Friday, April 30, 2010

Workstation Profile Migration

If you are using a migration tool (ADMT, Quest, NetIQ, etc.) to migrate workstations and user profiles, it will automatically translate the SID and assign the same profile to the target user account. The following happens in the background to achieve this:

· C:\Documents and Settings\UserName originally has the Source SID listed in its ACL. Depending on your migration tool configuration, the Target SID is either added or replaces the Source SID.

· The Target SID is added under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList, and its ProfileImagePath key is assigned the same value that ProfileImagePath has under the Source SID. This ensures both source and target users receive the same profile, which is stored under C:\Documents and Settings\UserName.

If for some reason a migrated user gets a new profile (or loses the old profile), you can use the following procedure to re-assign the old profile to the target account:

1. Ask the user to log off from the user workstation.

2. Run Regedit from your computer. Connect Network Registry to the user workstation.

3. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

4. Go through the Profile list and identify the Source account. Copy the value from the ProfileImagePath key.

5. Again go through the Profile list and identify the Target account. Paste the ProfileImagePath key value there.

6. Restart the user workstation.

The ProfileImagePath key will now have the same value for both the Source and Target user accounts. This ensures both source and target users receive the same profile, which is stored under C:\Documents and Settings\UserName.
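
The result of the procedure above can be checked with a read-only listing such as the following. This is an added example, not part of the original post or of any migration tool; it assumes it is run locally on the workstation from an elevated PowerShell 3.0+ session, and the helper name Resolve-SidName is hypothetical.

```powershell
# Added example: read-only audit of ProfileList on the local workstation.
# Assumes an elevated PowerShell 3.0+ session on the migrated machine.
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$sidType        = [System.Security.Principal.SecurityIdentifier]

# Hypothetical helper: SID string -> DOMAIN\user, or a marker if it cannot be resolved
# (for example a Source SID whose domain is unreachable, or a "<SID>.bak" subkey).
function Resolve-SidName {
    param([string]$Sid)
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        '<unresolved>'
    }
}

$profiles = Get-ChildItem -Path $profileListKey | ForEach-Object {
    $sid  = $_.PSChildName
    $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    if (-not $path) { return }          # skip subkeys without a profile path

    # Is this exact SID named in the profile folder's ACL?
    # Access granted only through group membership is not evaluated here.
    $exists = Test-Path -LiteralPath $path
    $inAcl  = $false
    if ($exists) {
        $rules = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType)
        $inAcl = @($rules | Where-Object { $_.IdentityReference.Value -eq $sid }).Count -gt 0
    }

    [pscustomobject]@{
        Sid              = $sid
        Account          = (Resolve-SidName $sid)
        ProfileImagePath = $path
        FolderExists     = $exists
        SidInFolderAcl   = $inAcl
    }
}

$profiles | Sort-Object ProfileImagePath | Format-List

# Source and Target accounts that are linked to one profile share a ProfileImagePath.
$profiles | Group-Object ProfileImagePath | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    'Shared by {0} SIDs: {1}' -f $_.Count, $_.Name
    $_.Group | ForEach-Object { '    {0}  {1}  ACL={2}' -f $_.Sid, $_.Account, $_.SidInFolderAcl }
}
```

A Target SID that shows the expected ProfileImagePath but SidInFolderAcl = False has the registry half of the translation without the ACL half described in the first bullet above.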

16 comments:

Changing the ProfileImagePath value is not always enough: if the new profile is a result of an ADMT mistake, then you must also add the new SID ACL to the old user profile folders and to the NTUSER.DAT hive in regedit. I observe this ADMT v3.0 mistake when many users have profiles on the same PC.

I mentioned these two steps in the blog: ACL and ProfileList

• The C:\Documents and Settings\UserName originally has the Source SID listed in the ACL. The Target SID is added or the Source SID is replaced with the Target SID, depending on your migration tool configuration.

FYI - If you have many profiles on the workstation, make sure the user information is in the ADMT database, otherwise ADMT won’t update the profile.

Hi, does it work for Windows 7 too? Thanks for your reply.

It should. Are you seeing any issues?

I see how to go from one domain to another; however, let's say you do an interforest migration of a workstation and want to turn it back, how would you go about doing that?

It depends on your migration process. Which migration tool are you using?

ADMT 3.2. I know that in the manual it says to just join the computer back to the original domain; however, the user profile settings are not showing up. I need to come up with a procedure to roll back the interforest type migration for workstations.

If you are using the “Add” option, you can safely join the computer back to the Source Domain.

If you want the old profile, you need to update (depending on the configuration) the ProfileImagePath registry as described in this blog.

So many places speak of an agent being deployed during a workstation migration. But my ADMT 3.2 doesn't have any reference to this. What am I missing?

Dear Santhosh
I am up against this situation - your advice is much appreciated:

Current: Domain A and domain B are in Forest F1 with full trust.
Target: break domain B out of Forest F1 to a new Forest F2. The new F2 will have domain B with all its current AD objects. The ideal migration/move will happen over a weekend (20 users with laptops). I would like to have the change transparent to the 20 users, i.e., a user should come to work after the migration, dock their laptop to the, now, new F2 forest and domain B (domain name not changed) and be able to log in using old credentials (login name and password). I plan to use ADMT 3.2 to migrate accounts, workstations, groups, GP, services, etc. Is this, the user not noticing changes, possible? I would like to avoid visiting workstations/users to carry out any changes on their laptops or login credentials. Please advise on steps and any useful related articles.

Many thanks,

YOUSIF

Unknown,
ADMT will deploy an agent as part of the computer migration.

>>>ADMT 3.2 to migrate accounts, workstations, groups, GP, services, etc. Is this, user not noticing changes, possible?
Yes. Use ADMT

>>>GP, services
GP – It is better to manually create GPs in F2.
Services – What are you trying to do here?

Hi Santhosh, despite having the user information in the DB, we face profile translation issues.
Is there a way we can identify if the user will get the same profile or a new one?
I must mention that we see the security permissions for the target domain user on the profile.
vadimp has mentioned something about NTUSER.DAT hive in REGEDIT, but I can't find it there :-(

Santhosh,
What happens when you have multiple profiles on a computer? Does ADMT migrate all of the users' profiles on that machine?

Thank you for your great info regarding ADMT. I have an issue where roaming user profiles (appdata) still point to the old domain server after the user and computer are migrated.

Any idea or help is really appreciated.

John

We ran into an issue where the new SID was applied to the profile but the user couldn't log on to the profile. The profile permissions had not been updated to the new SID and so had to be manually overwritten. To achieve this we had to take ownership of the profile first and then add the user's account and give full permission. We then made the user the owner.
Following this we had a group policy error which prevented the user logging on at all.
The workaround was as follows:

1. Log on to the PC with an admin account.
2. Open Explorer and change view settings to show hidden files and untick hide operating system files.
3. Run Regedit.
4. Click on HKEY_USERS.
5. Click File, Load Hive.
6. Browse to c:\users\username\NTUser.dat (the file won’t be visible if step 2 is missed) and click OK.
7. Enter Test in the name box that pops up.
8. Right-click the Test key and grant the user full permissions.
9. Click File and Unload Hive. Very important, or the user will keep getting a temp profile.
10. Log off and get the user to log in.

I hope this helps someone with similar issues.
If anyone knows why this is happening and how to prevent it, please post.
