Transferring User-accounts to or from a Domain.

(without losing access to the user's settings and data)

Issue:

When a Windows 2000 or XP Pro computer joins or leaves a domain, the user appears to lose all their settings, and locally-stored files such as "My Documents" become inaccessible.

Reason:

A domain account has a different SID (Security Identifier) from the local account of the same name (and vice versa). Windows therefore treats it as a brand-new user on this computer and allocates it a completely new profile folder, even when the account already exists in the new domain. The old profile, with all its data, is still on the disk; the new account simply isn't using it, and the permissions on it still refer to the old SID.

Resolution:

On the user's first logon after the domain change, Windows is going to create a new profile, like it or not. Therefore, before that first logon, we move the existing profile folder 'out of the way' so that Windows can create its new (near-empty) profile in the location the old one occupied. Then, once that new-profile-creation process is over, we put the original files back over it. Done in this order, Windows is happy. Done any other way, Windows 'sidesteps' the existing data, creating an alternative folder with a different name instead.

We shall need:

A file-manager. Explorer will suffice, provided that it has been set to "show hidden files." A better alternative might be Altap Salamander, which again must be set to show hidden files.
 
An Administrative logon, other than that of the account we're trying to repair. 'Administrator' will do fine, provided this isn't the account which needs repairing. It should be a local account on this computer, NOT the domain administrator's account.

The Domain Admin password, if the computer is to be joined to a domain.

The passwords to the accounts we wish to transfer. Or, the users standing-by patiently, to logon for us when prompted......
-OK, the passwords. 

Preliminary:

Profiles (on XP) are under "C:\Documents and Settings". Which folder belongs to which user may be obvious, or may not be, depending on just how many there are. If it's not obvious, then to establish where a user's profile is stored:

Log on as the user.
Open a command prompt (type 'cmd' into a Run... box).
Now type 'set' and press Enter (or 'set USERPROFILE', which shows only the line you want).
You will see a large amount of information scroll by.
Scroll back to find the line:
USERPROFILE=....
- and you have the information you need.
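The same question can be answered from the Administrator's side by asking each profile folder who owns it. The script below is an added example, not part of the original article: it lists every folder under the profile root with its owning account, and shows the raw SID where that account no longer resolves (Explorer shows the same thing as a long number). It assumes PowerShell, which XP and 2000 did not ship with, and the root path is a placeholder (on Vista and later the profiles live under C:\Users).

```powershell
# Added example, not part of the original article: list each profile
# folder under the profile root with the account that owns it, showing
# the raw SID where the account no longer resolves. Assumes PowerShell
# (not shipped with XP/2000); the root path is a placeholder (C:\Users
# on Vista and later).
param([string]$ProfileRoot = 'C:\Documents and Settings')

function Get-ProfileOwner {
    param([string]$Root)
    $dirs = Get-ChildItem -LiteralPath $Root -Force | Where-Object { $_.PSIsContainer }
    foreach ($dir in $dirs) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            # Ask for the owner as a SID first; translating it to a name is a
            # separate step, and it is that step which fails for a SID the
            # machine (or its new domain) cannot resolve.
            $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
            try {
                $owner = $sid.Translate([System.Security.Principal.NTAccount]).Value
                $resolves = $true
            } catch {
                $owner = $sid.Value      # orphaned SID: an old local or old-domain account
                $resolves = $false
            }
        } catch {
            $owner = "(cannot read ACL: $($_.Exception.Message))"
            $resolves = $false
        }
        New-Object PSObject -Property @{ Folder = $dir.Name; Owner = $owner; Resolves = $resolves }
    }
}

Get-ProfileOwner $ProfileRoot | Sort-Object Folder | Format-Table Folder, Owner, Resolves -AutoSize
```

A folder whose Resolves column is False after the domain change is one whose permissions will need the treatment described under "The Transfer itself"; a folder that resolves to the old local account name after joining a domain is in the same position, it just looks healthier.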
 

The Transfer itself: 

Before you change the computer's domain:

Log on as Administrator.
Launch your file-manager, and navigate to "C:\Documents and Settings"
Here you should see a list of folders, which are the user-profiles themselves. Look for a folder with the same name as the one you identified as being the userprofile folder.

Rename this folder. Any name will do, so long as you can remember what it is, and it's highly unlikely to match the name of any other user. For example 'john-realprofile' would do.
 
Repeat this for any other userprofiles you wish to survive the domain-transfer.

Next, check that the required accounts exist within the domain, if joining one, or locally if leaving one. If they do not exist then create them, but do not yet try to log-on with these accounts. 
 
Now join the computer to the domain, or extract it from the domain as required.

Restart the computer when prompted.
Next, you must log-on once as each user whose settings you wish to preserve, and then log off again. DO NOT OMIT THIS STEP.
The reason is that the profile is created when the user first logs on, and if the target folder already exists it is 'sidestepped' and a new folder created, named 'user.computer' or 'user.domain'. Once this has happened, correcting it is quite tricky (see the FAQ). Logging on once before we do any profile transfer avoids this issue.

Once you have logged-on once as each ordinary user, return to being Administrator, and rename the profile-folders back as they were originally. You should see a warning to the effect that you are over-writing the files in the (near-empty) profile which was created by way of first-logon for the user. Say Yes. We're almost there!

One final step: if the drive uses NTFS and users have permissions which make their profiles 'private', then we need to change those permissions. The reason, again, is that the new account has a different SID, and so is not recognised as the owner of the folder even though it has an identical name. Right-click the profile folder in Explorer and select the Security tab. If the computer has left a domain, you will probably see entries shown as a long number (S-1-5-21-...) instead of a username: that is the user's old SID, which this computer can no longer resolve to an account. If the computer has joined a domain, the old entries still show the local account's name, because that local account still exists; they are just as useless to the domain account.

Two options exist. You can selectively (and painstakingly) give each profile the correct permissions for its own user: add the new account with Full Control, make it the owner, remove the stale entries, and apply the change to subfolders and files. Or, if you do not need to keep users isolated from each other, you can simply (and much more quickly) assign Full Control on "Documents and Settings" to Everyone, ensuring that the files and subfolders box is ticked. Be clear about what the quick option does: it removes the security from every profile on the machine, so any account that can log on (and any program running as it) can read and change every other user's files, including their NTUSER.DAT. Use it only on a single-user machine, or where that exposure is acceptable.

That done, log on as an ordinary user, and you should now see that user's original desktop and files, just as before the domain-change. Job done.
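For the selective option, the script below is an added example, not part of the original article. It re-ACLs one profile folder for its new account rather than opening every profile to Everyone: it walks the folder tree, removes explicit entries whose SID no longer resolves (the old-domain account after leaving a domain) and, optionally, entries for a named old account that still exists (the local account after joining one), then grants the new account Full Control and makes it the owner. It assumes PowerShell, which XP and 2000 did not ship with, and an elevated prompt as the local Administrator. The profile path and the account names are placeholders.

```powershell
# Added example, not part of the original article: re-ACL one profile
# folder for its new account, instead of opening every profile to
# Everyone. Stale entries are those whose SID no longer resolves and,
# optionally, those of a named old account that still exists. Assumes
# PowerShell (not shipped with XP/2000), run from an elevated prompt as
# the local Administrator. Paths and account names are placeholders
# (the profile root is C:\Users on Vista and later).
param(
    [string]$ProfilePath = 'C:\Documents and Settings\john',   # placeholder
    [string]$NewAccount  = 'CORP\john',      # placeholder: the user's account after the move
    [string]$OldAccount  = '',               # placeholder, optional: e.g. 'PC1\john' after joining a domain
    [switch]$SkipOwner                       # leave the owner alone (see note below)
)

function ConvertTo-Sid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

function Test-StaleIdentity($Identity, $OldSid) {
    # Get-Acl hands back a name where the SID resolves and the bare SID where it does not.
    $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier])
    if ($OldSid -and $sid.Value -eq $OldSid.Value) { return $true }
    try { $null = $sid.Translate([System.Security.Principal.NTAccount]); return $false }
    catch { return $true }   # IdentityNotMappedException: nothing on this machine or its domain owns that SID
}

$newSid = ConvertTo-Sid $NewAccount
$oldSid = if ($OldAccount) { ConvertTo-Sid $OldAccount } else { $null }

$root  = Get-Item -LiteralPath $ProfilePath -Force
$items = @($root) + @(Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force)
$fixed = 0

foreach ($item in $items) {
    try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL on $($item.FullName): $($_.Exception.Message)"; continue }

    # Only explicit entries live on this object; inherited ones are repaired where they originate.
    $stale = @($acl.Access | Where-Object { -not $_.IsInherited -and (Test-StaleIdentity $_.IdentityReference $oldSid) })
    $isRoot = ($item.FullName -eq $root.FullName)
    if ($stale.Count -eq 0 -and -not $isRoot) { continue }

    foreach ($ace in $stale) { $acl.PurgeAccessRules($ace.IdentityReference) }

    # Put back what was removed as an explicit grant to the new account. Files cannot
    # carry inheritance flags, so only folders propagate to their children.
    $inherit = if ($item.PSIsContainer) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $newSid, 'FullControl', $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
    if (-not $SkipOwner) { $acl.SetOwner($newSid) }

    try   { Set-Acl -LiteralPath $item.FullName -AclObject $acl -ErrorAction Stop; $fixed++ }
    catch { Write-Warning "Cannot write ACL on $($item.FullName): $($_.Exception.Message)" }
}

"Rewrote $fixed ACL(s) under $ProfilePath for $NewAccount"
```

Two practical notes. Setting the owner to an account other than yourself needs the Restore privilege, which members of Administrators hold only from an elevated prompt; if Set-Acl still refuses, run the script with -SkipOwner and set the owner with Explorer's Owner tab (or, on Vista and later, icacls /setowner). And if a profile is so 'private' that even the Administrator cannot read its ACL, take ownership of the folder first, then run the script. On a stock XP machine without PowerShell, the built-in cacls.exe can at least add the new account with Full Control across the tree (cacls "folder" /T /E /G DOMAIN\user:F), but it will not remove the stale entries for you.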


In Brief:

Make sure all other users are logged-off (or preferably, restart)
Logon as the local Administrator.
Rename the existing profile-folders. 
Extract the computer from (or join it to) the domain.
Ensure that equivalent accounts exist under the new situation.
Log-on once as each new user, then off again.
Rename the profiles back, over-writing the empty profiles created by first logon.
Adjust the permissions, if necessary.
Do a test logon for each user in the new domain.


FAQ:

Q: What to do if a profile gets 'sidestepped' instead of being opened?

A: If the existing profile is still in its normal place when the new account logs on for the first time, then a new (and largely useless) profile is created alongside it, named 'user.computer' or 'user.domain' (for example 'lisa.computer' next to 'lisa').


Getting out of this situation is sometimes a little tricky, as Windows will doggedly persist in using this alternative folder from then on, instead of the right one. It will do so even if the original profile is renamed and the account removed and re-created.

First, log on as Admin and delete the junk profile. Then go into compmgmt.msc and (for a local user) remove the user account. Now go into the System control-panel applet and, on the "User Profiles" tab (on XP: Advanced tab, User Profiles, Settings), remove the reference to the bad profile. Now re-create the user. Having done this, go back to the point where the computer has just joined or left the domain, and repeat the second half of the process for this account. This time, don't forget to log on as the user once BEFORE you rename the original profile back.

Q: Can we not just rename the existing folder to match the alternative profile Windows creates when it does its 'sidestepping' trick for example, rename it from 'lisa' to 'lisa.computer'? Would that not be simpler and quicker?


A: No. Initially this appears to work, but it gives rise to all sorts of odd problems. The reason is that many programs store absolute paths to folders within the user's profile (in the registry, in shortcuts and in their own configuration files), so it is highly inadvisable to change the folder name of a profile once it has been in use. The only surefire approach is to persuade Windows to continue using the profile from its original folder.

Q: Will this transfer the user's settings, e.g. Wallpaper, Word page-settings, Internet history, etc. as well as files?


A: Yes. Most of the user's settings are held in the file NTUSER.DAT in the root folder of the profile; this is the user's registry hive, loaded as HKEY_CURRENT_USER at logon, and it travels with the folder. A very few programs (mostly old ones) store settings outside of the profile, and these will need transferring manually.

Q: I don't see any 'Security'  tab on the profile-folder's Properties page.


A: This could be because:
    You're using a FAT32 disk, which does not support permissions. If so, skip this step.
    You need to (temporarily) turn off Simple File Sharing (Folder Options, View tab), which hides the Security tab.
    You're using XP Home. This cannot join a domain, but you might encounter similar situations for other reasons. XP Home only shows the Security tab in Safe Mode, so restart in Safe Mode.