Thread: From P2P to Domain - Keep and use existing local profile?

  1. #1
    adminassistant

    Hi everyone, good evening! Long time lurker, first time post.

    I have quite a task ahead of me. My company has recently decided to move to a Win2K3 domain environment. We've been running as a corporate workgroup for several years. Now that our AD structure has been built and I've created a domain account for every employee, it's time to join the massive amounts of XP Pro machines to the domain. I'd like to make the migration as seamless as possible, where "Suzie Smith" logs onto the domain and hardly notices a difference. (besides maybe the rearrangement of her desktop icons) From all of my reading, this is my plan of action. Can someone lend me a 2nd set of eyes? I'll use Suzie Smith as my example. Her domain account will be ssmith.

    1) Log onto the workstation as local admin.

    2) Join workstation to the domain. Reboot.

    3) Logon as ssmith to the domain.

    4) Log off ssmith. (ensuring a domain profile of say, ssmith.EXAMPLE is created)

    5) Logon as local admin again. (possibly domain admin?)

    6) Right-click My Computer | Properties | Advanced tab | Under "User Profiles", click Settings button

    7) Highlight Suzie's local profile, and click "Copy To". Under "Copy Profile To", browse to the path of her newly created domain profile and click OK, effectively overwriting the newly created domain profile, with her local profile.

    8) Click Permitted to Use button, and enter in Suzie's domain account.

    9) Click Start | Run | Type regedt32

    10) Navigate to HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\ProfileList and go down the list of SIDs until I find her domain profile (looking in the right-hand pane as I'm going down the list of SIDs, for specifically ProfileImagePath = \....\ssmith.EXAMPLE and changing the value so that it points to her original and local profile).

    11) Exit and reboot.

    When Suzie logs on, do you believe she will be happy for the most part? How about when she launches Outlook 2002 or 2003 with massive PST? (LOL) Or are additional modifications necessary? Change of permissions anywhere? Take ownership of something? Move on to next workstation? I've been reading a lot about loading and unloading a HIVE in the registry somewhere in the above process. Would that apply to my situation?

    Thank you so much in advance for taking time to read my post. Any and all suggestions are certainly most appreciated.

    -Tin

  2. #2
    adminassistant

    Hey Everyone,

    Update on the above. After the final step (#11), I logged on as ssmith to the domain, and found that I had pulled the default domain profile! Instead of ssmith.EXAMPLE, I found that ssmith.EXAMPLE.000 was created. So I went back into the registry, found EXAMPLE.000, and pointed the ProfileImagePath to the original profile again. I then gave the domain user Full Control of her original profile. (Not sure why I did this, does it make a difference?) Logged off and back on, and was not able to launch Outlook 2002, nor did her custom background appear, nor any of her desktop shortcuts. I logged her off again, and back on as domain admin. I then chose to add her domain user account as a part of the local administrators group. Logged back on as her, and FINALLY all was well. Everything was in perfect working order.

    My question is, could I have simplified all of this? Why the ssmith.EXAMPLE.000 creation? And equally as important, do I have to make all domain users local administrators to get everything to work, as that was the last thing I did to make things work.

    Thanks again so much. I hope my experiences help others facing the same dilemma.

    - Tin

  3. #3
    adminassistant

    Tried the exact same steps for another user in the office. This time, no EXAMPLE.000 created after Step 11, however had to make his domain user account a local administrator. Works perfect then. But would still like to avoid making domain users local admins. Please help.

    Thanks again,

    Tin

  4. #4
    Eric

    What were the permissions each user had on their systems prior to the creation of a domain? If Suzie had admin rights, and you copied over her profile, and she no longer has admin rights, I believe the ACLs on the files will retain her original rights, and inherit any new rights.

    You can try changing the permissions on the profile after doing the profile copy. Be sure you change the settings on all the subfolders as well. Then I would try it again.

  5. #5
    adminassistant

    Hey Eric! Thanks so much for the reply!

    Suzie was part of the local administrators group, as well as the local users group prior to joining the domain.

    I gave her domain user account Full Control of both her original profile folder "ssmith" as well as her new domain profile "ssmith.EXAMPLE".

    However, I was just wondering something.....could it be an ownership problem? When I logged on as Domain Admin, I checked the "Ownership" tab of both her profile folders. Both show that "Administrators" have Ownership, and the only other option I can select is "Administrator".

    Knowing that my final step to get this to all work, was to drop her domain user account in the Local Administrators group, effectively making her an Owner of those profile folders, I'm wondering if it's possible to just make her an owner of her own profile folder, and all subfolders and files.

    But again, only Administrators and Administrator are my ownership options. Would she be able to take ownership of those profile folders, if she were logged on?

    Thanks so incredibly much!

    -Tin

  6. #6
    Eric

    You might want to try this utility to change the ownership of files to the user you want to have ownership:

    http://www.microsoft.com/downloads/details.aspx?familyid=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

    I would think that someone with local administrator rights could take ownership of files on a local system, but I really don't know the answer to that.

    Hope that helps!

    Eric
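
The permission change discussed in posts #4 to #6, as an added example (not code from any poster in this thread): it lists the ProfileList entries from step 10 of the first post, grants the domain account an inheritable Full Control entry on the old profile folder, and reports items whose inheritance is blocked and therefore never receive that entry. The account `EXAMPLE\ssmith` and the profile path are assumptions based on the thread's example; it needs an elevated Windows PowerShell 3.0 or later session.

```powershell
# Added example, not from the thread. Run elevated (Windows PowerShell 3.0+).
# Assumed values: the account and the XP-era profile path used as defaults.
param(
    [string]$Account     = 'EXAMPLE\ssmith',
    [string]$ProfilePath = 'C:\Documents and Settings\ssmith'
)

$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Step 10 of the first post: show every ProfileList entry, so a duplicate
# such as ssmith.EXAMPLE.000 is visible next to the SID it belongs to.
$list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem $list | ForEach-Object {
    [pscustomobject]@{
        Sid      = $_.PSChildName
        IsTarget = ($_.PSChildName -eq $sid)
        Path     = (Get-ItemProperty -LiteralPath $_.PSPath).ProfileImagePath
    }
} | Format-Table -AutoSize | Out-Host

# Grant the domain account Full Control on the profile root as an ACE that
# subfolders (ContainerInherit) and files (ObjectInherit) inherit.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $nt, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -LiteralPath $ProfilePath
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $ProfilePath -AclObject $acl

# Items with inheritance blocked never receive that ACE; list them so they
# can be fixed individually instead of making the user a local admin.
$blocked = @(Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected })

"{0} item(s) under {1} do not inherit from the profile root:" -f $blocked.Count, $ProfilePath
$blocked | ForEach-Object { $_.FullName }
```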

  7. #7
    Jeffrey Wilcox

    The operation of taking ownership can be automated with some console utilities (partially) and third-party products like Scriptlogic's Security Explorer. The last one is also useful for resolving and repairing problems with broken inheritance. It can be fixed with a single command in batch mode.

  8. #8
    dpage

    I've just gone through this (albeit much smaller) and tried three different approaches. The first, similar to yours, was painful and time consuming; the second (using moveuser.exe from the 2003 support tools) didn't work but showed promise. The third, a third-party tool from ForensIT, worked like a charm. Its .exe can be run from pretty much anything and can join the computer to the domain, migrate profiles to be used by domain logins (and delete or disable the old local profile) and voila. Finished. Again, ours was much smaller but we could do a machine in about 5 minutes using their free version. They do have an enterprise version which is scriptable and can be done via remote server. Check it out. www.forensit.com

  9. #9
    adminassistant

    Wow, before coming back to this post and reading dpage's reply, I actually went through the EXACT same things dpage recommended. I tried, but had limited success with the moveuser tool, and can't say enough about ForensIT's user profile wizard! It's been working perfectly, and has saved me countless hours. The only thing I had to do afterwards was enter in and save a few passwords when the user logged onto the domain (i.e. Outlook). I highly recommend the free download to anyone in the same situation. Thanks again everyone!

    Tin
