Re: windows 2000 domain rebuilt, how to keep local user profiles?

From: Kevin Levie (klevie_at_sp.nl)
Date: 08/07/04


Date: 7 Aug 2004 16:30:13 -0700

klevie@sp.nl (Kevin Levie) wrote in message news:<ae2f769d.0408050603.b4aa70a@posting.google.com>...
> At work, I've got a problem that I've been stuck with for almost an
> entire day, but I really can't figure out what's going on. (...)

Unfortunately, no-one posted a possible solution for my problem. Might
be my bad for posting to the wrong group, or something. Anyway, I'll
post the solution I found myself here for future reference by others
who have weird permission and conversion problems like I had. Or
rather:

---
** How do I link an existing local user profile with a new domain
user, avoiding possible permission problems if I already demoted my
old domain? **
# Log in as the domain user whose profile you want to copy, so that a
new local profile is being created. Check what the old and new local
profile paths are (e.g. username.DOMAIN and username.DOMAIN.000). Then
log out and log in as domain administrator.
# Look for the new profile's key in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
(you know that from the ProfileImagePath value, which shows the profile
path, as the value's name suggests). Change the ProfileImagePath in this
key to the old profile's path. Save the SID that belongs to this profile
(which is identical to the key name) to the clipboard by clicking your
right mouse button and selecting Copy Key Name.
# Make sure you have the Microsoft tool subinacl at hand (it's got an
msi installation, but once extracted you can use subinacl.exe
separately without any problems). This tool is very useful for setting
ownership and permissions on directories recursively.
Use the following commands to correct the permissions for the old user
profile:
  subinacl /subdirectories "c:\documents and settings\username.DOMAIN\*" /setowner=DOMAIN\username
  subinacl /subdirectories "c:\documents and settings\username.DOMAIN\*" /grant=DOMAIN\username=F
# Start regedt32 (which differs quite a lot from regedit in Windows
2000, though you can simply use regedit in Windows XP). Click on
HKEY_USERS and then click File -> Load hive. Browse for the file
oldprofilepath\ntuser.dat and load it with the SID as the keyname.
(Remember, you just saved the SID on the clipboard - the only thing
you have to do after you've pasted it is chop off the first part, so
that only S-1-5-etc. is left.)
# Select the key and click Security -> Permissions... Give Full
Control for this key to Everyone (don't forget clicking advanced and
selecting 'Reset permissions on all child objects'). This does not
imply a security risk - at least on my systems the permissions were
automatically set correctly when the user logged on next time.
The steps regarding ntuser.dat aren't necessary if the user in
question is a local administrator. If he's not, though, he'll have
insufficient rights to access his old user registry (ntuser.dat): only
his old domain user account has access to that file. Therefore, the user
will not be able to log in or will experience difficulties using
applications such as Outlook (Express). Apparently, registry
permissions are in no way related to file permissions for ntuser.dat
(which I find slightly illogical, though I suppose it is by design).
---
As an alternative, you can also try to avoid having to go through all
these steps by making sure you never end up with a f**cked up
situation like I described above ;-)
Cheers,
Kevin Levie
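The whole procedure from the post above, scripted as an added example (this is not Kevin's code and was not part of the original post). It assumes an elevated PowerShell session on a machine where the target user is logged off, uses icacls.exe in place of the Microsoft subinacl download, and loads the hive with reg.exe. The parameter values shown in comments (NEWDOMAIN\kevin, C:\Documents and Settings\kevin.OLDDOMAIN) are made-up placeholders. One deliberate difference from the post: instead of giving Everyone Full Control on the loaded hive, the script grants Full Control only to the new domain account, inheritable to every subkey, which is all the user needs to open his own ntuser.dat.

```powershell
# Added example, not from the original post: relink an existing local profile
# directory to a new domain account after a domain rebuild.
# Assumes: elevated session, the user is logged off, icacls.exe and reg.exe present.
param(
    [Parameter(Mandatory)] [string] $DomainUser,      # e.g. 'NEWDOMAIN\kevin' (placeholder)
    [Parameter(Mandatory)] [string] $OldProfilePath   # e.g. 'C:\Documents and Settings\kevin.OLDDOMAIN'
)

$ErrorActionPreference = 'Stop'

function Invoke-Native([string] $Exe, [string[]] $ArgList) {
    # Native tools do not throw on failure; surface a non-zero exit code as an error.
    & $Exe @ArgList | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ArgList -join ' ') failed with exit code $LASTEXITCODE" }
}

function Get-AccountSid([string] $Account) {
    # Replaces the post's "Copy Key Name" step: resolve the SID of the new account directly.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Set-ProfileImagePath([string] $Sid, [string] $Path) {
    # Step 2 of the post: point the new account's ProfileList entry at the old directory.
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$Sid"
    if (-not (Test-Path $key)) {
        throw "No ProfileList entry for $Sid - log on as the user once so Windows creates it."
    }
    $previous = (Get-ItemProperty -Path $key -Name ProfileImagePath).ProfileImagePath
    Set-ItemProperty -Path $key -Name ProfileImagePath -Value $Path -Type ExpandString
    return $previous   # the throw-away profile directory (username.DOMAIN.000); left in place
}

function Repair-ProfileFileAcl([string] $Path, [string] $Account) {
    # Step 3 of the post: ownership and Full Control on the whole directory tree.
    # icacls stands in for subinacl; /T recurses, /C continues past unreadable entries.
    Invoke-Native 'icacls.exe' @($Path, '/setowner', $Account, '/T', '/C')
    Invoke-Native 'icacls.exe' @($Path, '/grant', "$($Account):(OI)(CI)F", '/T', '/C')
}

function Repair-ProfileHiveAcl([string] $Path, [string] $Sid, [string] $Account) {
    # Steps 4 and 5 of the post: load ntuser.dat as HKEY_USERS\<SID> and fix key permissions.
    # File ACLs on ntuser.dat do not carry into the hive, so this is a separate step.
    $hive = "HKU\$Sid"
    Invoke-Native 'reg.exe' @('load', $hive, (Join-Path $Path 'ntuser.dat'))
    try {
        $root = "Registry::HKEY_USERS\$Sid"
        $identity = New-Object System.Security.Principal.NTAccount($Account)
        # Narrower than the post's "Everyone": only the new account, inheritable to subkeys.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $identity, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $keys = @($root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
                             ForEach-Object { "Registry::$($_.Name)" })
        foreach ($keyPath in $keys) {
            $acl = Get-Acl -Path $keyPath
            $acl.SetAccessRule($rule)
            Set-Acl -Path $keyPath -AclObject $acl
        }
        $keys = $null
    }
    finally {
        # Drop the provider's open handles, otherwise 'reg unload' reports access denied.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        Invoke-Native 'reg.exe' @('unload', $hive)
    }
}

$sid = Get-AccountSid $DomainUser
$discarded = Set-ProfileImagePath -Sid $sid -Path $OldProfilePath
Repair-ProfileFileAcl -Path $OldProfilePath -Account $DomainUser
Repair-ProfileHiveAcl -Path $OldProfilePath -Sid $sid -Account $DomainUser
Write-Host "Relinked $DomainUser ($sid) to $OldProfilePath; unused new profile dir: $discarded"
```

Run it once as a member of the local Administrators group after the user has logged on a single time to the new domain (so the ProfileList entry exists) and logged off again; a loaded hive cannot be re-loaded while the user is logged on, and the unused username.DOMAIN.000 directory the script reports can be deleted by hand once the user confirms his settings are back.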