Managing User Profiles

A slap-dash solution for transferring profiles in toto. Anyone with a more elegant method?

Bill: I'm setting up a new Windows Server 2003 terminal server to replace an existing Windows 2000 terminal server running Citrix. I need to copy more than 70 user profiles from the existing server. Both servers are in the same domain.

I've tried copying the profiles using Explorer, but when the user logs on, instead of getting the copied profile, they get a default profile and I see a duplicate profile in Documents and Settings called Username.Domain. For example, if the copied profile is John, the new profile is John.DOMAIN.

I assume this is a permission problem, in that the user is not getting access to the profile folder to write or access the ntuser.dat file, but how do I get around it?
—John

John and Readers: I'm going to go through what I suggested to John and then I want your input.

First, some quick background. A user profile consists of a folder in Documents and Settings that contains the user's profile folders along with a Registry hive called Ntuser.dat. The profile is protected in a couple of ways:

  • The profile folder has an Access Control List (ACL) that grants access only to the user, the System account, and members of the domain Administrators group.
  • The registry hive inside Ntuser.dat has security permissions that allow access only by the user, the System, and the Administrators group.

The system maintains a pointer to each user profile in HKLM | Software | Microsoft | Windows NT | CurrentVersion | ProfileList, using the SID of the user as the name of the Registry key containing the profile information. Here's a quick example for a user named avguser:

Key Name: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3862616078-362906602-1993679999-1015
Value:    ProfileImagePath
Data:     %SystemDrive%\Documents and Settings\avguser

If a user logs on and the ProfileList key has no entry for the user's SID, the system creates a new profile for the user by copying the Default User profile, either from the local machine or from the NETLOGON share.

If the system needs to create a new profile but a folder with the user's logon name already exists in Documents and Settings, the system creates a new folder and gives it an extension that matches the user's domain.

Okay. With all that in mind, I recommended that John do the following:

  • Use xcopy /o to copy the profiles from the old server to the new one. This retains the ACLs of the files so that the user retains full control access to the profile. (Actually, you'd need to use xcopy /o /e /h to copy empty folders and hidden files.)
  • Use Regedit to dump the entries in the ProfileList key to a REG file.
  • Edit the REG file to remove any profile entries, such as the Administrator profile, that would also exist at the new machine.
  • Import the REG file into the Registry of the new machine.
  • Verify that users log on and get their original profiles.
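
The REG-file edit in the procedure above can be done mechanically rather than by hand. The following added example, not part of the original column, filters a ProfileList export so that only subkeys whose SIDs are absent from the new server remain; the function name, the sample export and the set of SIDs on the new server are constructed assumptions.

```python
import re

# Key named in the column; regedit writes the full hive name in exports.
PROFILE_LIST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
SECTION = re.compile(r"^\[(.+)\]\s*$")

def filter_profile_list(reg_text, sids_on_new_server):
    """Drop ProfileList subkeys the new server already has.

    Returns (filtered REG text, kept SIDs, dropped SIDs)."""
    header, sections = [], []
    for line in reg_text.splitlines():
        m = SECTION.match(line)
        if m:
            sections.append((m.group(1), [line]))
        elif sections:
            sections[-1][1].append(line)
        else:
            header.append(line)           # version banner before the first key
    skip = {s.upper() for s in sids_on_new_server}
    out, kept, dropped = list(header), [], []
    for key, body in sections:
        parent, _, sid = key.rpartition("\\")
        if parent.upper() != PROFILE_LIST.upper() or not sid.upper().startswith("S-1-"):
            continue                      # parent key or unrelated key: never import
        if sid.upper() in skip:
            dropped.append(sid)           # would overwrite the new server's own entry
            continue
        kept.append(sid)
        out.extend(body)
    return "\r\n".join(out) + "\r\n", kept, dropped

# Constructed sample export (value lines abbreviated). A real "Version 5.00"
# export is UTF-16, so read it with open(path, encoding="utf-16").
DOMAIN = "S-1-5-21-3862616078-362906602-1993679999"  # domain part of the column's example SID
SAMPLE = "\r\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + PROFILE_LIST + "]", '"AllUsersProfile"="All Users"', "",
    "[" + PROFILE_LIST + "\\S-1-5-18]", '"Flags"=dword:0000000c', "",
    "[" + PROFILE_LIST + "\\" + DOMAIN + "-500]", '"Flags"=dword:00000000', "",
    "[" + PROFILE_LIST + "\\" + DOMAIN + "-1015]", '"Flags"=dword:00000000', "",
])
# Assumed to be the SIDs already listed under ProfileList on the new server.
ON_NEW_SERVER = {"S-1-5-18", DOMAIN + "-500"}

if __name__ == "__main__":
    text, kept, dropped = filter_profile_list(SAMPLE, ON_NEW_SERVER)
    print("kept:", kept, "dropped:", dropped)
    print(text)
```

The filter also leaves out the parent ProfileList key itself, so the new server's own profile directory settings are not replaced by the old server's values on import.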

Although this works, frankly, it seems a bit inelegant to me. So here's what I'd like you to do. If you have a better way to do profile transfers and profile management in general, whether it be a cool script you developed or a favorite Microsoft tool or a third-party utility or whatever, send it to me at boswell@101com.com; put "Profile Transfers" on the subject line of your message. I'll print the best submissions in a future column and I'll acknowledge the name of anyone who sends an idea, whether or not it gets printed.

As for the example I've provided, hope this helps.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003, both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.

Reader Comments:

Wed, Nov 18, 2009 Jesse

We have a huge server, trying to convert all users' profiles to running roaming profiles, haven't started yet but just curious if we can run a script to accomplish our task.

Fri, Nov 16, 2007 Anonymous Anonymous

I am going through the same problem, but on a local user PC that is not connected to the domain. Is it possible to locate the SID from the registry and edit the registry in order to show the correct SID to the profile to restore access to it? If you can provide steps for this I would really appreciate it, for I am not able to implement roaming profiles here...

Tue, Oct 30, 2007 deepti Anonymous

perfect

Tue, Dec 28, 2004 JJim NJ

Roaming profiles are a must I agree.

As for size, just redirect the user's "My Documents" to a network share so it doesn't roam. Also be sure to move the "Application Data" folder to a share if it contains things like Outlook PSTs. This will greatly reduce the replicated profile.

In cases where you can't roam the profile, use the "User and Settings" migration tool. It's downloadable from MS or available on the XP CD. It is installed on XP by default for just this reason.

There is also a toolkit that will allow profile extraction and conversion of profiles using a batch script that can handle hundreds of users. This tool basically allows an admin to extract a moveable profile image that can be imported into any user profile.

Tue, Aug 10, 2004 Greg Milwaukee

Roaming profiles only work when you limit size. In my environment I cannot limit size on users. I have been using Microsoft's copy profile tool to copy them to the network and then logging in as the new user, logout and login as admin. Then copy the profile from the network to the new user acct. This has worked very well except for a mapped drive scripting error which I have to manually delete from the registry. Let's hear some ideas on how to copy a local domain profile to another computer or good tools. Please and thank you.

Tue, Apr 13, 2004 Eaa97 Oman

Excellent article, I'm using roaming profiles in our environment, and run GPOs over users as well to regulate the environment, just one thing creating problems sometimes, Outlook profiles, they are getting lost and have to re-configure the user's mail client from time to time.

Sun, Apr 11, 2004 jay ny

Here's an easy way to get around all the problems you are having..... just input the 70 users again. Yes the tools to try to transfer profiles are cool to use if they work, which they don't a lot of the time, but by now you would have had all 70 profiles in and no other problems. Shortcuts are never the way when dealing with security.

Thu, Mar 18, 2004 Brandon California

Roaming profiles is a good solution as long as you limit the profile folder size to 30Mb. (Enable this policy using gpedit or a domain policy.)
-- Set a maximum permitted roaming profile size--
All of our users have 3 folders under the profile (my documents, outlook, profile). The outlook folder is used for saving .pst files and other email related items.
This scenario helps when downloading and uploading profiles on a slow LAN.

Wed, Mar 17, 2004 vincent Anonymous

Roaming profiles are definitely the way to go, however if that's not an option you can attempt a straight upgrade, which may cause problems later, or update the schema on your 2000 box, do a clean update and then restore system state from backup; this is dependent upon your backups and some other factors.

Wed, Mar 17, 2004 Charles Taylor central coastal California.

I agree with Greg Shields about the roaming profiles. Plus, if you're doing any certificate management (sending digitally signed email, for example) roaming profiles help smooth things out. Just make sure the profile isn't being cached on the server (see the Group Policy Computer Configuration\Administrative Templates\system\Logon\Delete Cached Copies of Roaming Profiles.)

Also, I've noticed that sometimes you can get user.domain directories when Windows erroneously thinks files are being kept open. A disk check on reboot will fix that.

Tue, Mar 16, 2004 Anonymous Anonymous

I liked it,

Tue, Mar 16, 2004 Greg Shields Denver

An even smarter thing to do is to convert the profiles to roaming and store them on a profile server. Then, you don't have profile issues when you move from server to server. In fact, this becomes a requirement should you ever wish to load balance your terminal servers in the future.
