How can I make Adam's profile into Bob's profile?
August 1, 2011 1:13 PM

How can I migrate a local Win7 profile that is associated with a domain account?

Two users, Adam and Bob. Bob was hired to replace Adam. Adam spent two weeks training Bob on his computer. I created a new user account for Bob in Active Directory on the domain server. Bob already has all of his preferences, shortcuts, etc. set in Adam's account that he has been using.

Of course if he logs in as himself he has a fresh desktop and default settings in all the apps. How can I migrate all that profile information? We are not using roaming profiles.

I tried just copying the contents of Adam's profile directory into Bob's profile directory but then when Bob tried to log on it generated an error, "The Group Policy Client service failed the logon".

I'm sure I'm missing something obvious, but Googling around this morning did not produce anything useful for me.
posted by MrBobaFett to Computers & Internet (10 answers total) 1 user marked this as a favorite

You can temporarily make Adam's profile the default profile:

- Modify Adam's profile folder's security settings (c:\users\adam) so that the "Everyone" group has at least read access.
- Open Regedit while logged in as an administrator
- Change the following key from "Default" to "Adam" (keep path leading up intact)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ (string: Default)
- Make sure the Bob profile does not exist in the Users folder
- Log out of the administrator account and have Bob Log in
- Change the default profile back to "Default" once his account is confirmed to be working ok...then delete Adam's profile once it is no longer needed.
posted by samsara at 1:32 PM on August 1, 2011 [1 favorite]

P.S. forgot to mention, make sure you apply the "Everyone" group's read rights recursively on Adam's folder so all files and subfolders will be temporarily readable by anyone logging in.
posted by samsara at 1:35 PM on August 1, 2011

You do need to be a bit careful with permission alterations on profile folders in Windows 7.

The old Windows XP scheme puts the user's Temp folder and a bit of other assorted non-roaming stuff in %USERPROFILE%\Local Settings, and keeps non-roaming application settings in %USERPROFILE%\Local Settings\Application Data. Windows 7 uses the same folder (%USERPROFILE%\AppData\Local) for both of these things.

For backward compatibility with broken apps that just read and write blindly into %USERPROFILE%\Local Settings, Windows 7 puts a junction (NTFS symlink equivalent) there that points to %USERPROFILE%\AppData\Local. To cater for blind reads and writes to %USERPROFILE%\Local Settings\Application Data, that's another junction that also points to %USERPROFILE%\AppData\Local. There are also junctions at %USERPROFILE%\Application Data pointing to %USERPROFILE%\AppData\Roaming, at C:\Documents and Settings pointing to C:\Users, at C:\Users\All Users pointing to C:\Users\Public, and at C:\Users\All Users\Application Data pointing to C:\ProgramData (yes, there are apps stupid enough to stuff their settings blindly into C:\Documents and Settings\All Users\Application Data\AVG regardless of where Windows says the special folders are at).

All of these junctions are hidden. You can see them if you turn on the display of hidden files and folders in Windows Explorer (they just look like folders) but you will get Access Denied errors if you try to navigate inside them. That's because they all have Deny List Folder Contents for Everyone permissions applied.

If you modify the permissions on a user profile folder by recursively propagating that folder's own permissions to all its children, all those Access Denied errors go away - and now the user profile concerned is a hall of mirrors. Everything under %USERPROFILE%\AppData\Local now makes a second appearance under %USERPROFILE%\Local Settings, and a third appearance under %USERPROFILE%\Local Settings\Application Data. But wait! There's more! Look - there's a fourth copy, under %USERPROFILE%\Local Settings\Application Data\Application Data, and a fifth under %USERPROFILE%\Local Settings\Application Data\Application Data\Application Data, and so on until the pathnames involved get too long for Windows to deal with. This is messed up, and it confuses a lot of disk scan, backup and file-copy apps (including Windows Explorer!) that don't treat junctions specially. A few hundred megabytes of browser cache can easily blow out to tens of gigabytes of redundantly copied folders.

If you're doing anything the slightest bit clever with Windows 7 profiles, arm yourself with JunctionBox before you start.
posted by flabdablet at 5:28 PM on August 1, 2011
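
The junction check described in the answer above, as an added example that is not part of the original thread: it walks a profile without descending into reparse points and reports whether each one still carries the Deny "List folder contents" entry for Everyone. `$ProfilePath` and the function names are assumptions, and the script assumes PowerShell 3.0 or later and that `Get-Acl` reports the junction's own ACL.

```powershell
# Added example (not from the thread). Requires PowerShell 3.0 or later.
param(
    [string]$ProfilePath = $env:USERPROFILE   # assumption: the profile to audit
)

# Well-known SID for Everyone; matching on the SID avoids localized group names.
$everyoneSid = 'S-1-1-0'
$listDir = [int][System.Security.AccessControl.FileSystemRights]::ListDirectory

function Test-DenyListAce {
    param([string]$Path)
    # Assumption: Get-Acl returns the reparse point's own ACL, not its target's.
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $everyoneSid -and
            $rule.AccessControlType -eq 'Deny' -and
            ([int]$rule.FileSystemRights -band $listDir)) { return $true }
    }
    return $false
}

function Get-ProfileJunction {
    param([string]$Root)
    # Walk the tree by hand so the scan never descends into a reparse point;
    # following one is what produces the endlessly nested copies.
    $pending = New-Object System.Collections.Stack
    $pending.Push($Root)
    while ($pending.Count -gt 0) {
        $dir = $pending.Pop()
        $children = Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
                    Where-Object { $_.PSIsContainer }
        foreach ($child in $children) {
            if ($child.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
                [pscustomobject]@{
                    Path           = $child.FullName
                    DenyListIntact = Test-DenyListAce -Path $child.FullName
                }
            } else {
                $pending.Push($child.FullName)
            }
        }
    }
}

Get-ProfileJunction -Root $ProfilePath |
    Sort-Object DenyListIntact, Path | Format-Table -AutoSize
```

Rows with `DenyListIntact` set to False are the junctions whose deny entry was lost, for example after permissions were propagated recursively.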

Response by poster: I liked Samsara's answer that sounded easy, I'm scared. I look at his machine first thing in the morning.
posted by MrBobaFett at 6:35 PM on August 1, 2011

What flabdablet mentions about junctions is true and can cause issues with some programs, however this operation should also be considered highly temporary just to copy the profile (which has worked in our lab environments here on campus). Once the profile is copied you'll want to make sure to set things back the way they were. If not deleting Adam's profile, remove the everyone group from the security tab and apply recursively/"replace all child object permissions" (will need to be done under the "Advanced" button for adding "Everyone" and removing them later when finished).
posted by samsara at 5:32 AM on August 2, 2011

If not deleting Adam's profile, remove the everyone group from the security tab and apply recursively/"replace all child object permissions"

This is exactly the operation that gives rise to the junction-mediated hall of mirrors. If you ever do this, run JunctionBox over the profile afterwards or you will have trouble.
posted by flabdablet at 5:50 PM on August 2, 2011

Response by poster: OK this looks like it almost worked. Except when Bob logged in, he did get the desktop and everything looks right except a warning pops up that he has been logged in with a temporary profile that will be deleted when he logs off.
So I used JunctionBox to restore the junctions and had him log in as Adam for today. So I can look into what the problem might be.
posted by MrBobaFett at 5:42 AM on August 3, 2011

Thanks flabdablet for keeping tabs on this. We normally do not clean up rights afterwards (but actually use the profile as a default one we can log into for making changes in a lab environment). I wasn't fully aware of the junctions having rights applied during the recursive operation. Good to know about JunctionBox...will come in handy!

(as an aside: when using a default login profile...adding network printers can be tricky due to GUID mismatching, would recommend against it and install the printers per profile...one day Microsoft will come out with an OS that makes working on default profiles EASIER...I can only have hope!)
posted by samsara at 6:48 AM on August 3, 2011

MrBobaFett, if you still have trouble with temporary profiles try the following:

1. Open Regedit as an administrator and navigate to the following path:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList]

2. Expand ProfileList and you'll see a list of SIDs for each profile that is on the PC
3. Examine the key "ProfileImagePath" in each SID to find the ones belonging to Bob
4. Rename the parent SID to have a .old at the end (including any for Bob that already end with .bak)

If this does not work, you can revert these keys by removing the .old. If you delete or rename these keys, Windows will create a fresh copy automatically when Bob logs in.
posted by samsara at 6:58 AM on August 3, 2011
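
A read-only way to inspect the ProfileList entries that samsara's answers edit by hand, as an added example that is not part of the original thread: it prints the `Default` value, maps each SID key to its account and `ProfileImagePath`, and flags keys carrying a `.bak` or `.old` suffix. The function and variable names are assumptions, and it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). Read-only; requires PowerShell 3.0+.
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListEntry {
    Get-ChildItem -Path $profileListKey | ForEach-Object {
        $keyName = $_.PSChildName
        # Keys renamed with .bak or .old still start with the SID.
        $sidText = $keyName -replace '\.(bak|old)$', ''
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier $sidText
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '(unresolved)'   # deleted account or unreachable domain
        }
        $imagePath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        [pscustomobject]@{
            Account          = $account
            KeyName          = $keyName
            Renamed          = ($keyName -ne $sidText)
            ProfileImagePath = $imagePath
            FolderExists     = [bool]($imagePath -and (Test-Path -LiteralPath $imagePath))
        }
    }
}

# The "Default" value from samsara's first answer: the template profile folder.
$defaultTemplate = (Get-ItemProperty -Path $profileListKey).Default
"Default profile template: $defaultTemplate"

$entries = Get-ProfileListEntry
$entries | Sort-Object Account, KeyName | Format-Table -AutoSize

# SIDs present under more than one key name (for example plain and .bak).
$entries | Group-Object { $_.KeyName -replace '\.(bak|old)$', '' } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "Duplicate ProfileList keys for $($_.Name): $($_.Group.KeyName -join ', ')" }
```

Running it before and after a change gives a record of what the registry looked like, and a `Default` value that still points at a user's folder is a reminder that the temporary change has not been reverted.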

one day Microsoft will come out with an OS that makes working on default profiles EASIER...I can only have hope!

I have completely given up hope of this. I have also given up hope of roaming profiles working even slightly reasonably any time soon. So what I do at my school site is do everything that needs consistent site-wide setup using logon and logoff scripts.

That way, if a profile gets b0rked all I need to do is delete it; the next time that user logs on, the logon script will see a profile that's had no work done to it and just set it all up again from scratch.

The only reason I found JunctionBox is that I had a customer machine with a WinFast infection and no backups :-)
posted by flabdablet at 3:52 PM on August 3, 2011
