Windows 7 - Migrate Local Profiles to Domain Profiles in 5 Steps and 5 Minutes Using Registry Tweak



Don't waste hours using time consuming profile migration tools when you can do it in minutes using a simple registry tweak. This technique can be used to migrate local profiles to domain profiles, domain profiles to local profiles, and domain profiles to domain profiles. It simply involves modifying a registry value and changing the permissions on the user directory and registry hives. In my example, I will be migrating a local profile on Windows 7 to a domain profile. My local user's account name is "user" and my domain user's account name is "tuser". The local user is part of the Local Administrators group. The Domain User is not part of the Local Administrators group, but it won't matter if it is (This tutorial was tested with UAC turned off.) If you or your company finds this tutorial useful, helpful, or time saving, please consider making a donation with the paypal link on the right. This helps with the authors time and hosting bills. Thanks
This has been tested on many production and test environments. In our test environment, here is a list of customizations and software installed and configured on the local user's account:
- Microsoft Outlook (Outlook Anywhere Account)
- Microsoft Outlook (POP Account)
- Google Chrome (All user version and user directory version)
- Microsoft Office
- Personalized profile (Custom background, Desktop Shortcuts, Favorites, Start Menu and Taskbar)
***PLEASE NOTE***
It is important to note that after you migrate the profile, the saved passwords in Outlook will be lost. This is not a big deal because Outlook will prompt you to enter the password when you launch it (and you do remember your email password, right???). You can use a tool like SIW.exe to retrieve the email passwords before you migrate. You should not receive any errors during or after these steps. If you do, leave a comment and we can try to help. If you are seeking professional remote or on-site support with this, we offer support as an hourly or project charge, depending on your setup. Contact us at support at itswapshop dot com for more info.
I have simplified the entire process into 5 easy steps. I also have a much longer step-by-step guide with pictures below. If this is your first time, I recommend following the full guide. If you are looking for a refresher, follow the quick guide.
Quick Guide - 5 Step Local to Domain Profile Migration:
- Join to Domain, restart, and then login as local user.
- Grant full permission on c:\users\local_user to domain user and make sure to check "Replace all child object permissions with inheritable permissions from this object".
- While still logged in as local user, open regedit and grant full control on the HKEY_CURRENT_USER key to domain user. Make sure to check "Replace all child object permissions with inheritable permissions from this object".
- Expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Each key here is associated with a user account on this computer. Go through each key and look at the "ProfileImagePath" string. Find the string for the local user and copy it. Paste it into the same string for the domain user. Now delete the entire key for the local user under the ProfileList key.
- Restart and login as the domain user.
It's as simple as that. If you want more details, here is the full guide:
Full Guide - Migrate Local Profile to Domain Profile in 5 Minutes:
1.) To begin, join the computer to the domain, reboot, and login as the local user (if you're not sure how to login as the local user after it's been joined to the domain, add the .\ prefix to the local users account name).
2.) In Explorer, right click on c:\users\local_user and choose properties. On the Security tab, click advanced:
3.) On the permissions tab, click Change Permissions. Click Add and enter the domain user account name (Since you are logged in as the local user, you need to provide domain admin credentials to assign the domain user full control permissions. Enter the domain admin credentials and click OK):
4.) Check Allow Full Control and click OK. Only check "Replace all child object permissions with inheritable permissions from this object" and click OK again. Click Yes on "This will replace explicitly defined permissions on all descendants of this object with inheritable permissions from local_user". Click OK on the "Advanced Security Settings for local_user" window and then on the "local_user Properties" window.
5.) Hold down the Windows Key and press "R" to open the run box. Type "regedit" in it and click OK:
6.) Right click on HKEY_CURRENT_USER and choose permissions. On the Security tab, click Advanced
7.) On the Permissions tab, click Add. Enter username of domain user and click OK (Since you are logged in as the local user, you need to provide domain admin credentials to assign the domain user full control permissions. Enter the domain admin credentials and click OK):
8.) Check Allow Full Control and click OK. Only check "Replace all child object permissions with inheritable permissions from this object" and click OK. Click Yes on "This will replace explicitly defined permissions on all descendants of this object with inheritable permissions from HKEY_CURRENT_USER". Click OK on the Permissions for HKEY_CURRENT_USER window:
9.) Expand the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" key (I recommend right clicking on the ProfileList key and clicking export to make a backup of it). Each Key under ProfileList corrosponds to a user account. If you select one of the keys, the Value of the String "ProfileImagePath" will show you what user account it is for. Find the local user and the domain user keys:
10.) For the local user's key, copy the ProfileImagePath String value, and paste it into the ProfileImagePath String Value for the domain user:
11.) Right Click on the local user's key and click Delete. Click Yes to confirm the deletion:
12.) You are finished. Restart and login as the domain user.
- Add new comment
- 55 comments
Do I have to delete the local
Do I have to delete the local user's key if I need to switch accounts betweeb local and domain?
If you want to switch between
If you want to switch between being a local and domain user (I can't think of a reason you would want to), then I recommend backing up the "ProfileList" key before and after do the migration. You would still delete the local users key, but if you needed to go back to being a local user account, just restore the "before migration" registry backup. Then when you want to go back to being a domain user, restore the "after migration" registry backup.
Hi, this is because there
Hi, this is because there some restrictions under domain account, therefor I need to switch.
"before migration" registry backup, do you mean only the ProfileList key of the original local account? or I also need to backup the domain account which I altered?
Do I have to delete the local
Do I have to delete the local user's key if I need to switch accounts between local and domain?
This is really helpful.
This is really helpful.
It mostly works for me (on a Windows 8 slate) except I get a crash in Internet Explorer Control Panel when exiting Internet Explorer (IE 10)
My IE config is set to delete all cached files on exit, and with some judicious changing of options, it is the deletion of "Cookies And Website Data" option that causes the error (does not occur when unchecked). Seems to point to some sort of permissions problem somewhere in the IE browser cache. Have dug around and changed a few things but the problem does not go away.
Problem signature:
Problem Event Name: APPCRASH
Application Name: rundll32.exe_inetcpl.cpl
Application Version: 6.2.9200.16384
Application Timestamp: 50109cdd
Fault Module Name: Flash.ocx
Fault Module Version: 11.3.378.5
Fault Module Timestamp: 50bdbb8b
Exception Code: c0000005
Also, just an observation, but I think that the bulk setting of the permissions on the local users profile overwrites the read permission for "NT Service\WMPNetworkSvc" on any Music folders that have been shared in WMP so would make the files invisible to the WMP sharing service and so not visible to other PCs / media devices.
Tried resetting teh IE
Tried resetting the IE settings, and fiddling with the WebCache permissions, neither worked.
The problem only went away after I de-installed and reinstalled IE10
Thanks, I plan on doing some
Thanks, I plan on doing some in-depth testing of this method on Windows 8 in the future. I will post a revised tutorial when I do.
Any update on the Win8 method
Any update on the Win8 method? I did this for a user and ran into registry errors. Looks like Win8 is more locked down than win7.
Do you have to log in as the
Do you have to log in as the domain user before you start the process? When I expand HKEY_LOCAL_MACHINE down to the profile list, I can't find a profile for the domain user, only for the local users.
Yes, Step 1 of the 5-Step
Yes, Step 1 of the 5-Step guide should be this:
Join to Domain, restart, login as domain user, restart and then login as local user.
I used RunAs from a CMD
I used RunAs from a CMD prompt to start an arbitrary application as the domain user while logged in as the local user. This created the domain user's profile folder and ProfileList subkey...no multiple login required
Thanks for the tip. This
Thanks for the tip. This should make the process even quicker!
Wonderfull mate! this works
Wonderfull mate! this works perfect for windows 8!!
I suppose that for migrating
I suppose that for migrating domain profile to a local profile a should do a reverse procedure? I tried but it didn`t work. As a result I ve got the domain prifile looks like local and other way around. Please advice what should I do to make this work?
I want to create local user profile from domain user profile. I dont have connection to the domain but I have domain admin password. After I do that I want to unjoin coputer from the domain. Never mind the replication, network drives etc. I only need all applications and their settings, e mail account and data to be reachable...
Thanks in advance
Regards,
Lazar
This method should work if
This method should work if you reverse the local/domain user order, as long as you follow it exactly. If you have any trouble with it, check out this older tutorial for XP:
http://itswapshop.com/tutorial/how-migrate-local-profiles-domain-profiles-5-minutes-using-registry-tweak-windows-xp-and-7
There were problems with it on Windows 7, so this newer tutorial was written to correct the issues. The older tutorial may help you out in your situation.
I've done this several times,
I've done this several times, but got stuck on a permissions issue. For some reason it's not setting the permissions for my domain user on the App Data hidden file or any subfolder for that matter during step 2 of the quick steps. I had to manually edit the permissions for each subfolder and set the domain user to full control in order for it to take effect. I could see it working when I did it your way, but when I double checked it, nothing was getting set. Very weird, but once I manually overwrote the permissions, everything was golden.
Thanks, I will go back over
Thanks, I will go back over it in my test environment and see if I can find the problem.
On Step 6, what do I do if I
On Step 6, what do I do if I am accessing the Registry from the local Admin account? Do I still edit the properties on HKEY_CURRENT_USER even though the current user is my admin account, not the local profile that I am changing into a domain profile? There are issues that prevent me from logging on as the local user.
No, you only edit HKEY
No, you only edit HKEY_CURRENT_USER if you are logged in as the local user's profile that you are trying to covert to a domain profile. If you can't log in as the local user, you can take a look at this older tutorial for XP:
http://itswapshop.com/tutorial/how-migrate-local-profiles-domain-profiles-5-minutes-using-registry-tweak-windows-xp-and-7
It shows how to load the users ntuser.dat and usrclass.dat files without being logged in as that user. But you will likely have issues if you do it this way. This older tutorial wouldn't work right on Windows 7, so I revised it using the methods outlined here. If it's just an issue of you don't have the password to login, or they aren't there right now, I suggest waiting on them to give you the password so you can follow the tutorial.
The main issue is that
The main issue is that explorer crashes whenever I log into their local user account, and I'm using this as a last ditch effort to see if I can save their data.
Will this procedure work with
Will this procedure work with moving a profile from one domain to another?
Yes, but in addition to this
Yes, but in addition to this tutorial, you may want to take a look at this tutorial for XP. It shows how to change the permissions on the ntuser.dat & usrclass.dat files from another user account.
Thanks for the posting. In my
Thanks for the posting. In my case a domain user account had been deleted and then recreated using the original username. I still had a copy of the data profile files for the original user profile and came across the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" fix described in microsoft's KB947215. But although all the security permissions for the files and sub directories in "C:/user/username/"were updated correctly with the new userID, the recreated user could not access anything.
It was your reference to granting full control on Advanced security settings on HKEY_CURRENT_USER key to the domain user that was the fix.In my case the domain user existed, and I needed to elevate them to administrator before updating the HKEY_CURRENT_USER key, but after that all was well. Thank you.
Hi, thanks for this very
Hi, thanks for this very useful tutorial!
I've some question about it. Starting from XP tutorial, and comparing with this Win7 tutorial, I'm asking myself:
1) why is no more needed to take ownership of the user folder and then give it back to SYSTEM??
2) changing user permissions on HKEY_CURRENT_USER registry key (and childs) is the same to load hives from ntuser.dat and usrclass.dat and change manually permission on both?
3) changing permissions from inside regedit on HKEY_CURRENT_USER is *NOT* the same that changing permission on filesystem for files ntuser.dat and usrclass.dat, right?
Thanks
If in step 4 I copied the
If in step 4 I copied the "ProfileImagePath" string to the "Default" profile, it would then clone that profile to any new profiles created on that machine right? Both local and Domain?
Thank you for this helpful
Thank you for this helpful guide.
I'm in the process of adding new machines to a domain at a remote office. Some of these machines are stand-alone and others are members of a soon-to-be-retired legacy domain.
Is a local account a necessary intermediate step for allowing a new domain's user account access to the user account and profile settings of the old domain?
(e.g. Give local access to old domain account -> remove PC from old domain -> add PC to new domain -> add new domain user -> give new domain user rights to local account -> new domain user has access to old domain account profile, data, etc.)
Doesnt work on windows 8
Doesnt work on windows 8 windows store apps dont work and log on issues with taksbar and desktop
actually, there is an even
actually, there is an even easier way:
1. once you've set up the local account the way you want it, go to C:\Users\ and rename Default to Default.bak
2. copy the local profile there and rename it to Default. don't forget to hide it (just the folder, not the contents)
any new accounts will use the settings from this new Default folder :)
you can always change the original Default folder back afterwards if you so choose.
Can you explain the Domain to
Can you explain the Domain to Local approach? you say reverse the local to domain process. So I would
1. unjoin domain, restart and then login as local user
2. grant full permission to the c:\users\domain_user
3. while still logged inopen regedit
4. Expand the HKLM\software
5. login as local user
Then from Domain to Domain
1. Join new domain, restart, login as new domain user
2. Grant Full Permission to c:\users\olddomain_user
3. while still logged in as new domain user open regedit and grant full control
4. Expand HKLM\
5. Restart and login as new domain user?
We are starting a big migration project and we are removing from current domain and making local user on half our machines and then on the other half we are Unjoining old domain and joining new domain...Thanks in advance for all your support in this subject. Could save us days of work, if it works...
From Domain to Local would go
From Domain to Local would go something like this:
1. Create local account & login with it
2. Login with the domain account you will be migrating.
3. Change permissions on user & registry hive like in the article
4. Login with administrative account, & change the profile key like in the article (make the local users profile path point to the domain user's user folder), and then delete the key for the domain user.
5. Unjoin from domain, reboot, and login with local user
This is essentially the process
Migrating a profile from
Migrating a profile from domain to another domain should be very similar to the steps I listed in my comment about going from a domain profile to a local profile. However, you will likely have to join the computer to the new domain, log in with the new account, assign your new domain account permissions over the old domain user's home folder, then load the old users to registry hives, as described somewhere in this article, I believe in the comments, and assign the new domain user permission on them, then modify the profile list key like normal.
I have not done this before, so I may be missing a step, or that may not be entirely accurate, but it will work, and those are rough steps on how to do it.
I have been having a problem
I have been having a problem where the migration works, but Chrome will no longer allow the user to go to any pages that were book marked when they were logged in as the local user. Has anyone had similar issues?
thank you verry much for this
thank you verry much for this tips....
I searched far and wide on
I searched far and wide on the Internet for a solution to this problem and spent hours trying to do this exact thing. Thank god I finally found this blog because it saved me so much time and headache. Quick, and easy to follow guide, definitely a huge help. Thanks so much to the poster!
Just tested this on Windows 8
Just tested this on Windows 8.1 and it seems to have worked flawlessly! Thanks!
Did a couple of extra things;
Had to change owner on both users\[local] and HKCU to apply permissions properly.
Deleted users\[local]\AppData\Local\Microsoft\Internet Explorer because permissions weren't applying to this folder.
This was a fairly fresh install of Windows so not a TON of apps.
Chrome, Steam, 7-Zip, Skype, CCCP, etc.
Many thanks for the info! I
Many thanks for the info! I'll be migrating about 60 computers in the coming weeks. I've tried the Windows 7 migration wizard before with limited success. I look forward to seeing how this works out for us. Thanks again!
I have read all of this and
I have read all of this and the comments . . . am I wrong, isn't this simply storing the domain profile on the local "C" drive of the client machine? Should not the user profile be stored on the server in the "profiles" directory? What happens when the 'domain user' (tuser) logs into a different W7 client? Will the domain know to go to "that" client machine to get the profile? (This would be fine if tuser only logs in and out of his/her machine?)
Please do not miss understand. This situation should work fine for some people however, if I am looking to have a roaming profile this does not seem to be correct for my use. Am I wrong?
Bob, this is for local - not
Bob, this is for local - not roaming - profiles.
I have come to understand
I have come to understand this, now. Thank you for you comment.
I tried this procedure and
I tried this procedure and damn, what I can say?
YOU ARE AWESOME!!! YOU'RE THE MAN, DUDE!!!
I tried this in Windows 8.
This totally messed up my
This totally messed up my windows 8.1 install.
First of all, the fact that there was no domain user in the registry as the instruction did not mention a reboot and login with the domain user was a problem.
I did the following:
1. added the computer to the domain, lets call it COMPUTER
2. Rebooted and logged in as local user, lets call the user LOCALUSER
3. Added the DOMAINUSER with full recursive permissions to the LOCALUSER
4. Opened REGEDIT and properties for CURRENT_USER and behold, the DOMAINUSER already have full access to the top level folder, not according to the description here
5. To be sure, I opened up the permission advanced tab and selected the DOMAINUSER and the recursive option and selected apply, this resulted in an the message that security can not be changed for the selected key or subkeys...
6. Manually verified that DOMAINUSER seemed to have full access to a lot of the subkeys, but did not check all...as there are a lot
7. Went on to change the profilepath in the registry. And behold again, no DOMAINUSER profile present. Went back and read up on all comments, which pointed me in the direction of having to reboot and log in with DOMAINUSER and then rebooting and logging in with the LOCALUSER.
8. Opened up REGEDIT again and went on to change the profile path from LOCALSUER to DOMAINUSER
9. Deleted LOCALUSER from registry and rebooted.
10. Tried to log in with DOMAINUSER, fails during login, sadly missed the message, but something referring to profile manager and AD I think.
11. Logged in with LOCALUSER, which as it was deleted from the registry should not exist? worked, but now all apps and other functions are not working at all.
12. Total confusion and considering a total reinstall as the right seem to be totally messed up.
Please try the process on windows 8.1 if you have the possibility and update the guide so this does not happen to more people
/Micke
Good guide. You should
Good guide. You should probably make sure there is another user with local admin privileges on the target machine, so you can log in if anything goes wrong and if something happens to the computer/domain relationship.
Like someone else said above,
Like someone else said above, I was unable to change the permissions, for either the profile folders or in the registry. Tried changing owners, rebooting. Didn't have time to figure all that out so I went to plan B.
There is a free utility that does all this for you. They use the same method as you have described above, but they do all the work for us. Check out the Forensit User Profile Wizard.
Thanks for the above, however. Not sure why I was having the security problems (Windows 7 Pro, and I was leaving the domain, not joining it). However, your technique was obviously sound in principle.
Thank-you. After 2 hours of
Thank-you. After 2 hours of struggling with a local to domain profile migration, you have saved my bacon and I get to go to bed now. :)
Excellent and very helpful
Excellent and very helpful article.
I would mention two minor details from my experience.
After adding the computer to the domain, it is necessary at least once to log on with the domain account simply so that the user exists in the ProfileList in the final step.
Additionally, I was doing this remotely via LogMeIn so this only applies in this case. Make sure the credentials you use for LogMeIn to access the computer are NOT those of the original computer account. If you do parts of the profile will be locked by the authentication process and will prevent the changing of security on some items.
Thank you for the awesome
Thank you for the awesome tutorial!
Had to do this for Windows 10, and found this tutorial that covers that part quite well:
Migrate user profiles to new domain
Hope this helps!
On step 9, when I try to
On step 9, when I try to paste the ProfileImagePath, I get "Error Editing Value - Cannot edit ProfileImagePath: Error writing the value's new contents"
I am logged in using the local user account.
What is wrong ?
What are the steps for Domain
What are the steps for Domain to New Domain?
Hi Ingram,
Hi Ingram,
while this method does indeed work, at first glance, it has some glitches and drawbacks you should be aware of.
Glitch: to be able to grant full permissions to certain registry keys and files you'll have to take ownership first.
Drawbacks: changing all persmissions to "Full control" creates gaping holes in the local security. They are (mostly) caused by the fact that the user does normally not have full access to all HKEY_CURRENT_USER registry keys and all c:\Users\<Username>\... subdirectories. There are regions like the Policy registry keys and some Internet Explorer directories (just to mention some) where a user has only Read access, for good reasons why.
Your method sets all those permissions to "Full Control"
Most users won't notice, since they will not realize that they (and any malicious software they may have started) do now have full control in areas where they should't have.
One of the useful functions sophisticated migration tools do provide is a mechanism which fixes those permissions after the migration.
Nevertheless your method is a useful quick (albeit dirty) hack, and the outcome will be satisfactory for many environments where local security isn't of much concern.
Armin.
Great article it works as
Great article it works as described. Is there a version for Migrating from domain to new domain?
Hi, the information also copy
Hi, the information also copy to the domain profile?
Thanks
This isn't working as
This isn't working as described. Right clicking on the local account and attempting to add user and permissions gives an error about appdata. Then when you go to regedit the network user does not exist
I followed these steps on
I followed these steps on Windows 10. It mostly worked, except these problems:
* Start Menu won't open for domain user I switched to
* System tray items also won't open
What permissions do I need to change to allow the Start Menu to work? And the various system tray items? (volume, notifications, time/date, etc)
THANKS
Finally got it to work! Your
Finally got it to work! Your right win 7 = pain!
Here are some roadblocks I ran into:
1) If the local name and the domain name are not the same, you will have two user folders. You will probably want to eventually delete one of them. You will also probably want to go back to Regedit and rename the profile string to match the folder you keep.
2) I logged in once as the intended domain user before starting to create an entry in Regedit for this user
3) I had to run Regedit as admin to avoid permission errors
Your good knowledge and
Post new comment