Recycling User Profiles

Just about everything in a Windows NT\2000\XP\Vista environment is assigned a unique security identifier (SID). Every user and group on a machine, and every computer in a domain, has one: a string of the form S-1-5-21-<machine or domain identifier>-<relative ID> that makes each account or machine unique even when two of them share a name. This is great for security. For example, it prevents someone from installing Windows Server 2003 on a laptop and creating a "ghost domain" with the same user names as your work domain: access checks compare the SIDs in the logon token against the SIDs in an object's ACL, never the names, and because the SIDs issued by the ghost domain differ from those of your real domain, the fake accounts match no entry on the CEO's mailbox or on sensitive network shares.

However, this has long been a problem for IT folks when it comes to changing network configurations. If a company's workstations need to be moved from a workgroup to a domain, or from an old domain to a new one, or even if the old domain controller crashed and had to be rebuilt from scratch, every user ends up logging on with a different account and therefore a different SID. Windows ties a profile to the SID that created it (through the ProfileList registry key and the ACLs on the profile folder and its registry hive), so when you convert John Doe's computer from a workgroup to a domain, his new domain account gets a new SID... which means he gets a brand-new profile on his computer... which means that all of his documents, bookmarks, settings, Start Menu entries, email, wallpaper(s), browsing history, saved passwords, and even his desktop will be different.

Traditionally, IT folks solved this problem by copying most of this data to a file server or USB drive and restoring it to the new account. But there's just so much stuff that it becomes a pain. It's easy to copy someone's desktop, favorites and "My Documents" folders to a server, but copying email account settings, saved browser passwords and other minutiae is much more difficult. Microsoft provides tools such as the User State Migration Tool (USMT) to ease the pain of moving user state between accounts, but they generally require a fair amount of research and testing before they can be used. Isn't there an easier way to deal with user profiles when you change a computer's configuration?

Actually, there is – with a couple of permissions changes and registry tweaks, you can just re-use the profile that the user already has. So while he or she might have to log in to a new account, they’ll still have the same desktop, documents, bookmarks, saved passwords, browsing history, email settings… everything!

Although this method is not officially supported by Microsoft, I've used it several times and have never had a problem with it. However, please make sure that you follow the instructions in order and to the letter. Even skipping a single step can make things go haywire! Take a copy of the profile folder (including the hidden NTUSER.DAT) before you start, and keep the target user logged off for the whole procedure: a profile hive that is in use cannot be re-pointed or opened with Load Hive.

1) Log in to the computer as a local or domain admin.

2) Join the computer to the new domain and reboot when asked.

3) Log in as the target user with the new domain credentials. Log out as soon as the desktop appears; all you're doing in this step is making Windows create the new account's (blank) profile folder and its ProfileList entry.

4) Log in as a domain admin on the machine; make sure that "Show Hidden Files and Folders" is enabled (NTUSER.DAT is a hidden file; alternatively you can type its full path into the Load Hive dialog later), then start RegEdit.

5) Go to:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

Each subkey is named after a SID. Look through them and find the entries for the old and new profiles: the new one is the most recently created and its ProfileImagePath ends in the user name with the domain appended. Change the value of ProfileImagePath in the new profile's key to match that of the old profile. For instance, the old profile path was c:\documents and settings\jschmoe; the new path is c:\documents and settings\jschmoe.domain. Change the value of the new ProfileImagePath setting to c:\documents and settings\jschmoe (the value is REG_EXPAND_SZ, so the existing entry may read %SystemDrive%\Documents and Settings\jschmoe; either form works). Leave the old SID's entry alone. Minimize RegEdit when you're done with this step.

6) Open Windows Explorer, right-click the "old" profile's folder, and on the Security tab give the new domain account Full Control. Click Advanced and confirm the new entry applies to "This folder, subfolders and files", then tick "Replace permission entries on all child objects" so that any subfolder or file that does not inherit from the profile root also receives the entry; an inheritable entry on the root alone leaves such objects readable only by the old SID. Close Windows Explorer when the change has finished propagating.

7) Back in RegEdit, click on HKEY_USERS in the left pane, then click File > Load Hive. Navigate to the old profile's folder and select the NTUSER.DAT file in the root of the profile (this only succeeds while the old user is logged off, because a loaded hive is locked). You will be prompted for a "key name"; this can be anything you want, but for convenience's sake just give it the same name as the user profile (e.g. "jschmoe").

8) Right-click on the "jschmoe" entry under HKEY_USERS and select "Permissions". Give Full Control to the new domain user account, then click Advanced and tick "Replace permission entries on all child objects" so that subkeys carrying their own, non-inherited permissions get the entry as well.

9) With the "jschmoe" key still selected, go to File > Unload Hive, then close RegEdit.

10) Reboot the computer.
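As an added example (not part of the original post), the following PowerShell script performs steps 5 to 9 from an elevated session, so the registry and ACL changes come out the same on every machine. The old profile folder C:\Documents and Settings\jschmoe, the new account CONTOSO\jschmoe and the CONTOSO domain are all placeholders. It relies on icacls.exe (shipped with Vista and Server 2003 SP2 and later) and reg.exe, refuses to run while the old profile is still loaded, and goes slightly beyond the manual steps by re-applying the permission entry to every subkey whose ACL does not inherit from the hive root, which is what the "Replace permission entries on all child objects" checkbox does in the GUI.

```powershell
# Added example, not the original post's code. Automates steps 5-9 above.
# Placeholders (adjust before running): the old profile folder and the new domain account.
$OldProfilePath = 'C:\Documents and Settings\jschmoe'   # assumed path of the existing profile
$NewAccount     = 'CONTOSO\jschmoe'                      # assumed new domain account
$ProfileList    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$TempHive       = 'TempProfileHive'                      # key name while NTUSER.DAT is loaded

$me = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session (step 4).'
}

# Resolve DOMAIN\user to its SID string (S-1-5-21-...)
$newSid = (New-Object Security.Principal.NTAccount($NewAccount)).Translate(
              [Security.Principal.SecurityIdentifier]).Value

# --- Step 5: find both ProfileList entries and retarget the new one --------------
$newKey = Join-Path $ProfileList $newSid
if (-not (Test-Path $newKey)) {
    throw "No ProfileList entry for $NewAccount ($newSid); log on once as that user first (step 3)."
}
$oldEntry = Get-ChildItem $ProfileList | Where-Object {
    # ProfileImagePath is REG_EXPAND_SZ; the provider expands %SystemDrive% for us
    (Get-ItemProperty $_.PSPath).ProfileImagePath -eq $OldProfilePath
}
if (-not $oldEntry) { throw "No ProfileList entry points at $OldProfilePath." }
$oldSid = $oldEntry.PSChildName
if (Test-Path "Registry::HKEY_USERS\$oldSid") {
    throw "Profile $oldSid is still loaded; log the old user off (or reboot) before continuing."
}
$blankProfile = (Get-ItemProperty $newKey).ProfileImagePath   # e.g. ...\jschmoe.CONTOSO from step 3
Write-Host "Old SID $oldSid -> new SID $newSid; pointing $blankProfile at $OldProfilePath"
Set-ItemProperty -Path $newKey -Name ProfileImagePath -Value $OldProfilePath

# --- Step 6: Full Control on the whole folder tree for the new account -----------
# /T visits every subfolder and file, so objects with their own explicit ACL get the entry
# too; (OI)(CI) makes it inherit to objects created later. Same effect as the GUI's
# 'Replace permission entries on all child objects'.
& icacls.exe $OldProfilePath /grant "${NewAccount}:(OI)(CI)F" /T /C /Q
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE." }

# --- Steps 7-9: load NTUSER.DAT, grant Full Control inside it, unload ------------
& reg.exe load "HKU\$TempHive" (Join-Path $OldProfilePath 'NTUSER.DAT') | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed; the hive is probably still in use.' }
try {
    $root = "Registry::HKEY_USERS\$TempHive"
    $rule = New-Object Security.AccessControl.RegistryAccessRule(
                $NewAccount, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    # The root key, plus every subkey whose DACL is protected (does not inherit from its
    # parent); an inheritable ACE on the root never reaches those on its own.
    $keys = @(Get-Item -Path $root) +
            @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
              Where-Object { (Get-Acl -Path $_.PSPath -ErrorAction SilentlyContinue).AreAccessRulesProtected })
    foreach ($k in $keys) {
        try {
            $acl = Get-Acl -Path $k.PSPath
            $acl.AddAccessRule($rule)
            Set-Acl -Path $k.PSPath -AclObject $acl
        } catch { Write-Warning "Could not set permissions on $($k.Name): $_" }
    }
    Write-Host "Granted $NewAccount Full Control on $($keys.Count) key(s) in the hive."
}
finally {
    # Release the registry provider's handles first, or 'reg unload' reports the hive in use
    $keys = $null; $k = $null; $acl = $null
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$TempHive" | Out-Null
}
Write-Host "Done. Reboot (step 10), then log on as $NewAccount. $blankProfile is now unused."
```

Run it once per workstation after step 4; the two throw checks at the top catch the two mistakes that usually break the manual procedure (skipping the throwaway logon in step 3, and trying to re-point a profile while its owner is still logged on). The blank jschmoe.CONTOSO folder is left in place on purpose so you can confirm the new logon lands in the old profile before removing it.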

The user can then log on to the machine using his\her new domain username and password, and the profile-related settings will be exactly the same as before, because it is the same profile as before. Although this method takes a bit longer for you (it might take 20 minutes for the first computer, by the third you can get it down to around 8 minutes), I find that it really cuts down on silly user complaints like "where's my wallpaper?" or "what's my Amazon password?", so it actually saves you time in the long run.

Two caveats are worth knowing about. First, the old SID's ProfileList entry still points at the same folder, so never delete the old account's profile through System Properties > Advanced > User Profiles: that removes the folder the new account is now using. Retire the old account itself instead and, if you like, remove its entry from the folder's ACL. Second, anything the old account protected with DPAPI stays sealed: a user's DPAPI master keys are encrypted with a key derived from that account's SID and password, so passwords saved by Internet Explorer or Outlook, EFS-encrypted files and certificate private keys will not open under the new SID even though every file is still in place. This is the same property that stops someone who copies your profile from reading your saved passwords, and it is the one part of the profile this trick cannot carry across.

One Reply to “Recycling User Profiles”

  1. This worked great but soon after I discovered that any web pages using https or involving usernames which had been used *before* were now not working. Internet Explorer simply displays a generic “cannot display webpage” error.

    Sites that were never visited before do not have this problem.

    My guess is this is a permissions issue and there’s a step missing here. I say this because if I give Administrator rights to one of these users then all the sites work. Take Administrator rights away and they cease to work again.

    I did not skip any steps. I’ve tried RIES (http://support.microsoft.com/kb/923737) to no avail.

    Any ideas? I’d be most appreciative. Thanks!
