Re: windows 2000 domain rebuilt, how to keep local user profiles?

From: Dan (anonymous_at_discussions.microsoft.com)
Date: 08/08/04


Date: Sun, 8 Aug 2004 02:26:47 -0700

Kevin,

Doubt you'll come back and read this.... I've read it
about 8 hours too late :) haha

Same issue, not as bad. Installed new server manually,
creating the same AD, DNS, DHCP etc. config. Stupid me
didn't think that all the systems would see it as a "new"
domain and "new" users (even though same name), so it
presented the same issue you had.

I gave up in the end and hooked back up the old server :)
haha

I'm gonna attack it tomorrow differently. I'm gonna do a
complete backup of the old server and restore on the new
and hope it works..... seems perhaps the quickest way.
There is the option of setting up as a Backup DC and then
transferring roles etc., but I think this could be just as
messy?
>-----Original Message-----
>klevie@sp.nl (Kevin Levie) wrote in message news:<ae2f769d.0408050603.b4aa70a@posting.google.com>...
>> At work, I've got a problem that I've been stuck with for almost an
>> entire day, but I really can't figure out what's going on. (...)
>
>Unfortunately, no-one posted a possible solution for my problem. Might
>be my bad for posting to the wrong group, or something. Anyway, I'll
>post the solution I found myself here for future reference by others
>who have weird permission and conversion problems like I had. Or
>rather:
>
>---
>** How do I link an existing local user profile with a new domain
>user, avoiding possible permission problems if I already demoted my
>old domain? **
>
># Log in as the domain user whose profile you want to copy, so that a
>new local profile is being created. Check what the old and new local
>profile paths are (e.g. username.DOMAIN and username.DOMAIN.000). Then
>log out and log in as domain administrator.
>
># Look for the new profile's key in
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
>(you know that from the ProfileImagePath option that shows the profile
>path, as the option's name suggests). Change the ProfileImagePath in
>this key to the old profile's path. Save the SID that belongs to this
>profile (which is identical to the key name) to the clipboard by
>clicking your right mouse button and selecting Copy Key Name.
>
># Make sure you have the Microsoft tool subinacl at hand (it's got an
>msi installation, but once extracted you can use subinacl.exe
>separately without any problems). This tool is very useful for setting
>ownership and permissions on directories recursively.
>Use the following commands to correct the permissions for the old user
>profile:
>
> subinacl /subdirectories "c:\documents and settings\username.DOMAIN\*" /setowner=DOMAIN\username
> subinacl /subdirectories "c:\documents and settings\username.DOMAIN\*" /grant=DOMAIN\username=F
>
># Start regedt32 (which differs quite a lot from regedit in Windows
>2000, though you can simply use regedit in Windows XP). Click on
>HKEY_USERS and then click File -> Load hive. Browse for the file
>oldprofilepath\ntuser.dat and load it with the SID as the keyname.
>(Remember, you just saved the SID on the clipboard - the only thing
>you have to do after you pasted it is chopping off the first part, so
>that only S-1-5-etc is left)
>
># Select the key and click Security -> Permissions... Give Full
>Control for this key to Everyone (don't forget clicking advanced and
>selecting 'Reset permissions on all child objects'). This does not
>imply a security risk - at least on my systems the permissions were
>automatically set correctly when the user logged on next time.
>
>The steps regarding ntuser.dat aren't necessary if the user in
>question is a local administrator. If he's not though, he'll have
>insufficient rights to access his old user registry (ntuser.dat): only
>his old domain user account has access to that file. Therefore, a user
>will not be able to log in or will experience difficulties using
>applications such as Outlook (Express). Apparently, registry
>permissions are in no way related to file permissions for ntuser.dat
>(which I find slightly illogical, though I suppose it is by design).
>---
>
>As an alternative, you can also try to avoid having to go through all
>these steps by making sure you never end up with a f**cked up
>situation like I described above ;-)
>
>Cheers,
>Kevin Levie
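As an added example (not Kevin's or Dan's script, and not a Microsoft tool), here is the relinking procedure from the quoted post written as a PowerShell script for an elevated domain-administrator session on the workstation. The domain, user name, profile path and SID are placeholders; icacls stands in for subinacl, and Full Control on the loaded hive is granted only to the domain user rather than to Everyone.

```powershell
# Relink an existing local profile folder to a newly created domain account:
# ProfileList -> ProfileImagePath, profile-folder ACLs, then the ntuser.dat hive ACL.
param(
    [string]$Domain     = 'DOMAIN',                                   # assumption: new domain NetBIOS name
    [string]$User       = 'username',                                 # assumption: account to relink
    [string]$OldProfile = 'C:\Documents and Settings\username.DOMAIN', # assumption: old profile folder
    [string]$NewSid     = 'S-1-5-21-PLACEHOLDER-1001'                 # assumption: SID of the NEW account
)

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$key = Join-Path $profileList $NewSid
if (-not (Test-Path $key)) {
    throw "No ProfileList entry for $NewSid; log in once as the new domain user first."
}
if (-not (Test-Path (Join-Path $OldProfile 'ntuser.dat'))) {
    throw "No ntuser.dat under $OldProfile; check the old profile path."
}

# Step 2 of the post: point the new account's ProfileList entry at the old folder.
Set-ItemProperty -Path $key -Name ProfileImagePath -Value $OldProfile -Type ExpandString

# Step 3: take ownership of, and grant Full Control over, the old profile tree
# (icacls replaces the two subinacl calls; /T recurses, /C continues past errors).
$account = "${Domain}\${User}"
& icacls.exe $OldProfile /setowner $account /T /C | Out-Null
& icacls.exe $OldProfile /grant "${account}:(OI)(CI)F" /T /C | Out-Null

# Step 4: load the old user hive under HKEY_USERS\<SID> and give the domain user
# Full Control on it, inherited by subkeys, so a non-admin user can open it.
$hiveFile = Join-Path $OldProfile 'ntuser.dat'
& reg.exe load "HKU\$NewSid" $hiveFile | Out-Null
try {
    $regKey = "Registry::HKEY_USERS\$NewSid"
    $acl  = Get-Acl -Path $regKey
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $account, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $regKey -AclObject $acl
} finally {
    # The registry provider can hold the hive open; collect before unloading.
    $acl = $null; [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$NewSid" | Out-Null
}
```

The user should then log off and log on with the new domain account; if the hive ACL step was skipped for a local administrator, as the post allows, only the first two steps apply.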