit permissions, so in XP run regedit.exe and in 2000 run regedt32.exe. If you're on Windows 2000 you'll have to figure out this step for yourself, as I'm only going to illustrate the XP method. Expand the HKEY_LOCAL_MACHINE key but leave it selected. Click on the File menu, then click "Load Hive".
Navigate to the old (target, the one we want to use) profile directory. Double click the NTUSER.DAT file. If you don't see it, type it in. It's hidden, but it will work. The registry editor will ask you to give it a name... I use something like "asdf" or "chickenfucker" -- be creative.
Right click our new creation, and go to Permissions. You're going to follow suit with exactly what you did earlier. Click Add, type in the new domain user name, give it full control, click advanced, and check the box for "replace" all the child permissions. Apply, OK, OK, and remove the old user.
VERY IMPORTANT: When you're done, select the hive again, click file, and then "Unload Hive". Don't forget to do this, really.
And finally, The Last Step (can you tell I've activated Windows by phone?)
This part is so easy and it makes so much sense. Remember those SIDs I was talking about?
Navigate your registry editor to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Look at the list beneath ProfileList. Does it look familiar? Notice my list of SIDs; you can easily divide them into two groups. One set are the local accounts, and the other set are the new domain accounts. This part is tricky, but if you screw it up you can probably recover from it.
You'll want to look through each of the items in the list, but you're looking for two in particular: our old user account and our new user account. Keep in mind that we're pairing the new user account with the old profile, and we're ditching the old user account and the new profile. Get it?
Look at the ProfileImagePath value in each of the SID keys. You'll find one matching the old profile directory and one matching the new profile directory. In our scenario, the 28-or-so-digit number in the SID should be different for each account. Look in ProfileImagePath for username, and for username.domain. The one without the .domain is the old profile SID. Ignore it or delete it! (Microsoft recommends backing up your registry. Don't say I didn't warn you!) The one with the .domain attached is the NEW account, which we're about to point to the OLD folder. Don't delete it. Instead, modify the ProfileImagePath value and remove the .domain. So, %SystemDrive%\Documents and Settings\james.domain becomes %SystemDrive%\Documents and Settings\james.
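The same three steps as one PowerShell script, added here as an example rather than anything from the original post. It assumes an elevated PowerShell session on the workstation with icacls.exe and reg.exe available, the placeholder values $OldProfile and $NewUser, a temporary hive name of MigrateHive, and the standard ProfileList key path; it also shows the SID/RID split described earlier.

```powershell
# Added example, not from the original post. Placeholders: $OldProfile is the old
# local profile folder, $NewUser the new domain account, which must have logged on
# once already so its ProfileList entry exists. Run elevated.
param(
    [string]$OldProfile = 'C:\Documents and Settings\james',
    [string]$NewUser    = 'DOMAIN\james'
)
$ErrorActionPreference = 'Stop'
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Resolve the new account's SID; the last dash-separated field is its RID.
$newSid = (New-Object System.Security.Principal.NTAccount($NewUser)).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value
if ([int]($newSid -split '-')[-1] -lt 1000) { throw "$NewUser is a built-in account (RID < 1000)" }

# Step 1: NTFS. Full Control for the new account on the old folder and every child
# ((OI)(CI) = inherit to files and subfolders, /T = recurse, /C = continue on errors).
& icacls $OldProfile /grant "${NewUser}:(OI)(CI)F" /T /C | Out-Null

# Step 2: registry. Load the old NTUSER.DAT as a temporary hive, grant the new
# account Full Control inherited by its subkeys, then unload it (the step people forget).
$hive = 'MigrateHive'
& reg load "HKLM\$hive" "$OldProfile\NTUSER.DAT" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $OldProfile\NTUSER.DAT" }
try {
    $acl  = Get-Acl -Path "HKLM:\$hive"
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                $NewUser, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path "HKLM:\$hive" -AclObject $acl
} finally {
    Remove-Variable acl, rule -ErrorAction SilentlyContinue
    [GC]::Collect()                    # drop PowerShell's key handle so the unload succeeds
    & reg unload "HKLM\$hive" | Out-Null
}

# Step 3: ProfileList. Point the NEW SID's ProfileImagePath at the OLD folder, and
# report (rather than delete) the entry that still owns the old folder.
$newKey  = "$ProfileList\$newSid"
$current = (Get-ItemProperty -Path $newKey -Name ProfileImagePath).ProfileImagePath
$target  = (Split-Path -Path $current -Parent) + '\' + (Split-Path -Path $OldProfile -Leaf)
Set-ItemProperty -Path $newKey -Name ProfileImagePath -Value $target -Type ExpandString
"$newSid : $current -> $target"
Get-ChildItem -Path $ProfileList | ForEach-Object {
    $p = (Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
    if ($_.PSChildName -ne $newSid -and $p -and
        ($p -replace '%SystemDrive%', $env:SystemDrive) -ieq $OldProfile) {
        "Old SID $($_.PSChildName) still points at $OldProfile; ignore or delete it"
    }
}
```

Removing the old user's entries from the folder and hive ACLs, which the post recommends, is left to the GUI (or icacls /remove) so the script only ever adds access.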
See what we did there? Now you can log in as that user and you'll see the old desktop with all the icons in the right spots. You didn't even have to reboot! (You might want to, though; I've had an issue with the new account's "new" hive not unloading correctly, so it had the old path with the new registry until a reboot. Don't let that happen to you.)
Yes, why, yes you did.
If all went as planned, your new SID will be using the old SID's information. If you decide to do this in real life, pay attention to the SID and RID numbers. Try to understand what they mean. In reality, it's a lot simpler than you would think: we gave the new user permission to control the old user's stuff, and we told Windows that their profile was in a different spot. How hard should that be? Yet I could not find a single web page documenting the process. This really beats the Files and Settings Transfer Wizard.
You can use this technique to recover "Account Unknown" profiles as well. Just think about it.