If you are joining to Active Directory computers that are already in use by users you need to migrate their profiles from local to domain. Same thing happens when you migrate such a computer from one domain to another. Of course, user may still their local accounts but this is quite pointless :)
Migrate local user profile to domain profile
There are quick few steps to perform this operation (migrate from local to domain):
- Join computer to new domain and restart it
- Login in on old local account
- Grant full permissions on your home folder, such as C:\USERS\testuser, keep in mind to check the option to replicate permissions to all child objects. Don’t worry about not setting permissions on few folders like Documents/My music/Pictures etc. These are not real folders, they are just links, so no permissions can be set. Just ignore them.
- After this open Regedit
- Right-click on HKEY_CURRENT_USER and select permissions
- In new window click Advanced, then Add, and then type in DOMAIN ACCOUNT NAME. You may need to provide domain admin credentials to query AD.
- Select user, then check following options:
- Apply to: This Key and subkeys
- Full Control
- DO NOT SELECT LAST CHECKBOX – apply these permissions to objects and/or containerswithin this container only
- Click Ok, then ok, then ok
- Wait till finish and restart computer
- Login to domain account, this will local profile, store SID information in registry etc.
- Logout from domain profile, restart and login to local admin account.
- Open registry, navigate to HKLM\Software\Microsoft\Windows_NT\CurrentVersion\Profile List
- Find the one, with local path to profile in key: ProfileImagePath, copy value of this key, eg. C:\Users\test.local
- Find the other one with newly created profile path, eg. C:\Users\test.user.domain.
- Replace value of ProfileImagePath from old profile, eg. C:\Users\test.user.domain with C:\Users\test.local
- Double check permissions for folders, check value of the keys.
- If everything is ok, reboot computer and try to login to new domain profile. You should be welcomed with old desktop and settings.
- One thing to remember, all outlook passwords need to be re-entered since credentials storage is wiped.
Second part is about migrating domain account to new domain account.
Migrate user domain profile from one domain to another domain
This is quite similar to migrating local to domain. The difference is about setting permissions and joining to domain. As you know to be able to add domain account to permissions TAB, computer needs to be joined to domain. When computer is a member of a different domain already it might be confusing. So what we need to do:
- Login to local admin account
- Join new domain providing credentials to it, reboot computer
- Login again as local administrator making sure the computer is joined to the new domain – computer properties
- Now, we need to add user from new domain to permissions of user files and registry. Just repeat step 3
- Now, the registry part, it is a bit tricky since we need to load external registry because we won’t be able to log on old domain account.
- Open regedit, select HKLM, then select file/load registry hive. Navigate to old domain user account folder, select file NTUSER.DAT (hidden by default), specify a temporary name for that hive, like user-reg.
- Now right-click on user-reg, click permissions
- In new window click Advanced, then Add, and then type in NEW DOMAIN ACCOUNT NAME. You may need to provide domain admin credentials to query AD.
- Select user, then check following options:
- Apply to: This Key and subkeys
- Full Control
- DO NOT SELECT LAST CHECKBOX – apply these permissions to objects and/or containerswithin this container only
- Click Ok, then ok, then ok.
- Now navigate to HKLM\Software\Microsoft\Windows_NT\CurrentVersion\Profile List
- Find the one, with old domain path to profile in key: ProfileImagePath, copy value of this key, eg. C:\Users\test.olddomain
- Find the other one with newly created profile path, eg. C:\Users\test.newdomain
- Replace value of ProfileImagePath from old profile, eg. C:\Users\test.olddomain with C:\Users\test.newdomain
- Double check permissions for folders, check value of the keys.
- If everything is ok, reboot your computer and try to login using username from new domain.
That would be all. If you login to new domain account and cannot see/open a folder or file it is generally related to permissions. Just reboot computer, login to local admin or domain admin, select user profile and re-add permissions with propagation to child objects.
If you login and are presented with temporary profile, you need to re-set permissions for registry for new user. Basically it isn’t a big magic behind this, just simple permissions editing with path to profile swapping. That’s all:)
Hi Milos
This is a really, really hard way to do this.
USMT is made for exactly this purpose and there are plenty user interfaces for USMT out there.
USMTGUI is an easy to use, always updated, GUI including optimized XML files etc…
Their Current version is 10.12.1607
We use it as THE everyday user handling tool at CSU
https://support.csuchico.edu/TDClient/KB/ArticleDet?ID=13364
Hey, I must admit, that it isn’t the easiest way to do it, but at the time of writing this help I wasn’t aware of that tool. We only used original USMT from Microsoft in cooperation with MDT but that is not the subject of this post. Besides, as I read, USMT GUI described by you does not offer the possibility to change local profile to domain on the same machine.
Anyway, thanks for pointing this. Can be useful for migrating from one pc to another
93.5 bajate raho
Hello Milos,
This is very good solution and thank you for posting.
I need to migrate local users to domain users. Now, in testing environment I tried to migrate local user profile to domain profile but when I login with domain user I have prompted message that I have been signed with temporary profile. I double checked permissions and done couple of reboots but it is still the same.
Any suggestions?
Thank you in advance.
Hi, thanks for your comment. Logging with temporary profile can be caused by multiple factors: registry permissions, hard disk permissions, hard disk failures. Assuming it is because of playing around with profiles I thing what could happen is:
I would start with permissions in registry. Then I would double check the permissions on local profile. Did you try reverting your changes?
Also what you can try is to start up the registry as affected user and try to access the hives. That should tell if the permissions are good. Also you can try the same for local folders. Just runas cmd as different user and try to navigate to new local profile.
Hello! Milos.
Thank you for posting!
i try to migrate local profile to domain profile according to your method. when i logined with the domain account, i found that the desktop files had been migrated, but the files in my document, download were still in the local pfofile folder. There was nothing in those folders of the domain user.
Any suggestions?
Thank you .
what OS are you using? have you performed all steps according to this guide?
Hi, in step 3 of migrating local profile to domain, when you say grant full permission, do you mean (like #7) grant full control to the domain user?
Hey Kevin, that’s exactly what I meant. Full Control = Full Permissions :)
I’m wondering if you have insight on how to do this for Azure AD joined Windows 10 PCs.
unfortunately I never used Azure-Ad so it’s hard to tell. Apart from domain adding/credentials it should work as usual. Keep in mind, that caution must be taken for W10. This guide hasn’t been tested against W10.