If you are joining to Active Directory computers that are already in use by users you need to migrate their profiles from local to domain. Same thing happens when you migrate such a computer from one domain to another. Of course, user may still their local accounts but this is quite pointless 🙂

Migrate local user profile to domain profile

There are quick few steps to perform this operation (migrate from local to domain):

  1. Join computer to new domain and restart it
  2. Login in on old local account
  3. Grant full permissions on your home folder, such as C:\USERS\testuser, keep in mind to check the option to replicate permissions to all child objects. Don’t worry about not setting permissions on few folders like Documents/My music/Pictures etc. These are not real folders, they are just links, so no permissions can be set. Just ignore them.
  4. After this open Regedit
  5. Right-click on HKEY_CURRENT_USER and select permissions
  6. In new window click Advanced, then Add, and then type in DOMAIN ACCOUNT NAME.  You may need to provide domain admin credentials to query AD.
  7. Select user, then check following options:
    1. Apply to: This Key and subkeys
    2. Full Control
    3. DO NOT SELECT LAST CHECKBOX – apply these permissions to objects and/or containerswithin this container only
  8. Click Ok, then ok, then ok
  9. Wait till finish and restart computer
  10. Login to domain account, this will local profile, store SID information in registry etc.
  11. Logout from domain profile, restart and login to local admin account.
  12. Open registry, navigate to HKLM\Software\Microsoft\Windows_NT\CurrentVersion\Profile List
  13. Find the one, with local path to profile in key: ProfileImagePath, copy value of this key, eg. C:\Users\test.local
  14. Find the other one with newly created profile path, eg. C:\Users\test.user.domain.
  15. Replace value of ProfileImagePath from old profile, eg. C:\Users\test.user.domain with C:\Users\test.local
  16. Double check permissions for folders, check value of the keys.
  17. If everything is ok, reboot computer and try to login to new domain profile. You should be welcomed with old desktop and settings.
  18. One thing to remember, all outlook passwords need to be re-entered since credentials storage is wiped.

Second part is about migrating domain account to new domain account.

Migrate user domain profile from one domain to another domain

This is quite similar to migrating local to domain. The difference is about setting permissions and joining to domain. As you know to be able to add domain account to permissions TAB, computer needs to be joined to domain. When computer is a member of a different domain already it might be confusing. So what we need to do:

  1. Login to local admin account
  2. Join new domain providing credentials to it, reboot computer
  3. Login again as local administrator making sure the computer is joined to the new domain – computer properties
  4. Now, we need to add user from new domain to permissions of user files and registry. Just repeat step 3
  5. Now, the registry part, it is a bit tricky since we need to load external registry because we won’t be able to log on old domain account.
  6. Open regedit, select HKLM, then select file/load registry hive. Navigate to old domain user account folder, select file NTUSER.DAT (hidden by default), specify a temporary name for that hive, like user-reg.
  7. Now right-click on user-reg, click permissions
  8. In new window click Advanced, then Add, and then type in NEW DOMAIN ACCOUNT NAME.  You may need to provide domain admin credentials to query AD.
  9. Select user, then check following options:
    1. Apply to: This Key and subkeys
    2. Full Control
    3. DO NOT SELECT LAST CHECKBOX – apply these permissions to objects and/or containerswithin this container only
  10. Click Ok, then ok, then ok.
  11. Now navigate to HKLM\Software\Microsoft\Windows_NT\CurrentVersion\Profile List
    1. Find the one, with old domain path to profile in key: ProfileImagePath, copy value of this key, eg. C:\Users\test.olddomain
    2. Find the other one with newly created profile path, eg. C:\Users\test.newdomain
    3. Replace value of ProfileImagePath from old profile, eg. C:\Users\test.olddomain with C:\Users\test.newdomain
  12. Double check permissions for folders, check value of the keys.
  13. If everything is ok, reboot your computer and try to login using username from new domain.

That would be all. If you login to new domain account and cannot see/open a folder or file it is generally related to permissions. Just reboot computer, login to local admin or domain admin, select user profile and re-add permissions with propagation to child objects.

If you login and are presented with temporary profile, you need to re-set permissions for registry for new user. Basically it isn’t a big magic behind this, just simple permissions editing with path to profile swapping. That’s all:)