Managing User Profiles
A slap-dash solution for transferring profiles in toto. Anyone with a more elegant method?
- By Bill Boswell
- March 16, 2004
Bill: I'm setting up a new Windows Server 2003 terminal
server to replace an existing Windows 2000 terminal server running Citrix.
I need to copy more than 70 user profiles from the existing server. Both
servers are in the same domain.
I've tried copying the profiles using Explorer, but when the user logs
on, instead of getting the copied profile, they get a default profile
and I see a duplicate profile in Documents and Settings called Username.Domain.
For example, if the copied profile is John, the new profile is John.DOMAIN.
I assume this is a permission problem, in that the user is not getting
access to the profile folder to write or access the ntuser.dat file, but
how do I get around it?
John
John and Readers: I'm going to go through what I suggested
to John and then I want your input.
Get
Help from Bill |
Got a Windows or Exchange question or need troubleshooting
help? Or maybe you want a better explanation than provided
in the manuals? Describe your dilemma in an e-mail
to Bill at mailto:[email protected];
the best questions get answered in this column.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message but submit the requested
information for verification purposes.)
|
|
|
First, some quick background. A user profile consists of a folder in
Documents and Settings that contains the user's profile folders along
with a Registry hive called Ntuser.dat. The profile is protected in a
couple of ways:
- The profile folder has an Access Control List (ACL) that grants access
only to the user, the System account, and members of the domain Administrators
group.
- The registry hive inside Ntuser.dat has security permissions that
allow access only by the user, the System, and the Administrators group.
The system maintains a pointer to the user profiles in HLKM | Software
| Microsoft | Windows NT | CurrentVersion | ProfileList using the SID
of the user as the name of the Registry key containing the profile information.
Here's a quick example for a user named avguser:
Key Name: HKLM\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\ProfileList\S-1-5-21-
3862616078-362906602-1993679999-1015
Value: ProfileImagePath
Data: %SystemDrive%\Documents and Settings\avguser
If a user logs on and the ProfileList key has no entry for the user's
SID, the system creates a new profile for the user by copying the Default
User profile, either from the local machine or from the NETLOGON share.
If the system needs to a create a new profile but a folder with the user's
logon name already exists in Documents and Settings, the system creates
a new folder and gives it an extension that matches the user's domain.
Okay. With all that in mind, I recommended that John do the following:
- Use xcopy /o to copy the profiles from
the old server to the new one. This retains the ACLs of the files so
that the user retains full control access to the profile. (Actually,
you'd need to use xcopy /o /e /h to copy
empty files and hidden files.)
- Use Regedit to dump the entries in the ProfileList key to a REG file.
- Edit the REG file to remove any profile entries, such as the Administrator
profile, that would also exist at the new machine.
- Import the REG file into the Registry of the new machine.
- Verify that users log on and get their original profiles.
Although this works, frankly, it seems a bit inelegant to me. So here's
what I'd like you to do. If you have a better way to do profile transfers
and profile management in general, whether it be a cool script you developed
or a favorite Microsoft tool or a third-party utility or whatever, send
it to me. at [email protected]; put "Profile Transfers"
on the subject line of your message. I'll print the best submissions in
a future column and I'll acknowledge the name of anyone who sends an idea,
whether or not it gets printed.
As for the example I've provided, hope this helps.
About the Author
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.