The greatest challenge to any thinker is stating the problem in a way that will allow a solution

Bertrand Russell

On 30 Apr 2013

Tech Notes

This article covers how to keep a user's desktop profile (the look and feel they get when they log in) when the user's login name changes. This commonly occurs when migrating machines (workstations, desktops, laptops) between domains, or when joining a standalone machine to a new domain.

To be clear, what we're actually talking about is retaining a profile when the user's underlying security identifier (SID) needs to change. If a user's login name is changing but they are staying in the same domain, you can simply rename the account: the underlying user account doesn't change, the impact is purely the cosmetic login name change, and everything else stays the same.

The Theory

When you log into a Windows machine, the OS loads a profile for the user. In Windows 7 and later, profiles are normally found in C:\Users; in earlier versions, in C:\Documents and Settings. If a user is logging into a machine for the first time, a new profile is created from the default local profile, normally in a folder named after the username (e.g. C:\Users\Name). From then on, the user is directed to that profile at each login.

To make this work, the machine keeps a mapping of SIDs to profile paths, stored in the registry. If you edit this list, you control which profile path a user is directed to at login.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

The Profiles List registry key that determines the path that gets loaded when a user logs in

The Practice

Small Scale

If you only need to redirect one or a handful of users to their old profiles, it's easiest to have the user log in with their new username and allow a new profile to be created. Then log back in as an Admin, edit the SID key created under ProfileList, and update the ProfileImagePath value to point the user at their original profile path.

Large Scale

If you're performing a mass migration of many users, it's easier to script this and pre-create a new SID key in the registry, with the ProfileImagePath the user was using previously. This requires you to know the user's new SID before they log in, but if you do, it saves forcing the user to log in, get a default profile, and then having to log in as an Admin to redirect their new SID to their old profile.
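The following PowerShell function is an added example written for this note; it is not code from the original post. It covers both the small-scale case (the SID key already exists after a first login and its ProfileImagePath is updated) and the large-scale case (the key is pre-created before the first login). It assumes an elevated session on a machine that can already resolve the new account name to a SID (i.e. the machine is joined to the new domain). The function name Set-ProfileRedirect, its parameters and the sample account and path are this example's own.

```powershell
# Added example (not from the original post). Points a user's new SID at an
# existing profile folder by editing the ProfileList key described above.
# Assumes an elevated session and that $Account (e.g. NEWDOMAIN\jdoe) resolves.
function Set-ProfileRedirect {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Account,         # e.g. 'NEWDOMAIN\jdoe' (constructed)
        [Parameter(Mandatory)] [string] $OldProfilePath   # e.g. 'C:\Users\jdoe'  (constructed)
    )

    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    # Resolve the new account to its SID; the SID string is the subkey name.
    $ntAccount = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Refuse to redirect to a folder that is not actually on this machine.
    if (-not (Test-Path -LiteralPath $OldProfilePath)) {
        throw "Old profile path '$OldProfilePath' does not exist on this machine."
    }

    $key = Join-Path $profileList $sid

    if (Test-Path -LiteralPath $key) {
        # Small-scale case: the user has logged in once, so Windows created the key.
        $current = (Get-ItemProperty -LiteralPath $key).ProfileImagePath
        Write-Verbose "Existing ProfileImagePath for $sid is '$current'"
    }
    elseif ($PSCmdlet.ShouldProcess($key, 'Create ProfileList key')) {
        # Large-scale case: pre-create the key before the user's first login.
        New-Item -Path $key -Force | Out-Null
    }

    if ($PSCmdlet.ShouldProcess($key, "Set ProfileImagePath to '$OldProfilePath'")) {
        # ProfileImagePath is a REG_EXPAND_SZ value, hence -Type ExpandString.
        Set-ItemProperty -LiteralPath $key -Name ProfileImagePath `
            -Value $OldProfilePath -Type ExpandString
    }

    # Report what the key now points at (empty under -WhatIf if it was not created).
    $now = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ProfileImagePath
    [pscustomobject]@{
        Account          = $Account
        Sid              = $sid
        ProfileListKey   = $key
        ProfileImagePath = $now
    }
}

# Preview first with -WhatIf, then run again without it to apply the change.
# Set-ProfileRedirect -Account 'NEWDOMAIN\jdoe' -OldProfilePath 'C:\Users\jdoe' -WhatIf
```

Because the function supports -WhatIf, it can be dry-run across a migration batch (one call per account from a CSV of old path and new account name) before any registry write is made, which is the point at which a pilot, as recommended under Problems below, catches machine builds where the redirect does not take.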

Problems

In practice you may get occasions where it seems impossible to direct a new SID to an old profile. The simple truth is that you are trying to circumvent basic user profile security. Depending on the build of user machines, it may be unreliable to assume that you will successfully retain a user's profile during a SID change. If you're performing a large scale migration, it's recommended that you perform a pilot with a good selection of different users and machine builds.

If you’re migrating lots of users, expect there to be cases where their profile effectively gets lost, and so you’ll need to copy data from their old profile into their new profile.

User needs admin access

The user will need local admin access when they first log into that machine, to ensure they can access the original profile, which is only accessible to the original user account's SID and to administrators.

Providing admin access may breach local security policies, or otherwise present too high a risk.

Encrypted content in profiles becomes inaccessible

Some applications store encrypted content in the user's profile (for example passwords). Once the user is accessing their profile under their new account, they will be unable to decrypt that data, as they no longer have the same key as with their previous account.

Different applications handle this in different ways. Some detect the problem, discard the cached data that is no longer usable, and carry on (re-asking for data that was previously encrypted). Some may fail but indicate how to resolve it. Others may just fail.

Temporary / default profiles

If things don’t go to plan your user may end up with a default or temporary profile.

Check that the new user account has admin rights over the old user profile path. In some cases this won't be enough and the user will still fail to log in properly.

If you can only get the user into a default profile, copy their data across from their old profile.

If the user is going into a temporary profile, log in as an admin and delete the .bak registry key for the user under ProfileList.
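The function below is an added diagnostic for the temporary/default profile case; it is not code from the original post. It lists every ProfileList key belonging to the account's SID (including any .bak key), shows where each points, checks whether the old profile folder grants the account itself FullControl, and optionally removes the .bak key as the note above says. It assumes an elevated session and a resolvable account name; the function name Test-ProfileRedirect and its parameters are this example's own. Access obtained through membership of the local Administrators group rather than an explicit grant is not detected by the ACL check, so treat OwnsOldProfile as one signal, not the whole answer.

```powershell
# Added example (not from the original post). Diagnoses a temp/default profile
# after a SID change: ProfileList keys for the SID (.bak flagged), ProfileImagePath
# of each, and whether the account has an explicit FullControl ACE on the old folder.
# Assumes an elevated session and that $Account resolves to a SID.
function Test-ProfileRedirect {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Account,         # e.g. 'NEWDOMAIN\jdoe' (constructed)
        [Parameter(Mandatory)] [string] $OldProfilePath,  # e.g. 'C:\Users\jdoe'  (constructed)
        [switch] $RemoveBackupKey                         # delete the .bak key if present
    )

    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $ntAccount = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

    # Registry side: every key whose name starts with this SID (S-1-5-... and S-1-5-....bak).
    $keys = @(Get-ChildItem -LiteralPath $profileList |
              Where-Object { $_.PSChildName -like "$sid*" })
    $bakFound = $false
    foreach ($k in $keys) {
        $path  = (Get-ItemProperty -LiteralPath $k.PSPath).ProfileImagePath
        $isBak = $k.PSChildName.EndsWith('.bak')
        if ($isBak) { $bakFound = $true }
        Write-Verbose ("{0} -> {1}{2}" -f $k.PSChildName, $path, $(if ($isBak) { '  [.bak]' } else { '' }))
        if ($isBak -and $RemoveBackupKey -and
            $PSCmdlet.ShouldProcess($k.PSPath, 'Remove .bak ProfileList key')) {
            Remove-Item -LiteralPath $k.PSPath -Recurse
        }
    }

    # File-system side: does the old profile folder explicitly grant this SID FullControl?
    $hasFullControl = $false
    $owner = $null
    if (Test-Path -LiteralPath $OldProfilePath) {
        $acl = Get-Acl -LiteralPath $OldProfilePath
        $owner = $acl.Owner
        foreach ($ace in $acl.Access) {
            try {
                $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # orphaned or unresolvable identity; skip it
            if ($aceSid -eq $sid -and $ace.AccessControlType -eq 'Allow' -and
                (($ace.FileSystemRights -band $fullControl) -eq $fullControl)) {
                $hasFullControl = $true
            }
        }
    }

    [pscustomobject]@{
        Account         = $Account
        Sid             = $sid
        ProfileListKeys = $keys.PSChildName
        BackupKeyFound  = $bakFound
        OldProfileOwner = $owner
        OwnsOldProfile  = $hasFullControl
    }
}

# Inspect first; add -RemoveBackupKey (and -WhatIf to preview) to clear a .bak key.
# Test-ProfileRedirect -Account 'NEWDOMAIN\jdoe' -OldProfilePath 'C:\Users\jdoe' -Verbose
```

A result with BackupKeyFound set and OwnsOldProfile clear matches the two checks the note describes: the .bak key needs removing, and the new account still has no rights over the old profile path.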
