Managing User Profiles

A slap-dash solution for transferring profiles in toto. Anyone with a more elegant method?

Bill: I'm setting up a new Windows Server 2003 terminal server to replace an existing Windows 2000 terminal server running Citrix. I need to copy more than 70 user profiles from the existing server. Both servers are in the same domain.

I've tried copying the profiles using Explorer, but when the user logs on, instead of getting the copied profile, they get a default profile and I see a duplicate profile in Documents and Settings called Username.Domain. For example, if the copied profile is John, the new profile is John.DOMAIN.

I assume this is a permission problem, in that the user is not getting access to the profile folder to write or access the ntuser.dat file, but how do I get around it?
—John

John and Readers: I'm going to go through what I suggested to John and then I want your input.

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:boswell@101com.com; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

First, some quick background. A user profile consists of a folder in Documents and Settings that contains the user's profile folders along with a Registry hive called Ntuser.dat. The profile is protected in a couple of ways:

  • The profile folder has an Access Control List (ACL) that grants access only to the user, the System account, and members of the domain Administrators group.
  • The registry hive inside Ntuser.dat has security permissions that allow access only by the user, the System, and the Administrators group.

The system maintains a pointer to the user profiles in HLKM | Software | Microsoft | Windows NT | CurrentVersion | ProfileList using the SID of the user as the name of the Registry key containing the profile information. Here's a quick example for a user named avguser:

Key Name: HKLM\SOFTWARE\Microsoft\Windows NT\
          CurrentVersion\ProfileList\S-1-5-21-
          3862616078-362906602-1993679999-1015
Value:    ProfileImagePath
Data:     %SystemDrive%\Documents and Settings\avguser

If a user logs on and the ProfileList key has no entry for the user's SID, the system creates a new profile for the user by copying the Default User profile, either from the local machine or from the NETLOGON share.

If the system needs to a create a new profile but a folder with the user's logon name already exists in Documents and Settings, the system creates a new folder and gives it an extension that matches the user's domain.

Okay. With all that in mind, I recommended that John do the following:

  • Use xcopy /o to copy the profiles from the old server to the new one. This retains the ACLs of the files so that the user retains full control access to the profile. (Actually, you'd need to use xcopy /o /e /h to copy empty files and hidden files.)
  • Use Regedit to dump the entries in the ProfileList key to a REG file.
  • Edit the REG file to remove any profile entries, such as the Administrator profile, that would also exist at the new machine.
  • Import the REG file into the Registry of the new machine.
  • Verify that users log on and get their original profiles.

Although this works, frankly, it seems a bit inelegant to me. So here's what I'd like you to do. If you have a better way to do profile transfers and profile management in general, whether it be a cool script you developed or a favorite Microsoft tool or a third-party utility or whatever, send it to me. at boswell@101com.com; put "Profile Transfers" on the subject line of your message. I'll print the best submissions in a future column and I'll acknowledge the name of anyone who sends an idea, whether or not it gets printed.

As for the example I've provided, hope this helps.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.

comments powered by Disqus
Upcoming Events

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.