How to Migrate Local Profiles to Domain Profiles in 5 Minutes Using Registry Tweak - Windows XP and 7

Profile Migration

Don't waste hours on time-consuming profile migration tools when you can do it in minutes with a simple registry tweak. This technique can be used to migrate local profiles to domain profiles, as well as domain profiles to local profiles. It simply involves modifying a registry value and changing the permissions on the user directory. In my example, I will be migrating a local profile on Windows XP to a domain profile. This method has also been tested on Windows 7; however, if you are using Windows 7 (turn off UAC), please see the notes at the bottom.

 *** Windows 7 - Use this revised tutorial *** 

To begin, if you have never logged in with the domain user account, you will need to do that first. I recommend performing the rest of the steps as a domain admin. Log out of the domain user's account and log in as a domain admin, open Explorer, and browse to the Documents and Settings folder (on Windows 7 this is the "Users" folder). Now right-click the local user's profile folder and choose Properties. Click Add to add the domain user to the list of users with permissions. Now select Allow Full Control for the domain user and click Apply:


Click the Advanced button to open the Advanced Security Settings window. Select the “Replace permission entries on all child objects with entries shown here that apply to child objects” checkbox and click Apply and OK (depending on the number of files in the user's directory, it may take a couple of minutes to apply the permissions). Optionally, remove the local user from the permissions list. I recommend removing the local user account, but it is not required.


We will now perform the same actions on the user's NTUSER.DAT file while it is loaded in the registry. Go to Start > Run > regedit to open the registry editor. Select HKEY_LOCAL_MACHINE, then open the File menu and choose Load Hive. Now browse to the local user's directory and load the file NTUSER.DAT. Because the file is hidden, you may have to type the filename “NTUSER.DAT” in the File Name box if you can’t see it in the directory. In my case, this file is located at C:\Documents and Settings\user\NTUSER.DAT (on Windows 7 it would be C:\Users\user\NTUSER.DAT). Regedit will ask you to give the hive a name. You can give it any name, as this is only used so you can recognize it under the HKEY_LOCAL_MACHINE key. In my example, I named it “ntuser”.


You will now see “ntuser” as a key. Right-click it and select Permissions. Just as before, add the domain user and select Full Control. Click Apply.


Click Advanced and check “Replace permission entries on all child objects with entries shown here that apply to child objects”. Click Apply and OK.


While the “ntuser” key is selected, open the File menu and select Unload Hive:


That’s it for the permissions. Now we will move on to how to modify the registry. Expand this registry key: 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList


You will find a registry key for each user on this system. Select each key under ProfileList and look at its ProfileImagePath value, which shows the path to that user's directory. You are looking for the key that belongs to the local user. Copy the value from ProfileImagePath for the local user.


Now simply paste that value into ProfileImagePath for the domain user. You should then delete the key for the local user to prevent the local user from logging in. As with any registry modification, back up the ProfileList key before performing these steps.

That’s it. Restart your computer and log in as the domain user. You will be greeted by the original profile of the local user, including: background, documents, Outlook profiles, programs, start menu, and any other settings.
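The ProfileList step described above can also be scripted. The following PowerShell is an added example, not part of the original article; the account names `user` and `EXAMPLE\user` are placeholders, and it covers only the ProfileList edit, not the folder or hive permission steps. It assumes PowerShell 2.0 or later, an elevated session, and that neither account is logged on.

```powershell
# Added example, not the article's own code. Without -Apply it only reports.
param(
    [string]$LocalAccount  = "$env:COMPUTERNAME\user",  # placeholder local account
    [string]$DomainAccount = 'EXAMPLE\user',            # placeholder domain account
    [switch]$Apply,                                     # actually write the change
    [switch]$RemoveLocalKey                             # also delete the local user's key
)

$regPath     = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-AccountSid([string]$Account) {
    # Resolve DOMAIN\name or COMPUTER\name to its SID string.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-RawProfilePath([string]$Sid) {
    # ProfileImagePath is REG_EXPAND_SZ. Read it unexpanded so a value such as
    # %SystemDrive%\Documents and Settings\user is copied exactly as stored.
    $key = Get-Item -Path "$profileList\$Sid" -ErrorAction Stop
    $key.GetValue('ProfileImagePath', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
}

# Report every profile key: SID, resolved account name, stored path.
Get-ChildItem -Path $profileList | ForEach-Object {
    $sid = $_.PSChildName
    try {
        $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<unresolved>'   # orphaned SID or a non-SID key name
    }
    '{0,-48} {1,-28} {2}' -f $sid, $name, (Get-RawProfilePath $sid)
}

$localSid  = Get-AccountSid $LocalAccount
$domainSid = Get-AccountSid $DomainAccount
foreach ($sid in $localSid, $domainSid) {
    # A key exists only after the account has logged on to this machine once.
    if (-not (Test-Path -Path "$profileList\$sid")) {
        throw "No ProfileList key for $sid. That account must log on once first."
    }
}

$localPath = Get-RawProfilePath $localSid
"ProfileImagePath for $DomainAccount ($domainSid) would become: $localPath"
if (-not $Apply) { return }

# Back up the whole ProfileList key before changing anything.
$backup = Join-Path $env:TEMP ('ProfileList-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $regPath $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg export failed; nothing was changed.' }

# Point the domain user's key at the local user's profile directory.
Set-ItemProperty -Path "$profileList\$domainSid" -Name ProfileImagePath `
    -Value $localPath -Type ExpandString

if ($RemoveLocalKey) {
    # Stops the local account from loading this profile; restorable from $backup.
    Remove-Item -Path "$profileList\$localSid" -Recurse
}
"Backup written to $backup. Restart before logging on as $DomainAccount."
```

Importing the exported .reg file restores the previous ProfileList contents if the result is not what you expected.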

Notes: I’m not sure why (if you know, please leave a comment), but the saved passwords from Outlook will be lost. Once you open Outlook, it will ask you for your password, so make sure you have any Outlook passwords before you migrate profiles. Also, if you are trying to migrate a domain profile to a local profile, you basically alter the steps listed above accordingly.

For Windows 7, make sure you have UAC disabled. I'm not saying it won't work if you leave it enabled, but I tested it with UAC disabled. If you encounter either of these errors: "NTUSER.DAT This file is in use" or "Registry Editor could not set security in the key currently selected, or some of its subkeys", simply restart the computer and log in only as a domain admin to ensure none of the local user's resources are in use. Then perform the permission steps again.



If you have any questions or concerns, please leave a comment.

 

Hi, I followed your steps. It works well in Windows XP but not Windows 7. In Windows 7, after the profile migration, the domain user can get back everything but cannot double-click anything on the desktop and cannot get an IP. Any idea?

I've tested this method successfully on Windows 7, so it will work. However, several people seem to have had issues on Windows 7. Make sure UAC is disabled, and reapply the permission settings to the users directory. If you get any errors while applying the permissions, then that is likely where the problem is coming from.

Are you getting a specific error when trying to click anything in the desktop? If so could you post that. Also, right click an icon on the desktop and verify that the domain user has full permissions for it.

Howdy, would you mind sharing which blog platform you're using? I'm going to start my own blog in the near future but I'm having a hard time deciding between BlogEngine/Wordpress/B2evolution and Drupal. The reason I ask is because your layout seems different than most blogs and I'm looking for something completely unique. P.S. Apologies for being off-topic but I had to ask!

It worked in XP but won't in Win 7; getting an error while giving permissions in the registry.

I disabled UAC and logged in as domain admin, still no luck.

Please suggest

 

 

Even if you get errors in the registry, changing the permissions on the users folder will still be enough for this to work. However, I will run some more tests and post the results. 

Any update on this? Works well in XP, but like the poster above. When in Windows 7, even local profile to local profile, unable to click on anything on start menu. Cannot Search and run explorer. Even changed ownership of Windows Folder from Trusted Installer to local user.

Any update? Works in XP like the other user stated, however in Windows 7 clicking on the start menu generates an error, cannot even search for a process to run. It did work properly when I enabled the Administrator account and pointed the profile list from Administrator to "john doe", but the reverse does not.

*** UPDATE FOR WINDOWS 7 ***
After doing some more tests on Windows 7 systems, you need to perform the following actions in order for the process to completely work in Windows 7:
Before you add Full Control for the domain user's account on the local user's home folder, change the ownership of local user's home folder to the local Administrators group (Right click on local user home folder > Properties > Security > Advanced > Owner > Edit) . Check Replace owner on subcontainers and objects.
Now you can add Full Control for the domain user's account on the local user's home directory as described in the article (Add full control and replace the permissions on all child objects).
Now change the ownership of the local user's home folder back to system (in case you didn't check, it was originally set to System). Do not check Replace owner on subcontainers and objects.
If you follow these steps, you should be able to follow the rest of the article without any problems. Let me know if you experience any more issues.

Still getting the error messages with the new steps introduced above. UAC is turned off and when applying full control to even a local user, was receiving warnings that the permissions could not be applied to app data\local\...

I tried the Windows 7 instructions and it works like a champ! Thanks!

Thanks for the great guide. I ran it through on a test machine and it worked great. Unfortunately I then ran it on one of team lead's machines and everything looked great...until we tried to open Windows Explorer. Refused to open it. Went back to the first system I tried it on and sure enough: "Windows cannot access the specified device, file or path. You may not have the appropriate permissions to access the item." Logged on as admin, no issues.

I made him a power user, a local user, changed the permissions on the file, changed permissions and ownership on the entire Windows folder. No dice. Only after making him a local administrator (Way against my policies) was he able to use explorer. Any suggestions for the future would be great, but as it stands I'm forcing all users to create new profiles.

Hoping there's a quick fix to this I'm missing, but I'm a bit baffled. All the security settings suggest it's set properly. I did run into the registry permission issue "Registry Editor could not set security in the key currently selected, or some of its subkeys" but restarting and logging in only as admin didn't fix this. Perhaps this is what causes this issue?

This tutorial missed an important part for Windows 7 profiles, maybe all profiles but I haven't tested this on XP. You need to open "%USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat" with regedit & modify the registry permissions just like you did for ntuser.dat. Only after I made this change was I able to open Explorer, even with UAC on.

Thank you! I spend hours documenting and testing this procedure for our Domain migration and was stuck with Explorer.exe not being able to run or show folders. Loading UsrClass.dat and setting permissions fixed this and I'm good to go!

After changing the permission of the local home folder, I kept getting this message "Error applying security 'An error occured while applying security information to C:\user\user name\file or folder'".

Does this have anything to do with UAC? I temporarily disabled it but didn't restart the computer. Is it required to restart the computer after disabling the UAC? If so, do you think that's what's giving me the error message?

Domain to Domain migration using this technique in a windows xp sp3 environment. Receiving Error Userenv Event ID 1058 Logon Failure: Unknown User name or bad password

From time to time, I am having users experience the NTUSER.DAT file is in use when they are trying to log onto their machine. Rebooting the machine obviously fixes it, however they rely on using gotomypc and rebooting the computer can be difficult.

To resolve issue with error opening explorer.exe you need to copy AppData/Local/Microsoft/Windows/* from clean domain to local profile (especially UsrClass.dat file).

The methods listed below have been verified in a non AD domain, And in a virtual AD test environment. So if you use Domain level GPOs you may need to do further testing to make sure that the local gpo settings listed below are not over written by the domain policies. Also, if there is a Default User.v2 share in your netlogon shares you may need to set the permissions to that folder to "deny all" so that the windows 7 client won't pull whatever profile is there.

Non sysprep method (sysprep method follows)

Make group policy changes (these are what causes win 7 to not look toward the server for a default profile)
• Computer Config > Administrative Templates > System > User Profiles >
o Only Allow User Profiles = Enabled
o Set Roaming Profile Path for all users logging onto this computer = Disabled
o Prevent Roaming Profile changes from propagating to the server = Enabled
• Customize the Test or Setup account
• Enable built-in Administrator account
• Log on as Administrator
• Install RichCopy from Technet
• Use Explorer to unhide system files and folders
• Use RichCopy to copy the profile from the account used to implement customizations to "Default User"
• Join machine to the domain
• Reboot
• Log on domain user and all customizations that can be transferred should be applied to the users' profile

Sysprep Method - You may want to use this method because this method should be fully supported by MS
• Login as the setup account
• Enable Administrator Account - log off
• Log on as Administrator
• Go to Manage Users
• Delete Setup account and any other accounts that have a profile folder and choose "delete files"
• Make group policy changes
• Computer Config > Administrative Templates > System > User Profiles >
o Only Allow User Profiles = Enabled
o Set Roaming Profile Path for all users logging onto this computer = Disabled
o Prevent Roaming Profile changes from propagating to the server = Enabled
• Complete all customizations
• Copy validated answer file to C: root
• Go to windows\system32\sysprep
• Right click while holding shift and choose "open command window here"
• Run "sysprep.exe /oobe /generalize /unattend:c:\yourunattendfile.xml"
• Once the system reboots go through whatever portion of mini-setup your answer file dictates
• Join machine to the domain
• Log on as a domain user
• Basic look and feel customizations should have been applied from the local Default User profile

And as long as the local policies that we set above remain intact, any domain user that logs onto the machine will receive the look and feel that you want for your organization.

Because MS has not published a comprehensive list of items/settings that cannot be applied to a default profile, you will have to experiment with that. I did find a doc that made it clear that the quick launch as well as the area of the start menu where you "pin" shortcuts do not persist when copying customizations to the default profile.

So far in my testing, what I have found by using RichCopy is that none of the symlink/join folders get copied to default user and therefore there are no permissions to reset. I am still testing the various permissions but so far there are no leftover folders that have the wrong permission.

Because when the profile is propagated the first time for a new user all of the folders that don't copy are populated the way MS intended and because I haven't "forced" anything with bad permissions, the OS is able to set the proper permissions on for example "history" folder, the OS will take care when the structure is propagated from default user to the user logging on for the first time.

I do have 1 important piece of info to add, it seems that blocking access to the Netlogon share is what forces the client machine to propagate the local default user profile to the first time domain user and not the GPO's as I originally thought. I should be able to verify that by early next week.

If someone tests that prior to me please post your results. I know up til 6-9 months ago this was a huge issue for desktop admins and especially deployment techs. And even though the posts about this have died down, I don't know if people just adjusted their deployment process to use Netlogon for domain user profiles or found another solution that isn't posted or is on some obscure website, but for the organization where I work, using the Netlogon share for default domain user profiles is not flexible enough. And I didn't get good results when trying to reset the permissions on ntuser.dat in the registry nor taking ownership of the entire profile structure for the profile that I wanted to use. So to sum it up, there are still little details I don't fully understand but the way(s) that I have listed above have not left me with no access to "computer" or temp profiles being loaded - try it and let me know how it goes - appreciate it.

You guys are really rockstar...I was looking for this since last 15 days and finally it took me to this page and got the solution.
This is what exactly we were in need of....

I'm just surprised to see the way you guys have solved the migration problem with Windows 7......

Hats off to you guys.......

Best Regards,
Farhan Ziya
Pepperfry.com

Hi .. done all - but somewhere two functions got lost or cut out:
1.) power options: they're all set yet the machine does not entertain any of them!
2.) screen saver is also set BUT does not start; merely a flash - as if it wants to start - then the screen is showing normal operation.

Anyone out there who has a clue?
Thanks,
Gerd

A great set of instructions. There is a note by the original submitter about saved Outlook passwords being lost. I found several instances of the user's GUID being used inside of the ntuser.dat file itself. One of these is "ProtectedStorageSystemProvider", which I think holds the Outlook passwords. So my question is, shouldn't all of the user's GUID references inside the ntuser.dat be changed as well?
Jon

Actually, these all can be done by one fine software called User Profile Wizard.
Download it here>> http://www.forensit.com/Downloads/Profwiz3.zip

Congratulation!! you have found the solution!! thanks to the developer. \m/

if I use Profwiz to try to migrate a user that has cached Domain access (for a company that went out of business & no longer exists) to a local user -it asks which user I want to migrate from -if I choose the user DomainName\DomainUser -it says it can't login to the Domain controller for DomainName -which of course is impossible because it doesn't exist -that was the whole reason we were trying to migrate this profile to a local one.

In step 1, you must choose the computer name as the Domain and use the local account for the account name. Then you only need to choose the domain user profile stored in that computer in step 2. If the credential is asked in step 3, use the local admin account.

btw, could someone incorporate all the fixes discovered along this post into one process? I admit I can't quite follow where I am supposed to make the corrections/updates. I am particularly interested in a step-by-step process to move the cached Domain user profile into a local user.

Currently working on a revision... Will notify when published.

Gold star to all who have contributed - love your work !

This process has worked great for me. But I have had two users whose Chrome and Safari cannot access HTTPS sites once the switch is made. I will uninstall Chrome, reinstall it, and it works. But once the user shuts chrome down and opens it back up, the same thing happens, no access to HTTPS sites. Any ideas?

I will look into this, but for now, I recommend installing Chrome using the msi installer. This will install it for all users, instead of in the users directory:

http://www.google.com/intl/en/chrome/business/browser/

Hello all. I know this discussion is a year old, but I am going to be doing a big project where I need to migrate almost 20 local user profiles to domain profiles when we switch one of our client's P2P to a domain network.

I tried this in XP and it worked fine, but in Win. 7, when I get to the step where you replace the permission entries on child objects for the domain user, I get a notification:

"Registry editor could not set security in the key currently selected, or some of its sub keys"

Before I got that, after I clicked apply after selecting the Child Entries box, I got this message:

"This will replace explicitly defined permissions on all descendants of this object with inheritable permissions from ntuser"

I get the above message in Win. XP too (I'm doing this in Win. 7 Pro). Has anyone else had this happen? Is it normal? I am doing this on my VM (Win. 7 Pro 4 bit). I did the XP on my desktop PC (not VM). Could this be happening because I'm doing it on a VM? I don't think it should make a difference.

I'd really like this to work because it would be a huge project that would take a long time to do. It would save a lot of time and expense for our customer.

Thanks!

Nick.

Cool, works fine, you save my life, thanks!!

THIS TOOL WIPED ALL OF MY PROFILES CLEAN! DO NOT USE!!!!!

The first time I logged on to each profile, all was fine. The next I logged on, everything was gone. Months and months of work GONE! What a piece of CRAP!

This is not a tool, it is a technique, and it did not "WIPED ALL OF MY PROFILES CLEAN". The only thing you delete, is a registry key, which it clearly says to backup first. Even if you deleted the registry key without backing it up, everything in the users home folder is still there and it is still possible to resetup the registry keys

I used this technique on both Win 7 Pro and Win XP pro 32 and 64 bit without any problems. Emails, desktop, documents, settings, configs, everything transferred over. The only thing you need to document is the Outlook email passwords and I even did the username to be safe.

As was stated, the only thing that you delete or alter is the permissions and a reg key that tells Windows to look for the domain profile and not the local account. That's it. If you follow ALL of the instructions to a T then you won't have any problems. It's important to do the optional steps too, and take note of the usrclass.dat AND ntuser.dat files for Win 7. This is awesome and saves a lot of time for us (I work for an IT contractor) and money for our customers, especially when you have to migrate 18+ profiles.

This helped me a lot with migrating non-domain users to a domain, but I'm running into an issue with Outlook. After doing all of this on a Windows XP environment, I have managed to get everything to work except Outlook. Outlook will open on any user I launch it with except the one that I migrated the profile for. Upon opening, it gives an error that says "Cannot open Microsoft Outlook". I tried removing all Outlook files for the user, but that didn't work. I also tried to open up Mail in Control Panel, but it won't open when logged in as that user. It gives some memory error saying too many windows are open. I've also tried a repair on Office as well as uninstalling and reinstalling with no success. Any help with this would be greatly appreciated.

I had the same issue with about a third of my users. I had to make them an admin on their box. That fixed it for most of them. For a few, I literally had to do the permissions steps multiple times until it worked. But, again, for most it took just making them an admin.

 

Thanks for adding windows 7 updates to my guide, I think.  No credit to the original author though??  Unless you came up with this 100% on your own, in which I applaud your ingenuity. :)
 
http://www.raygibson.net/kb/profile_migration/
 

FYI, I've been working on and testing a revised tutorial that specifically targets migrating profiles on Windows 7. All of the issues that were brought up in the comments are addressed in the new tutorial and it is much more simple and easy to follow.

I will post a follow up comment this week once it is published

thanks for your continued work on this. it is most appreciated.

 

*** Windows 7 Update ***

Here is the revised tutorial for Windows 7. It addresses the issues that were brought up in the comments from this article, such as Explorer not opening, Google Chrome not working, and usrclass.dat. It also has a quick 5 step guide, and a full guide.

Will this work for migrating a Domain to a different Domain? We will be moving two stores from a Domain to our Domain. We purchased the stores and now we want to put them on our company Forest Domain. We will set up the servers first with new accounts then manually move the users. When we are done getting them on our Domain we will move their mail to our Exchange server. I have done this manually many times but this could save serious time.

I followed these steps and now all of the files are gone from My Documents. They are nowhere and I can't find them. Not in the original location, not in the new, just gone. Help would be appreciated. Sigh… maybe I did something wrong : /
