Do I have to delete the local user's key if I need to switch accounts betweeb local and domain?

Do I have to delete the local user's key if I need to switch accounts between local and domain?

This is really helpful.

It mostly works for me (on a Windows 8 slate) except I get a crash in Internet Explorer Control Panel when exiting Internet Explorer (IE 10)

My IE config is set to delete all cached files on exit, and with some judicious changing of options, it is the deletion of "Cookies And Website Data" option that causes the error (does not occur when unchecked). Seems to point to some sort of permissions problem somewhere in the IE browser cache. Have dug around and changed a few things but the problem does not go away.

Problem signature:
Problem Event Name: APPCRASH
Application Name: rundll32.exe_inetcpl.cpl
Application Version: 6.2.9200.16384
Application Timestamp: 50109cdd
Fault Module Name: Flash.ocx
Fault Module Version: 11.3.378.5
Fault Module Timestamp: 50bdbb8b
Exception Code: c0000005

Also, just an observation, but I think that the bulk setting of the permissions on the local users profile overwrites the read permission for "NT Service\WMPNetworkSvc" on any Music folders that have been shared in WMP so would make the files invisible to the WMP sharing service and so not visible to other PCs / media devices.

Do you have to log in as the domain user before you start the process? When I expand HKEY_LOCAL_MACHINE down to the profile list, I can't find a profile for the domain user, only for the local users.

Wonderfull mate! this works perfect for windows 8!!

I suppose that for migrating domain profile to a local profile a should do a reverse procedure? I tried but it didn`t work. As a result I ve got the domain prifile looks like local and other way around. Please advice what should I do to make this work?

I want to create local user profile from domain user profile. I dont have connection to the domain but I have domain admin password. After I do that I want to unjoin coputer from the domain. Never mind the replication, network drives etc. I only need all applications and their settings, e mail account and data to be reachable...

Thanks in advance

Regards,

Lazar

I've done this several times, but got stuck on a permissions issue. For some reason it's not setting the permissions for my domain user on the App Data hidden file or any subfolder for that matter during step 2 of the quick steps. I had to manually edit the permissions for each subfolder and set the domain user to full control in order for it to take effect. I could see it working when I did it your way, but when I double checked it, nothing was getting set. Very weird, but once I manually overwrote the permissions, everything was golden.

On Step 6, what do I do if I am accessing the Registry from the local Admin account? Do I still edit the properties on HKEY_CURRENT_USER even though the current user is my admin account, not the local profile that I am changing into a domain profile? There are issues that prevent me from logging on as the local user.

Will this procedure work with moving a profile from one domain to another?

Thanks for the posting. In my case a domain user account had been deleted and then recreated using the original username. I still had a copy of the data profile files for the original user profile and came across the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" fix described in microsoft's KB947215. But although all the security permissions for the files and sub directories in "C:/user/username/"were updated correctly with the new userID, the recreated user could not access anything.

It was your reference to granting full control on Advanced security settings on HKEY_CURRENT_USER key to the domain user that was the fix.In my case the domain user existed, and I needed to elevate them to administrator before updating the HKEY_CURRENT_USER key, but after that all was well. Thank you.

Hi, thanks for this very useful tutorial!
I've some question about it. Starting from XP tutorial, and comparing with this Win7 tutorial, I'm asking myself:
1) why is no more needed to take ownership of the user folder and then give it back to SYSTEM??
2) changing user permissions on HKEY_CURRENT_USER registry key (and childs) is the same to load hives from ntuser.dat and usrclass.dat and change manually permission on both?
3) changing permissions from inside regedit on HKEY_CURRENT_USER is *NOT* the same that changing permission on filesystem for files ntuser.dat and usrclass.dat, right?

Thanks

If in step 4 I copied the "ProfileImagePath" string to the "Default" profile, it would then clone that profile to any new profiles created on that machine right? Both local and Domain?

Thank you for this helpful guide.

I'm in the process of adding new machines to a domain at a remote office. Some of these machines are stand-alone and others are members of a soon-to-be-retired legacy domain.

Is a local account a necessary intermediate step for allowing a new domain's user account access to the user account and profile settings of the old domain?
(e.g. Give local access to old domain account -> remove PC from old domain -> add PC to new domain -> add new domain user -> give new domain user rights to local account -> new domain user has access to old domain account profile, data, etc.)

Doesnt work on windows 8 windows store apps dont work and log on issues with taksbar and desktop

actually, there is an even easier way:
1. once you've set up the local account the way you want it, go to C:\Users\ and rename Default to Default.bak

2. copy the local profile there and rename it to Default. don't forget to hide it (just the folder, not the contents)

any new accounts will use the settings from this new Default folder :)
you can always change the original Default folder back afterwards if you so choose.

Can you explain the Domain to Local approach? you say reverse the local to domain process. So I would
1. unjoin domain, restart and then login as local user
2. grant full permission to the c:\users\domain_user
3. while still logged inopen regedit
4. Expand the HKLM\software
5. login as local user

Then from Domain to Domain
1. Join new domain, restart, login as new domain user
2. Grant Full Permission to c:\users\olddomain_user
3. while still logged in as new domain user open regedit and grant full control
4. Expand HKLM\
5. Restart and login as new domain user?

We are starting a big migration project and we are removing from current domain and making local user on half our machines and then on the other half we are Unjoining old domain and joining new domain...Thanks in advance for all your support in this subject. Could save us days of work, if it works...

I have been having a problem where the migration works, but Chrome will no longer allow the user to go to any pages that were book marked when they were logged in as the local user. Has anyone had similar issues?

thank you verry much for this tips....

I searched far and wide on the Internet for a solution to this problem and spent hours trying to do this exact thing. Thank god I finally found this blog because it saved me so much time and headache. Quick, and easy to follow guide, definitely a huge help. Thanks so much to the poster!

Just tested this on Windows 8.1 and it seems to have worked flawlessly! Thanks!

Did a couple of extra things;
Had to change owner on both users\[local] and HKCU to apply permissions properly.
Deleted users\[local]\AppData\Local\Microsoft\Internet Explorer because permissions weren't applying to this folder.

This was a fairly fresh install of Windows so not a TON of apps.
Chrome, Steam, 7-Zip, Skype, CCCP, etc.

Many thanks for the info! I'll be migrating about 60 computers in the coming weeks. I've tried the Windows 7 migration wizard before with limited success. I look forward to seeing how this works out for us. Thanks again!

I have read all of this and the comments . . . am I wrong, isn't this simply storing the domain profile on the local "C" drive of the client machine? Should not the user profile be stored on the server in the "profiles" directory? What happens when the 'domain user' (tuser) logs into a different W7 client? Will the domain know to go to "that" client machine to get the profile? (This would be fine if tuser only logs in and out of his/her machine?)
Please do not miss understand. This situation should work fine for some people however, if I am looking to have a roaming profile this does not seem to be correct for my use. Am I wrong?

I have come to understand this, now. Thank you for you comment.

I tried this procedure and damn, what I can say?
YOU ARE AWESOME!!! YOU'RE THE MAN, DUDE!!!

I tried this in Windows 8.

This totally messed up my windows 8.1 install.

First of all, the fact that there was no domain user in the registry as the instruction did not mention a reboot and login with the domain user was a problem.

I did the following:
1. added the computer to the domain, lets call it COMPUTER
2. Rebooted and logged in as local user, lets call the user LOCALUSER
3. Added the DOMAINUSER with full recursive permissions to the LOCALUSER
4. Opened REGEDIT and properties for CURRENT_USER and behold, the DOMAINUSER already have full access to the top level folder, not according to the description here
5. To be sure, I opened up the permission advanced tab and selected the DOMAINUSER and the recursive option and selected apply, this resulted in an the message that security can not be changed for the selected key or subkeys...
6. Manually verified that DOMAINUSER seemed to have full access to a lot of the subkeys, but did not check all...as there are a lot
7. Went on to change the profilepath in the registry. And behold again, no DOMAINUSER profile present. Went back and read up on all comments, which pointed me in the direction of having to reboot and log in with DOMAINUSER and then rebooting and logging in with the LOCALUSER.
8. Opened up REGEDIT again and went on to change the profile path from LOCALSUER to DOMAINUSER
9. Deleted LOCALUSER from registry and rebooted.
10. Tried to log in with DOMAINUSER, fails during login, sadly missed the message, but something referring to profile manager and AD I think.
11. Logged in with LOCALUSER, which as it was deleted from the registry should not exist? worked, but now all apps and other functions are not working at all.

12. Total confusion and considering a total reinstall as the right seem to be totally messed up.

Please try the process on windows 8.1 if you have the possibility and update the guide so this does not happen to more people

/Micke

Good guide. You should probably make sure there is another user with local admin privileges on the target machine, so you can log in if anything goes wrong and if something happens to the computer/domain relationship.

Like someone else said above, I was unable to change the permissions, for either the profile folders or in the registry. Tried changing owners, rebooting. Didn't have time to figure all that out so I went to plan B.
There is a free utility that does all this for you. They use the same method as you have described above, but they do all the work for us. Check out the Forensit User Profile Wizard.
Thanks for the above, however. Not sure why I was having the security problems (Windows 7 Pro, and I was leaving the domain, not joining it). However, your technique was obviously sound in principle.

Thank-you. After 2 hours of struggling with a local to domain profile migration, you have saved my bacon and I get to go to bed now. :)

Excellent and very helpful article.
I would mention two minor details from my experience.
After adding the computer to the domain, it is necessary at least once to log on with the domain account simply so that the user exists in the ProfileList in the final step.
Additionally, I was doing this remotely via LogMeIn so this only applies in this case. Make sure the credentials you use for LogMeIn to access the computer are NOT those of the original computer account. If you do parts of the profile will be locked by the authentication process and will prevent the changing of security on some items.

On step 9, when I try to paste the ProfileImagePath, I get "Error Editing Value - Cannot edit ProfileImagePath: Error writing the value's new contents"

I am logged in using the local user account.

What is wrong ?

What are the steps for Domain to New Domain?

Hi Ingram,

while this method does indeed work, at first glance, it has some glitches and drawbacks you should be aware of.

Glitch: to be able to grant full permissions to certain registry keys and files you'll have to take ownership first.

Drawbacks: changing all persmissions to "Full control" creates gaping holes in the local security. They are (mostly) caused by the fact that the user does normally not have full access to all HKEY_CURRENT_USER registry keys and all c:\Users\<Username>\... subdirectories. There are regions like the Policy registry keys and some Internet Explorer directories (just to mention some) where a user has only Read access, for good reasons why.

Your method sets all those permissions to "Full Control"

Most users won't notice, since they will not realize that they (and any malicious software they may have started) do now have full control in areas where they should't have.

One of the useful functions sophisticated migration tools do provide is a mechanism which fixes those permissions after the migration.

Nevertheless your method is a useful quick (albeit dirty) hack, and the outcome will be satisfactory for many environments where local security isn't of much concern.

Armin.

Great article it works as described. Is there a version for Migrating from domain to new domain?

Hi, the information also copy to the domain profile?

Thanks

This isn't working as described. Right clicking on the local account and attempting to add user and permissions gives an error about appdata. Then when you go to regedit the network user does not exist

I followed these steps on Windows 10. It mostly worked, except these problems:

* Start Menu won't open for domain user I switched to
* System tray items also won't open

What permissions do I need to change to allow the Start Menu to work? And the various system tray items? (volume, notifications, time/date, etc)

THANKS

Finally got it to work! Your right win 7 = pain!

Here are some roadblocks I ran into:

1) If the local name and the domain name are not the same, you will have two user folders. You will probably want to eventually delete one of them. You will also probably want to go back to Regedit and rename the profile string to match the folder you keep.

2) I logged in once as the intended domain user before starting to create an entry in Regedit for this user

3) I had to run Regedit as admin to avoid permission errors