Migrating User Profiles in Windows XP

Acknowledgment

This procedure is based on an outline that Harry Brelsford published in Certification Magazine, August 2004, "Migrate Profiles on Small Business Server Networks." Thanks, Harry!

I would occasionally run into permissions issues using Harry's recipe, so with time and experiment I've added a few refinements.

Executive Summary

Assume new user's account name is "NEWuser" and we wish for NEWuser to use the "OLDuser" profile.

• Log in to workstation once as NEWuser so Windows will create NEWuser profile. Log off and log back in as admin.

• Give NEWuser Full Control of OLDuser profile under Documents and Settings.

• In registry, point NEWuser profile at OLDuser's profile.
  
  
• In registry, load hives for OLDuser's ntuser.dat and UsrClass.dat. Give NEWuser Full Control of both hives. Unload hives, close registry, log out of Windows.
  
  
• Log back into Windows as NEWuser and enjoy OLDuser profile.

How Exactly to Do It

Determine SIDs for NEWuser and OLDuser accounts.

• Download and install the Resource Kit Tool "getsid" from <http://support.microsoft.com/kb/927229>
  
  
• Get newuser's SID by running from server "getsid \\servername NEWuser \\servername NEWuser"
  
  
• Get OLDuser's SID by running from server "getsid \\servername OLDuser \\servername OLDuser"

Let Windows create the NEWuser profile. Login to workstation once as NEWuser, thereby automatically creating:

• The NEWuser profile at %SystemDrive%\Documents and Settings\NEWuser

• The registry pointer at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\SID_of_NEWuser\ProfileImagePath
  

Log off NEWuser and log back into Windows as local admin. (I don't like to log on to mystery workstations as domain admin and thereby risk handing domain admin credentials to resident malware.)

Open an explorer window using runas domain admin. Navigate to %SystemDrive%\Documents and Settings\OLDuser and change permissions:

• Add NEWuser and give NEWuser Full Control
  
  
• Click Advanced, check "Replace permission entries on all child objects with entries shown here that apply to child objects."
  
  
• Click Apply and wait for process to complete.
  
  
• OK your way out.
  

Launch regedit with domain admin credentials.

First we need to point the NEWuser to the OLDuser's profile:

• Navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\SID_of_OLDuser\ProfileImagePath
  
  
• Double-click the ProfileImagePath key and copy the path to the Windows clipboard
  
  
• Navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\SID_of_NEWuser\ProfileImagePath
  
  
• Double-click the NEWuser's ProfileImagePath key and paste the path you just copied from the OLDuser's ProfileImagePath.
  

Now we need to give the NEWuser permissions for two registry hives that are located in the OLDuser's profile.

To change permissions on ntuser.dat:

• Highlight the HKEY_LOCAL_MACHINE key (if you don't highlight either HKLM or HKU, the next step will be greyed out).
  
  
• Click File>LoadHive, and navigate to "C:\Documents and Settings\OLDuser\ntuser.dat". Click Open
  
  
• You'll be asked for a keyname. Any arbitrary name is fine, but I'd use something like OLDuser-ntuser. Click OK
  
  
• You now have a new subkey under HKLM named OLDuser-ntuser. Right-click it and click Permissions.
  
  
• Add NEWuser and give NEWuser Full Control.
  
  
• Click Advanced, check "Replace permission entries on all child objects with entries shown here that apply to child objects."
  
  
• Click Apply and wait for the process to complete. OK your way out.

To change permissions on UsrClass.dat:

• Highlight the HKEY_LOCAL_MACHINE key again.
  
  
• Click File>LoadHive, and navigate to "C:\Documents and Settings\OLDuser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat". Click Open.
  

• You'll be asked for a keyname. I'd use something like OLDuser-UsrClass. Click OK.
  
  
• You now have a new subkey under HKLM named OLDuser-UsrClass. Right-click it and click Permissions.
  
  
• Add NEWuser and give NEWuser Full Control.
  
  
• Click Advanced, check "Replace permission entries on all child objects with entries shown here that apply to child objects."
  
  
• Click Apply and wait for the process to complete. OK your way out.
  

Now we need to Unload both of the hives on which we just added permissions. Don't want to forget this.

• Highlight HKLM\OLDuser-ntuser and click File>UnloadHive. Yes, you're sure.
  
  
• Highlight HKLM\OLDuser-UsrClass and click File>UnloadHive. Again, you're sure.

Close Regedit and log out of Windows.

Log in to Windows as NEWuser. You should have the familiar OLDuser desktop and customizations.

How to Index that Shelf Full of Bare Hard Drives

I've got maybe a dozen bare or USB HDDs that I use for storing disk images and other big chunks of data.

When I'm heading out to a customer site, I'm never sure which HDD has enough free space for the disk image I might want to make. And when I need a particular disk image, I'm never sure on which HDD it might be stored.

So I have to connect 3 or 4 HDDs to my bench machine, boot it up and look at the HDDs with Windows Explorer. Then I have to rinse and repeat with the next 3 or 4 drives, until I find a HDD with sufficient free space or with the particular disk image I'm looking for.

Today I went looking for a better way, and I found it.

WinCatalog Light is a free download at www.wincatalog.com. It builds a catalog by scanning individual HDDs. Scans are very fast; typically just a few seconds for a complete HDD.

In the screenshot below, you see a catalog of HDDs whose volume labels were ComboGB_1, Dock_1, Dock_2, Dock_3, and Dock_5.

What's special about this is that we are now looking at a fully browsable, fully searchable, Explorer-like view of HDDs that are no longer attached to this machine.

USB/eSATA external HDDs for backup

I hear lots of concern about whether 3.5" portable HDDs are really sufficiently dependable to use as a backup solution. I've had no problems, but then I don't buy mystery packages. I choose my drive and I choose my enclosure. Here's what's worked for me.

Drives:

I use server-grade drives, typically Seagate Barracuda ES or ES.2. Seagate claims a 10x improvement in unrecoverable error rate compared with their desktop drives. MTBF is 1.2 million hours. Warranty is five years.

Drive Enclosures:

I use the MacAlly PHR-100 SU enclosures. These take SATA drives and have both a USB and a SATA connector. The drive is somewhat vibration-isolated from the enclosure by silicone-rubber donuts at each mountpoint. Note that the SATA connector is not eSATA, but the enclosures come with an adapter for connecting to eSATA cables.

Once you get the hang of it, you can mount a drive in an enclosure in about six minutes.

Carrying cases:

For transporting the drives, a $15 foam-filled pistol case works great.
<http://www.midsouthshooterssupply.com/item.asp?sku=00008811>
They're way lighter than Pelican cases, and way cheaper too. Three layers of foam; just make a cutout in the center layer to fit your drive. Sooner or later the drive is gonna get dropped or tossed in somebody's trunk. The pistol case takes away the worry.